blackduck #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI-BlackDuck | |
| on: | |
| push: | |
| branches: [ main, master, develop, stage, test/test/tst ] | |
| pull_request: | |
| branches: [ main, master, develop, stage, release ] | |
| jobs: | |
| build: | |
| runs-on: [ macOS ] | |
| steps: | |
| - name: Checkout Source | |
| uses: actions/checkout@v3 | |
| - name: Black Duck Full Scan | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: synopsys-sig/synopsys-action@SIGINT-1715-backup | |
| ### Use below configuration to set specific detect environment variables | |
| env: | |
| DETECT_PROJECT_NAME: OWASP-NodeGoat-main | |
| with: | |
| blackduck_url: ${{ vars.BLACKDUCK_URL }} | |
| blackduck_token: ${{ secrets.BLACKDUCK_TOKEN }} | |
| blackduck_scan_full: true | |
| ### Accepts Multiple Values | |
| blackduck_scan_failure_severities: 'BLOCKER,CRITICAL' | |
| ### Uncomment below configuration to enable automatic fix pull request creation if vulnerabilities are reported | |
| blackduck_fixpr_enabled: true | |
| blackduck_fixpr_maxCount: 5 | |
| blackduck_fixpr_filter_severities: 'CRITICAL,HIGH' | |
| blackduck_fixpr_useUpgradeGuidance: 'SHORT_TERM,LONG_TERM' | |
| github_token: ${{ secrets.TOKEN }} # Mandatory when blackduck_fixpr_enabled is set to 'true' | |
| ### SARIF report generation and upload to GitHub Adavanced Security: Uncomment below to enable | |
| blackduck_reports_sarif_create: true # Create Black Duck SARIF report and upload it as artifact | |
| blackduck_reports_sarif_file_path: '/Users/tmp/report.sarif.json' # File path including file name where SARIF report should be created(need to include file name as well) | |
| blackduck_reports_sarif_severities: 'CRITICAL,HIGH' | |
| blackduck_reports_sarif_groupSCAIssues: true # By default true | |
| blackduck_upload_sarif_report: true # Upload Black Duck SARIF report in GitHub Advanced Security tab | |
| # github_token: ${{ secrets.GITHUB_TOKEN }} # Required when blackduck_upload_sarif_report is set as true | |
| ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded | |
| include_diagnostics: true | |
| - name: Black Duck PR Scan | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: synopsys-sig/synopsys-action@SIGINT-1715-backup | |
| ### Use below configuration to set specific detect environment variables | |
| env: | |
| DETECT_PROJECT_NAME: ${{ github.event.repository.name }} | |
| with: | |
| blackduck_url: ${{ vars.BLACKDUCK_URL }} | |
| blackduck_token: ${{ secrets.BLACKDUCK_TOKEN }} | |
| blackduck_scan_full: false | |
| ### Below configuration is used to enable automatic pull request comment based on Black Duck scan result | |
| blackduck_prComment_enabled: true | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| # Mandatory when blackduck_automation_prcomment is set to 'true' | |
| ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded | |
| include_diagnostics: true |