CI-AppSec [Master] #314
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI-AppSec [Master] | |
| on: | |
| schedule: | |
| #At 13:00 on every day-of-week from Sunday through Thursday. | |
| - cron: '0 13 * * SUN-THU' | |
| workflow_dispatch: | |
| jobs: | |
| blackduck-scan: | |
| runs-on: [ ubuntu-latest ] | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up Python 3.9.12 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: "3.9.12" | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi | |
| - name: Black Duck Full Scan | |
| uses: synopsys-sig/[email protected] | |
| ### Use below configuration to set specific detect environment variables | |
| env: | |
| DETECT_PROJECT_NAME: ${{ github.event.repository.name }} | |
| with: | |
| blackduck_url: ${{ secrets.BLACKDUCK_URL }} | |
| blackduck_token: ${{ secrets.BLACKDUCK_API_TOKEN }} | |
| blackduck_scan_full: true | |
| ### Accepts Multiple Values | |
| blackduck_scan_failure_severities: 'BLOCKER,CRITICAL' | |
| ### Uncomment below configuration to enable automatic fix pull request creation if vulnerabilities are reported | |
| blackduck_fixpr_enabled: true | |
| blackduck_fixpr_maxCount: 5 | |
| blackduck_fixpr_filter_severities: 'CRITICAL,HIGH' | |
| blackduck_fixpr_useUpgradeGuidance: 'SHORT_TERM,LONG_TERM' | |
| github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_fixpr_enabled is set to 'true' | |
| ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded | |
| # include_diagnostics: true | |
| - name: If failed - Configure 1Password Service Account For Slack Webhook URL Secret | |
| uses: 1password/load-secrets-action/configure@v1 | |
| if: ${{ failure() }} | |
| with: | |
| service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | |
| - name: If failed - Load Slack Webhook URL Secret | |
| uses: 1password/load-secrets-action@v1 | |
| if: ${{ failure() }} | |
| with: | |
| export-env: true | |
| env: | |
| SLACK_WEBHOOK_URL: op://Security/slack-appsec-blackduck-alerts/webhook-url | |
| - name: If failed - Report failure to Slack | |
| #Slack channel: appsec-blackduck-alerts | |
| uses: ravsamhq/notify-slack-action@v2 | |
| if: ${{ failure() }} | |
| with: | |
| status: ${{ job.status }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| notification_title: "{workflow} has {status_message}" | |
| message_format: "{emoji} *{workflow}* {status_message} in <{run_url}|{repo}>" | |
| footer: "Linked Run <{run_url}|{repo}>" | |
| notify_when: "failure" | |
| mention_users: "U040AD4BT42" | |
| mention_users_when: "failure,warnings" | |
| mention_groups: "!channel" | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }} |