Black Duck Scan #64
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Black Duck Scan | |
| on: | |
| workflow_call: | |
| inputs: | |
| target: | |
| description: 'Publish scan result as, valid values are Production, Development-v6, Development-v7' | |
| type: string | |
| log-level: | |
| description: 'Log level of scanning. Use DEBUG or TRACE for troubleshooting.' | |
| type: string | |
| default: INFO | |
| workflow_dispatch: | |
| inputs: | |
| target: | |
| description: 'Publish scan result as' | |
| type: choice | |
| options: | |
| - Production | |
| - Development-v6 | |
| - Development-v7 | |
| log-level: | |
| description: 'Log level of scanning. Use DEBUG or TRACE for troubleshooting.' | |
| type: choice | |
| options: | |
| - 'OFF' | |
| - ERROR | |
| - WARN | |
| - INFO | |
| - DEBUG | |
| - TRACE | |
| default: INFO | |
| jobs: | |
| scan-blackduck: | |
| name: 'Blackduck' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Context Valdidation | |
| run: | | |
| BRANCH_NAME="${GITHUB_REF#refs/heads/}" | |
| if [[ "${{ inputs.target }}" == "Production" && $BRANCH_NAME != "v6" && $BRANCH_NAME != "v7" ]]; \ | |
| then echo "Only v6 & v7 branch can be published as production"; exit 1; \ | |
| fi | |
| if [[ -z "${{ vars.BLACKDUCK_APP_ID }}" ]]; then echo "[BLACKDUCK] APP_ID must be set"; exit 1; fi | |
| if [[ -z "${{ vars.BLACKDUCK_PROJECT_ID }}" ]]; then echo "[BLACKDUCK] PROJECT_ID must be set"; exit 1; fi | |
| if [[ -z "${{ secrets.BLACKDUCK_APP_TOKEN }}" ]]; then echo "[BLACKDUCK] BLACKDUCK_APP_TOKEN must be set"; exit 1; fi | |
| echo "Inputs, variables & secrets validation: successful." | |
| - name: Check out repository code | |
| uses: actions/checkout@v4 | |
| with: | |
| # Number of commits to fetch. 0 indicates all history for all branches and tags. | |
| # Pulls all commits (needed for Lerna) | |
| fetch-depth: 0 | |
| - name: Install Dependencies | |
| run: npm ci --audit=false --fund=false | |
| - name: Scanning | |
| run: | | |
| DETECT_FILE="synopsys.jar" | |
| curl https://sig-repo.synopsys.com/artifactory/bds-integrations-release/com/synopsys/integration/synopsys-detect/${{ vars.SYNOPSYS_DETECT_VERSION }}/synopsys-detect-${{ vars.SYNOPSYS_DETECT_VERSION }}.jar -o $DETECT_FILE | |
| mkdir appsec || true | |
| mv $DETECT_FILE appsec/ | |
| RELEASE_TYPE="DEV" | |
| VERSION_ID="${{ inputs.target }}" | |
| if [[ "${{ inputs.target }}" == "Production" ]]; then RELEASE_TYPE="PROD"; VERSION_ID="Release_${GITHUB_REF#refs/heads/}"; fi | |
| java -jar appsec/$DETECT_FILE \ | |
| --detect.project.application.id="${{ vars.BLACKDUCK_APP_ID }}" \ | |
| --detect.project.name="${{ vars.BLACKDUCK_APP_ID }}-${{ vars.BLACKDUCK_PROJECT_ID }}-${RELEASE_TYPE}" \ | |
| --detect.project.user.groups="${{ vars.BLACKDUCK_APP_ID }}-AppSec-Dev" \ | |
| --detect.project.version.name="${VERSION_ID}" \ | |
| --detect.code.location.name="${{ vars.BLACKDUCK_APP_ID }}-${{ vars.BLACKDUCK_PROJECT_ID }}-${VERSION_ID}" \ | |
| --detect.source.path="." \ | |
| --detect.clone.project.version.latest=true \ | |
| --blackduck.api.token="${{ secrets.BLACKDUCK_APP_TOKEN }}" \ | |
| --blackduck.url="${{ vars.BLACKDUCK_URL }}" \ | |
| --blackduck.trust.cert=true \ | |
| --logging.level.detect=${{ inputs.log-level }} \ | |
| --detect.policy.check.fail.on.severities=BLOCKER,CRITICAL,MAJOR,MINOR \ | |
| --detect.excluded.directories=appsec \ | |
| --detect.npm.dependency.types.excluded="DEV" \ | |
| --detect.lerna.path="./node_modules/.bin/lerna" # make sure blackduck use lerna from npm package rather than shell one |