Black Duck Scan #52
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Black Duck Scan | |
on: | |
workflow_dispatch: | |
inputs: | |
production: | |
description: Production | |
type: boolean | |
default: true | |
version: | |
description: 'For non-production scan only: base branch version' | |
type: choice | |
options: | |
- v6 | |
- v7 | |
default: v7 | |
log-level: | |
description: 'Log level of scanning. Use DEBUG or TRACE for troubleshooting.' | |
type: choice | |
options: | |
- OFF | |
- ERROR | |
- WARN | |
- INFO | |
- DEBUG | |
- TRACE | |
default: INFO | |
jobs: | |
scan-code: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out repository code | |
uses: actions/checkout@v3 | |
with: | |
# Number of commits to fetch. 0 indicates all history for all branches and tags. | |
# Pulls all commits (needed for Lerna) | |
fetch-depth: 0 | |
- name: Install Dependencies | |
run: npm ci --audit=false --fund=false | |
- name: Scanning | |
run: | | |
DETECT_FILE="synopsys.jar" | |
curl https://sig-repo.synopsys.com/artifactory/bds-integrations-release/com/synopsys/integration/synopsys-detect/${{ vars.SYNOPSYS_DETECT_VERSION }}/synopsys-detect-${{ vars.SYNOPSYS_DETECT_VERSION }}.jar -o $DETECT_FILE | |
mkdir appsec || true | |
mv $DETECT_FILE appsec/ | |
if [[ "${{ inputs.production }}" == "true" ]]; then export RELEASE_TYPE="PROD"; export VERSION_ID="Release_${GITHUB_REF#refs/heads/}"; fi | |
if [[ "${{ inputs.production }}" == "false" ]]; then export RELEASE_TYPE="DEV"; export VERSION_ID="Development-${{ inputs.version }}"; fi | |
if [[ -z "${{ vars.BLACKDUCK_APP_ID }}" ]]; then echo "[BLACKDUCK] APP_ID must be set"; exit 1; fi | |
if [[ -z "${{ vars.BLACKDUCK_PROJECT_ID }}" ]]; then echo "[BLACKDUCK] PROJECT_ID must be set"; exit 1; fi | |
if [[ -z "${{ secrets.BLACKDUCK_APP_TOKEN }}" ]]; then echo "[BLACKDUCK] BLACKDUCK_APP_TOKEN must be set"; exit 1; fi | |
java -jar appsec/$DETECT_FILE \ | |
--detect.project.application.id="${{ vars.BLACKDUCK_APP_ID }}" \ | |
--detect.project.name="${{ vars.BLACKDUCK_APP_ID }}-${{ vars.BLACKDUCK_PROJECT_ID }}-${RELEASE_TYPE}" \ | |
--detect.project.user.groups="${{ vars.BLACKDUCK_APP_ID }}-AppSec-Dev" \ | |
--detect.project.version.name="${VERSION_ID}" \ | |
--detect.code.location.name="${{ vars.BLACKDUCK_APP_ID }}-${{ vars.BLACKDUCK_PROJECT_ID }}-${VERSION_ID}" \ | |
--detect.source.path="." \ | |
--detect.clone.project.version.latest=true \ | |
--blackduck.api.token="${{ secrets.BLACKDUCK_APP_TOKEN }}" \ | |
--blackduck.url="${{ vars.BLACKDUCK_URL }}" \ | |
--blackduck.trust.cert=true \ | |
--logging.level.detect=${{ inputs.log-level }} \ | |
--detect.excluded.directories=appsec \ | |
--detect.npm.dependency.types.excluded="DEV" \ | |
--detect.lerna.path="./node_modules/.bin/lerna" # make sure blackduck use lerna from npm package rather than shell one |