java/.github/workflows/blackducksca-workflow.yml at master · IceT5/java · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Quickstart: Black Duck Security Scan Action with blackducksca:
#     https://documentation.blackduck.com/bundle/bridge/page/documentation/t_github-blackduck-quickstart.html
name: Black Duck Security Scan
on:
  push:
    branches:
      - main
      - master
      - develop
      - stage
      - release
  pull_request:
    branches:
      - main
      - master
      - develop
      - stage
      - release
  workflow_dispatch: {}
# GitHub token permissions for post-scan actions. Required for built-in GITHUB_TOKEN; if using a PAT with equivalent scopes, permissions block can be commented out.
permissions:
  contents: write               # Required to push changes or create fix branches
  security-events: write        # Required to upload SARIF results to GitHub Security
jobs:
  blackducksca:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4

      - name: Black Duck Security Scan
        id: black-duck-security-scan
        uses: blackduck-inc/black-duck-security-scan@v2
        with:
          ### SCANNING: Required fields
          blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
          blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}
          ### GITHUB TOKEN
          github_token: ${{ secrets.GITHUB_TOKEN }}  # Required when PR comments or sarif reports enabled
          ### SARIF report parameters
          blackducksca_reports_sarif_create: true  # Create SARIF report and upload it as artifact
          blackducksca_upload_sarif_report: true  # Upload SARIF report in GitHub Advanced Security tab


          ### SCAN CONFIGURATION: Uncomment below to enable
          # blackducksca_waitForScan: true # Wait for scan completion before proceeding

          ### Mark build status if policy violating issues are found
          # mark_build_status: failure # Set to success, failure, or skip

          ### Uncomment below configuration if Bridge diagnostic files needs to be uploaded
          # include_diagnostics: false

          ### PULL REQUEST COMMENTS: Uncomment below to enable
          # blackducksca_prComment_enabled: false

          ### FIX PULL REQUEST CREATION: Uncomment below to enable
          # blackducksca_fixpr_enabled: false