Skip to content

CI-AppSec [Master] #368

CI-AppSec [Master]

CI-AppSec [Master] #368

name: CI-AppSec [Master]
on:
schedule:
#At 13:00 on every day-of-week from Sunday through Thursday.
- cron: '0 13 * * SUN-THU'
workflow_dispatch:
#The workflow will only run when a push that includes a change to the package.json file is made in the main branch.
push:
branches:
- main
paths:
- 'package.json'
jobs:
blackduck-scan:
runs-on: [ ubuntu-latest ]
steps:
- name: Checkout Source
uses: actions/checkout@v3
- name: Black Duck Full Scan
uses: synopsys-sig/[email protected]
### Use below configuration to set specific detect environment variables
env:
DETECT_PROJECT_NAME: ${{ github.event.repository.name }}
DETECT_PROJECT_VERSION_NAME: main
with:
blackduck_url: ${{ secrets.BLACKDUCK_URL }}
blackduck_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
blackduck_scan_full: true
### Accepts Multiple Values
blackduck_scan_failure_severities: 'BLOCKER,CRITICAL'
### Uncomment below configuration to enable automatic fix pull request creation if vulnerabilities are reported
blackduck_fixpr_enabled: true
blackduck_fixpr_maxCount: 5
blackduck_fixpr_filter_severities: 'CRITICAL,HIGH'
blackduck_fixpr_useUpgradeGuidance: 'SHORT_TERM,LONG_TERM'
github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_fixpr_enabled is set to 'true'
### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded
# include_diagnostics: true
- name: If failed - Configure 1Password Service Account For Slack Webhook URL Secret
uses: 1password/load-secrets-action/configure@v1
if: ${{ failure() }}
with:
service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
- name: If failed - Load Slack Webhook URL Secret
uses: 1password/load-secrets-action@v1
if: ${{ failure() }}
with:
export-env: true
env:
SLACK_WEBHOOK_URL: op://Security/slack-appsec-blackduck-alerts/webhook-url
- name: If failed - Report failure to Slack
#Slack channel: appsec-blackduck-alerts
uses: ravsamhq/notify-slack-action@v2
if: ${{ failure() }}
with:
status: ${{ job.status }}
token: ${{ secrets.GITHUB_TOKEN }}
notification_title: "{workflow} has {status_message}"
message_format: "{emoji} *{workflow}* {status_message} in <{run_url}|{repo}>"
footer: "Linked Run <{run_url}|{repo}>"
notify_when: "failure"
mention_users: "U040AD4BT42"
mention_users_when: "failure,warnings"
mention_groups: "!channel"
env:
SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}