From 63c6b9a4d6d1291f544dc6b89d33a0d8535ea50b Mon Sep 17 00:00:00 2001
From: Black Duck
Date: Tue, 24 Mar 2026 15:23:43 +0000
Subject: [PATCH] Black Duck Security: Automatic pull request to commit polaris-workflow.yml
---
 .github/workflows/polaris-workflow.yml | 56 ++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 .github/workflows/polaris-workflow.yml
diff --git a/.github/workflows/polaris-workflow.yml b/.github/workflows/polaris-workflow.yml
new file mode 100644
index 00000000..c48d7240
--- /dev/null
+++ b/.github/workflows/polaris-workflow.yml
@@ -0,0 +1,56 @@ +# Quickstart: Black Duck Security Scan Action with polaris: +# https://documentation.blackduck.com/bundle/bridge/page/documentation/t_github-polaris-quickstart.html +name: Polaris Security Scan +on: + push: + branches: + - main + - master + - develop + - stage + - release + pull_request: + branches: + - main + - master + - develop + - stage + - release + workflow_dispatch: {} +# GitHub token permissions for post-scan actions. Required for built-in GITHUB_TOKEN; if using a PAT with equivalent scopes, permissions block can be commented out. +permissions: + contents: write # Required to push changes or create fix branches + pull-requests: write # Required to add comments or create fix pull requests + security-events: write # Required to upload SARIF results to GitHub Security +jobs: + polaris: + runs-on: ubuntu-latest + steps: + - name: Checkout Source + uses: actions/checkout@v4 + + - name: Polaris Security Scan + id: polaris-scan + uses: blackduck-inc/black-duck-security-scan@v2 + with: + ### SCANNING: Required fields + polaris_server_url: ${{ vars.POLARIS_URL }} + polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }} + ### ASSESSMENT TYPES + polaris_assessment_types: SAST,SCA # Comma-separated list: SAST,SCA,DAST + ### GITHUB TOKEN + github_token: ${{ secrets.GITHUB_TOKEN }} # Required when PR comments or sarif reports enabled + polaris_prComment_enabled: true + ### SARIF report parameters + polaris_reports_sarif_create: true # Create SARIF report and upload it as artifact + polaris_upload_sarif_report: true # Upload SARIF report in GitHub Advanced Security tab + + + ### SCAN CONFIGURATION: Uncomment below to enable + # polaris_waitForScan: true # Wait for scan completion before proceeding + + ### Mark build status if policy violating issues are found + # mark_build_status: failure # Set to success, failure, or skip + + ### Uncomment below configuration if Bridge diagnostic files needs to be uploaded + # include_diagnostics: false \ No newline 
at end of file
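Review bot: Both steps in the `polaris` job are pinned to mutable major tags (`uses: actions/checkout@v4` and `uses: blackduck-inc/black-duck-security-scan@v2`) while the top-level `permissions` block hands the job `contents: write` and `pull-requests: write`, so a moved or compromised tag would run arbitrary code with push and PR-comment rights on every push to `main`, `master`, `develop`, `stage` and `release`. Pin each action to the full 40-character commit SHA of the release you vetted and keep the tag as a trailing comment, e.g. `uses: blackduck-inc/black-duck-security-scan@<commit-sha> # v2`, so Dependabot can bump it in a reviewable PR. The inline comments themselves say `contents: write` is only needed to push fix branches; if that feature is not in use, drop it and keep only `security-events: write` (needed by `polaris_upload_sarif_report: true`) and `pull-requests: write` (needed by `polaris_prComment_enabled: true`), since a top-level `permissions` block applies to every job in the file. Note also that on `pull_request` runs from forks the `GITHUB_TOKEN` is read-only regardless of this block, so the PR-comment step will presumably fail there — worth a one-line comment above the `pull_request:` trigger, e.g. `# Fork PRs get a read-only GITHUB_TOKEN; PR comments/SARIF upload only work for same-repo branches`. The comment suggesting a PAT "with equivalent scopes" invites a long-lived, broader credential into the repo; I would reword it to recommend the scoped `GITHUB_TOKEN` unless a PAT is strictly required.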