From 7575ccbe0b6fd1ceb22b03fc40ed68910ae75d7b Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 15:11:11 -0400 Subject: [PATCH 01/14] Create main.yml --- .github/workflows/main.yml | 49 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 00000000..1918d136 --- /dev/null +++ b/.github/workflows/main.yml 
@@ -0,0 +1,49 @@
+
+name: bd-sig-action
+
+on:
+ push:
+ branches: [ main, master, develop, stage, release ]
+ pull_request:
+ branches: [ main, master, develop, stage, release ]
+ workflow_dispatch:
+jobs:
+ build:
+ runs-on: [ ubuntu-latest ]
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v3
+
+ - name: Black Duck Full Scan
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: synopsys-sig/synopsys-action@v1.2.0
+ ### Use below configuration to set specific detect environment variables
+ env:
+ DETECT_PROJECT_NAME: ${{ github.event.repository.name }}
+ with:
+ blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+ blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
+ blackduck_scan_full: true
+ ### Accepts Multiple Values
+ blackduck_scan_failure_severities: 'BLOCKER,CRITICAL'
+ ### Uncomment below configuration to enable automatic fix pull request creation if vulnerabilities are reported
+ # blackduck_automation_fixpr: true
+ # github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_fixpr is set to 'true'
+ ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded
+ # include_diagnostics: true
+
+ - name: Black Duck PR Scan
+ if: ${{ github.event_name == 'pull_request' }}
+ uses: synopsys-sig/synopsys-action@v1.2.0
+ ### Use below configuration to set specific detect environment variables
+ env:
+ DETECT_PROJECT_NAME: ${{ github.event.repository.name }}
+ with:
+ blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+ blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
+ blackduck_scan_full: false
+ ### Below configuration is used to enable automatic pull request comment based on Black Duck scan result
+ blackduck_automation_prcomment: true
+ github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_prcomment is set to 'true'
+ ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded
+ # include_diagnostics: true
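Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` handed to the PR-scan step through `github_token` runs with whatever default the repository grants instead of an explicit least-privilege scope; add at workflow level `permissions:` / `  contents: read` / `  pull-requests: write`, widening to `contents: write` only where `blackduck_automation_fixpr` is enabled, since that feature opens pull requests. Both `actions/checkout@v3` and `synopsys-sig/synopsys-action@v1.2.0` are referenced by mutable tags; pinning each `uses:` to a full commit SHA with the tag in a trailing comment keeps a retagged action from changing what runs with the Black Duck credentials. If pull requests from forks are expected, `secrets.BLACKDUCK_URL` and `secrets.BLACKDUCK_API_TOKEN` are presumably not supplied to fork-originated `pull_request` runs, so the PR-scan step should either be guarded on the head repository or the file should document that fork PRs are not scanned. The same gaps recur in the hunks at L3 (fix-PR enablement with the same token), L6 (whose comment asks for "appropriate permissions" that nothing in the file grants) and L10–L11 (which restore this exact file content).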
From 16da1d835850e4b0ce35b0882fc534f58d6ccf62 Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 15:14:37 -0400 Subject: [PATCH 02/14] Update main.yml --- .github/workflows/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1918d136..59fd6eb4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -27,10 +27,10 @@ jobs: ### Accepts Multiple Values blackduck_scan_failure_severities: 'BLOCKER,CRITICAL' ### Uncomment below configuration to enable automatic fix pull request creation if vulnerabilities are reported - # blackduck_automation_fixpr: true - # github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_fixpr is set to 'true' + blackduck_automation_fixpr: true + github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_fixpr is set to 'true' ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded - # include_diagnostics: true + include_diagnostics: true - name: Black Duck PR Scan if: ${{ github.event_name == 'pull_request' }} From 4f653b8f492a0a61eca22df562b4868ecf8d884a Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 15:18:42 -0400 Subject: [PATCH 03/14] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 59fd6eb4..0bfbd042 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -30,7 +30,7 @@ jobs: blackduck_automation_fixpr: true github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_fixpr is set to 'true' ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded - include_diagnostics: true + # include_diagnostics: true - name: Black Duck PR Scan if: ${{ github.event_name == 'pull_request' }} 
From c87b061fb4376214e4ce7ce490d19be2040d9f16 Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 15:37:07 -0400 Subject: [PATCH 04/14] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 0bfbd042..42a08b3a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -25,7 +25,7 @@ jobs: blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} blackduck_scan_full: true ### Accepts Multiple Values - blackduck_scan_failure_severities: 'BLOCKER,CRITICAL' + blackduck_scan_failure_severities: 'CRITICAL' ### Uncomment below configuration to enable automatic fix pull request creation if vulnerabilities are reported blackduck_automation_fixpr: true github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_fixpr is set to 'true' From e6c43f1b1fd42f4dd7f1505f4d56047dae7af35d Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 15:50:06 -0400 Subject: [PATCH 05/14] Update main.yml --- .github/workflows/main.yml | 60 +++++++++++++++----------------------- 1 file changed, 24 insertions(+), 36 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 42a08b3a..3026eb66 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
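Review bot: Dropping `BLOCKER` from `blackduck_scan_failure_severities` means BLOCKER-severity findings no longer fail the job while CRITICAL ones still do, which loosens the gate rather than tightening it, and the commit message ("Update main.yml") gives no reason. If the intent was to fail only on the most severe findings, `blackduck_scan_failure_severities: 'BLOCKER,CRITICAL'` is the value to keep; if BLOCKER is genuinely unused in this Black Duck instance, a one-line comment above the key saying so would stop the next reader from restoring it. The enclosing step definition starts before this hunk.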
@@ -1,49 +1,37 @@ -name: bd-sig-action + +name: Synopsys Security Testing on: push: - branches: [ main, master, develop, stage, release ] + branches: [ master, main ] + pull_request: - branches: [ main, master, develop, stage, release ] - workflow_dispatch: + branches: [ master, main ] + jobs: build: - runs-on: [ ubuntu-latest ] + runs-on: [self-hosted] steps: - - name: Checkout Source + - name: Checkout uses: actions/checkout@v3 - - - name: Black Duck Full Scan - if: ${{ github.event_name != 'pull_request' }} - uses: synopsys-sig/synopsys-action@v1.2.0 - ### Use below configuration to set specific detect environment variables - env: - DETECT_PROJECT_NAME: ${{ github.event.repository.name }} + - name: Synopsys Action + uses: synopsys-sig/synopsys-action@v1.1.0 with: - blackduck_url: ${{ secrets.BLACKDUCK_URL }} blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} - blackduck_scan_full: true - ### Accepts Multiple Values - blackduck_scan_failure_severities: 'CRITICAL' - ### Uncomment below configuration to enable automatic fix pull request creation if vulnerabilities are reported - blackduck_automation_fixpr: true - github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_fixpr is set to 'true' - ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded - # include_diagnostics: true - - - name: Black Duck PR Scan - if: ${{ github.event_name == 'pull_request' }} - uses: synopsys-sig/synopsys-action@v1.2.0 - ### Use below configuration to set specific detect environment variables - env: - DETECT_PROJECT_NAME: ${{ github.event.repository.name }} - with: blackduck_url: ${{ secrets.BLACKDUCK_URL }} - blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} + + # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests + # will initiate a rapid scan. 
blackduck_scan_full: false - ### Below configuration is used to enable automatic pull request comment based on Black Duck scan result - blackduck_automation_prcomment: true - github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_prcomment is set to 'true' - ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded - # include_diagnostics: true + # Required parameter if blackduck_automation_fixpr is enabled + # Make sure GITHUB_TOKEN have appropriate permissions + github_token: ${{ secrets.GITHUB_TOKEN }} + # Optional parameter. By default, create fix pull requests if vulnerabilities are reported + # Passing false will disable fix pull request creation + blackduck_automation_fixpr: true + # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED + # Single parameter + blackduck_scan_failure_severities: "ALL" + # multiple parameters + # blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" From 91aa73ee4a8e8c12f25c3650c31f92f3ca3e7d64 Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 16:02:28 -0400 Subject: [PATCH 06/14] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3026eb66..f42314f1 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -11,7 +11,7 @@ on: jobs: build: - runs-on: [self-hosted] + runs-on: [ubuntu-latest] steps: - name: Checkout uses: actions/checkout@v3 From 4ed41771bbf33cb60e4de95457a5e027b18acf23 Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 16:05:20 -0400 Subject: [PATCH 07/14] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f42314f1..571c33e1 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
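Review bot: `runs-on: [self-hosted]` together with the `pull_request` trigger executes a pull request's head commit on a persistent machine the organisation owns, which GitHub's documentation cautions against outside private repositories with trusted contributors; the following commit (also at L6) moves the job back to `ubuntu-latest`, so if self-hosted is revisited, gate the job with `if: ${{ github.event_name == 'push' }}` or an equivalent trusted-contributor check. The rewrite also drops `workflow_dispatch:` and the `DETECT_PROJECT_NAME` env mapping and downgrades the action from `v1.2.0` to `v1.1.0` without saying why, and the comment `# Make sure GITHUB_TOKEN have appropriate permissions` asks for permissions that no `permissions:` block in the file grants (see the note at L2). `blackduck_scan_failure_severities: "ALL"` is stated in the comment above it as covering every listed value including `OK` and `TRIVIAL`, which would presumably fail the job on any finding at all; confirm that is intended.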
@@ -23,7 +23,7 @@ jobs: # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests # will initiate a rapid scan. - blackduck_scan_full: false + blackduck_scan_full: true # Required parameter if blackduck_automation_fixpr is enabled # Make sure GITHUB_TOKEN have appropriate permissions github_token: ${{ secrets.GITHUB_TOKEN }} From 7bcce84bd4bb2cf78da153acffc1b47a03d96a92 Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 16:51:16 -0400 Subject: [PATCH 08/14] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 571c33e1..38ba4bec 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -32,6 +32,6 @@ jobs: blackduck_automation_fixpr: true # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED # Single parameter - blackduck_scan_failure_severities: "ALL" + # blackduck_scan_failure_severities: "ALL" # multiple parameters # blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" From 71e3fcfc8b483b3eada2cb9bfb64b382a5255f69 Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 16:56:21 -0400 Subject: [PATCH 09/14] Update main.yml --- .github/workflows/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 38ba4bec..b7ea52f4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -16,7 +16,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Synopsys Action - uses: synopsys-sig/synopsys-action@v1.1.0 + uses: synopsys-sig/synopsys-action@v1.2.0 with: blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} blackduck_url: ${{ secrets.BLACKDUCK_URL }} 
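Review bot: With `blackduck_scan_failure_severities: "ALL"` commented out, no failure severity is configured on the only scan step and the file does not state what the action does in that case; unless the action's default fails the job on some severity, the scan has become report-only while `blackduck_automation_fixpr: true` still opens fix pull requests. If a non-blocking scan is the intent, replace the commented line with a comment saying so, e.g. `# intentionally no failure severities: scan is advisory only`; otherwise keep an explicit value such as `blackduck_scan_failure_severities: "BLOCKER,CRITICAL"`. The enclosing step starts before this hunk.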
@@ -35,3 +35,5 @@ jobs: # blackduck_scan_failure_severities: "ALL" # multiple parameters # blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" + include_diagnostics: true + From cc0dbe116571aed04de074f74ec5499fd19fb6eb Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 17:01:41 -0400 Subject: [PATCH 10/14] Update main.yml --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b7ea52f4..ff8ab0dc 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -23,7 +23,7 @@ jobs: # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests # will initiate a rapid scan. - blackduck_scan_full: true + blackduck_scan_full: false # Required parameter if blackduck_automation_fixpr is enabled # Make sure GITHUB_TOKEN have appropriate permissions github_token: ${{ secrets.GITHUB_TOKEN }} @@ -35,5 +35,5 @@ jobs: # blackduck_scan_failure_severities: "ALL" # multiple parameters # blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" - include_diagnostics: true + include_diagnostics: false From f8cf9eb686a2a2717278fdee58ea168677cd0087 Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 17:28:51 -0400 Subject: [PATCH 11/14] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ff8ab0dc..b927fa63 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -23,7 +23,7 @@ jobs: # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests # will initiate a rapid scan. - blackduck_scan_full: false + blackduck_scan_full: true # Required parameter if blackduck_automation_fixpr is enabled # Make sure GITHUB_TOKEN have appropriate permissions github_token: ${{ secrets.GITHUB_TOKEN }} 
From b4a5e63f543836be636e371d9aa459ca722ca307 Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 17:52:28 -0400 Subject: [PATCH 12/14] Update main.yml --- .github/workflows/main.yml | 62 ++++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 26 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b927fa63..1918d136 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,39 +1,49 @@ - -name: Synopsys Security Testing +name: bd-sig-action on: push: - branches: [ master, main ] - + branches: [ main, master, develop, stage, release ] pull_request: - branches: [ master, main ] - + branches: [ main, master, develop, stage, release ] + workflow_dispatch: jobs: build: - runs-on: [ubuntu-latest] + runs-on: [ ubuntu-latest ] steps: - - name: Checkout + - name: Checkout Source uses: actions/checkout@v3 - - name: Synopsys Action + + - name: Black Duck Full Scan + if: ${{ github.event_name != 'pull_request' }} uses: synopsys-sig/synopsys-action@v1.2.0 + ### Use below configuration to set specific detect environment variables + env: + DETECT_PROJECT_NAME: ${{ github.event.repository.name }} with: - blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} blackduck_url: ${{ secrets.BLACKDUCK_URL }} - - # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests - # will initiate a rapid scan. + blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} blackduck_scan_full: true - # Required parameter if blackduck_automation_fixpr is enabled - # Make sure GITHUB_TOKEN have appropriate permissions - github_token: ${{ secrets.GITHUB_TOKEN }} - # Optional parameter. By default, create fix pull requests if vulnerabilities are reported - # Passing false will disable fix pull request creation - blackduck_automation_fixpr: true - # Optional parameter. The values could be. 
ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED - # Single parameter - # blackduck_scan_failure_severities: "ALL" - # multiple parameters - # blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" - include_diagnostics: false - + ### Accepts Multiple Values + blackduck_scan_failure_severities: 'BLOCKER,CRITICAL' + ### Uncomment below configuration to enable automatic fix pull request creation if vulnerabilities are reported + # blackduck_automation_fixpr: true + # github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_fixpr is set to 'true' + ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded + # include_diagnostics: true + + - name: Black Duck PR Scan + if: ${{ github.event_name == 'pull_request' }} + uses: synopsys-sig/synopsys-action@v1.2.0 + ### Use below configuration to set specific detect environment variables + env: + DETECT_PROJECT_NAME: ${{ github.event.repository.name }} + with: + blackduck_url: ${{ secrets.BLACKDUCK_URL }} + blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} + blackduck_scan_full: false + ### Below configuration is used to enable automatic pull request comment based on Black Duck scan result + blackduck_automation_prcomment: true + github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_prcomment is set to 'true' + ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded + # include_diagnostics: true From a6c9b85a1e8c3010711535a314eea89c46cd69c9 Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 18:06:34 -0400 Subject: [PATCH 13/14] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1918d136..10f84d36 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -43,7 +43,7 @@ jobs: blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} blackduck_scan_full: false ### Below configuration is used to enable automatic pull request comment based on Black Duck scan result - blackduck_automation_prcomment: true + blackduck_automation_prcomment: false github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_prcomment is set to 'true' ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded # include_diagnostics: true From 92ad15823b842d0917c08e8cca45efaf2bd07865 Mon Sep 17 00:00:00 2001 From: Waizguy Date: Mon, 31 Jul 2023 18:10:25 -0400 Subject: [PATCH 14/14] Update main.yml --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 10f84d36..dd81d80c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -47,3 +47,4 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_automation_prcomment is set to 'true' ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded # include_diagnostics: true + bridge.break: false
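Review bot: After `blackduck_automation_prcomment` is set to `false`, the `github_token: ${{ secrets.GITHUB_TOKEN }}` line directly below it still hands the token to the action, and the inline comment on that very line says the token is mandatory only when the comment feature is `'true'`; a token passed for no enabled feature is surplus exposure. Either comment it out alongside, `# github_token: ${{ secrets.GITHUB_TOKEN }}`, mirroring the commented pair in the full-scan step, or leave the comment feature on and say why in the commit message, which currently gives no reason. The enclosing PR-scan step starts before this hunk.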
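Review bot: `bridge.break: false` is added under the PR-scan step with nothing in the file saying what it does, and its dotted name does not match the `blackduck_*`, `include_diagnostics` and `github_token` naming of the action's other inputs; unless `synopsys-sig/synopsys-action@v1.2.0` declares an input named `bridge.break`, GitHub will log an "Unexpected input(s)" warning and the value has no effect, and I cannot tell from this file which applies. If it is a supported input, add a comment above it in the file's `###` style stating its effect, and confirm the key sits inside the step's `with:` mapping (indentation is not recoverable in this view). If it means the step never fails the job, that also contradicts the failure-severity gate configured on the full-scan step and should be stated explicitly.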