diff --git a/.github/workflows/blackduck-scan.yml b/.github/workflows/blackduck-scan.yml new file mode 100644 index 0000000..df96e4e --- /dev/null +++ b/.github/workflows/blackduck-scan.yml @@ -0,0 +1,99 @@ +### +# Foundation-security BlackDuck workflow +# version: 2.1 +### +name: Foundation-Security/Black Duck Scan + +on: + push: + tags: + - "**" + pull_request: + types: [opened, synchronize, reopened] + branches: + - "**" + schedule: + - cron: "0 3 * * *" # 3:00 AM UTC / 10PM EST + workflow_dispatch: + inputs: + scan-mode: + description: "BlackDuck Scan mode" + required: true + type: choice + options: + - RAPID + - INTELLIGENT + default: RAPID + ref: + description: "Branch to scan" + required: true + +jobs: + Blackduck-Scan: + runs-on: ubuntu-22.04 + permissions: + id-token: write + contents: read + steps: + - name: Checkout source repository for dispatch runs + id: checkout-source-dispatch + if: github.event_name == 'workflow_dispatch' + uses: actions/checkout@v4 + with: + repository: ${{ github.repository }} + ref: ${{ inputs.ref }} + path: source + token: ${{ secrets.GH_SLONIK }} + + - name: Set project name and version for dispatch runs + id: set-project-name-and-version-dispatch + if: github.event_name == 'workflow_dispatch' + run: | + echo "PROJECT_NAME=${{ github.event.repository.name }}" >> "$GITHUB_ENV" + echo "PROJECT_VERSION=${{ inputs.ref }}" >> "$GITHUB_ENV" + + - name: Checkout source repository for non-dispatch runs + id: checkout-source + if: github.event_name != 'workflow_dispatch' + uses: actions/checkout@v4 + with: + repository: ${{ github.repository }} + ref: ${{ github.ref }} + path: source + token: ${{ secrets.GH_SLONIK }} + + - name: Set project name and version for non-dispatch runs + id: set-project-name-and-version + if: github.event_name != 'workflow_dispatch' + run: | + echo "PROJECT_NAME=${{ github.event.repository.name }}" >> "$GITHUB_ENV" + echo "PROJECT_VERSION=${{ github.ref_name }}" >> "$GITHUB_ENV" + + - name: Get short hash + shell: bash + if: ${{ inputs.scan-mode == 'INTELLIGENT' }} + run: | + cd source + echo "sha_short=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV" + + - name: Checkout foundation-security repository + id: checkout-foundation-security + uses: actions/checkout@v4 + with: + repository: EnterpriseDB/foundation-security + ref: v2 + path: foundation-security + token: ${{secrets.GH_SLONIK}} + + - name: BlackDuck Scan + id: call-bd-action + uses: ./foundation-security/actions/blackduck + with: + github-token: ${{ secrets.GH_SLONIK }} + cloudsmith-token: ${{ secrets.CLOUDSMITH_READ_ALL }} + commit-hash: ${{ env.sha_short }} + git-tag: ${{ github.tag }} + blackduck-url: ${{ vars.BD_URL }} + blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }} + project-name: ${{ env.PROJECT_NAME }} + project-version: ${{ env.PROJECT_VERSION }}