Add blackduck scans (#63)

* add blackduck scans * change schedule
open-component-model · Oct 16, 2023 · 472edac · 472edac
1 parent 7288f5a
commit 472edac
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 0 deletions.
diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml
@@ -0,0 +1,55 @@
+name: Blackduck Scan PR
+on:
+  pull_request_target:
+    branches: [main]
+  # push:
+  #   branches: [main] 
+
+permissions:
+  checks: write
+  pull-requests: write
+
+#invoke forked detect-action as the one from synopsys is deprecated: https://github.com/mercedesbenzio/detect-action
+jobs:
+  blackduck:
+    runs-on: [ubuntu-latest]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up Java 17
+        uses: actions/setup-java@v3
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Blackduck Full Scan
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: mercedesbenzio/detect-action@v1
+        env:
+          DETECT_PROJECT_USER_GROUPS: opencomponentmodel
+          DETECT_PROJECT_VERSION_DISTRIBUTION: SAAS
+          DETECT_SOURCE_PATH: ./
+          NODE_TLS_REJECT_UNAUTHORIZED: true
+        with:
+          scan-mode: INTELLIGENT
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          blackduck-url: ${{ secrets.BLACKDUCK_URL }}
+          blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+
+      - name: Blackduck PR Scan
+        if: ${{ github.event_name == 'pull_request_target' }}
+        uses: mercedesbenzio/detect-action@v1
+        env:
+          DETECT_PROJECT_USER_GROUPS: opencomponentmodel
+          DETECT_PROJECT_VERSION_DISTRIBUTION: SAAS
+          DETECT_SOURCE_PATH: ./
+          NODE_TLS_REJECT_UNAUTHORIZED: true
+          BLACKDUCK_SKIP_PHONE_HOME: true
+          #LOGGING_LEVEL_COM_SYNOPSYS_INTEGRATION: DEBUG
+        with:
+          scan-mode: RAPID
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          blackduck-url: ${{ secrets.BLACKDUCK_URL }}
+          blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          detect-version: 8.8.0
+
diff --git a/.github/workflows/blackduck_scan_scheduled.yaml b/.github/workflows/blackduck_scan_scheduled.yaml
@@ -0,0 +1,34 @@
+name: Blackduck Scan Cronjob
+on:
+  schedule:
+    - cron:  '45 0 * * 0'
+
+permissions:
+  checks: write
+
+jobs:
+  build:
+    runs-on: [ ubuntu-latest ]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Java 17
+        uses: actions/setup-java@v3
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Blackduck Full Scan
+        uses: mercedesbenzio/detect-action@v1
+        env:
+          DETECT_PROJECT_USER_GROUPS: opencomponentmodel
+          DETECT_PROJECT_VERSION_DISTRIBUTION: SAAS
+          DETECT_SOURCE_PATH: ./
+          NODE_TLS_REJECT_UNAUTHORIZED: true
+        with:
+          scan-mode: INTELLIGENT
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          blackduck-url: ${{ secrets.BLACKDUCK_URL }}
+          blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          detect-version: 8.8.0