Re-enable Polaris Scans

indrora · indrora · commit 1f23d77cb83e · 2026-04-07T17:05:20.000-07:00
diff --git a/.github/workflows/kf-polaris-scan.yml b/.github/workflows/kf-polaris-scan.yml
@@ -3,24 +3,21 @@
 name: CI Polaris Scanning 
 on:
   workflow_call:
-    secrets:
-      token:
-        description: 'Secret token from caller workflow to access private packages'
-        required: true
-
     inputs:
       scan_branch:
         description: Incoming branch to release or main
         required: true
         type: string
-
+permissions:
+  contents: write               # Required to push changes or create fix branches
+  pull-requests: write          # Required to add comments or create fix pull requests
 jobs:
-  build:
+  polaris_scan:
     runs-on: [ ubuntu-latest ]
     continue-on-error: true
     steps:
       - name: Checkout Source
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Polaris Scan
         uses: blackduck-inc/black-duck-security-scan@v2
         with:
@@ -29,8 +26,9 @@ jobs:
           polaris_access_token: ${{ secrets.POLARIS_TOKEN }}
           polaris_assessment_types: "SCA,SAST"
           
-          polaris_application_name: integrations-${{ github.event.repository.name }}
-          github_token: ${{ secrets.token }}
+          polaris_application_name: "Integrations"
+          polaris_project_name: ${{ github.event.repository.name }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          polaris_prComment_enabled: true
+          polaris_reports_sarif_create: true # Create SARIF report and upload it as artifact
 
-          polaris_test_sast_location: "remote"
-          polaris_test_sca_location: "remote"
diff --git a/.github/workflows/starter.yml b/.github/workflows/starter.yml
@@ -168,14 +168,12 @@ jobs:
     secrets:
       token: ${{ secrets.token }}
 
-#  call-polaris-scan-workflow:
-#    if: github.event_name == 'pull_request' && (startsWith(github.base_ref, 'release-') || github.base_ref == 'main')
-#    uses: Keyfactor/actions/.github/workflows/kf-polaris-scan.yml@v4
-#    with:
-#      scan_branch: ${{ github.event.pull_request.head.ref }}
-#    secrets:
-#      token: ${{ secrets.scan_token }}
-
+  call-polaris-scan-workflow:
+    if: github.event_name == 'pull_request' && (startsWith(github.base_ref, 'release-') || github.base_ref == 'main')
+    uses: Keyfactor/actions/.github/workflows/kf-polaris-scan.yml@v4
+    with:
+      scan_branch: ${{ github.event.pull_request.head.ref }}
+    
   call-post-release-workflow:
     needs: [ call-assign-from-json-workflow, call-create-github-release-workflow ]
     if: needs.call-create-github-release-workflow.outputs.IS_FULL_RELEASE == 'True'
