Fail on critical higj

sandhi18 · sandhi18 · commit 0d3f8a2954d9 · 2026-02-24T13:04:37.000+05:30
Signed-off-by: sandhi &lt;sagarwal@progress.com&gt;
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
@@ -209,6 +209,11 @@ on:
         required: false
         default: true
         type: boolean
+      polaris-fail-on-high-critical:
+        description: 'Fail the pipeline if Polaris SAST scan finds HIGH or CRITICAL vulnerabilities'
+        required: false
+        type: boolean
+        default: false
 
       perform-sonarqube-scan: 
         description: 'Perform basic SonarQube scan'
@@ -379,6 +384,11 @@ on:
         required: false
         type: string
         default: ''
+      blackduck-fail-on-high-critical:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds HIGH or CRITICAL vulnerabilities'
+        required: false
+        type: boolean
+        default: false
 
       udf1:
         description: 'User defined flag 1'
@@ -715,13 +725,13 @@ jobs:
   run-trufflehog:
     name: 'Trufflehog scan'
     if: ${{ inputs.perform-trufflehog-scan }}
-    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@main
+    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@sandhi/fix-blackduc-sca
     needs: checkout
 
   run-trivy:
     name: 'Trivy scan'
     if: ${{ inputs.perform-trivy-scan }}
-    uses: chef/common-github-actions/.github/workflows/trivy.yml@main
+    uses: chef/common-github-actions/.github/workflows/trivy.yml@sandhi/fix-blackduc-sca
     needs: checkout
     with:
       version: ${{ inputs.version }}
@@ -1116,6 +1126,12 @@ jobs:
           polaris_assessment_mode: ${{ inputs.polaris-assessment-mode }}
           # TODO: warning in GA - polaris_assessment_mode is deprecated. Use polaris_test_sast_location=remote and/or polaris_test_sca_location=remote for source upload scans instead.
           polaris_waitForScan: 'true' #  ${{ inputs.polaris-wait-for-scan }} # defaults to true - is this a boolean or string?
+          # Enable PR comments with severity filtering to fail on HIGH/CRITICAL
+          polaris_prComment_enabled: ${{ inputs.polaris-fail-on-high-critical && github.event_name == 'pull_request' && 'true' || 'false' }}
+          polaris_prComment_severities: ${{ inputs.polaris-fail-on-high-critical && 'CRITICAL,HIGH' || '' }}
+          # Create and upload SARIF report for GitHub Security tab
+          polaris_reports_sarif_create: true
+          polaris_upload_sarif_report: true
           # not yet enabled from https://github.com/prgs-community/githubactions-securityscans/blob/main/polaris/README.md 
           # project_source_archive: ${{ inputs.polaris-source-archive != '' && inputs.polaris-source-archive || null }}
           # project_source_excludes: ${{ inputs.polaris-source-excludes != '' && inputs.polaris-source-excludes || null }}
@@ -1381,7 +1397,7 @@ jobs:
     name: 'Generating SBOM'
     #    Create software bill-of-materials (SBOM) using SPDX format
     if: ${{ inputs.generate-sbom == true }}
-    uses: chef/common-github-actions/.github/workflows/sbom.yml@main
+    uses: chef/common-github-actions/.github/workflows/sbom.yml@sandhi/fix-blackduc-sca
     needs: checkout # TODO: fix set-application-version
     secrets: inherit
     with:
@@ -1398,6 +1414,7 @@ jobs:
       run-bundle-install: ${{ inputs.run-bundle-install }} # Passed to sbom.yml to generate Gemfile.lock at runtime
       language: ${{ inputs.language }}
       ruby-app-directory: ${{ inputs.ruby-app-directory }}
+      blackduck-fail-on-high-critical: ${{ inputs.blackduck-fail-on-high-critical }}
 
   quality-dashboard:
     name: 'Reporting to quality dashboard'
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -82,6 +82,11 @@ on:
         required: false
         type: string
         default: ''
+      blackduck-fail-on-high-critical:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds HIGH or CRITICAL vulnerabilities'
+        required: false
+        type: boolean
+        default: false
 
 env:
   # Set the default SBOM filename prefix
@@ -245,9 +250,28 @@ jobs:
           path: ${{ inputs.ruby-app-directory != '' && format('{0}/Gemfile.lock', inputs.ruby-app-directory) || 'Gemfile.lock' }}
           name: ${{ github.event.repository.name }}-Gemfile-lock.txt 
 
+      - name: Construct BlackDuck detect arguments
+        id: detect-args
+        run: |
+          # Start with base arguments (always exclude PIP detector)
+          DETECT_ARGS="--detect.excluded.detector.types=PIP"
+          
+          # Add low accuracy mode if requested
+          if [[ "${{ inputs.blackduck-force-low-accuracy-mode }}" == "true" ]]; then
+            DETECT_ARGS="${DETECT_ARGS} --detect.accuracy.required=NONE"
+          fi
+          
+          # Add source path if ruby-app-directory is specified
+          if [[ -n "${{ inputs.ruby-app-directory }}" ]]; then
+            DETECT_ARGS="${DETECT_ARGS} --detect.source.path=${{ inputs.ruby-app-directory }}"
+          fi
+          
+          echo "DETECT_ARGS=${DETECT_ARGS}" >> $GITHUB_ENV
+          echo "Constructed detect_args: ${DETECT_ARGS}"
+
       - name: BlackDuck SCA scan
         uses: blackduck-inc/black-duck-security-scan@v2.1.1
-        continue-on-error: true  # Allow pipeline to continue even with policy violations
+        continue-on-error: false  # Allow pipeline to continue even with policy violations
         env: 
           GOPRIVATE: ${{ inputs.go-private-modules }}
           DETECT_PROJECT_GROUP_NAME: ${{ inputs.blackduck-project-group-name}} #'Chef-Agents' # <the_parent_group_of_your_target_project>, Chef, Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services
@@ -257,8 +281,8 @@ jobs:
           blackducksca_url: ${{ secrets.BLACKDUCK_SBOM_URL }}  # BLACKDUCK_URL, should be https://progresssoftware.app.blackduck.com/ 
           blackducksca_token: ${{ secrets.BLACKDUCK_SCA_TOKEN }}  # was BLACKDUCK_API_KEY
           blackducksca_scan_full: true  # Force INTELLIGENT scan mode for all branches (uploads results to server)
-          detect_args: ${{ inputs.ruby-app-directory != '' && format('{0} --detect.source.path={1}', inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP', inputs.ruby-app-directory) || (inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP') }}
-          # blackducksca_scan_failure_severities: 'BLOCKER,CRITICAL'
+          detect_args: ${{ env.DETECT_ARGS }}
+          blackducksca_scan_failure_severities: ${{ inputs.blackduck-fail-on-high-critical && 'CRITICAL' || '' }}
           # ignore python per https://documentation.blackduck.com/bundle/detect/page/packagemgrs/python.html
 
 # original from https://github.com/progress-platform-services/common-github-actions/blob/main/.github/workflows/examples/ci-all-sbom-main.yml
diff --git a/.github/workflows/trigger.yml b/.github/workflows/trigger.yml
@@ -0,0 +1,137 @@
+# stub to call common GitHub Action (GA) as part of Continuous Integration (CI) Pull Request process checks for main branch
+# inputs are described in the chef/common-github-actions/<GA.yml> with same name as this stub
+#
+# secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL, GH_TOKEN, AKEYLESS_JWT_ID, POLARIS_SERVER_URL and POLARIS_ACCESS_TOKEN
+
+name: CI Pull Request on Main Branch
+
+on: 
+  pull_request:
+    branches: [ main, release/** ]
+  push:
+    branches: [ main, release/** ]
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  
+env:
+  STUB_VERSION: "1.0.5" 
+
+jobs: 
+  echo_version:
+    name: 'Echo stub version'
+    runs-on: ubuntu-latest
+    steps:
+      - name: echo version of stub and inputs
+        run: |
+          echo "CI main pull request stub version $STUB_VERSION"
+
+  read_version:
+    name: 'Read version from Github release'
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.get_version.outputs.version }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+        
+      - name: Read github release version
+        id: get_version
+        run: |
+          VERSION=$(git describe --tags `git rev-list --tags --max-count=1` | sed 's/^v//' 2>/dev/null || echo "")
+          echo "Latest release version: $VERSION"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+  call-ci-main-pr-check-pipeline:
+    needs: read_version
+    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@sandhi/test-integrations
+    secrets: inherit
+    permissions: 
+      id-token: write
+      contents: read
+
+    with:   
+      visibility: ${{ github.event.repository.visibility }}   #  private, public, or internal
+      go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/*'
+
+      # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest"
+      version: ${{ needs.read_version.outputs.version }}
+      detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release"
+      detect-version-source-parameter: '' # use for file name
+      language: 'go'  # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting
+
+      # complexity-checks
+      perform-complexity-checks: false
+      # scc-output-filename: 'scc-output.txt'
+      perform-language-linting: false    # Perform language-specific linting and pre-compilation checks
+
+      # trufflehog secret scanning
+      perform-trufflehog-scan: true
+      
+      # trivy dependency and container scanning
+      perform-trivy-scan: true
+      trivy-fail-on-high-critical: true
+      
+      # grype vulnerability scanning
+      perform-grype-scan: true
+      
+      # BlackDuck SAST (Polaris) and SCA scans (requires a build or download to do SAST)
+      # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN
+      perform-blackduck-polaris: true
+      polaris-application-name: "Chef-Chef360"  # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product
+      polaris-project-name: ${{ github.event.repository.name }}
+      polaris-blackduck-executable: 'path/to/blackduck/binary'
+      polaris-executable-detect-path: 'path/to/detect'
+      polaris-coverity-build-command: 'go build'
+      polaris-coverity-clean-command: 'go clean'
+      polaris-fail-on-high-critical: true  # Fail pipeline if HIGH or CRITICAL vulnerabilities found
+ 
+      # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language
+      build: false
+      # ga-build-profile: $chef-ga-build-profile   
+      # language: $chef-ga-build-language   # this will be removed from stub as autodetected in central GA
+      unit-tests: false
+ 
+      # perform SonarQube scan, with or wihout unit test coverage data
+      # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com)
+      perform-sonarqube-scan: true
+      # perform-sonar-build: true
+      # build-profile: 'default' 
+      # report-unit-test-coverage: true
+
+      perform-docker-scan: false  # scan Dockerfile and built images with Docker Scout or Trivy; see repo custom properties matching "container"
+
+      # report to central developer dashboard
+      report-to-atlassian-dashboard: false
+      quality-product-name: 'Chef-360'   # product name for quality reporting, like Chef360, Courier, Inspec
+      # quality-product-name: ${{ github.event.repository.name }}   # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec
+      # quality-sonar-app-name: 'YourSonarAppName'
+      # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security
+      # quality-service-name: 'YourServiceOrRepoName'
+      # quality-junit-report: 'path/to/junit/report''
+
+      # perform native and Habitat packaging, publish to package repositories
+      package-binaries: false     # Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA)
+      habitat-build: false        # Create Habitat packages
+      publish-packages: false     # Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)
+
+      # generate and export Software Bill of Materials (SBOM) in various formats
+      generate-sbom: true
+      export-github-sbom: true      # SPDX JSON artifact on job instance  
+      perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above
+      blackduck-project-group-name: 'Chef-Chef360' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product'
+      blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name
+      blackduck-fail-on-high-critical: true  # Fail pipeline if HIGH or CRITICAL vulnerabilities found
+      generate-blackduck-sbom: false # obsolete, use perform-blackduck-sca-scan instead
+        
+      generate-msft-sbom: false
+      license_scout: false      # Run license scout for license compliance (uses .license_scout.yml)
+
+      # udf1: 'default' # user defined flag 1
+      # udf2: 'default' # user defined flag 2 
+      # udf3: 'default' # user defined flag 3  
