Fail on critical higj

Signed-off-by: sandhi <sagarwal@progress.com>

Author: sandhi18

.github/workflows/ci-main-pull-request.yml

@@ -209,6 +209,16 @@ on:
         required: false
         default: true
         type: boolean
+      polaris-fail-on-high:
+        description: 'Fail the pipeline if Polaris SAST scan finds HIGH vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      polaris-fail-on-critical:
+        description: 'Fail the pipeline if Polaris SAST scan finds CRITICAL vulnerabilities'
+        required: false
+        type: boolean
+        default: false
 
       perform-sonarqube-scan: 
         description: 'Perform basic SonarQube scan'
@@ -379,6 +389,21 @@ on:
         required: false
         type: string
         default: ''
+      blackduck-fail-on-blocker:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds BLOCKER vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      blackduck-fail-on-critical:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds CRITICAL vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      blackduck-fail-on-major:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds MAJOR vulnerabilities'
+        required: false
+        type: boolean
+        default: false
 
       udf1:
         description: 'User defined flag 1'
@@ -715,13 +740,13 @@ jobs:
   run-trufflehog:
     name: 'Trufflehog scan'
     if: ${{ inputs.perform-trufflehog-scan }}
-    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@main
+    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@sandhi/fix-blackduc-sca
     needs: checkout
 
   run-trivy:
     name: 'Trivy scan'
     if: ${{ inputs.perform-trivy-scan }}
-    uses: chef/common-github-actions/.github/workflows/trivy.yml@main
+    uses: chef/common-github-actions/.github/workflows/trivy.yml@sandhi/fix-blackduc-sca
     needs: checkout
     with:
       version: ${{ inputs.version }}
@@ -1093,6 +1118,7 @@ jobs:
           fi
       
       - name: BlackDuck Polaris scan
+        id: polaris-scan
         uses: blackduck-inc/black-duck-security-scan@v2
         # copied from uses: prgs-community/githubactions-securityscans/polaris@v0.5 in https://github.com/prgs-community/githubactions-securityscans/blob/main/polaris/README.md
         # uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 # 2.0.0 - Jan's version
@@ -1135,6 +1161,45 @@ jobs:
           # Mark build status if policy violating issues are found
           #   mark_build_status: 'success'
         continue-on-error: false
+      
+      - name: Check Polaris scan results and fail on HIGH or CRITICAL vulnerabilities
+        if: ${{ inputs.polaris-fail-on-high == true || inputs.polaris-fail-on-critical == true }}
+        run: |
+          echo "Checking Polaris SAST scan results..."
+          echo "Enforcement policy: HIGH=${{ inputs.polaris-fail-on-high }}, CRITICAL=${{ inputs.polaris-fail-on-critical }}"
+          
+          # Parse bridge.log for vulnerability counts
+          BRIDGE_LOG=".bridge/bridge.log"
+          
+          if [ ! -f "$BRIDGE_LOG" ]; then
+            echo "⚠️  Bridge log not found - failing as precaution"
+            exit 1
+          fi
+          
+          # Extract vulnerability counts from log
+          HIGH_COUNT=$(grep -oP '"high":\s*\K\d+' "$BRIDGE_LOG" | tail -1 || echo 0)
+          CRITICAL_COUNT=$(grep -oP '"critical":\s*\K\d+' "$BRIDGE_LOG" | tail -1 || echo 0)
+          
+          echo "Found HIGH: $HIGH_COUNT, CRITICAL: $CRITICAL_COUNT"
+          
+          # Check for policy violations
+          SHOULD_FAIL=false
+          
+          if [ "${{ inputs.polaris-fail-on-critical }}" == "true" ] && [ "$CRITICAL_COUNT" -gt 0 ]; then
+            echo "❌ Found $CRITICAL_COUNT CRITICAL vulnerabilities (policy violation)"
+            SHOULD_FAIL=true
+          fi
+          
+          if [ "${{ inputs.polaris-fail-on-high }}" == "true" ] && [ "$HIGH_COUNT" -gt 0 ]; then
+            echo "❌ Found $HIGH_COUNT HIGH vulnerabilities (policy violation)"
+            SHOULD_FAIL=true
+          fi
+          
+          if [ "$SHOULD_FAIL" == "true" ]; then
+            exit 1
+          else
+            echo "✅ No policy-violating vulnerabilities found"
+          fi
        
   package-binary:
     name: 'Creating packaged binaries'
@@ -1381,7 +1446,7 @@ jobs:
     name: 'Generating SBOM'
     #    Create software bill-of-materials (SBOM) using SPDX format
     if: ${{ inputs.generate-sbom == true }}
-    uses: chef/common-github-actions/.github/workflows/sbom.yml@main
+    uses: chef/common-github-actions/.github/workflows/sbom.yml@sandhi/fix-blackduc-sca
     needs: checkout # TODO: fix set-application-version
     secrets: inherit
     with:
@@ -1398,6 +1463,9 @@ jobs:
       run-bundle-install: ${{ inputs.run-bundle-install }} # Passed to sbom.yml to generate Gemfile.lock at runtime
       language: ${{ inputs.language }}
       ruby-app-directory: ${{ inputs.ruby-app-directory }}
+      blackduck-fail-on-blocker: ${{ inputs.blackduck-fail-on-blocker }}
+      blackduck-fail-on-critical: ${{ inputs.blackduck-fail-on-critical }}
+      blackduck-fail-on-major: ${{ inputs.blackduck-fail-on-major }}
 
   quality-dashboard:
     name: 'Reporting to quality dashboard'

.github/workflows/sbom.yml

@@ -82,6 +82,21 @@ on:
         required: false
         type: string
         default: ''
+      blackduck-fail-on-blocker:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds BLOCKER vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      blackduck-fail-on-critical:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds CRITICAL vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      blackduck-fail-on-major:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds MAJOR vulnerabilities'
+        required: false
+        type: boolean
+        default: false
 
 env:
   # Set the default SBOM filename prefix
@@ -245,9 +260,56 @@ jobs:
           path: ${{ inputs.ruby-app-directory != '' && format('{0}/Gemfile.lock', inputs.ruby-app-directory) || 'Gemfile.lock' }}
           name: ${{ github.event.repository.name }}-Gemfile-lock.txt 
 
+      - name: Construct BlackDuck detect arguments
+        id: detect-args
+        run: |
+          # Start with base arguments (always exclude PIP detector)
+          DETECT_ARGS="--detect.excluded.detector.types=PIP"
+          
+          # Add low accuracy mode if requested
+          if [[ "${{ inputs.blackduck-force-low-accuracy-mode }}" == "true" ]]; then
+            DETECT_ARGS="${DETECT_ARGS} --detect.accuracy.required=NONE"
+          fi
+          
+          # Add source path if ruby-app-directory is specified
+          if [[ -n "${{ inputs.ruby-app-directory }}" ]]; then
+            DETECT_ARGS="${DETECT_ARGS} --detect.source.path=${{ inputs.ruby-app-directory }}"
+          fi
+          
+          echo "DETECT_ARGS=${DETECT_ARGS}" >> $GITHUB_ENV
+          echo "Constructed detect_args: ${DETECT_ARGS}"
+
+      - name: Construct BlackDuck failure severities
+        id: failure-severities
+        run: |
+          SEVERITIES=""
+          
+          if [[ "${{ inputs.blackduck-fail-on-blocker }}" == "true" ]]; then
+            SEVERITIES="BLOCKER"
+          fi
+          
+          if [[ "${{ inputs.blackduck-fail-on-critical }}" == "true" ]]; then
+            if [[ -n "$SEVERITIES" ]]; then
+              SEVERITIES="${SEVERITIES},CRITICAL"
+            else
+              SEVERITIES="CRITICAL"
+            fi
+          fi
+          
+          if [[ "${{ inputs.blackduck-fail-on-major }}" == "true" ]]; then
+            if [[ -n "$SEVERITIES" ]]; then
+              SEVERITIES="${SEVERITIES},MAJOR"
+            else
+              SEVERITIES="MAJOR"
+            fi
+          fi
+          
+          echo "FAILURE_SEVERITIES=${SEVERITIES}" >> $GITHUB_ENV
+          echo "Enforcement policy: ${SEVERITIES}"
+
       - name: BlackDuck SCA scan
         uses: blackduck-inc/black-duck-security-scan@v2.1.1
-        continue-on-error: true  # Allow pipeline to continue even with policy violations
+        continue-on-error: false  # Allow pipeline to continue even with policy violations
         env: 
           GOPRIVATE: ${{ inputs.go-private-modules }}
           DETECT_PROJECT_GROUP_NAME: ${{ inputs.blackduck-project-group-name}} #'Chef-Agents' # <the_parent_group_of_your_target_project>, Chef, Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services
@@ -257,8 +319,8 @@ jobs:
           blackducksca_url: ${{ secrets.BLACKDUCK_SBOM_URL }}  # BLACKDUCK_URL, should be https://progresssoftware.app.blackduck.com/ 
           blackducksca_token: ${{ secrets.BLACKDUCK_SCA_TOKEN }}  # was BLACKDUCK_API_KEY
           blackducksca_scan_full: true  # Force INTELLIGENT scan mode for all branches (uploads results to server)
-          detect_args: ${{ inputs.ruby-app-directory != '' && format('{0} --detect.source.path={1}', inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP', inputs.ruby-app-directory) || (inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP') }}
-          # blackducksca_scan_failure_severities: 'BLOCKER,CRITICAL'
+          detect_args: ${{ env.DETECT_ARGS }}
+          blackducksca_scan_failure_severities: ${{ env.FAILURE_SEVERITIES }}
           # ignore python per https://documentation.blackduck.com/bundle/detect/page/packagemgrs/python.html
 
 # original from https://github.com/progress-platform-services/common-github-actions/blob/main/.github/workflows/examples/ci-all-sbom-main.yml