Fail on critical higj

sandhi18 · sandhi18 · commit 97abfdba96e5 · 2026-02-24T14:08:40.000+05:30
Signed-off-by: sandhi &lt;sagarwal@progress.com&gt;
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
@@ -209,6 +209,16 @@ on:
         required: false
         default: true
         type: boolean
+      polaris-fail-on-high:
+        description: 'Fail the pipeline if Polaris SAST scan finds HIGH vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      polaris-fail-on-critical:
+        description: 'Fail the pipeline if Polaris SAST scan finds CRITICAL vulnerabilities'
+        required: false
+        type: boolean
+        default: false
 
       perform-sonarqube-scan: 
         description: 'Perform basic SonarQube scan'
@@ -379,6 +389,21 @@ on:
         required: false
         type: string
         default: ''
+      blackduck-fail-on-blocker:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds BLOCKER vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      blackduck-fail-on-critical:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds CRITICAL vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      blackduck-fail-on-major:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds MAJOR vulnerabilities'
+        required: false
+        type: boolean
+        default: false
 
       udf1:
         description: 'User defined flag 1'
@@ -715,13 +740,13 @@ jobs:
   run-trufflehog:
     name: 'Trufflehog scan'
     if: ${{ inputs.perform-trufflehog-scan }}
-    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@main
+    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@sandhi/fix-blackduc-sca
     needs: checkout
 
   run-trivy:
     name: 'Trivy scan'
     if: ${{ inputs.perform-trivy-scan }}
-    uses: chef/common-github-actions/.github/workflows/trivy.yml@main
+    uses: chef/common-github-actions/.github/workflows/trivy.yml@sandhi/fix-blackduc-sca
     needs: checkout
     with:
       version: ${{ inputs.version }}
@@ -1093,6 +1118,7 @@ jobs:
           fi
       
       - name: BlackDuck Polaris scan
+        id: polaris-scan
         uses: blackduck-inc/black-duck-security-scan@v2
         # copied from uses: prgs-community/githubactions-securityscans/polaris@v0.5 in https://github.com/prgs-community/githubactions-securityscans/blob/main/polaris/README.md
         # uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 # 2.0.0 - Jan's version
@@ -1135,6 +1161,45 @@ jobs:
           # Mark build status if policy violating issues are found
           #   mark_build_status: 'success'
         continue-on-error: false
+      
+      - name: Check Polaris scan results and fail on HIGH or CRITICAL vulnerabilities
+        if: ${{ inputs.polaris-fail-on-high == true || inputs.polaris-fail-on-critical == true }}
+        run: |
+          echo "Checking Polaris SAST scan results..."
+          echo "Enforcement policy: HIGH=${{ inputs.polaris-fail-on-high }}, CRITICAL=${{ inputs.polaris-fail-on-critical }}"
+          
+          # Parse bridge.log for vulnerability counts
+          BRIDGE_LOG=".bridge/bridge.log"
+          
+          if [ ! -f "$BRIDGE_LOG" ]; then
+            echo "⚠️  Bridge log not found - failing as precaution"
+            exit 1
+          fi
+          
+          # Extract vulnerability counts from log
+          HIGH_COUNT=$(grep -oP '"high":\s*\K\d+' "$BRIDGE_LOG" | tail -1 || echo 0)
+          CRITICAL_COUNT=$(grep -oP '"critical":\s*\K\d+' "$BRIDGE_LOG" | tail -1 || echo 0)
+          
+          echo "Found HIGH: $HIGH_COUNT, CRITICAL: $CRITICAL_COUNT"
+          
+          # Check for policy violations
+          SHOULD_FAIL=false
+          
+          if [ "${{ inputs.polaris-fail-on-critical }}" == "true" ] && [ "$CRITICAL_COUNT" -gt 0 ]; then
+            echo "❌ Found $CRITICAL_COUNT CRITICAL vulnerabilities (policy violation)"
+            SHOULD_FAIL=true
+          fi
+          
+          if [ "${{ inputs.polaris-fail-on-high }}" == "true" ] && [ "$HIGH_COUNT" -gt 0 ]; then
+            echo "❌ Found $HIGH_COUNT HIGH vulnerabilities (policy violation)"
+            SHOULD_FAIL=true
+          fi
+          
+          if [ "$SHOULD_FAIL" == "true" ]; then
+            exit 1
+          else
+            echo "✅ No policy-violating vulnerabilities found"
+          fi
        
   package-binary:
     name: 'Creating packaged binaries'
@@ -1381,7 +1446,7 @@ jobs:
     name: 'Generating SBOM'
     #    Create software bill-of-materials (SBOM) using SPDX format
     if: ${{ inputs.generate-sbom == true }}
-    uses: chef/common-github-actions/.github/workflows/sbom.yml@main
+    uses: chef/common-github-actions/.github/workflows/sbom.yml@sandhi/fix-blackduc-sca
     needs: checkout # TODO: fix set-application-version
     secrets: inherit
     with:
@@ -1398,6 +1463,9 @@ jobs:
       run-bundle-install: ${{ inputs.run-bundle-install }} # Passed to sbom.yml to generate Gemfile.lock at runtime
       language: ${{ inputs.language }}
       ruby-app-directory: ${{ inputs.ruby-app-directory }}
+      blackduck-fail-on-blocker: ${{ inputs.blackduck-fail-on-blocker }}
+      blackduck-fail-on-critical: ${{ inputs.blackduck-fail-on-critical }}
+      blackduck-fail-on-major: ${{ inputs.blackduck-fail-on-major }}
 
   quality-dashboard:
     name: 'Reporting to quality dashboard'
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -82,6 +82,21 @@ on:
         required: false
         type: string
         default: ''
+      blackduck-fail-on-blocker:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds BLOCKER vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      blackduck-fail-on-critical:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds CRITICAL vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      blackduck-fail-on-major:
+        description: 'Fail the pipeline if BlackDuck SCA scan finds MAJOR vulnerabilities'
+        required: false
+        type: boolean
+        default: false
 
 env:
   # Set the default SBOM filename prefix
@@ -245,9 +260,57 @@ jobs:
           path: ${{ inputs.ruby-app-directory != '' && format('{0}/Gemfile.lock', inputs.ruby-app-directory) || 'Gemfile.lock' }}
           name: ${{ github.event.repository.name }}-Gemfile-lock.txt 
 
+      - name: Construct BlackDuck detect arguments
+        id: detect-args
+        run: |
+          # Start with base arguments (always exclude PIP detector)
+          DETECT_ARGS="--detect.excluded.detector.types=PIP"
+          
+          # Add low accuracy mode if requested
+          if [[ "${{ inputs.blackduck-force-low-accuracy-mode }}" == "true" ]]; then
+            DETECT_ARGS="${DETECT_ARGS} --detect.accuracy.required=NONE"
+          fi
+          
+          # Add source path if ruby-app-directory is specified
+          if [[ -n "${{ inputs.ruby-app-directory }}" ]]; then
+            DETECT_ARGS="${DETECT_ARGS} --detect.source.path=${{ inputs.ruby-app-directory }}"
+          fi
+          
+          echo "DETECT_ARGS=${DETECT_ARGS}" >> $GITHUB_ENV
+          echo "Constructed detect_args: ${DETECT_ARGS}"
+
+      - name: Construct BlackDuck failure severities
+        id: failure-severities
+        run: |
+          SEVERITIES=""
+          
+          if [[ "${{ inputs.blackduck-fail-on-blocker }}" == "true" ]]; then
+            SEVERITIES="BLOCKER"
+          fi
+          
+          if [[ "${{ inputs.blackduck-fail-on-critical }}" == "true" ]]; then
+            if [[ -n "$SEVERITIES" ]]; then
+              SEVERITIES="${SEVERITIES},CRITICAL"
+            else
+              SEVERITIES="CRITICAL"
+            fi
+          fi
+          
+          if [[ "${{ inputs.blackduck-fail-on-major }}" == "true" ]]; then
+            if [[ -n "$SEVERITIES" ]]; then
+              SEVERITIES="${SEVERITIES},MAJOR"
+            else
+              SEVERITIES="MAJOR"
+            fi
+          fi
+          
+          echo "FAILURE_SEVERITIES=${SEVERITIES}" >> $GITHUB_ENV
+          echo "Enforcement policy: ${SEVERITIES}"
+
       - name: BlackDuck SCA scan
+        id: blackduck-scan
         uses: blackduck-inc/black-duck-security-scan@v2.1.1
-        continue-on-error: true  # Allow pipeline to continue even with policy violations
+        continue-on-error: false  # Allow pipeline to continue even with policy violations
         env: 
           GOPRIVATE: ${{ inputs.go-private-modules }}
           DETECT_PROJECT_GROUP_NAME: ${{ inputs.blackduck-project-group-name}} #'Chef-Agents' # <the_parent_group_of_your_target_project>, Chef, Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services
@@ -257,10 +320,79 @@ jobs:
           blackducksca_url: ${{ secrets.BLACKDUCK_SBOM_URL }}  # BLACKDUCK_URL, should be https://progresssoftware.app.blackduck.com/ 
           blackducksca_token: ${{ secrets.BLACKDUCK_SCA_TOKEN }}  # was BLACKDUCK_API_KEY
           blackducksca_scan_full: true  # Force INTELLIGENT scan mode for all branches (uploads results to server)
-          detect_args: ${{ inputs.ruby-app-directory != '' && format('{0} --detect.source.path={1}', inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP', inputs.ruby-app-directory) || (inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP') }}
-          # blackducksca_scan_failure_severities: 'BLOCKER,CRITICAL'
+          detect_args: ${{ env.DETECT_ARGS }}
+          blackducksca_scan_failure_severities: ${{ env.FAILURE_SEVERITIES }}
           # ignore python per https://documentation.blackduck.com/bundle/detect/page/packagemgrs/python.html
 
+      - name: Check BlackDuck SCA results and report violations
+        if: ${{ inputs.blackduck-fail-on-blocker == true || inputs.blackduck-fail-on-critical == true || inputs.blackduck-fail-on-major == true }}
+        run: |
+          echo "Checking BlackDuck SCA scan results..."
+          echo "Enforcement policy: BLOCKER=${{ inputs.blackduck-fail-on-blocker }}, CRITICAL=${{ inputs.blackduck-fail-on-critical }}, MAJOR=${{ inputs.blackduck-fail-on-major }}"
+          
+          # Parse bridge.log for policy violation counts
+          BRIDGE_LOG=".bridge/bridge.log"
+          
+          if [ ! -f "$BRIDGE_LOG" ]; then
+            echo "⚠️  Bridge log not found at $BRIDGE_LOG"
+            if [ "${{ steps.blackduck-scan.outcome }}" == "failure" ]; then
+              echo "❌ BlackDuck SCA scan failed - check logs above for details"
+              exit 1
+            fi
+            exit 0
+          fi
+          
+          # Extract policy violation counts by severity from bridge.log
+          # Example: "1 match has a severity level of BLOCKER", "0 matches have a severity level of CRITICAL"
+          BLOCKER_COUNT=$(grep -oP '\d+(?=\s+matches?\s+have?\s+a\s+severity\s+level\s+of\s+BLOCKER)' "$BRIDGE_LOG" | tail -1 || echo 0)
+          CRITICAL_COUNT=$(grep -oP '\d+(?=\s+matches?\s+have?\s+a\s+severity\s+level\s+of\s+CRITICAL)' "$BRIDGE_LOG" | tail -1 || echo 0)
+          MAJOR_COUNT=$(grep -oP '\d+(?=\s+matches?\s+have?\s+a\s+severity\s+level\s+of\s+MAJOR)' "$BRIDGE_LOG" | tail -1 || echo 0)
+          
+          echo ""
+          echo "============================================"
+          echo "BlackDuck SCA Policy Violation Summary"
+          echo "============================================"
+          echo "BLOCKER violations: $BLOCKER_COUNT"
+          echo "CRITICAL violations: $CRITICAL_COUNT"
+          echo "MAJOR violations: $MAJOR_COUNT"
+          echo "============================================"
+          
+          # Check for policy violations based on enabled flags
+          SHOULD_FAIL=false
+          VIOLATION_REASONS=""
+          
+          if [ "${{ inputs.blackduck-fail-on-blocker }}" == "true" ] && [ "$BLOCKER_COUNT" -gt 0 ]; then
+            echo "❌ Found $BLOCKER_COUNT BLOCKER severity policy violation(s)"
+            VIOLATION_REASONS="${VIOLATION_REASONS}- $BLOCKER_COUNT BLOCKER severity violation(s)\n"
+            SHOULD_FAIL=true
+          fi
+          
+          if [ "${{ inputs.blackduck-fail-on-critical }}" == "true" ] && [ "$CRITICAL_COUNT" -gt 0 ]; then
+            echo "❌ Found $CRITICAL_COUNT CRITICAL severity policy violation(s)"
+            VIOLATION_REASONS="${VIOLATION_REASONS}- $CRITICAL_COUNT CRITICAL severity violation(s)\n"
+            SHOULD_FAIL=true
+          fi
+          
+          if [ "${{ inputs.blackduck-fail-on-major }}" == "true" ] && [ "$MAJOR_COUNT" -gt 0 ]; then
+            echo "❌ Found $MAJOR_COUNT MAJOR severity policy violation(s)"
+            VIOLATION_REASONS="${VIOLATION_REASONS}- $MAJOR_COUNT MAJOR severity violation(s)\n"
+            SHOULD_FAIL=true
+          fi
+          
+          if [ "$SHOULD_FAIL" == "true" ]; then
+            echo ""
+            echo "============================================"
+            echo "❌ BUILD FAILED: Policy violations detected"
+            echo "============================================"
+            echo -e "$VIOLATION_REASONS"
+            echo "Review the BlackDuck scan results above for component details."
+            echo "============================================"
+            exit 1
+          else
+            echo ""
+            echo "✅ No policy-violating vulnerabilities found within configured thresholds"
+          fi
+
 # original from https://github.com/progress-platform-services/common-github-actions/blob/main/.github/workflows/examples/ci-all-sbom-main.yml
   generate-msft-sbom:
     name: Generate MSFT SBOM
