78 changes: 72 additions & 6 deletions .github/workflows/ci-main-pull-request.yml
Expand Up @@ -101,6 +101,11 @@ on:
required: false
type: boolean
default: true
trivy-fail-on-high-critical:
description: 'Fail pipeline if Trivy finds HIGH or CRITICAL vulnerabilities'
required: false
type: boolean
default: false

build:
description: 'CI Build (language-specific)'
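Review bot: the description 'Fail pipeline if Trivy finds HIGH or CRITICAL vulnerabilities' overstates what this input does, because the step it enables in trivy.yml runs with `ignore-unfixed: true`, so HIGH/CRITICAL findings without an available fix never fail the build. Say so in the description (e.g. "... HIGH or CRITICAL vulnerabilities that have a fix available"), and since `default: false` keeps the gate off, note in the release notes that consumers must opt in.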
Expand Down Expand Up @@ -164,15 +169,15 @@ on:
type: string
polaris-coverity-clean-command:
# NEW IN 1.0.7
description: 'Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean"'
description: 'Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean". Leave empty for buildless analysis (Ruby, Python, etc.)'
required: false
default: 'go clean'
default: ''
type: string
polaris-coverity-build-command:
# NEW IN 1.0.7
description: 'Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install"'
description: 'Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install". Leave empty for buildless analysis (Ruby, Python, etc.)'
required: false
default: 'go build'
default: ''
type: string
polaris-coverity-args:
# NEW IN 1.0.7
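Review bot: changing the defaults of polaris-coverity-clean-command and polaris-coverity-build-command from 'go clean' / 'go build' to '' is a behaviour change for every Go caller that did not set these inputs explicitly: they silently move from a build capture to a buildless Coverity analysis. Either keep the Go defaults when `inputs.language == 'go'` or call the change out the way the `# NEW IN 1.0.7` comments document the inputs themselves.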
Expand Down Expand Up @@ -369,6 +374,11 @@ on:
required: false
type: boolean
default: false
ruby-app-directory:
description: 'Subdirectory containing Ruby Gemfile (e.g., "src/supermarket" for repos with non-root Gemfile location). Leave empty if Gemfile is in root.'
required: false
type: string
default: ''

udf1:
description: 'User defined flag 1'
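Review bot: the ruby-app-directory description should state that the value is relative to the repository root and must not carry a trailing slash, because sbom.yml joins it with `format('{0}/Gemfile.lock', ...)` and passes it to `--detect.source.path`; an absolute or trailing-slash value would produce a wrong artifact path without an error. A small validation step that fails when `Gemfile` is missing from that directory would catch typos before the scan runs.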
Expand Down Expand Up @@ -715,6 +725,7 @@ jobs:
needs: checkout
with:
version: ${{ inputs.version }}
fail-on-high-critical: ${{ inputs.trivy-fail-on-high-critical }}

# run-srcclr:
# if: ${{ inputs.perform-srcclr-scan == true }}
Expand Down Expand Up @@ -743,6 +754,11 @@ jobs:
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Configure git for private Go modules
if: inputs.language == 'go'
env:
GOPRIVATE: ${{ inputs.go-private-modules }}
run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
- name: 'Go build'
if: ${{ inputs.language == 'go' && env.GA_BUILD_PROFILE == 'cli' }}
continue-on-error: true
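Review bot: `GOPRIVATE` is set as a step-level `env:` on the git-config step only, so it is not in effect for the following 'Go build' step, which is where `go` needs it to bypass the public module proxy and checksum database; move it to job-level `env:` or export it via `$GITHUB_ENV`. The step is also gated on `inputs.language == 'go'` rather than `inputs.go-private-modules != ''` as sbom.yml does, so the `insteadOf` rewrite containing `secrets.GH_TOKEN` is written into the global git config even when no private modules are configured; use the narrower condition, and pass the token through `env:` instead of interpolating `${{ secrets.GH_TOKEN }}` directly into the `run:` command line.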
Expand Down Expand Up @@ -1008,6 +1024,55 @@ jobs:
runs-on: ubuntu-latest
needs: checkout # TODO: fix set-application-version
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
fetch-depth: 0

- name: Install build tools for Erlang
if: inputs.language == 'erlang'
run: |
sudo apt-get update
sudo apt-get install -y build-essential

- name: Set up Erlang/OTP and rebar3
if: inputs.language == 'erlang'
uses: erlef/setup-beam@v1
with:
otp-version: '25.3.2.16'
rebar3-version: '3.22.0'

- name: Set up Ruby
if: inputs.language == 'ruby'
uses: ruby/setup-ruby@v1
with:
ruby-version: '3.4'
bundler-cache: false

- name: Create bundle stub for Erlang SAST scan
if: inputs.language == 'erlang'
working-directory: ${{ github.workspace }}
run: |
# Polaris scans Erlang source code for SAST - Ruby gems not needed
# System ruby-dev from apt provides Ruby runtime (already installed)
# Create bundle stub to skip gem installation during Polaris scan
echo "Creating bundle stub to bypass Ruby gem installation"

# Create no-op bundle script
mkdir -p "$HOME/.polaris-stubs"
cat > "$HOME/.polaris-stubs/bundle" << 'EOF'
#!/bin/bash
# Stub: skips gem installation during SAST scan
echo "[STUB] Skipping bundle $@ - not needed for Erlang SAST"
exit 0
EOF
chmod +x "$HOME/.polaris-stubs/bundle"

# Prepend to PATH so stub is found before any system bundler
echo "$HOME/.polaris-stubs" >> $GITHUB_PATH

echo "Bundle stub created and added to PATH"

- name: Starting Black Duck Polaris scan
run: |
echo "Starting Polaris SAST scan"
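Review bot: the comment in the 'Create bundle stub' step says "System ruby-dev from apt provides Ruby runtime (already installed)", but the only apt install in this hunk is `build-essential`, so either add `ruby-dev` there or correct the comment. Two shell nits in the same step: `echo "$HOME/.polaris-stubs" >> $GITHUB_PATH` should quote `"$GITHUB_PATH"`, and `$@` inside a double-quoted string should be `$*`. Worth a comment as well: because the stub directory goes to `$GITHUB_PATH`, it shadows `bundle` for every later step in the job, including the Polaris scan step; that is the intent under the `language == 'erlang'` guard, but it is not obvious from the step name.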
Expand Down Expand Up @@ -1069,7 +1134,7 @@ jobs:
# polaris_upload_sarif_report: true
# Mark build status if policy violating issues are found
# mark_build_status: 'success'
continue-on-error: true
continue-on-error: false

package-binary:
name: 'Creating packaged binaries'
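Review bot: flipping `continue-on-error` to `false` turns the Polaris scan into a hard gate for every consumer of this reusable workflow while `mark_build_status` is still commented out above it, so any policy-violating finding or Polaris outage now fails the pipeline. Consider exposing this behind an input with the previous behaviour as default, mirroring `trivy-fail-on-high-critical`, or document the change for callers.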
Expand Down Expand Up @@ -1317,7 +1382,7 @@ jobs:
# Create software bill-of-materials (SBOM) using SPDX format
if: ${{ inputs.generate-sbom == true }}
uses: chef/common-github-actions/.github/workflows/sbom.yml@main
needs: ci-build
needs: checkout # TODO: fix set-application-version
secrets: inherit
with:
version: ${{ inputs.version }}
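Review bot: changing `needs: ci-build` to `needs: checkout` means the SBOM job no longer waits for the build and runs even when ci-build fails; for languages where Black Duck detection reads build output this can change results. The `# TODO: fix set-application-version` comment now appears in two jobs; reference a tracked issue so the original dependency is restored rather than left as a TODO.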
Expand All @@ -1332,6 +1397,7 @@ jobs:
blackduck-force-low-accuracy-mode: ${{ inputs.blackduck-force-low-accuracy-mode }}
run-bundle-install: ${{ inputs.run-bundle-install }} # Passed to sbom.yml to generate Gemfile.lock at runtime
language: ${{ inputs.language }}
ruby-app-directory: ${{ inputs.ruby-app-directory }}

quality-dashboard:
name: 'Reporting to quality dashboard'
25 changes: 20 additions & 5 deletions .github/workflows/sbom.yml
Expand Up @@ -77,6 +77,11 @@ on:
required: false
type: string
default: 'ruby'
ruby-app-directory:
description: 'Subdirectory containing Ruby Gemfile (e.g., "src/supermarket" for repos with non-root Gemfile location). Leave empty if Gemfile is in root.'
required: false
type: string
default: ''

env:
# Set the default SBOM filename prefix
Expand Down Expand Up @@ -203,11 +208,19 @@ jobs:
uses: actions/checkout@v6

- name: Set up Ruby and run bundle install
if: ${{ inputs.language == 'ruby' }} # only run for Ruby projects where we need to generate Gemfile.lock at runtime, inputs.run-bundle-install == true
if: inputs.language == 'ruby'
uses: ruby/setup-ruby@v1
with:
ruby-version: '3.4'
bundler-cache: true
ruby-version: '3.4.2'
bundler-cache: false
working-directory: ${{ inputs.ruby-app-directory != '' && inputs.ruby-app-directory || '.' }}

- name: Set up Erlang/OTP and rebar3
if: inputs.language == 'erlang'
uses: erlef/setup-beam@v1
with:
otp-version: '25.3.2.16'
rebar3-version: '3.22.0'

- name: Configure git for private Go modules
if : ${{ inputs.go-private-modules != '' }}
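Review bot: `ruby-version: '3.4.2'` here differs from the `'3.4'` used in the Ruby setup step added to ci-main-pull-request.yml in this same PR; pick one so the SBOM and SAST jobs resolve the same Ruby and the generated Gemfile.lock matches. The removed comment also explained that this step was tied to run-bundle-install; with `bundler-cache: false` it now only installs Ruby, and the later 'generate Gemfile.lock' step is the sole place `bundle install` runs, so the step name 'Set up Ruby and run bundle install' is no longer accurate.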
Expand All @@ -218,6 +231,7 @@ jobs:
- name: generate Gemfile.lock if needed for Ruby projects
if: ${{ inputs.run-bundle-install == true && inputs.language == 'ruby' }}
continue-on-error: true
working-directory: ${{ inputs.ruby-app-directory != '' && inputs.ruby-app-directory || '.' }}
run: |
if [ ! -f Gemfile.lock ]; then
bundle install
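Review bot: the expression `${{ inputs.ruby-app-directory != '' && inputs.ruby-app-directory || '.' }}` is now repeated for two `working-directory` keys, with a third variant in the artifact path below; define it once as a job-level `env:` value (e.g. a RUBY_DIR variable) and reference that, so the three copies cannot drift apart.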
Expand All @@ -228,7 +242,7 @@ jobs:
uses: actions/upload-artifact@v4
continue-on-error: true
with:
path: Gemfile.lock
path: ${{ inputs.ruby-app-directory != '' && format('{0}/Gemfile.lock', inputs.ruby-app-directory) || 'Gemfile.lock' }}
name: ${{ github.event.repository.name }}-Gemfile-lock.txt

- name: BlackDuck SCA scan
Expand All @@ -242,7 +256,8 @@ jobs:
with:
blackducksca_url: ${{ secrets.BLACKDUCK_SBOM_URL }} # BLACKDUCK_URL, should be https://progresssoftware.app.blackduck.com/
blackducksca_token: ${{ secrets.BLACKDUCK_SCA_TOKEN }} # was BLACKDUCK_API_KEY
detect_args: ${{ inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP' }}
blackducksca_scan_full: true # Force INTELLIGENT scan mode for all branches (uploads results to server)
detect_args: ${{ inputs.ruby-app-directory != '' && format('{0} --detect.source.path={1}', inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP', inputs.ruby-app-directory) || (inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP') }}
Copilot AI Feb 20, 2026
The detect_args expression is overly complex and difficult to read/maintain. The nested ternary operators make it hard to verify correctness. Consider breaking this into a separate step that constructs the arguments using a shell script, which would improve readability and make it easier to test each condition independently. The current expression combines ruby-app-directory and blackduck-force-low-accuracy-mode checks in a way that's error-prone.
# blackducksca_scan_failure_severities: 'BLOCKER,CRITICAL'
# ignore python per https://documentation.blackduck.com/bundle/detect/page/packagemgrs/python.html
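Review bot: `blackducksca_scan_full: true` forces an INTELLIGENT scan with server upload on every branch, PR branches included, as the inline comment states; that creates a project version per branch on the Black Duck server and is normally reserved for the default branch, so gate it on `github.ref_name` or an input. Separately, the new `detect_args` value repeats the low-accuracy conditional twice and only appends `--detect.source.path` when ruby-app-directory is set; building the argument string in a preceding shell step, as the thread suggests, would remove the duplication and make each condition testable.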

29 changes: 18 additions & 11 deletions .github/workflows/trivy.yml
Expand Up @@ -15,6 +15,11 @@ on:
required: false
type: string
default: '1.0.0'
fail-on-high-critical:
description: 'Fail the build if HIGH or CRITICAL vulnerabilities are found'
required: false
type: boolean
default: false

jobs:
trivy:
Expand Down Expand Up @@ -67,14 +72,16 @@ jobs:
# name: trivy-report-${{ github.event.repository.name }}-${{ github.ref_name }}-${{ inputs.version }}-$(date +'%Y%m%d')-text
path: trivy-report.txt
retention-days: 30
# - name: Fail build on High/Criticial Vulnerabilities
# uses: aquasecurity/trivy-action@master
# with:
# scan-type: "fs"
# format: table
# scan-ref: .
# severity: HIGH,CRITICAL
# ignore-unfixed: true
# exit-code: 1
# # On a subsequent call to the action we know trivy is already installed so can skip this
# skip-setup-trivy: true

- name: Fail build on High/Critical Vulnerabilities
if: ${{ inputs.fail-on-high-critical }}
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
format: table
scan-ref: .
severity: HIGH,CRITICAL
ignore-unfixed: true
exit-code: 1
# On a subsequent call to the action we know trivy is already installed so can skip this
skip-setup-trivy: true
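Review bot: `uses: aquasecurity/trivy-action@master` pins a security gate to a mutable branch; pin to a release tag or commit SHA so the step cannot change underneath the pipeline. `ignore-unfixed: true` also means HIGH/CRITICAL findings with no available fix never fail the build, which the `fail-on-high-critical` description above does not mention; document it or expose it as its own input. The step rescans the filesystem rather than reusing trivy-report.txt from the previous step, which is acceptable with `skip-setup-trivy: true` but doubles scan time when the gate is enabled.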