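--- a/.github/workflows/blackduck.yml
+++ b/.github/workflows/blackduck.yml
@@ -0,0 +1,91 @@
+name: Black Duck Security Scan
+
+on:
+push:
+branches:
+- main
+- master
+
+permissions:
+contents: read
+packages: read
+
+jobs:
+blackduck-scan:
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+
+- name: Set up Node.js
+uses: actions/setup-node@v3
+with:
+node-version: '20'
+registry-url: 'https://npm.pkg.github.com/'
+scope: '@replicon'
+
+- name: Update package-locks
+env:
+NODE_AUTH_TOKEN: ${{secrets.GH_NPM_TOKEN}}
+run: |
+find . -name "package.json" -not -path "*/node_modules/*" | while read pkg; do
+dir=$(dirname "$pkg")
+lock="$dir/package-lock.json"
+yarn_lock="$dir/yarn.lock"
+
+if [ -f "$yarn_lock" ]; then
+echo "Skipping $dir because yarn.lock is present."
+continue
+fi
+
+if [ ! -f "$lock" ]; then
+echo "No package-lock.json found in $dir. Running npm install --package-lock-only..."
+cd "$dir"
+npm install --package-lock-only --force || echo "Failed in $dir"
+cd - > /dev/null
+elif jq -e '.lockfileVersion == 1' "$lock" > /dev/null; then
+echo "package-lock.json in $dir has lockfileVersion 1. Regenerating..."
+cd "$dir"
+rm -f package-lock.json
+npm install --package-lock-only --force || echo "Failed in $dir"
+cd - > /dev/null
+else
+echo "package-lock.json in $dir is up to date (lockfileVersion != 1). Skipping."
+fi
+done
+
+- name: Test Black Duck Connection
+run: |
+echo "Testing connection to Black Duck server..."
+curl -I "${{ secrets.BLACKDUCK_URL }}" || echo "Connection test failed"
+
+- name: Run Black Duck Detect
+run: |
+# Download and run Black Duck Detect
+curl -O https://detect.blackduck.com/detect9.sh
+chmod +x detect9.sh
+
+# Add debug logging
+./detect9.sh \
+--blackduck.url=${{ secrets.BLACKDUCK_URL }} \
+--blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} \
+--detect.project.name=${{ github.repository }} \
+--detect.project.version.name=${{ github.ref_name }} \
+--detect.source.path=.\
+--detect.code.location.name="${{ github.repository }}-${{ github.ref_name }}" \
+--detect.policy.check.fail.on.severities=BLOCKER,CRITICAL \
+--detect.cleanup=false \
+--logging.level.detect=DEBUG \
+--blackduck.trust.cert=true \
+--detect.excluded.directories=node_modules,target,build,dist,.git \
+--detect.detector.search.depth=99
+
+- name: Upload Black Duck results
+uses: actions/upload-artifact@v4
+if: always()
+with:
+name: blackduck-results
+path: |
+.synopsys/
+blackduck-output/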
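Review bot: The "Run Black Duck Detect" step downloads detect9.sh from an unpinned URL with no failure check or integrity verification and executes it while BLACKDUCK_TOKEN is in scope, and `--blackduck.trust.cert=true` additionally disables TLS certificate validation for the server that token is sent to, so the scan step is itself a supply-chain and credential-exposure point. Fetch the script with failure detection and verify it before running, e.g. `curl -fsSL -o detect9.sh https://detect.blackduck.com/detect9.sh` followed by `echo "<EXPECTED_SHA256>  detect9.sh" | sha256sum -c -` (checksum taken from the vendor's published release information), and drop `trust.cert` once the server presents a certificate the runner trusts. Secrets and `github.*` values interpolated directly into `run:` should instead be passed through the step's `env:` and referenced as shell variables, which keeps them out of the expanded command text; the `on: push` branch filter currently limits `github.ref_name` to `main`/`master`, so the injection surface is small, but the idiom is still worth fixing. The line `--detect.source.path=.\` has no space before the backslash, so after line-continuation removal it may be joined to the following argument depending on indentation this page no longer shows — `--detect.source.path=. \` removes the doubt. Because `--logging.level.detect=DEBUG` runs with `--detect.cleanup=false`, the `.synopsys/` output uploaded by the final step should be checked for credentials or internal URLs before this artifact is relied on.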