From 7b37c4203ea0b91ca6c3a7b7db7c4a4570ea3381 Mon Sep 17 00:00:00 2001 From: ashwin Date: Wed, 2 Jul 2025 14:53:22 -0400 Subject: [PATCH 1/3] Add blackduck workflow --- .github/workflows/blackduck.yml | 95 +++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 .github/workflows/blackduck.yml diff --git a/.github/workflows/blackduck.yml b/.github/workflows/blackduck.yml new file mode 100644 index 0000000..04ef39a --- /dev/null +++ b/.github/workflows/blackduck.yml 
@@ -0,0 +1,95 @@ +name: Black Duck Security Scan + +on: + pull_request: {} + push: + branches: + - main + - master + schedule: + # Run weekly on Sundays at 2 AM UTC + - cron: '0 2 * * 0' + +permissions: + contents: read + packages: read + +jobs: + blackduck-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Node.js + uses: actions/setup-node@v3 + with: + node-version: '20' + registry-url: 'https://npm.pkg.github.com/' + scope: '@replicon' + + - name: Update package-locks + env: + NODE_AUTH_TOKEN: ${{secrets.GH_NPM_TOKEN}} + run: | + find . -name "package.json" -not -path "*/node_modules/*" | while read pkg; do + dir=$(dirname "$pkg") + lock="$dir/package-lock.json" + yarn_lock="$dir/yarn.lock" + + if [ -f "$yarn_lock" ]; then + echo "Skipping $dir because yarn.lock is present." + continue + fi + + if [ ! -f "$lock" ]; then + echo "No package-lock.json found in $dir. Running npm install --package-lock-only..." + cd "$dir" + npm install --package-lock-only --force || echo "Failed in $dir" + cd - > /dev/null + elif jq -e '.lockfileVersion == 1' "$lock" > /dev/null; then + echo "package-lock.json in $dir has lockfileVersion 1. Regenerating..." + cd "$dir" + rm -f package-lock.json + npm install --package-lock-only --force || echo "Failed in $dir" + cd - > /dev/null + else + echo "package-lock.json in $dir is up to date (lockfileVersion != 1). Skipping." + fi + done + + - name: Test Black Duck Connection + run: | + echo "Testing connection to Black Duck server..." 
+ curl -I "${{ secrets.BLACKDUCK_URL }}" || echo "Connection test failed" + + - name: Run Black Duck Detect + run: | + # Download and run Black Duck Detect + curl -O https://detect.blackduck.com/detect9.sh + chmod +x detect9.sh + + # Add debug logging + ./detect9.sh \ + --blackduck.url=${{ secrets.BLACKDUCK_URL }} \ + --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} \ + --detect.project.name=${{ github.repository }} \ + --detect.project.version.name=${{ github.ref_name }} \ + --detect.source.path=.\ + --detect.code.location.name="${{ github.repository }}-${{ github.ref_name }}" \ + --detect.policy.check.fail.on.severities=BLOCKER,CRITICAL \ + --detect.cleanup=false \ + --logging.level.detect=DEBUG \ + --blackduck.trust.cert=true \ + --detect.excluded.directories=node_modules,target,build,dist,.git \ + --detect.detector.search.depth=99 + + - name: Upload Black Duck results + uses: actions/upload-artifact@v4 + if: always() + with: + name: blackduck-results + path: | + .synopsys/ + blackduck-output/ From bf1965028c955335416e1dfbe99d12518bd80c66 Mon Sep 17 00:00:00 2001 From: ashwin Date: Mon, 14 Jul 2025 13:00:42 -0400 Subject: [PATCH 2/3] run only for master / main --- .github/workflows/blackduck.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/blackduck.yml b/.github/workflows/blackduck.yml index 04ef39a..c06a236 100644 --- a/.github/workflows/blackduck.yml +++ b/.github/workflows/blackduck.yml @@ -1,7 +1,6 @@ name: Black Duck Security Scan on: - pull_request: {} push: branches: - main From 0a072a52fbe73759e3df7d0a599135b1182d00b5 Mon Sep 17 00:00:00 2001 From: ashwin Date: Tue, 15 Jul 2025 11:31:29 -0400 Subject: [PATCH 3/3] remove weekly schedule --- .github/workflows/blackduck.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/blackduck.yml b/.github/workflows/blackduck.yml index c06a236..3cd96ff 100644 --- a/.github/workflows/blackduck.yml +++ b/.github/workflows/blackduck.yml 
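Review bot: `--blackduck.trust.cert=true` in the Run Black Duck Detect step disables TLS certificate validation on the very connection that carries `BLACKDUCK_TOKEN`, so any host that can answer for `BLACKDUCK_URL` (DNS or network-path interception) receives the API token; unless the server really sits behind a private CA, drop the flag, and if it does, add that CA to the runner's trust store instead of trusting everything. The same step downloads `detect9.sh` from `https://detect.blackduck.com/` with no version pin and no integrity check and then executes it with the token on its command line, so pin a specific release and verify it before `chmod +x` (`curl -fsSLo detect.sh <pinned-release-url>` then `echo '<sha256>  detect.sh' | sha256sum -c`), or use the vendor's GitHub Action pinned to a full commit SHA; `actions/setup-node@v3` and `actions/checkout@v4` should likewise be pinned by SHA rather than by mutable tag. `--logging.level.detect=DEBUG` combined with `--detect.cleanup=false` and `if: always()` publishes `.synopsys/` as a workflow artifact that anyone with read access to the repository can download, so confirm the debug output does not contain the server URL, request headers or internal package-registry details before shipping it off the runner. In the Update package-locks step, `|| echo "Failed in $dir"` lets the job continue when a lock file could not be generated, which means the policy gate can pass on an incomplete dependency inventory; collect those failures and exit non-zero (or at minimum emit a `::warning::` annotation) so missing coverage is visible rather than silently green.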
@@ -5,9 +5,6 @@ on: branches: - main - master - schedule: - # Run weekly on Sundays at 2 AM UTC - - cron: '0 2 * * 0' permissions: contents: read