forked from JoyChou93/java-sec-code
-
Notifications
You must be signed in to change notification settings - Fork 0
56 lines (51 loc) · 2.16 KB
/
Copy pathpolaris-workflow.yml
File metadata and controls
56 lines (51 loc) · 2.16 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
# Quickstart: Black Duck Security Scan Action with polaris:
# https://documentation.blackduck.com/bundle/bridge/page/documentation/t_github-polaris-quickstart.html
name: Polaris Security Scan
on:
push:
branches:
- main
- master
- develop
- stage
- release
pull_request:
branches:
- main
- master
- develop
- stage
- release
workflow_dispatch: {}
# GitHub token permissions for post-scan actions. Required for built-in GITHUB_TOKEN; if using a PAT with equivalent scopes, permissions block can be commented out.
permissions:
contents: write # Required to push changes or create fix branches
pull-requests: write # Required to add comments or create fix pull requests
security-events: write # Required to upload SARIF results to GitHub Security
jobs:
polaris:
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v4
- name: Polaris Security Scan
id: polaris-scan
uses: blackduck-inc/black-duck-security-scan@v2
with:
### SCANNING: Required fields
polaris_server_url: ${{ vars.POLARIS_URL }}
polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
### ASSESSMENT TYPES
polaris_assessment_types: SAST,SCA # Comma-separated list: SAST,SCA,DAST
### GITHUB TOKEN
github_token: ${{ secrets.GITHUB_TOKEN }} # Required when PR comments or sarif reports enabled
polaris_prComment_enabled: true
### SARIF report parameters
polaris_reports_sarif_create: true # Create SARIF report and upload it as artifact
polaris_upload_sarif_report: true # Upload SARIF report in GitHub Advanced Security tab
### SCAN CONFIGURATION: Uncomment below to enable
# polaris_waitForScan: true # Wait for scan completion before proceeding
### Mark build status if policy violating issues are found
# mark_build_status: failure # Set to success, failure, or skip
### Uncomment below configuration if Bridge diagnostic files needs to be uploaded
# include_diagnostics: false