diff --git a/.github/workflows/blackducksca-workflow.yml b/.github/workflows/blackducksca-workflow.yml
new file mode 100644
index 0000000..0ee7b00
--- /dev/null
+++ b/.github/workflows/blackducksca-workflow.yml
@@ -0,0 +1,56 @@
+# Quickstart: Black Duck Security Scan Action with blackducksca:
+# https://documentation.blackduck.com/bundle/bridge/page/documentation/t_github-blackduck-quickstart.html
+name: Black Duck Security Scan
+on:
+  push:
+    branches:
+      - main
+      - master
+  pull_request:
+    branches:
+      - main
+      - master
+  workflow_dispatch: {}
+jobs:
+  blackducksca:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@v3
+        with:
+          token_format: access_token
+          workload_identity_provider: projects/66669732991/locations/global/workloadIdentityPools/workload-identity-pool-github/providers/workload-identity-pool-github
+          service_account: cicd-service-deploy@aip-services-dev.iam.gserviceaccount.com
+          audience: https://github.com/EmergenceAI
+          create_credentials_file: true
+      - name: Configure pip for Google Artifact Registry
+        env:
+          ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
+        run: |
+          pip config set global.extra-index-url https://oauth2accesstoken:${ACCESS_TOKEN}@us-central1-python.pkg.dev/aip-artifacts-store/aipy/simple/
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+      - name: Black Duck Security Scan
+        id: black-duck-security-scan
+        uses: blackduck-inc/black-duck-security-scan@v2
+        with:
+          blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
+          blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}
+          blackducksca_scan_full: true
+          blackducksca_scan_failure_severities: 'NONE'
+          mark_build_status: success
+        env:
+          DETECT_PROJECT_VERSION_NAME: master
+        continue-on-error: true
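Review bot: The `pip config set global.extra-index-url …` step in "Configure pip for Google Artifact Registry" keeps the public PyPI index alongside the private `aipy` repository, so pip resolves every requirement from both and takes the highest version — the classic dependency-confusion setup for any internally named package; prefer `pip config set global.index-url` pointed at an Artifact Registry virtual repository that fronts PyPI, or install with `pip install --require-hashes -r requirements.txt`. The same step persists the access token into the runner-wide pip.conf, and the `pull_request` trigger then runs `pip install -r requirements.txt` from the PR head, so a build-time hook (setup.py/pyproject build backend) in a PR-modified dependency executes with that token and with the `create_credentials_file: true` credentials for `cicd-service-deploy@…` available — a principal whose name suggests deploy rights rather than the `artifactregistry.reader` role this job needs, so confirm its IAM grants are scoped to read-only for this use. With `blackducksca_scan_failure_severities: 'NONE'`, `mark_build_status: success` and `continue-on-error: true` together, the scan step cannot affect the check result even when the scan itself errors (for example a failed WIF token exchange, which I believe is the case for fork PRs under `pull_request`), so a broken scanner goes unnoticed; at minimum drop `continue-on-error: true` so infrastructure errors fail the job while policy findings stay non-blocking. `DETECT_PROJECT_VERSION_NAME: master` is also hard-coded for pushes to `main` and for every PR, so PR scans overwrite the master version in Black Duck; `DETECT_PROJECT_VERSION_NAME: ${{ github.head_ref || github.ref_name }}` keeps them separate.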