diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml new file mode 100644 index 00000000..d812367a --- /dev/null +++ b/.github/workflows/blackduck_scan.yaml @@ -0,0 +1,80 @@ +name: Blackduck SCA Scan +on: + #push: + # branches: [ "main" ] + #pull_request: + # branches: [ "main" ] + schedule: + - cron: '5 0 * * 0' + workflow_dispatch: + +permissions: + contents: read + checks: write + +jobs: + build: + runs-on: [ ubuntu-latest ] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version-file: '${{ github.workspace }}/go.mod' + cache: false + + - name: Get go environment for use with cache + run: | + echo "go_cache=$(go env GOCACHE)" >> $GITHUB_ENV + echo "go_modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV + # This step will only reuse the go mod and build cache from main made during the Build, + # see push_ocm.yaml => "ocm-cli-latest" Job + # This means it never caches by itself and PRs cannot cause cache pollution / thrashing + # This is because we have huge storage requirements for our cache because of the mass of dependencies + + - name: Restore / Reuse Cache from central build + id: cache-golang-restore + uses: actions/cache/restore@v4 # Only Restore, not build another cache (too big) + with: + path: | + ${{ env.go_cache }} + ${{ env.go_modcache }} + key: ${{ env.cache_name }}-${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ hashFiles('**/go.mod') }} + restore-keys: | + ${{ env.cache_name }}-${{ runner.os }}-go- + env: + cache_name: ocm-cli-latest-go-cache # needs to be the same key in the end as in the build step + + - name: Run Black Duck Full SCA Scan (Manual Trigger and Scheduled) + if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' + uses: blackduck-inc/black-duck-security-scan@v2.0.0 + env: + DETECT_PROJECT_USER_GROUPS: opencomponentmodel + DETECT_PROJECT_VERSION_DISTRIBUTION: opensource + DETECT_SOURCE_PATH: ./ + DETECT_EXCLUDED_DIRECTORIES: .bridge + DETECT_BLACKDUCK_SIGNATURE_SCANNER_ARGUMENTS: '--min-scan-interval=0' + NODE_TLS_REJECT_UNAUTHORIZED: true + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + blackducksca_url: ${{ secrets.BLACKDUCK_URL }} + blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} + blackducksca_scan_full: true + + - name: Run Black Duck SCA Scan (Pull Request or Push) + if: github.event_name != 'workflow_dispatch' + # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false + uses: blackduck-inc/black-duck-security-scan@v2.0.0 + env: + DETECT_PROJECT_USER_GROUPS: opencomponentmodel + DETECT_PROJECT_VERSION_DISTRIBUTION: opensource + DETECT_SOURCE_PATH: ./ + DETECT_EXCLUDED_DIRECTORIES: .bridge + NODE_TLS_REJECT_UNAUTHORIZED: true + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + blackducksca_url: ${{ secrets.BLACKDUCK_URL }} + blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} + blackducksca_prComment_enabled: true diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 056f1dfb..addcafc0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -74,6 +74,7 @@ jobs: with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} + queries: security-extended # as recommended by SAP Security # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file.