disclosure-cli/.github/workflows/foss-scan.yml at a12d3f34305bb4d5dd7e120573afbc1a9b66ed21 · mercedes-benz/disclosure-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# SPDX-FileCopyrightText: 2023 Mercedes-Benz Tech Innovation GmbH
#
# SPDX-License-Identifier: MIT

name: Foss scan
permissions:
  packages: write
  contents: read
on:
  pull_request:
    types:
      - closed
    branches:
      - main

jobs:
  if_merged:
    if: github.event.pull_request.merged
    env:
      SCAN_SOURCE_PATH: './'
    name: CLI foss scan
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - uses: actions/setup-go@v3
      continue-on-error: true
      with:
        go-version: '^1.25'
    - name: build binary
      run: |
        go build -v
    - name: Synopsys Detect
      uses: blackduck-inc/black-duck-security-scan@v2.0.0
      env:
        SYNOPSYS_SKIP_PHONE_HOME: true
        DETECT_TOOLS: DETECTOR
        DETECT_POLICY_CHECK_FAIL_ON_SEVERITIES: ALL
        DETECT_CLEANUP: false
        DETECT_PROJECT_NAME: ${{ secrets.BD_PROJECT_NAME }}
        DETECT_SOURCE_PATH: ${{ env.SCAN_SOURCE_PATH }}
        DETECT_EXCLUDED_DETECTOR_TYPES: GIT
        DETECT_CODE_LOCATION_NAME: ${{ secrets.BD_PROJECT_NAME }}-disclosure-cli
        DETECT_PROJECT_VERSION_NAME: ${{ secrets.BD_PROJECT_VERSION }}
        DETECT_BLACKDUCK_SIGNATURE_SCANNER_EXCLUSION_NAME_PATTERN: .git
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        blackducksca_url: ${{ secrets.BD_URL}}
        blackducksca_token: ${{ secrets.BD_API_TOKEN }}
        blackducksca_scan_full: true # INTELLIGENT
  call-sbom-upload:
    needs: if_merged
    uses: ./.github/workflows/sbom-upload.yml
    secrets: inherit