CI-AppSec [Master] #282
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI-AppSec [Master] | |
| on: | |
| schedule: | |
| #At 13:00 on every day-of-week from Sunday through Thursday. | |
| - cron: "0 13 * * SUN-THU" | |
| workflow_dispatch: | |
| #The workflow will only run when a push that includes a change to the build.gradle file is made in the main branch. | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "build.gradle" | |
| jobs: | |
| blackduck-scan: | |
| runs-on: [ubuntu-latest] | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-java@v3 | |
| with: | |
| distribution: temurin | |
| java-version: 11 | |
| - name: Setup Gradle | |
| uses: gradle/gradle-build-action@v2 | |
| - name: Execute Gradle build | |
| run: ./gradlew check | |
| env: | |
| UNIT_API_URL: ${{ secrets.UNIT_API_URL }} | |
| UNIT_TOKEN: ${{ secrets.UNIT_TOKEN }} | |
| access_token: ${{ secrets.UNIT_TOKEN }} | |
| token_tests_user_id: ${{ secrets.TOKEN_TESTS_USER_ID }} | |
| test_plaid_counterparty_token: ${{ secrets.TEST_PLAID_COUNTERPARTY_TOKEN }} | |
| wallet_terms: ${{ secrets.WALLET_TERMS }} | |
| - name: Black Duck Full Scan | |
| uses: synopsys-sig/[email protected] | |
| ### Use below configuration to set specific detect environment variables | |
| env: | |
| DETECT_PROJECT_NAME: ${{ github.event.repository.name }} | |
| DETECT_PROJECT_VERSION_NAME: main | |
| with: | |
| blackduck_url: ${{ secrets.BLACKDUCK_URL }} | |
| blackduck_token: ${{ secrets.BLACKDUCK_API_TOKEN }} | |
| blackduck_scan_full: true | |
| ### Accepts Multiple Values | |
| blackduck_scan_failure_severities: "BLOCKER,CRITICAL" | |
| ### Uncomment below configuration to enable automatic fix pull request creation if vulnerabilities are reported | |
| blackduck_fixpr_enabled: true | |
| blackduck_fixpr_maxCount: 5 | |
| blackduck_fixpr_filter_severities: "CRITICAL,HIGH" | |
| blackduck_fixpr_useUpgradeGuidance: "SHORT_TERM,LONG_TERM" | |
| github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_fixpr_enabled is set to 'true' | |
| ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded | |
| # include_diagnostics: true | |
| - name: If failed - Configure 1Password Service Account For Slack Webhook URL Secret | |
| uses: 1password/load-secrets-action/configure@v1 | |
| if: ${{ failure() }} | |
| with: | |
| service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | |
| - name: If failed - Load Slack Webhook URL Secret | |
| uses: 1password/load-secrets-action@v1 | |
| if: ${{ failure() }} | |
| with: | |
| export-env: true | |
| env: | |
| SLACK_WEBHOOK_URL: op://Security/slack-appsec-blackduck-alerts/webhook-url | |
| - name: If failed - Report failure to Slack | |
| #Slack channel: appsec-blackduck-alerts | |
| uses: ravsamhq/notify-slack-action@v2 | |
| if: ${{ failure() }} | |
| with: | |
| status: ${{ job.status }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| notification_title: "{workflow} has {status_message}" | |
| message_format: "{emoji} *{workflow}* {status_message} in <{run_url}|{repo}>" | |
| footer: "Linked Run <{run_url}|{repo}>" | |
| notify_when: "failure" | |
| mention_users: "U040AD4BT42" | |
| mention_users_when: "failure,warnings" | |
| mention_groups: "!channel" | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }} |