Use this action to scan repositories for dependency vulnerabilities with the Black Duck Software Composition Analysis (SCA) scanner.
The Black Duck SCA scanner architectural components are:
-
Client-side: The Black Duck Detect scanning tool, the Signature Scanner command line tool, and the REST API.
-
Server-side: The Black Duck server.
-
Data center: The Black Duck KnowledgeBase open-source software database.
The scanning process is as follows:
-
The Black Duck Detect tool is used to authenticate and initiate the code scan.
-
Codebases are scanned on the client side.
-
The scan data is uploaded to the Black Duck server with the Detect tool. The completed scan data does not contain any source code, to maintain your code security. The completed scan contains only file and directory signatures, and information derived from package management files.
-
The scan data is sent to the Black Duck KnowledgeBase, and open source components in your code are matched and identified. The matching/identification process is based on your package manager data and SHA1 hashes created by the Signature Scanner when it scans your files and directories.
-
The REST API is used to fetch the bearer token and retrieve the scanning results.
-
The matched open source components are reported as a viewable Bill of Materials that contains the associated security, licensing, and operational risks of the discovered components.
|
Note
|
For more information about the Black Duck SCA scanner, refer to the product documentation. |
| Input name | Data type | Required? | Description |
|---|---|---|---|
|
String |
Yes |
The Black Duck server URL. |
|
String |
Yes |
The Black Duck client secret. |
|
String |
Yes |
Specify the ref to be checked out and archived. |
|
String |
No |
The Black Duck project name. |
|
String |
No |
The Black Duck project version. |
|
String |
No |
Specify any Black Duck Detect properties. |
The following is a basic usage example for this action:
- name: Scan with Black Duck SCA
uses: https://github.com/cloudbees-io/blackduck-sca-scan-dependency@v2
with:
server-url: ${{ vars.BLACK_DUCK_URL }}
api-token: ${{ secrets.BLACK_DUCK_TOKEN }}
ref: mainIn the following example, the Black Duck Detect properties logging.level.detect and blackduck.offline.mode are specified:
- name: Scan with Black Duck SCA with params
uses: https://github.com/cloudbees-io/blackduck-sca-scan-dependency@v2
with:
server-url: ${{ vars.BLACK_DUCK_URL }}
api-token: ${{ secrets.BLACK_DUCK_TOKEN }}
ref: main
project-name: 'my-project'
project-version: '0.0.1'
detect-cli-params: '--logging.level.detect=DEBUG --blackduck.offline.mode=false'This code is made available under the MIT license.
-
Learn more about using actions in CloudBees workflows.
-
Learn about the CloudBees platform.