Switch scanner to BlackDuck

Makoto Koishi · Makoto Koishi · commit be4e8ed6ddc9 · 2023-02-01T16:30:07.000+09:00
diff --git a/.github/workflows/synopsys.yml b/.github/workflows/synopsys.yml
@@ -17,30 +17,25 @@ jobs:
       - name: Synopsys Action
         uses: synopsys-sig/synopsys-action@main
         with:
-          coverity_url: ${{ secrets.COVERITY_URL }}
-          coverity_user: ${{ secrets.COVERITY_USER }}
-          coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
-          # Many customers prefer to set their Coverity project and stream names to match
-          # the GitHub repository name
-          coverity_project_name: ${{ secrets.COVERITY_PROJECT_NAME }}
-          coverity_stream_name: ${{ github.event.repository.name }}
-          # Optionally you may specify the ID number of a saved view to apply as a "break the build" policy.
-          # If any defects are found within this view when applied to the project, the build will be failed
-          # with an exit code.
-          #coverity_policy_view: 100001
-          # Below fields are optional
-          coverity_repository_name: ${{ secrets.COVERITY_REPOSITORY_NAME }}
-          coverity_branch_name: ${{ secrets.COVERITY_BRANCH_NAME }}
-          
-          # Optional parameter to specify path to synopsys bridge.
-          # This can be used if you want to pre-configure your GitHub Runner with the
-          # Synopsys Bridge software
-          # The default is either /{user_home}/synopsys-bridge or in linux /usr/synopsys-bridge
-          #synopsys_bridge_path: "/path_to_bridge_executable"
+          blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+
+          # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests
+          # will initiate a rapid scan.
+          blackduck_scan_full: false
+          # Required parameter if blackduck_automation_fixpr is enabled
+          # Make sure GITHUB_TOKEN have appropriate permissions
+          github_token: ${{ secrets.GH_TOKEN }}
+          # Optional parameter. By default, create fix pull requests if vulnerabilities are reported
+          # Passing false will disable fix pull request creation 
+          blackduck_automation_fixpr: true
+          # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED
+          # Single parameter
+          blackduck_scan_failure_severities: "[\"ALL\"]"
+          # multiple parameters
+          # blackduck_scan_failure_severities: "[\"BLOCKER\", \"CRITICAL\", \"TRIVIAL\"]"
 
           # Optional parameter, but usually specified - the location of the Synopsys Bridge software
           # The Synopsys Bridge software distribution is platform specific - this must match the host OS
           # of your runner. For example in this case, we are using the latest version for Linux.
           bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
-        env:
-          LINUX_BRIDGE_URL: "https://sig-repo.synopsys.com/artifactory/bds-integrations-release/com/synopsys/integration/synopsys-action/0.1.72/ci-package-0.1.72-linux64.zip"
