From 19789d166972e7694a2477bcbbc32927069099e2 Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Fri, 7 Nov 2025 11:11:27 -0800
Subject: [PATCH 01/13] creating our own branch and adding 2 new detection items to it.
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 2736c91..ac17a7c 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -56,6 +56,16 @@ on:
 required: false
 type: string
 default: '1.0.0'
+ detect-policy-check-fail-on-severities:
+ description: 'Detect policy check on failure of prior steps, prevents an upload of SBOM or BlackDuck SCA scan if prior steps failed'
+ required: false
+ type: string
+ default: 'ALL'
+ blackduck-break-build:
+ description: 'Break the build if BlackDuck SCA scan finds new high or critical vulnerabilities'
+ required: false
+ type: boolean
+ default: true
 detect-version-source-type: # options include "none" (do not detect), "file", "github-tag" or "github-release"
 description: 'flag to determine how to detect version dynamically'
 required: false
From 1ea2311f3325a030da020caa4c13e26797557fce Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Fri, 7 Nov 2025 12:13:38 -0800
Subject: [PATCH 02/13] created our own branch in commmon-worflows and adding new items from it.
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index ac17a7c..d295bce 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
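Review bot: The description given to `detect-policy-check-fail-on-severities` describes something other than what the name refers to — Detect's `detect.policy.check.fail.on.severities` property makes the scan fail when policy violations of the listed severities are found (`ALL` meaning any severity); it has nothing to do with prior steps failing or with skipping an upload — so a caller reading 'Detect policy check on failure of prior steps ...' will set it for the wrong reason. I would replace it with `description: 'Policy-violation severities (comma-separated, or ALL) that make the BlackDuck SCA scan fail; intended for detect.policy.check.fail.on.severities'`. Neither new input is consumed by anything in this hunk, and the `sbom.yml` scan step shown later in this series runs with `continue-on-error: true`, so `blackduck-break-build: true` presumably cannot break the build until that step is wired to it — worth confirming before the default is advertised. The `inputs:` mapping this hunk edits starts and ends outside the hunk.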
@@ -66,6 +66,11 @@ on:
 required: false
 type: boolean
 default: true
+ blackduck-bridge-break:
+ description: 'Break the build if BlackDuck SCA scan finds new bridge vulnerabilities'
+ required: false
+ type: boolean
+ default: true
 detect-version-source-type: # options include "none" (do not detect), "file", "github-tag" or "github-release"
 description: 'flag to determine how to detect version dynamically'
 required: false
From 73c1b2971052231f7cbe3ff9dfaf6ea292a7a8aa Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Fri, 7 Nov 2025 12:32:13 -0800
Subject: [PATCH 03/13] created our own branch in commmon-worflows and adding new items from it.
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index d295bce..66d8fe2 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -66,7 +66,7 @@ on:
 required: false
 type: boolean
 default: true
- blackduck-bridge-break:
+ bridge-break:
 description: 'Break the build if BlackDuck SCA scan finds new bridge vulnerabilities'
 required: false
 type: boolean
From 52a9af9b7e96a3c145755f89db549c3d9ac884f3 Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Tue, 9 Dec 2025 09:21:49 -0800
Subject: [PATCH 04/13] updating security scan version
Signed-off-by: John McCrae
---
 .github/workflows/sbom.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 3ba50d1..661d9d1 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
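Review bot: 'new bridge vulnerabilities' in the description of `blackduck-bridge-break` is not a category a caller can act on — Bridge is the CLI that the black-duck-security-scan action drives, not a class of findings — and the text does not say how this switch differs from `blackduck-break-build`, which the context lines just above already default to `true`. If the intent is to fail when the Bridge CLI itself exits non-zero (scan error rather than policy violation), say so: `description: 'Fail the workflow when the Black Duck Bridge CLI exits non-zero (scan error); policy-violation failures are controlled by blackduck-break-build'`; if both inputs drive the same flag, keep only one. PATCH 03/13 on this same line only renames the key to `bridge-break`, which drops the BlackDuck prefix every neighbouring input carries. Nothing in the hunk consumes the value, and the enclosing `inputs:` mapping continues outside it.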
@@ -202,7 +202,7 @@ jobs:
 # echo "BLACKDUCK_SBOM_API_KEY: ${{ secrets.BLACKDUCK_SBOM_API_KEY }}" no longer used, see BLACKDUCK_SCA_TOKEN
 - name: BlackDuck SBOM scan
- uses: blackduck-inc/black-duck-security-scan@v2.1.1
+ uses: blackduck-inc/black-duck-security-scan@v2.6.0
 continue-on-error: true # Allow pipeline to continue even with policy violations
 env:
 GOPRIVATE: ${{ inputs.go-private-modules }}
From 88f6d078a5e9f9333a649dc8b3105a8c42c9afe1 Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Tue, 9 Dec 2025 09:33:10 -0800
Subject: [PATCH 05/13] updating security scan version
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 66d8fe2..d17ad8a 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -71,6 +71,11 @@ on:
 required: false
 type: boolean
 default: true
+ detect-blackduck-scan-mode:
+ description: 'Mode for BlackDuck SCA scan detection - options include RAPID,STATELESS,INTELLIGENT'
+ required: false
+ type: string
+ default: 'INTELLIGENT'
 detect-version-source-type: # options include "none" (do not detect), "file", "github-tag" or "github-release"
 description: 'flag to determine how to detect version dynamically'
 required: false
From 5c909c01a4a153e2387539aac444a2b289b143eb Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Tue, 9 Dec 2025 10:01:55 -0800
Subject: [PATCH 06/13] updating security scan version
Signed-off-by: John McCrae
---
 .github/workflows/stubs/ci-main-pull-request-stub.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stubs/ci-main-pull-request-stub.yml b/.github/workflows/stubs/ci-main-pull-request-stub.yml
index c92e8c0..6626b2b 100644
--- a/.github/workflows/stubs/ci-main-pull-request-stub.yml
+++ b/.github/workflows/stubs/ci-main-pull-request-stub.yml
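Review bot: `detect-blackduck-scan-mode` is a plain string, but its description admits only RAPID, STATELESS or INTELLIGENT, and `workflow_call` inputs have no enum type, so a mistyped mode is forwarded to the scan unchecked; validate it in an early step that receives the value through `env:` (not interpolated into `run:`) and does `case "$SCAN_MODE" in RAPID|STATELESS|INTELLIGENT) ;; *) echo "unsupported scan mode: $SCAN_MODE" >&2; exit 1 ;; esac`. Within this series the input is also never delivered: PATCH 08/13 adds `detect-blackduck-scan-mode: ${{ inputs.detect-blackduck-scan-mode }}` to the `generate-sbom` call and PATCH 09/13 removes it again, so at PATCH 13/13 the declared input is dead. On a related point, the PATCH 04/13 hunk earlier on this line bumps `blackduck-inc/black-duck-security-scan` by tag; pinning the action to a full commit SHA with a `# v2.6.0` comment would make that bump verifiable. The `inputs:` mapping continues outside the hunk.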
@@ -29,7 +29,7 @@ jobs:
 echo "CI main pull request stub version $STUB_VERSION"
 call-ci-main-pr-check-pipeline:
- uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
+ uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@chef-19
 secrets: inherit
 permissions:
 id-token: write
From 3d4b7fc38e91376aa0a563ab61fbfc17bbc25ee9 Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 09:34:33 -0800
Subject: [PATCH 07/13] tweaking the sbom.yml file
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index d17ad8a..5b30d9f 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -948,7 +948,7 @@ jobs:
 generate-sbom:
 name: 'Generating SBOM'
 if: ${{ inputs.generate-sbom == true }}
- uses: chef/common-github-actions/.github/workflows/sbom.yml@main
+ uses: chef/common-github-actions/.github/workflows/sbom.yml@chef-19
 needs: ci-build
 secrets: inherit
 with:
From a030e05b5a1b3cf274c9324a17d15c3081e0bf2d Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 09:45:15 -0800
Subject: [PATCH 08/13] tweaking the sbom.yml file
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 5b30d9f..ebe1e3f 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -961,6 +961,7 @@ jobs:
 generate-msft-sbom: ${{ inputs.generate-msft-sbom }}
 license_scout: ${{ inputs.license_scout }}
 go-private-modules: ${{ inputs.go-private-modules }}
+ detect-blackduck-scan-mode: ${{ inputs.detect-blackduck-scan-mode }}
 quality-dashboard:
 name: 'Reporting to quality dashboard'
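Review bot: `uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@chef-19` swaps one mutable ref for another — `chef-19` reads as a branch, so the stub still follows whatever lands there — and PATCH 07/13 on this same line does the same for `sbom.yml@chef-19`, while the `trufflehog.yml@main` call left visible in PATCH 13/13 keeps resolving from `main`, so a single run now pulls reusable workflows from two branches. If `chef-19` is a stabilising release line, re-pin both callers to a tag or full commit SHA once it settles and leave a comment explaining the split in the meantime, e.g. `# chef-19: branch of common-github-actions carrying the BlackDuck SCA inputs; re-pin to a tag/SHA when merged`. The PATCH 08/13 pass-through added lower on this line is reverted by PATCH 09/13, so `sbom.yml@chef-19` is never told the scan mode. The `jobs:` mappings these hunks edit continue outside them.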
From accbf5a5e877d9cb07ed8c566fa85b3ff278ae2e Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 09:47:09 -0800
Subject: [PATCH 09/13] tweaking the sbom.yml file
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index ebe1e3f..5b30d9f 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -961,7 +961,6 @@ jobs:
 generate-msft-sbom: ${{ inputs.generate-msft-sbom }}
 license_scout: ${{ inputs.license_scout }}
 go-private-modules: ${{ inputs.go-private-modules }}
- detect-blackduck-scan-mode: ${{ inputs.detect-blackduck-scan-mode }}
 quality-dashboard:
 name: 'Reporting to quality dashboard'
From fa1fdc394d876de8246ab0f557b44291134a47d7 Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 12:47:10 -0800
Subject: [PATCH 10/13] tweaking the sbom.yml file
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 5b30d9f..4683705 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -76,6 +76,11 @@ on:
 required: false
 type: string
 default: 'INTELLIGENT'
+ blackducksca_scan_full:
+ description: 'Scan Mode. (true for intelligent scan & false for rapid scan)'
+ required: false
+ type: boolean
+ default: false
 detect-version-source-type: # options include "none" (do not detect), "file", "github-tag" or "github-release"
 description: 'flag to determine how to detect version dynamically'
 required: false
From bcc0a68a9490bbf02cd62059216e09dc534a65fb Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 12:56:37 -0800
Subject: [PATCH 11/13] tweaking the sbom.yml file
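Review bot: `blackducksca_scan_full` overlaps with `detect-blackduck-scan-mode` declared immediately above it, and the defaults contradict each other: the mode defaults to `'INTELLIGENT'` while this boolean defaults to `false`, which its own description says means a rapid scan, so a caller who sets neither gets a different answer depending on which input the SBOM workflow reads. Keep one source of truth — if the boolean is what the action consumes, derive it at the call site, `blackducksca_scan_full: ${{ inputs.detect-blackduck-scan-mode == 'INTELLIGENT' }}`, instead of exposing both. The snake_case name also breaks the kebab-case every neighbouring input uses; PATCH 11/13 and 12/13 rename it to `blackducksca-scan-full` and back, so if the underscore form is kept to mirror the action's own input name, say so with `# snake_case on purpose: matches the black-duck-security-scan input name`. The `inputs:` mapping continues outside the hunk.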
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 4683705..3fad394 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -76,7 +76,7 @@ on:
 required: false
 type: string
 default: 'INTELLIGENT'
- blackducksca_scan_full:
+ blackducksca-scan-full:
 description: 'Scan Mode. (true for intelligent scan & false for rapid scan)'
 required: false
 type: boolean
From 08aa16a4f2787a81b431d08fdbb38bb08e967fac Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 13:13:54 -0800
Subject: [PATCH 12/13] tweaking the sbom.yml file
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 18d6c8a..4451aa2 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -76,7 +76,7 @@ on:
 required: false
 type: string
 default: 'INTELLIGENT'
- blackducksca-scan-full:
+ blackducksca_scan_full:
 description: 'Scan Mode. (true for intelligent scan & false for rapid scan)'
 required: false
 type: boolean
From 712f142c9c3cb1b1a6871b0deee72024c4cf1c90 Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Mon, 23 Mar 2026 16:54:35 +0000
Subject: [PATCH 13/13] Removing Trivy testing for now
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 27 +++++++++----------
 .../stubs/ci-main-pull-request-stub.yml | 2 +-
 2 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 4451aa2..463da81 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -110,11 +110,11 @@ on:
 required: false
 type: boolean
 default: true
- perform-trivy-scan:
- description: 'Perform Trivy scan'
- required: false
- type: boolean
- default: true
+ # perform-trivy-scan:
+ # description: 'Perform Trivy scan'
+ # required: false
+ # type: boolean
+ # default: true
 perform-blackduck-polaris:
 description: 'Perform BlackDuck Polaris (SAST) scan'
 required: false
@@ -353,9 +353,6 @@ jobs:
 if [ ${{ inputs.perform-trufflehog-scan }} ]; then
 echo " Perform trufflehog scan set to ${{ inputs.perform-trufflehog-scan }}"
 fi
- if [ ${{ inputs.perform-trivy-scan }} ]; then
- echo " Perform Trivy scan set to ${{ inputs.perform-trivy-scan }}"
- fi
 if [ ${{ inputs.perform-blackduck-polaris }} ]; then
 echo " Perform BlackDuck polaris scan set to ${{ inputs.perform-blackduck-polaris }}"
 echo " Polaris application name set to ${{ inputs.polaris-application-name }}"
@@ -556,13 +553,13 @@ jobs:
 if: ${{ inputs.perform-trufflehog-scan }}
 uses: chef/common-github-actions/.github/workflows/trufflehog.yml@main
 needs: checkout
- run-trivy:
- name: 'Trivy scan'
- if: ${{ inputs.perform-trivy-scan }}
- uses: chef/common-github-actions/.github/workflows/trivy.yml@main
- needs: checkout
- with:
- version: ${{ inputs.version }}
+ # run-trivy:
+ # name: 'Trivy scan'
+ # if: ${{ inputs.perform-trivy-scan }}
+ # uses: chef/common-github-actions/.github/workflows/trivy.yml@main
+ # needs: checkout
+ # with:
+ # version: ${{ inputs.version }}
 # run-srcclr:
 # if: ${{ inputs.perform-srcclr-scan == true }}
diff --git a/.github/workflows/stubs/ci-main-pull-request-stub.yml b/.github/workflows/stubs/ci-main-pull-request-stub.yml
index 6626b2b..4626e72 100644
--- a/.github/workflows/stubs/ci-main-pull-request-stub.yml
+++ b/.github/workflows/stubs/ci-main-pull-request-stub.yml
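Review bot: Commenting out the `perform-trivy-scan` input in the first hunk is a breaking change for callers, not just a feature toggle: GitHub rejects a `workflow_call` that passes an input the referenced workflow no longer declares, so any repository still sending `perform-trivy-scan: true` fails at workflow validation instead of simply skipping Trivy, and only the stub is updated in this commit. Keep the input declared and inert — `perform-trivy-scan:` with `description: 'Deprecated: Trivy scanning is temporarily disabled, the value is ignored'` — and disable only the `run-trivy` job (third hunk). With that job gone, the Black Duck scan is the only dependency/container vulnerability check left in what this series shows, and the sbom.yml context earlier in the series runs it with `continue-on-error: true`, so no finding can fail the pipeline until Trivy returns; that deserves a tracking comment next to the commented job, e.g. `# TODO(<issue-id>): Trivy disabled, see <tracking link>`. Dropping the echo in the second hunk is fine, but the sibling `if [ ${{ inputs.perform-trufflehog-scan }} ]` lines it leaves behind test a non-empty string, so they print for `false` as well — pre-existing, noted for a follow-up. The `inputs:` and `jobs:` mappings these hunks edit continue outside them.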
@@ -54,7 +54,7 @@ jobs: perform-trufflehog-scan: true # trivy dependency and container scanning - perform-trivy-scan: true + # perform-trivy-scan: true # BlackDuck SAST (Polaris) and SCA scans (requires a build or download to do SAST) # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN