Add Synopsys Intelligent Security Scan workflow #5
Lawrence Lucas Large (LukeLarge) wants to merge 1 commit into develop from
Conversation
Pull request overview
This PR adds a new GitHub Actions workflow for Synopsys Intelligent Security Scan, which provides automated security scanning capabilities including Static Application Security Testing (SAST) with Polaris and Software Composition Analysis (SCA) with Black Duck.
- Implements a scheduled security scan workflow that runs on push/PR to the develop branch and weekly via cron
- Integrates Synopsys Intelligent Security Scan with conditional SAST and SCA scanning
- Uploads security scan results in SARIF format to GitHub Security tab
| --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} | ||
| --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} |
Placeholder values {{PROJECT_NAME}} and {{PROJECT_VERSION}} need to be replaced with actual values. These templates are not valid GitHub Actions syntax and will be passed as literal strings to the workflow arguments.
| --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} | |
| --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} | |
| --polaris.project.name=${{ github.event.repository.name }} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} | |
| --blackduck.project.name=${{ github.event.repository.name }}:${{ github.ref_name }} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} |
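Review bot: the suggested `--blackduck.project.name=${{ github.event.repository.name }}:${{ github.ref_name }}` ties the Black Duck version to the triggering ref, and on a `pull_request` event `github.ref_name` is `<number>/merge` rather than a branch name, so every PR run files results under a throwaway version while the push and weekly cron runs on `develop` land in a different one; pin an explicit version (a release tag or a `github.sha` prefix) that is the same across all three triggers. Both expressions are also dropped unquoted into a space-separated argument string, so a branch name containing a space or shell metacharacters would split or corrupt the argument list; prefer values the workflow controls over raw ref names.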
| export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} | ||
| export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} |
Inconsistent spacing in secret references. Lines 46-47 have a space before the closing braces (POLARIS_SERVER_URL}} and POLARIS_ACCESS_TOKEN}}), while other secret references in the file don't have this spacing (e.g., line 48 uses secrets.POLARIS_SERVER_URL}}). This inconsistency should be fixed for maintainability.
| export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} | |
| export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} | |
| export POLARIS_SERVER_URL=${{secrets.POLARIS_SERVER_URL}} | |
| export POLARIS_ACCESS_TOKEN=${{secrets.POLARIS_ACCESS_TOKEN}} |
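Review bot: rather than normalising the spacing, take the secrets out of the script text altogether: a `${{ secrets.* }}` expression inside `run:` is substituted into the shell script before it executes, so the token becomes part of the script source instead of a runtime variable, and the `export` lines then re-export a value the shell already has. Declare them in the step's `env:` block (`POLARIS_SERVER_URL: ${{ secrets.POLARIS_SERVER_URL }}`, `POLARIS_ACCESS_TOKEN: ${{ secrets.POLARIS_ACCESS_TOKEN }}`) and reference `"$POLARIS_SERVER_URL"` in the script; that drops the two `export` lines, makes quoting explicit, and is the pattern GitHub documents for using expressions in scripts.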
| export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} | ||
| export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} | ||
| wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip |
Inconsistent spacing in secret reference. Line 48 has a space before the closing brace (POLARIS_SERVER_URL}}), while the same secret reference on line 46 also has this issue. This should be consistent with other secret references in the file (e.g., line 34).
| export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} | |
| export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} | |
| wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip | |
| export POLARIS_SERVER_URL=${{secrets.POLARIS_SERVER_URL}} | |
| export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} | |
| wget -q ${{secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip |
| if: ${{steps.prescription.outputs.scaScan == 'true' }} | ||
| uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 | ||
| with: | ||
| args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' |
Inconsistent spacing in secret references. Line 58 has spaces before the closing braces in both BLACKDUCK_URL}} and BLACKDUCK_TOKEN}}, which is inconsistent with other secret references in the file.
| args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' | |
| args: '--blackduck.url="${{secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' |
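Review bot: pinning `blackducksoftware/github-action` to a full commit SHA is the right call; add the release tag it corresponds to as a trailing comment on that line so a reviewer (and dependency-update tooling) can tell what the hash is without resolving it. Separately, `--blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN }}"` in `args:` puts the token on the action's command line, where it is visible to any process on the runner that can read the argument list; check whether the action accepts the token through the environment and, if so, pass it that way and keep `args:` for the non-secret `--detect.tools` setting.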
| additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} | ||
| --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} | ||
| --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} |
The additionalWorkflowArgs value spans multiple lines (68-69) without proper YAML multi-line syntax. This should use proper YAML multi-line string syntax (e.g., >- or |) to ensure the arguments are correctly interpreted as a single string value.
| additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} | |
| --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} | |
| --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} | |
| additionalWorkflowArgs: >- | |
| --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} | |
| --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} | |
| --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} |
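Review bot: the `>-` form in the suggestion is the clearer way to write this, but the original is not invalid YAML: a plain scalar may continue on following lines as long as they are indented more than the key, and the line breaks fold to single spaces, so both forms parse to the same one-line string. What the suggestion leaves in place is the real defect: the third and fourth lines of the suggested block still carry the literal `{{PROJECT_NAME}}` and `{{PROJECT_VERSION}}` placeholders flagged on the earlier thread, so the project name sent to Polaris and Black Duck would still be the placeholder text. Fix both in the same change.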
| run: | | ||
| export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} | ||
| export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} | ||
| wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip | ||
| unzip -j polaris_cli-linux64.zip -d /tmp | ||
| /tmp/polaris analyze -w |
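Review bot: beyond the missing error handling, this step executes `polaris_cli-linux64.zip` contents with no integrity check and unpacks them into the shared `/tmp` rather than the job-private `$RUNNER_TEMP`. Start the script with `set -euo pipefail` so a failed `wget` or `unzip` stops the job instead of leaving `/tmp/polaris analyze -w` to fail on a missing or stale binary, quote the URL (`wget -q "$POLARIS_SERVER_URL/api/tools/polaris_cli-linux64.zip"`), compare the archive's SHA-256 against a digest pinned in the repository before `unzip -j`, and extract into `"$RUNNER_TEMP"` so nothing else on the runner can swap the binary between extraction and execution.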
Missing error handling for the wget and unzip commands. If either command fails (e.g., network issues, invalid URL, corrupted zip file), the workflow will continue to the next command which could lead to unclear failures. Consider adding error handling or using set -e to fail fast on errors.
Copilot open a new pull request to apply changes based on this feedback

Lawrence Lucas Large (@LukeLarge) I've opened a new pull request, #8, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot open a new pull request to apply changes based on the comments in this thread

Lawrence Lucas Large (@LukeLarge) I've opened a new pull request, #9, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot open a new pull request to apply changes based on the comments in this thread

Lawrence Lucas Large (@LukeLarge) I've opened a new pull request, #10, to work on those changes. Once the pull request is ready, I'll request review from you.
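As an added example for the `run:` step reviewed in this thread (not code from this PR, from Synopsys, or from GitHub), this is the shape a download-verify-execute script takes when the points above are applied: the server URL and token are expected to arrive through the step's `env:` block rather than inline `${{ secrets.* }}` expressions, the archive's SHA-256 is compared against a digest the workflow owner pins in the repository before anything is extracted, and extraction goes to `$RUNNER_TEMP` (with a `mktemp` fallback so the script also runs outside a hosted runner). The digest, URL and environment variable names are assumptions for illustration; `sha256sum`, `wget` and `unzip` are assumed to be on the runner.

```shell
#!/usr/bin/env bash
# Added example: download, verify, then run a CLI fetched inside a workflow step.
# Fail fast: any failed command, unset variable or failed pipeline stops the job.
set -euo pipefail

# Compare a file's SHA-256 against an expected hex digest.
# Returns 0 on match, 1 on mismatch (no output either way).
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256sum "$file" | awk '{print $1}')"
  [ "$actual" = "$expected" ]
}

# Download $1 to $2. Quoting the URL keeps a server URL with unusual characters
# from being word-split; --https-only refuses a plain-http redirect.
# POLARIS_SERVER_URL is assumed to be set in the step's env: block (not inline).
fetch_cli() {
  local url="$1" dest="$2"
  wget -q --https-only -O "$dest" "$url"
}

# Extract the archive into a job-private directory only if its digest matches.
# Prints the directory the CLI was extracted into; returns 1 and extracts
# nothing when the digest does not match (the mismatch is reported on stderr).
install_cli() {
  local zip="$1" expected="$2" workdir="${RUNNER_TEMP:-$(mktemp -d)}"
  if ! verify_sha256 "$zip" "$expected"; then
    echo "digest mismatch for $zip; refusing to extract" >&2
    return 1
  fi
  unzip -qj "$zip" -d "$workdir"
  echo "$workdir"
}

# Typical use inside the step (assumed names; the digest is a placeholder the
# workflow owner pins once and updates deliberately when the CLI is upgraded):
#   archive="${RUNNER_TEMP:-/tmp}/polaris_cli-linux64.zip"
#   fetch_cli "$POLARIS_SERVER_URL/api/tools/polaris_cli-linux64.zip" "$archive"
#   dir="$(install_cli "$archive" "$POLARIS_CLI_SHA256")"
#   "$dir/polaris" analyze -w
```

The digest check runs before `unzip`, so a tampered or truncated archive never reaches the filesystem in extracted form, and `set -euo pipefail` means a `wget` that cannot reach the server fails the step at that line rather than three commands later.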