From 19789d166972e7694a2477bcbbc32927069099e2 Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Fri, 7 Nov 2025 11:11:27 -0800
Subject: [PATCH 01/12] creating our own branch and adding 2 new detection items to it.

Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 2736c91..ac17a7c 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -56,6 +56,16 @@ on:
 required: false
 type: string
 default: '1.0.0'
+ detect-policy-check-fail-on-severities:
+ description: 'Detect policy check on failure of prior steps, prevents an upload of SBOM or BlackDuck SCA scan if prior steps failed'
+ required: false
+ type: string
+ default: 'ALL'
+ blackduck-break-build:
+ description: 'Break the build if BlackDuck SCA scan finds new high or critical vulnerabilities'
+ required: false
+ type: boolean
+ default: true
 detect-version-source-type: # options include "none" (do not detect), "file", "github-tag" or "github-release"
 description: 'flag to determine how to detect version dynamically'
 required: false
From 1ea2311f3325a030da020caa4c13e26797557fce Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Fri, 7 Nov 2025 12:13:38 -0800
Subject: [PATCH 02/12] created our own branch in commmon-worflows and adding new items from it.

Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index ac17a7c..d295bce 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
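Review bot: `blackduck-break-build` defaults to `true` but nothing in this series can act on it: the input is declared in `ci-main-pull-request.yml`, is never forwarded through the `generate-sbom` job's `with:` nor declared in `sbom.yml`, and the scan step there (visible in patch 04) runs with `continue-on-error: true`, which swallows exactly the failure this flag is meant to surface. If the intent is a real gate, make the step's tolerance follow the input once it reaches `sbom.yml`, e.g. `continue-on-error: ${{ !inputs.blackduck-break-build }}`. The description of `detect-policy-check-fail-on-severities` does not match its name or its `'ALL'` default: the name appears to mirror Detect's `detect.policy.check.fail.on.severities` property, a comma-separated list of policy severities, whereas the text talks about prior-step failures; suggest `description: 'Policy severities (comma-separated, e.g. CRITICAL,BLOCKER, or ALL) on which the Detect policy check fails the scan'`. The enclosing `on.workflow_call.inputs` mapping starts and ends outside the hunk.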
@@ -66,6 +66,11 @@ on:
 required: false
 type: boolean
 default: true
+ blackduck-bridge-break:
+ description: 'Break the build if BlackDuck SCA scan finds new bridge vulnerabilities'
+ required: false
+ type: boolean
+ default: true
 detect-version-source-type: # options include "none" (do not detect), "file", "github-tag" or "github-release"
 description: 'flag to determine how to detect version dynamically'
 required: false
From 73c1b2971052231f7cbe3ff9dfaf6ea292a7a8aa Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Fri, 7 Nov 2025 12:32:13 -0800
Subject: [PATCH 03/12] created our own branch in commmon-worflows and adding new items from it.

Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index d295bce..66d8fe2 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -66,7 +66,7 @@ on:
 required: false
 type: boolean
 default: true
- blackduck-bridge-break:
+ bridge-break:
 description: 'Break the build if BlackDuck SCA scan finds new bridge vulnerabilities'
 required: false
 type: boolean
From 52a9af9b7e96a3c145755f89db549c3d9ac884f3 Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Tue, 9 Dec 2025 09:21:49 -0800
Subject: [PATCH 04/12] updating security scan version

Signed-off-by: John McCrae
---
 .github/workflows/sbom.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 3ba50d1..661d9d1 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
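Review bot: The description of `blackduck-bridge-break`, "finds new bridge vulnerabilities", does not name a condition the scan can actually report — Bridge is presumably the CLI that the `black-duck-security-scan` action drives, not a class of finding — so a caller cannot tell how this flag differs from `blackduck-break-build` added in the previous patch (its `type: boolean` / `default: true` lines are the context directly above). State the exact failure condition, e.g. `description: 'Fail the workflow when the Black Duck Bridge scan step itself exits non-zero (tool error or policy failure)'`, or fold it into `blackduck-break-build` if both gate the same outcome. As with its sibling, the input is not forwarded to `sbom.yml` anywhere in this series, so the `true` default is inert until it is wired through. The enclosing inputs mapping continues outside the hunk.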
@@ -202,7 +202,7 @@ jobs:
 # echo "BLACKDUCK_SBOM_API_KEY: ${{ secrets.BLACKDUCK_SBOM_API_KEY }}" no longer used, see BLACKDUCK_SCA_TOKEN
 - name: BlackDuck SBOM scan
- uses: blackduck-inc/black-duck-security-scan@v2.1.1
+ uses: blackduck-inc/black-duck-security-scan@v2.6.0
 continue-on-error: true # Allow pipeline to continue even with policy violations
 env:
 GOPRIVATE: ${{ inputs.go-private-modules }}
From 88f6d078a5e9f9333a649dc8b3105a8c42c9afe1 Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Tue, 9 Dec 2025 09:33:10 -0800
Subject: [PATCH 05/12] updating security scan version

Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 66d8fe2..d17ad8a 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -71,6 +71,11 @@ on:
 required: false
 type: boolean
 default: true
+ detect-blackduck-scan-mode:
+ description: 'Mode for BlackDuck SCA scan detection - options include RAPID,STATELESS,INTELLIGENT'
+ required: false
+ type: string
+ default: 'INTELLIGENT'
 detect-version-source-type: # options include "none" (do not detect), "file", "github-tag" or "github-release"
 description: 'flag to determine how to detect version dynamically'
 required: false
From 5c909c01a4a153e2387539aac444a2b289b143eb Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Tue, 9 Dec 2025 10:01:55 -0800
Subject: [PATCH 06/12] updating security scan version

Signed-off-by: John McCrae
---
 .github/workflows/stubs/ci-main-pull-request-stub.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/stubs/ci-main-pull-request-stub.yml b/.github/workflows/stubs/ci-main-pull-request-stub.yml
index c92e8c0..6626b2b 100644
--- a/.github/workflows/stubs/ci-main-pull-request-stub.yml
+++ b/.github/workflows/stubs/ci-main-pull-request-stub.yml
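Review bot: `detect-blackduck-scan-mode` is a free-form `string` whose description promises three values (RAPID, STATELESS, INTELLIGENT), but `workflow_call` inputs have no `choice` type, so a typo or an unexpected value passes straight through to whatever consumes it. Add a guard step in the consuming job, e.g. `if: ${{ !contains(fromJSON('["RAPID","STATELESS","INTELLIGENT"]'), inputs.detect-blackduck-scan-mode) }}` with a `run:` that prints an `::error::` line and exits 1, so a bad value fails loudly instead of silently falling back to the scanner's default. Note also that within this series the input is forwarded to `sbom.yml` in patch 08 and removed again in patch 09, so as the series stands it is declared but never consumed. The enclosing inputs mapping continues outside the hunk.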
@@ -29,7 +29,7 @@ jobs:
 echo "CI main pull request stub version $STUB_VERSION"
 call-ci-main-pr-check-pipeline:
- uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
+ uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@chef-19
 secrets: inherit
 permissions:
 id-token: write
From 3d4b7fc38e91376aa0a563ab61fbfc17bbc25ee9 Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 09:34:33 -0800
Subject: [PATCH 07/12] tweaking the sbom.yml file

Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index d17ad8a..5b30d9f 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -948,7 +948,7 @@ jobs:
 generate-sbom:
 name: 'Generating SBOM'
 if: ${{ inputs.generate-sbom == true }}
- uses: chef/common-github-actions/.github/workflows/sbom.yml@main
+ uses: chef/common-github-actions/.github/workflows/sbom.yml@chef-19
 needs: ci-build
 secrets: inherit
 with:
From a030e05b5a1b3cf274c9324a17d15c3081e0bf2d Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 09:45:15 -0800
Subject: [PATCH 08/12] tweaking the sbom.yml file

Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 5b30d9f..ebe1e3f 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -961,6 +961,7 @@ jobs:
 generate-msft-sbom: ${{ inputs.generate-msft-sbom }}
 license_scout: ${{ inputs.license_scout }}
 go-private-modules: ${{ inputs.go-private-modules }}
+ detect-blackduck-scan-mode: ${{ inputs.detect-blackduck-scan-mode }}
 quality-dashboard:
 name: 'Reporting to quality dashboard'
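Review bot: Forwarding `detect-blackduck-scan-mode` to the reusable workflow only works if `sbom.yml` declares it under `on.workflow_call.inputs`; the only `sbom.yml` change in this series (patch 04) bumps the action version and adds no input, so the call would be rejected for an undefined input, which is presumably why patch 09 backs this line out a minute later. The fix belongs in `sbom.yml` rather than in reverting here: declare `detect-blackduck-scan-mode` there with the same `type` and `default` as the caller and pass it to the scan step, otherwise the caller-side input is dead and a consumer selecting RAPID silently gets the scanner's default mode. The `generate-sbom` job's `with:` mapping starts outside the hunk.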
From accbf5a5e877d9cb07ed8c566fa85b3ff278ae2e Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 09:47:09 -0800
Subject: [PATCH 09/12] tweaking the sbom.yml file

Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index ebe1e3f..5b30d9f 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -961,7 +961,6 @@ jobs:
 generate-msft-sbom: ${{ inputs.generate-msft-sbom }}
 license_scout: ${{ inputs.license_scout }}
 go-private-modules: ${{ inputs.go-private-modules }}
- detect-blackduck-scan-mode: ${{ inputs.detect-blackduck-scan-mode }}
 quality-dashboard:
 name: 'Reporting to quality dashboard'
From fa1fdc394d876de8246ab0f557b44291134a47d7 Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 12:47:10 -0800
Subject: [PATCH 10/12] tweaking the sbom.yml file

Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 5b30d9f..4683705 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -76,6 +76,11 @@ on:
 required: false
 type: string
 default: 'INTELLIGENT'
+ blackducksca_scan_full:
+ description: 'Scan Mode. (true for intelligent scan & false for rapid scan)'
+ required: false
+ type: boolean
+ default: false
 detect-version-source-type: # options include "none" (do not detect), "file", "github-tag" or "github-release"
 description: 'flag to determine how to detect version dynamically'
 required: false
From bcc0a68a9490bbf02cd62059216e09dc534a65fb Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 12:56:37 -0800
Subject: [PATCH 11/12] tweaking the sbom.yml file
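Review bot: `blackducksca_scan_full` overlaps with `detect-blackduck-scan-mode` (the `default: 'INTELLIGENT'` context line directly above it belongs to that input, added in patch 05) and their defaults disagree: the mode string defaults to INTELLIGENT while this boolean defaults to `false`, which its own description says means a rapid scan, so whichever one the scan step ends up consuming decides the effective default and a caller setting only the other gets no effect. Keep one source of truth — either drop the string input, or derive this value at the call site with `blackducksca_scan_full: ${{ inputs.detect-blackduck-scan-mode == 'INTELLIGENT' }}` instead of declaring a second input. The snake_case name, presumably kept to match the scan action's own input name, is the only non-kebab-case key in this inputs mapping (patches 11 and 12 flip it back and forth), so a one-line comment above it such as `# snake_case on purpose: mirrors the black-duck-security-scan input name` would save the next rename. The enclosing inputs mapping continues outside the hunk.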
Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 4683705..3fad394 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -76,7 +76,7 @@ on:
 required: false
 type: string
 default: 'INTELLIGENT'
- blackducksca_scan_full:
+ blackducksca-scan-full:
 description: 'Scan Mode. (true for intelligent scan & false for rapid scan)'
 required: false
 type: boolean
From 08aa16a4f2787a81b431d08fdbb38bb08e967fac Mon Sep 17 00:00:00 2001
From: John McCrae
Date: Wed, 10 Dec 2025 13:13:54 -0800
Subject: [PATCH 12/12] tweaking the sbom.yml file

Signed-off-by: John McCrae
---
 .github/workflows/ci-main-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 18d6c8a..4451aa2 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -76,7 +76,7 @@ on:
 required: false
 type: string
 default: 'INTELLIGENT'
- blackducksca-scan-full:
+ blackducksca_scan_full:
 description: 'Scan Mode. (true for intelligent scan & false for rapid scan)'
 required: false
 type: boolean