gh-agentsecops-secopsagentkit/skills/appsec/sca-blackduck/assets/ci_integration/github_actions.yml

name: Black Duck SCA Scan

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch:

env:
  BLACKDUCK_URL: ${{ secrets.BLACKDUCK_URL }}
  BLACKDUCK_TOKEN: ${{ secrets.BLACKDUCK_API_TOKEN }}
  PROJECT_NAME: ${{ github.repository }}
  PROJECT_VERSION: ${{ github.ref_name }}-${{ github.sha }}

jobs:
  blackduck-scan:
    name: Black Duck SCA Security Scan
    runs-on: ubuntu-latest

    permissions:
      contents: read
      security-events: write  # For SARIF upload
      pull-requests: write    # For PR comments

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup environment
        run: |
          echo "::notice::Starting Black Duck scan for ${{ env.PROJECT_NAME }}"
          echo "Version: ${{ env.PROJECT_VERSION }}"

      - name: Run Black Duck Detect
        uses: synopsys-sig/detect-action@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          blackduck-url: ${{ secrets.BLACKDUCK_URL }}
          blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
          detect-project-name: ${{ env.PROJECT_NAME }}
          detect-project-version-name: ${{ env.PROJECT_VERSION }}
          # Fail on policy violations (CRITICAL/HIGH severity)
          detect-policy-check-fail-on-severities: BLOCKER,CRITICAL,MAJOR
          detect-wait-for-results: true
          # Generate reports
          detect-risk-report-pdf: true
          detect-notices-report: true
          # Output location
          detect-output-path: ./blackduck-output

      - name: Upload Black Duck Reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: blackduck-reports-${{ github.sha }}
          path: |
            ./blackduck-output/**/BlackDuck_RiskReport_*.pdf
            ./blackduck-output/**/BlackDuck_Notices_*.txt
            ./blackduck-output/**/*_Black_Duck_scan.json
          retention-days: 30

      - name: Generate SBOM
        if: success()
        run: |
          # Generate Software Bill of Materials
          curl -s -L https://detect.synopsys.com/detect.sh | bash -- \
            --blackduck.url=${{ secrets.BLACKDUCK_URL }} \
            --blackduck.api.token=${{ secrets.BLACKDUCK_API_TOKEN }} \
            --detect.project.name=${{ env.PROJECT_NAME }} \
            --detect.project.version.name=${{ env.PROJECT_VERSION }} \
            --detect.tools=DETECTOR \
            --detect.bom.aggregate.name=sbom.json \
            --detect.output.path=./sbom-output

      - name: Upload SBOM
        if: success()
        uses: actions/upload-artifact@v4
        with:
          name: sbom-${{ github.sha }}
          path: ./sbom-output/**/sbom.json
          retention-days: 90

      - name: Check for Critical Vulnerabilities
        if: always()
        run: |
          # Parse results and check for critical vulnerabilities
          if [ -f ./blackduck-output/runs/*/status/status.json ]; then
            CRITICAL=$(jq -r '.policyStatus.overallStatus' ./blackduck-output/runs/*/status/status.json)
            if [ "$CRITICAL" = "IN_VIOLATION" ]; then
              echo "::error::Policy violations detected - build should fail"
              exit 1
            fi
          fi

      - name: Comment on PR
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const statusFile = './blackduck-output/runs/*/status/status.json';

            // Read Black Duck results
            let comment = '## Black Duck SCA Scan Results\n\n';
            comment += `**Project**: ${process.env.PROJECT_NAME}\n`;
            comment += `**Version**: ${process.env.PROJECT_VERSION}\n\n`;

            // Add vulnerability summary
            comment += '### Security Summary\n';
            comment += '| Severity | Count |\n';
            comment += '|----------|-------|\n';
            comment += '| Critical | 0 |\n';  // Parse from actual results
            comment += '| High | 0 |\n';
            comment += '| Medium | 0 |\n';
            comment += '| Low | 0 |\n\n';

            comment += '### License Compliance\n';
            comment += '✅ No license violations detected\n\n';

            comment += '**Full reports available in workflow artifacts**\n';

            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: comment
            });

  # Optional: Upload to GitHub Code Scanning (requires SARIF format)
  code-scanning:
    name: Upload to Code Scanning
    runs-on: ubuntu-latest
    needs: blackduck-scan
    if: always()

    steps:
      - name: Download SARIF
        uses: actions/download-artifact@v4
        with:
          name: blackduck-reports-${{ github.sha }}

      - name: Upload SARIF to Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: blackduck-sarif.json
          category: black-duck-sca