Live, executable samples using the Black Duck Security Scan Action with Black Duck SCA
| How To? | Details | Workflow | Results | Status |
|---|---|---|---|---|
| Scan repository with build as a pre-step (Recommended) | Recommended method: build the project before scanning so that the SCA analysis runs against resolved dependencies and built artifacts, which gives the most complete vulnerability detection | Workflow | Results | |
| Scan repository in an environment where build is not an option | Less accurate than scanning after a build, because the scanner has no build output to inspect; use it only when the repository cannot be built | Workflow | Results | |
| PR Comments | For each new vulnerable component a developer introduces with their changes, the integration can add a comment to the pull request, so the developer can view, understand and fix the issue before merging. Expected result: FAIL | Workflow | Results | |
| Create Automatic Fix PRs | The fix PR feature automatically opens pull requests for vulnerable components found in the scan. This sample shows how to configure it | Workflow | Results | |
| Generate SARIF Reports | This sample shows how to create a SARIF file for the SCA issues found in the scan | Workflow | Results | |
| Import issues into GitHub Advanced Security | This sample shows how to post the SCA issues found in the scan to the Code Scanning tab in GitHub Advanced Security | Workflow | Results | |
| Build Break | Whether policy violations break the build is configurable. This sample shows how to configure the build break options. Expected result: FAIL | Workflow | Results | |
| Passing Detect tool arguments to Black Duck SCA scans | To use advanced SCA features you pass options through to Detect. This sample shows how to configure Detect options | Workflow | Results | |
| Run scans asynchronously to avoid holding up the pipeline during scanning | By default the pipeline waits until the scan finishes. The workflow can instead return immediately after kicking off the scan. Note that post-scan options are not triggered when you choose not to wait for the scan to finish | Workflow | Results | |
| Simplified workflow using default configurations for beginners | Basic workflow demonstrating all Black Duck SCA features with default configurations. Ideal for beginners who want to explore the features quickly | Workflow | Results | |
| Detailed workflow with full configurations for advanced users | Comprehensive workflow demonstrating all Black Duck SCA capabilities with full configurations. Ideal for advanced users who need granular control and customization | Workflow | Results | |
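Each row above links to its own sample. The workflow below is an added, combined example written for this page, not one of the repository's samples: it wires the recommended build pre-step together with PR comments, automatic fix PRs, SARIF generation and upload, build break severities and Detect arguments in a single job, and shows (as a comment) the asynchronous switch and what it disables. Input names follow the blackduck-inc/black-duck-security-scan v2 documentation as the editor recalls it and should be checked against the README of the action version you pin; the Maven build step, the SARIF output path and the Detect project/version properties are placeholders chosen for illustration.

```yaml
name: Black Duck SCA (added example, not a repo sample)

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Least privilege for GITHUB_TOKEN: each scope maps to one post-scan feature.
permissions:
  contents: write          # fix PRs push a branch with the upgraded component
  pull-requests: write     # PR comments and fix PR creation
  security-events: write   # SARIF upload to the Code Scanning tab

jobs:
  black-duck-sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build pre-step (assumed Maven project; substitute your own build).
      # Resolving dependencies here is what makes the SCA results complete.
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - run: mvn -B -DskipTests package

      - name: Black Duck SCA scan
        uses: blackduck-inc/black-duck-security-scan@v2
        with:
          blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
          blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}

          # Full (intelligent) scan on push to main, rapid scan on pull requests.
          blackducksca_scan_full: ${{ github.event_name != 'pull_request' }}

          # Build break: only BLOCKER and CRITICAL policy violations fail the job.
          blackducksca_scan_failure_severities: 'BLOCKER,CRITICAL'

          # PR comments and automatic fix PRs; both need github_token below.
          blackducksca_prComment_enabled: true
          blackducksca_fixpr_enabled: true

          # SARIF report, written to the workspace and uploaded to Code Scanning.
          # The path is an assumed example location.
          blackducksca_reports_sarif_create: true
          blackducksca_reports_sarif_file_path: ${{ github.workspace }}/blackduck-sarif/report.sarif.json
          blackducksca_upload_sarif_report: true

          # Detect arguments passed straight through to Detect
          # (project name/version derived from the repository; assumed example).
          detect_args: '--detect.project.name=${{ github.event.repository.name }} --detect.project.version.name=${{ github.ref_name }}'

          # Asynchronous alternative: uncomment to return as soon as the scan is
          # kicked off. Post-scan options then do not run, so the PR comment,
          # fix PR, SARIF and build break settings above would have no effect.
          # blackducksca_waitForScan: false

          github_token: ${{ secrets.GITHUB_TOKEN }}
```

Store the Black Duck URL as a repository variable and the API token only as a secret; the scan step never needs the token in a `run:` line, so it does not appear in logs. If you enable the asynchronous option, drop the three `permissions` scopes as well, since nothing in the job will use them.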
Using the Black Duck Security Scan Action with Black Duck SCA Documentation