
...

Sample build specification YAML step for Black Duck:
- name: 'gcr.io/cloud-marketplace/blackduck-devpublic/googlesynopsys-cloudbuild-scanner'
  secretEnv: ['BD_TOKEN']
  args:
  - '--blackduck.url'
  - '<<Black Duck URL>>'
  - '--blackduck.api.token'
  - '$$BD_TOKEN'
  - '--blackduck.trust.cert'
  - 'true'
  - '--detect.project.name'
  - 'ducky-crm-gcloud'
  - '--detect.project.version.name'
  - 'source'
  - '--detect.tools'
  - 'SIGNATURE_SCAN'
  - '--detect.source.path'
  - '/workspace'

secrets:
- kmsKeyName: projects/[PROJECT_ID]/locations/[Location]/keyRings/[Keyring name]/cryptoKeys/[Key name]
  secretEnv:
    BD_TOKEN: <base64-encoded encrypted Blackduck Token from previous step>

...

Google's infrastructure cannot read an environment variable in the value of the kmsKeyName field, so you must provide the hard-coded project ID in that field.
For this reason, the build specification YAML example above does not use $PROJECT_ID in the kmsKeyName field; a hard-coded value is required.

Note: If your instance of Black Duck uses a self-signed certificate, ensure that you include the --blackduck.trust.cert argument in the args section of the YAML/JSON file that invokes the Cloud Build scanner. This allows the scanner to connect to a Black Duck instance whose certificate is not signed by a trusted third party. Refer to the build spec file example.


Caution: Build errors might occur when the --detect.tools argument and value are not included in the list of arguments.
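The following pre-submit linter is an added example, not code from the page, Synopsys or Google. It checks the constraints described above (hard-coded kmsKeyName, a defined secretEnv for the token, the --detect.tools argument, and --blackduck.trust.cert for self-signed servers) against a constructed build configuration; the configuration is modelled as the Python dict a YAML loader would produce, and the Black Duck URL, project and key names are placeholders.

```python
import re

# Constructed sample mirroring the page's YAML step; URL, project and key names are placeholders.
SAMPLE_CONFIG = {
    "steps": [{
        "name": "gcr.io/cloud-marketplace/blackduck-devpublic/googlesynopsys-cloudbuild-scanner",
        "secretEnv": ["BD_TOKEN"],
        "args": ["--blackduck.url", "https://blackduck.example.invalid",
                 "--blackduck.api.token", "$$BD_TOKEN",
                 "--blackduck.trust.cert", "true",
                 "--detect.project.name", "ducky-crm-gcloud",
                 "--detect.project.version.name", "source",
                 "--detect.tools", "SIGNATURE_SCAN",
                 "--detect.source.path", "/workspace"],
    }],
    "secrets": [{
        "kmsKeyName": "projects/my-project/locations/global/keyRings/bd-ring/cryptoKeys/bd-key",
        "secretEnv": {"BD_TOKEN": "<placeholder base64 ciphertext>"},
    }],
}

# Matches Cloud Build substitutions such as $PROJECT_ID or ${PROJECT_ID}.
SUBSTITUTION = re.compile(r"\$\{?[A-Z_][A-Z0-9_]*\}?")


def parse_args(args):
    """Fold the flat ['--flag', 'value', ...] list the scanner expects into a dict."""
    return {args[i]: args[i + 1] for i in range(0, len(args) - 1, 2)}


def lint_config(config, self_signed=False):
    """Return findings for the scanner step; an empty list means the config passes."""
    findings, defined = [], set()
    for secret in config.get("secrets", []):
        if SUBSTITUTION.search(secret.get("kmsKeyName", "")):
            findings.append("kmsKeyName uses a substitution; Cloud Build needs a hard-coded project ID here")
        defined.update(secret.get("secretEnv", {}))
    for step in config.get("steps", []):
        if "cloudbuild-scanner" not in step.get("name", ""):
            continue  # only the Black Duck scanner step is checked
        findings += [f"step uses secretEnv {e} that no secrets entry defines"
                     for e in step.get("secretEnv", []) if e not in defined]
        opts = parse_args(step.get("args", []))
        if "--detect.tools" not in opts:
            findings.append("--detect.tools is missing; the build may error without it")
        if self_signed and opts.get("--blackduck.trust.cert") != "true":
            findings.append("self-signed Black Duck instance but --blackduck.trust.cert is not 'true'")
        if not opts.get("--blackduck.api.token", "$$").startswith("$$"):
            findings.append("--blackduck.api.token is a literal, not a $$SECRET_ENV reference")
    return findings


if __name__ == "__main__":
    print(lint_config(SAMPLE_CONFIG, self_signed=True) or "config passes")
```

Run it against the real cloudbuild.yaml by loading the file with a YAML parser and passing the resulting dict to lint_config before calling gcloud builds submit.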

...

As an alternative to invoking Google Cloud Build from a build-management system such as Jenkins, you can invoke the build process with Google Container Registry's build triggers. A build trigger instructs Google Cloud Build to build your image automatically whenever changes are pushed to the build source from any repository, including a cloud storage bucket. See Google's documentation on build triggers for details.

Note: To use Build Triggers, your repository must contain build configuration information in a cloudbuild.yaml file.

Submitting a build request using gcloud and verifying the results

...

gcloud builds submit --config cloudbuild.yaml .

In this example, cloudbuild.yaml is the build configuration file. You must run this command from the source code home directory where the build specification file lives. After a successful run, a message similar to the following example is displayed:

You should now be able to see the scan results in Black Duck.

...