...

The Black Duck integration with Google Cloud Build uses a special Docker image that contains Synopsys Detect and is publicly available in the Google Container Registry. To invoke Synopsys Detect in Google Cloud Build, modify your Google Cloud Build JSON/YAML build configuration so that Synopsys Detect runs as a custom post-build step. To maximize security, Synopsys recommends protecting your Black Duck credentials with Google's Key Management Service (KMS) rather than placing them in the build configuration in clear text.

...

Google's infrastructure does not expand an environment variable or substitution in the value of the kmsKeyName field. Therefore, you must provide the hard-coded project ID in the kmsKeyName field.
In the build specification YAML file example, $PROJECT_ID is not used in the kmsKeyName field because a hard-coded value is required there.

Note: If your instance of Black Duck uses a self-signed certificate, ensure that you include the --blackduck.trust.cert argument in the args section of the YAML/JSON file that invokes the Cloud Build scanner. This allows the scanner to connect to a Black Duck instance whose certificate is not signed by a trusted certificate authority. Refer to the build spec file example.

Caution: Build errors might occur when the --detect.tools argument and its value are not included in the list of arguments.
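The following cloudbuild.yaml is an added example, not the build spec file from this page or from Synopsys. The Detect image name, the KMS key path, the Black Duck URL and the ciphertext are placeholders, and it assumes that Detect reads the BLACKDUCK_API_TOKEN environment variable exposed by secretEnv and that the image's entrypoint passes args through to Detect.

```yaml
# cloudbuild.yaml (added example; image name, key path, URL and ciphertext are placeholders)
steps:
  # Normal build step: $PROJECT_ID substitution works here.
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/my-app:$BUILD_ID', '.']

  # Custom post-build step: run Synopsys Detect from its public image.
  - name: 'gcr.io/PLACEHOLDER-DETECT-IMAGE'   # replace with the Detect image for Cloud Build
    args:
      - '--blackduck.url=https://blackduck.example.com'   # placeholder Black Duck URL
      - '--detect.project.name=my-app'
      - '--detect.project.version.name=$BUILD_ID'
      - '--detect.tools=DETECTOR,SIGNATURE_SCAN'   # omitting --detect.tools can cause build errors
      - '--blackduck.trust.cert=true'              # only for a self-signed Black Duck certificate
    # The decrypted token is exposed to this step as an environment variable,
    # so it never appears in clear text in this file or in the build log.
    secretEnv: ['BLACKDUCK_API_TOKEN']

# KMS-encrypted secret. kmsKeyName must be a hard-coded resource path:
# $PROJECT_ID is NOT substituted here, so write the literal project ID.
secrets:
  - kmsKeyName: 'projects/my-gcp-project-123/locations/global/keyRings/blackduck/cryptoKeys/detect'
    secretEnv:
      # base64 of the ciphertext produced by: gcloud kms encrypt ... | base64
      BLACKDUCK_API_TOKEN: 'CiQA...placeholder-base64-ciphertext...'
```

The Cloud Build service account needs the Cloud KMS CryptoKey Decrypter role on the key, otherwise the secret cannot be decrypted and the scan step fails before contacting Black Duck.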

...

As an alternative to invoking Google Cloud Build from a build-management system such as Jenkins, you can invoke the build process with Google Container Registry's build triggers. You can easily create a build trigger that instructs Google Cloud Build to automatically build your image whenever changes are pushed to the build source from any repository, including a cloud storage bucket. Click here for documentation about Google's Build Trigger functionality.

Note: To use Build Triggers, your repository must contain build configuration information in a cloudbuild.yaml file.

Submitting a build request using gcloud and verifying the results

...

    gcloud builds submit --config cloudbuild.yaml .

In this example, cloudbuild.yaml is the build configuration file. You must run this command from the source code home directory, where the build specification file lives. After a successful run, a message similar to the following example is displayed:

You should now be able to see the scan results in Black Duck.

...

If you're using Google Cloud Binary Authorization and you want to create an attestation from the result of the Black Duck scan, click here for instructions.