Introduction
...
- Create a KeyRing and a CryptoKey in the Encryption keys section of IAM.
- Grant access to the KeyRing and CryptoKey just created. Adding the allAuthenticatedUsers member with the Owner role to the CryptoKey permissions works, but it lets any Google account anywhere use and administer the key. Prefer granting only the identity that performs the decryption during the build, the Cloud Build service account ([PROJECT_NUMBER]@cloudbuild.gserviceaccount.com), the roles/cloudkms.cryptoKeyDecrypter role on the CryptoKey, plus roles/cloudkms.cryptoKeyEncrypter for the user who runs the one-time encryption command below. For additional information about KMS permissions and roles, refer to the KMS Permissions and Roles page.
- Generate an Access Token for the Application you're scanning with.
- In Black Duck, generate it by navigating to the Profile section for your user in the top right of the screen.
- In Polaris, generate it by navigating to your user Profile in the top left of the screen.
Encrypt the token with gcloud kms encrypt, using the KeyRing and CryptoKey names created in the previous steps, as shown in the following command (the comments sit on their own lines; a `#` after a trailing backslash would swallow the rest of the command):

KMS commands

```bash
# Optional: hold the token in an environment variable (value copied from Black Duck or Polaris)
export TOKEN='<<Token from Black Duck or Polaris>>'

# Pipe the token into KMS encrypt (--plaintext-file=- reads stdin, --ciphertext-file=- writes stdout),
# then base64-encode the ciphertext so it can be pasted into the build configuration
echo -n "$TOKEN" | gcloud kms encrypt \
  --plaintext-file=- \
  --ciphertext-file=- \
  --location=global \
  --keyring=[KEYRING-NAME] \
  --key=[KEY-NAME] | base64
```
- When it runs successfully, the command in the previous step outputs a base64-encoded string.
Copy this string as a single line (GNU base64 wraps its output at 76 columns; pass `base64 -w 0` on Linux if you see line breaks) and paste it into the build configuration file under secrets > secretEnv, using the same variable name that the scan step lists in its own secretEnv.
Sample build configuration file with secrets decrypted with KMS

```yaml
steps:
- name: 'gcr.io/cloud-marketplace/blackduck-devpublic/googlesynopsys-cloudbuild-scanner'
  secretEnv: ['BD_TOKEN']
  args:
  - '--blackduck.url'
  - '<<Black Duck URL>>'            # The URL of your Black Duck instance
  - '--blackduck.api.token'
  - '$$BD_TOKEN'                    # Black Duck API token, decrypted by KMS
  - '--detect.project.name'
  - '<<Project_Name>>'              # Project name to map the scan to in the Black Duck UI
  - '--detect.project.version.name'
  - '<<Project Version>>'           # Project version to map the scan to in the Black Duck UI
  - '--detect.tools'
  - 'SIGNATURE_SCAN'                # List of scanners to run
  - '--detect.source.path'
  - '/workspace'                    # Target for the signature scan
secrets:
- kmsKeyName: projects/[PROJECT_ID]/locations/global/keyRings/[KEY_RING_NAME]/cryptoKeys/[KEY_NAME]
  secretEnv:
    BD_TOKEN: <<base64 encoded encrypted Black Duck API Token>>
```
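A check worth running before committing the file: that every secret a step lists is actually defined under `secrets`, that `kmsKeyName` is a full CryptoKey resource name, that the pasted ciphertext is valid single-line base64, and that the token is written `$$BD_TOKEN` rather than `$BD_TOKEN` (Cloud Build treats a single `$` as one of its own substitutions and rejects the build on an unknown one; `$$` yields a literal `$` that the scanner image's entrypoint expands from the decrypted environment). The following Python is an added example, not part of the original page or of the scanner image. It takes the configuration as a dict, as `yaml.safe_load` would produce from cloudbuild.yaml, and the two embedded configurations, with their project, key ring, key names and "ciphertext", are constructed placeholders.

```python
import base64
import binascii
import re

# Full CryptoKey resource name, as required by secrets[].kmsKeyName
KMS_KEY_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")
# $$NAME: a literal $NAME reaches the container, where the entrypoint expands it
ESCAPED_REF_RE = re.compile(r"\$\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
# $NAME with a single $: Cloud Build tries to substitute it itself and rejects the build
UNESCAPED_REF_RE = re.compile(r"(?<!\$)\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

# Constructed sample mirroring the page's configuration; URL, project, key names are dummies
GOOD_CONFIG = {
    "steps": [{
        "name": "gcr.io/cloud-marketplace/blackduck-devpublic/googlesynopsys-cloudbuild-scanner",
        "secretEnv": ["BD_TOKEN"],
        "args": [
            "--blackduck.url", "https://blackduck.example.internal",
            "--blackduck.api.token", "$$BD_TOKEN",
            "--detect.project.name", "demo-project",
            "--detect.project.version.name", "1.0.0",
            "--detect.tools", "SIGNATURE_SCAN",
            "--detect.source.path", "/workspace",
        ],
    }],
    "secrets": [{
        "kmsKeyName": "projects/example-project/locations/global/keyRings/build-secrets/cryptoKeys/scanner-token",
        # Stand-in for the base64 output of gcloud kms encrypt; not a real ciphertext
        "secretEnv": {"BD_TOKEN": base64.b64encode(b"not-a-real-ciphertext").decode()},
    }],
}

# Constructed sample with four mistakes this check should catch
BROKEN_CONFIG = {
    "steps": [{
        "name": "gcr.io/cloud-marketplace/blackduck-devpublic/googlesynopsys-cloudbuild-scanner",
        "secretEnv": ["BD_TOKEN", "POLARIS_TOKEN"],          # POLARIS_TOKEN is never defined
        "args": ["--blackduck.api.token", "$BD_TOKEN"],      # single $: Cloud Build substitution
    }],
    "secrets": [{
        "kmsKeyName": "projects/example-project/locations/global/keyRings/build-secrets",  # no cryptoKeys/
        "secretEnv": {"BD_TOKEN": "<<base64 encoded encrypted Black Duck API Token>>"},   # placeholder left in
    }],
}


def validate_secrets(config):
    """Return a list of problems with the secrets stanza; an empty list means it is consistent."""
    problems = []
    defined = set()
    for i, secret in enumerate(config.get("secrets") or []):
        key = secret.get("kmsKeyName", "")
        if not KMS_KEY_RE.match(key):
            problems.append(f"secrets[{i}]: kmsKeyName {key!r} is not a full CryptoKey resource name")
        for env, ciphertext in (secret.get("secretEnv") or {}).items():
            defined.add(env)
            try:
                raw = base64.b64decode(ciphertext, validate=True)
            except (binascii.Error, ValueError, TypeError):
                problems.append(f"secrets[{i}].secretEnv.{env}: value is not base64 (paste the encrypt output as one line)")
                continue
            if not raw:
                problems.append(f"secrets[{i}].secretEnv.{env}: ciphertext is empty")
    for i, step in enumerate(config.get("steps") or []):
        declared = set(step.get("secretEnv") or [])
        for env in sorted(declared - defined):
            problems.append(f"steps[{i}]: secretEnv {env!r} is not defined under secrets")
        args = [str(a) for a in (step.get("args") or [])]
        escaped = {m for a in args for m in ESCAPED_REF_RE.findall(a)}
        for env in sorted((escaped & defined) - declared):
            problems.append(f"steps[{i}]: args use $${env} but the step does not list it in secretEnv")
        unescaped = {m for a in args for m in UNESCAPED_REF_RE.findall(a)}
        for env in sorted(unescaped & defined):
            problems.append(f"steps[{i}]: ${env} must be written $${env} so Cloud Build passes it through literally")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, validate_secrets(cfg) or "OK")
```

Run it against your own file by loading it with `yaml.safe_load` and passing the resulting dict to `validate_secrets`; the check deliberately does not flag a declared secret that is absent from `args`, because the decrypted value is also exported to the step's environment and an entrypoint may read it from there.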
...