To communicate with either Coverity on Polaris or Black Duck, Synopsys Detect must first authenticate its connection, so you must give it the appropriate URLs and access tokens. While you can pass these values to Synopsys Detect on the command line at invocation, this is not recommended: the token then sits in plaintext in your build configuration, where anyone who can read the build configuration or the build history can see it. A more secure approach is to use Google Cloud Key Management Service (KMS) to encrypt the sensitive values and have Cloud Build decrypt them at build time.
Depending on which tools you scan with, different access secrets are required.
Here's a list of requirements:
The following steps describe how to add these parameters and make them available to Cloud Build:
The following procedure shows how to use KMS to encrypt a secret:
Encrypt the token with gcloud kms encrypt, using the KeyRing and CryptoKey names created in the previous steps, as shown in the following command:
# - Optional: save the token to an environment variable
#   (note: a literal token typed on the command line is written to your shell
#   history; `read -rs TOKEN` reads it from the terminal without that)
export TOKEN=<<Token from Black Duck or Polaris>>
# - Echo the token value, piped to KMS encrypt, then piped to base64.
#   --plaintext-file=-   reads the plaintext from stdin
#   --ciphertext-file=-  writes the ciphertext to stdout
#   (a comment may not follow a line-continuation backslash, so the flags are
#   explained up here rather than inline)
#   base64 -w 0 (GNU coreutils) keeps the output on a single line, which the
#   secretEnv value in cloudbuild.yaml must be; macOS base64 does not wrap its
#   output, so drop -w 0 there.
echo -n "$TOKEN" | gcloud kms encrypt \
  --plaintext-file=- \
  --ciphertext-file=- \
  --location=global \
  --keyring=[KEYRING-NAME] \
  --key=[KEY-NAME] | base64 -w 0
Then reference the encrypted value from cloudbuild.yaml. Cloud Build uses the key named in kmsKeyName to decrypt the secretEnv value and exposes the plaintext to the step only as the BD_TOKEN environment variable; the doubled $$ escapes the $ from Cloud Build's own substitution, so the step's entrypoint must expand $BD_TOKEN from its environment (a shell does; a plain binary receives the literal string):

steps:
- name: 'gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner'
  secretEnv: ['BD_TOKEN']
  args:
  - '--blackduck.url'
  - '<<Black Duck URL>>'             # The URL of your Black Duck instance
  - '--blackduck.api.token'
  - '$$BD_TOKEN'                     # Black Duck API token decrypted by KMS into the step's environment
  - '--detect.project.name'
  - '<<Project_Name>>'               # Project name to map the scan to in the Black Duck UI
  - '--detect.project.version.name'
  - '<<Project Version>>'            # Project version to map the scan to in the Black Duck UI
  - '--detect.tools'
  - 'SIGNATURE_SCAN'                 # List of scanners to run
  - '--detect.source.path'
  - '/workspace'                     # Target for the signature scan
secrets:
- kmsKeyName: projects/[PROJECT_ID]/locations/global/keyRings/[KEY_RING_NAME]/cryptoKeys/[KEY_NAME]
  secretEnv:
    BD_TOKEN: <<base64 encoded encrypted Black Duck API Token>>
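The following is an added example and is not part of the Synopsys or Google Cloud documentation. It builds the same Cloud Build step and secrets stanza as a Python dict, checks the properties that keep the token out of plaintext (a full KMS key resource name, single-line valid base64 ciphertext, every secretEnv the step imports being declared under secrets, and any flag ending in .token referencing a secretEnv rather than a literal value), and writes the result as cloudbuild.json, which gcloud builds submit --config accepts alongside YAML. The URL, project names, key path and ciphertext value are constructed placeholders, and build_config, check_config and to_json are names chosen for this example.

```python
"""Generate and sanity-check a Cloud Build config that hands the Black Duck
API token to Synopsys Detect through a KMS-encrypted secretEnv.
Added example; all identifiers and sample values are constructed."""
import base64
import json
import re

# Full resource name of a KMS key; Cloud Build does not accept a bare key name.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")


def build_config(blackduck_url, project, version, kms_key_name, ciphertext_b64):
    """Return the cloudbuild config as a dict (same shape as the YAML above)."""
    return {
        "steps": [{
            "name": "gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner",
            "secretEnv": ["BD_TOKEN"],
            "args": [
                "--blackduck.url", blackduck_url,
                # $$ escapes $ for Cloud Build; the step expands $BD_TOKEN from its env.
                "--blackduck.api.token", "$$BD_TOKEN",
                "--detect.project.name", project,
                "--detect.project.version.name", version,
                "--detect.tools", "SIGNATURE_SCAN",
                "--detect.source.path", "/workspace",
            ],
        }],
        "secrets": [{
            "kmsKeyName": kms_key_name,
            "secretEnv": {"BD_TOKEN": ciphertext_b64},
        }],
    }


def check_config(cfg):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    declared = set()
    for secret in cfg.get("secrets", []):
        key = secret.get("kmsKeyName", "")
        if not KMS_KEY_RE.match(key):
            problems.append(f"kmsKeyName is not a full KMS key resource name: {key!r}")
        for name, blob in secret.get("secretEnv", {}).items():
            declared.add(name)
            # GNU base64 wraps at 76 columns; a wrapped blob is not a valid
            # secretEnv value, so reject any whitespace before trying to decode.
            if re.search(r"\s", blob):
                problems.append(f"{name}: ciphertext contains whitespace (use base64 -w 0)")
                continue
            try:
                base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError
                problems.append(f"{name}: ciphertext is not valid base64")
    for i, step in enumerate(cfg.get("steps", [])):
        used = set(step.get("secretEnv", []))
        for name in sorted(used - declared):
            problems.append(f"step {i}: secretEnv {name} is not declared under secrets")
        args = step.get("args", [])
        # Walk (flag, value) pairs; a token flag must be fed from a secretEnv.
        for flag, value in zip(args, args[1:]):
            if not flag.endswith(".token"):
                continue
            m = re.fullmatch(r"\$\$(\w+)", value)
            if m is None:
                problems.append(
                    f"step {i}: {flag} is given a literal value; pass a secretEnv instead")
            elif m.group(1) not in used:
                problems.append(
                    f"step {i}: {flag} references {m.group(1)}, which the step does not import")
    return problems


def to_json(cfg):
    """Serialise the config; Cloud Build reads JSON as well as YAML."""
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    # Constructed stand-in for the output of `gcloud kms encrypt ... | base64 -w 0`.
    fake_ciphertext = base64.b64encode(b"not-a-real-kms-ciphertext").decode()
    cfg = build_config(
        "https://blackduck.example.com", "my-project", "1.0.0",
        "projects/my-gcp-project/locations/global/keyRings/build-secrets/cryptoKeys/bd-token",
        fake_ciphertext,
    )
    problems = check_config(cfg)
    if problems:
        raise SystemExit("\n".join(problems))
    with open("cloudbuild.json", "w") as fh:
        fh.write(to_json(cfg))
```

Run the check before `gcloud builds submit --config cloudbuild.json`; it fails closed on the two mistakes that most often leak the token in practice, a literal value on the --blackduck.api.token flag and a ciphertext that was wrapped by base64 and then pasted across lines.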