Synopsys Detect GitHub Action

This solution is a prototype and is not fully supported by Synopsys.
We welcome early adopters to provide design input.
Email your questions to partner-solutions@synopsys.com, or open a pull request in our GitHub repository.

Overview

The Synopsys Detect GitHub Action makes it easy to scan GitHub repositories with Synopsys application security tools such as Black Duck. Synopsys Detect sets up and scans codebases that use a variety of languages and package managers, so your organization can add vulnerability testing to several GitHub platform events, such as push, pull, issue, and release.


In the following procedure, a Maven project is used as an example.

Before you begin

If this is the first time you are using GitHub Actions in a workflow, refer to the Creating a workflow with GitHub Actions guide.

Invoking Synopsys Detect

  1. For GitHub Actions that invoke a scan, do the following.
    • When the action invokes a Black Duck scan:
      Go to the repository settings and add the Black Duck URL and API token as secrets.

  2. Select the Actions tab in your GitHub Repository.
  3. Click New Workflow.
    1. Select a starter workflow, or click the Set up a workflow yourself button.
    2. Search for Synopsys in the Marketplace search box, and select the Synopsys Detect GitHub Action.
  4. Add the args line shown in the following screenshot. You can add more arguments based on the Synopsys Detect documentation. For example, to fail the workflow on Black Duck policy violations, add the --detect.policy.check.fail.on.severities argument.
    args: --blackduck.url="${{ secrets.BLACKDUCK_URL }}" --blackduck.api.token="${{ secrets.BLACKDUCK_API_TOKEN }}"

  5. Run your workflow with the appropriate GitHub event trigger.

    Synopsys Detect is now ready to scan your repository for any event you have associated with your workflow.
    The logs show the Detect result code and status.

    If Detect exits with a result code other than 0, the workflow fails. Black Duck policy violations (return code = 3) show up as warning messages in the logs.
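The steps above, assembled into one workflow file for the Maven example. This is an added illustration, not a workflow shipped with the action: the uses: reference for the Detect action is a placeholder to be replaced with the Marketplace reference, and the JDK setup step and the BLOCKER,CRITICAL severity list are assumptions.

```yaml
name: Synopsys Detect scan

# Run on the platform events the action is meant to cover.
on:
  push:
    branches: [main]
  pull_request:
  release:
    types: [published]

jobs:
  detect:
    runs-on: ubuntu-latest
    steps:
      # Check out the repository so Detect can inspect the Maven project.
      - uses: actions/checkout@v4

      # Detect drives the project's own build tooling, so the Maven example
      # needs a JDK on the runner (assumed version).
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      # Placeholder: replace ORG/synopsys-detect-action@VERSION with the
      # action reference shown in the GitHub Marketplace.
      - name: Run Synopsys Detect
        uses: ORG/synopsys-detect-action@VERSION
        with:
          # The Black Duck URL and API token come from repository secrets
          # (step 1), never from literals committed to the workflow file.
          # The policy argument makes Detect return code 3 on a policy
          # violation of the listed severities, which fails the workflow.
          args: >-
            --blackduck.url="${{ secrets.BLACKDUCK_URL }}"
            --blackduck.api.token="${{ secrets.BLACKDUCK_API_TOKEN }}"
            --detect.policy.check.fail.on.severities=BLOCKER,CRITICAL
```

The `>-` folded scalar joins the argument lines with single spaces, so args reaches the action as one command line.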



Release Notes

Version 2.0.0
  • Introduced usability improvements through JavaScript
Version 1.0.0
  • First release of product.