Introduction
Architecture
Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryRegister a build artifactRegister a deployed environment artifactStore an object on Amazon S3Retrieve an object from Amazon S3
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Ansible PlaybookRun Argo WorkflowsDeploy with AWS CodeDeployCopy a remote image with CraneDeploy a binary with EC2Deploy to ECSRender an ECS task definitionDeploy with AWS Elastic BeanstalkDeploy with HerokuBuild a container image with KanikoDeploy with OctopusDeploy with OpenShiftDeploy with SpinnakerDeploy with Tosca
Publish evidence items
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxCoverity on PolarisFind Security BugsGitHub Security ScannerGosecMendNexus IQSnykSonarQube bundledSonarQube
IntroductionBlack DuckMendSnyk
IntroductionTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate a change requestUpdate or close a change requestGet a change request current stateQuery a change request approval
Publish test results
Multi-workflows dispatch
Introduction
Introduction`cloudbees` and other context objectsenvnameonjobs.<job_id>.delegates.<job_id>.env.<job_id>.environment.<job_id>.if.<job_id>.needs.<job_id>.outputs.<job_id>.permissionsjobs.<job_id>.uses.<job_id>.services.<job_id>.services.<service_id>.services.<service_id>.args.services.<service_id>.env.services.<service_id>.imagejobs.<job_id>.steps.<job_id>.steps[*].id.<job_id>.steps[*].env.<job_id>.steps[*].if.<job_id>.steps[*].name.<job_id>.steps[*].run.<job_id>.steps[*].shell.<job_id>.steps[*].uses.<job_id>.steps[*].with.<job_id>.steps[*].with.args.<job_id>.steps[*].with.entrypoint.<job_id>.steps[*].timeout-minutesjobs.<job_id>.timeout-minutes
An example workflow
Manage workflows
Reusable workflows
Personal access tokens
Trigger a workflow remotely
IntroductionManual approval
Artifacts
IntroductionJob logsService logsEvidenceTest resultsBuild artifactsDeployments
CI insights for Jenkins
Introduction
API examples
API reference

Cloudbees action: Scan with Black Duck SCA

2 minute read

Use this action to scan repositories for dependency vulnerabilities with the Black Duck Software Composition Analysis (SCA) scanner.

Scanner information

The Black Duck SCA scanner architectural components are:

  • Client-side: The Black Duck Detect scanning tool, the Signature Scanner command line tool, and the REST API.

  • Server-side: The Black Duck server.

  • Data center: The Black Duck KnowledgeBase open-source software database.

The scanning process is as follows:

  1. The Black Duck Detect tool is used to authenticate and initiate the code scan.

  2. Codebases are scanned on the client side.

  3. The scan data is uploaded to the Black Duck server with the Detect tool. The completed scan data does not contain any source code, to maintain your code security. The completed scan contains only file and directory signatures, and information derived from package management files.

  4. The scan data is sent to the Black Duck KnowledgeBase, and open source components in your code are matched and identified. The matching/identification process is based on your package manager data and SHA1 hashes created by the Signature Scanner when it scans your files and directories.

  5. The REST API is used to fetch the bearer token and retrieve the scanning results.

  6. The matched open source components are reported as a viewable Bill of Materials that contains the associated security, licensing, and operational risks of the discovered components.

For more information about the Black Duck SCA scanner, refer to the product documentation.
All CloudBees action repositories are listed at CloudBees, Inc. on GitHub.

Inputs

Table 1. Input details
Input name Data type Required? Description

server-url

String

Yes

The Black Duck server URL.

api-token

String

Yes

The Black Duck client secret.

project-name

String

No

The Black Duck project name.

project-version

String

No

The Black Duck project version.

Usage example

In your YAML file, add:

      - name: Scan with Black Duck SCA
        uses: https://github.com/cloudbees-io/blackduck-sca-scan-dependency@v1
        with:
          server-url: ${{ vars.BLACK_DUCK_URL }}
          api-token: ${{ secrets.BLACK_DUCK_TOKEN }}
Introduction
Mend