Use these GitHub Actions to run security scans from GHA workflows and publish findings to CloudBees Unify. After a scan completes, findings are displayed in the component security center.
For scanner concepts and implicit scanning, refer to Configure SAST scanning and Configure implicit security analysis.
Supported scanners:
Black Duck SCA scan
Black Duck is a software composition analysis (SCA) scanning solution that helps organizations manage risks associated with open-source software in terms of security, license compliance, and code quality.
Use the blackduck-scan-publish action to scan repositories for dependency vulnerabilities with the Black Duck SCA scanner, and then view comprehensive security results in CloudBees Unify.
You can also use the action output as a quality gate for the next step or job in your workflow.
This action is available on the GitHub Marketplace.
Add a Black Duck scan to your workflows in CloudBees Unify to:
- Detect open-source and third-party dependencies in software, source code, and artifacts with multiple analysis techniques.
- Identify code vulnerabilities and receive timely security advisories.
- Gain insight into security risks and how to fix vulnerabilities.
CloudBees Unify enables you to run a Black Duck scan either implicitly or explicitly. An implicit scan is automatically triggered; an explicit scan is one you configure to be invoked in a step of your workflow. To learn more, refer to Configure implicit security analysis.
How the scanner works
The Black Duck SCA scanner architectural components are:
- Client-side: The Black Duck Detect scanning tool, the Signature Scanner command-line tool, and the REST API.
- Server-side: The Black Duck server.
- Data center: The Black Duck KnowledgeBase open-source software database.
The scanning process is as follows:
- The Black Duck Detect tool is used to authenticate and initiate the code scan.
- Codebases are scanned on the client side.
- The scan data is uploaded to the Black Duck server with the Detect tool. The completed scan data does not contain any source code, to maintain your code security. The completed scan contains only file and directory signatures, and information derived from package management files.
- The scan data is sent to the Black Duck KnowledgeBase, and open-source components in your code are matched and identified. The matching/identification process is based on your package manager data and SHA1 hashes created by the Signature Scanner when it scans your files and directories.
- The REST API is used to fetch the bearer token and retrieve the scanning results.
- The matched open-source components are reported as a viewable Bill of Materials that contains the associated security, licensing, and operational risks of the discovered components.
For more information about the Black Duck SCA scanner, refer to the Black Duck documentation.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The Black Duck client secret. |
| | String | Yes | The Black Duck server URL. |
| | String | No | The CloudBees Unify URL. The default value is |
| | String | No | Specify any Black Duck Detect properties. |
| | String | No | The Black Duck project name. |
| | String | No | The Black Duck project version. |
Outputs
| Output name | Data type | Description |
|---|---|---|
| | String | The number of Critical security findings discovered during the scan. |
| | String | The number of Very high security findings discovered during the scan. |
| | String | The number of High security findings discovered during the scan. |
| | String | The number of Medium security findings discovered during the scan. |
| | String | The number of Low security findings discovered during the scan. |
This action uses GitHub OIDC authentication to securely communicate with CloudBees Unify. Set permissions to id-token: write in your workflow.
Usage examples
The following is a basic example of using this action:
```yaml
permissions:
  id-token: write
  contents: read
steps:
  - name: Scan with Black Duck SCA
    uses: cloudbees-io-gha/blackduck-scan-publish@v2
    with:
      api-token: ${{ secrets.BLACK_DUCK_TOKEN }}
      server-url: ${{ vars.BLACK_DUCK_URL }}
```
In the following example, the Black Duck Detect properties logging.level.detect and blackduck.offline.mode are specified:
You can use the output values from this action in downstream steps and jobs. The following example uses the action output in a downstream step of the same job:
The following example uses the action output in a downstream job:
If you are using a CloudBees Unify workflow rather than a GHA workflow, explicitly scan with the CloudBees Black Duck action.
Coverity SAST scan
Use the coverity-scan-publish action to perform static application security testing (SAST) on a repository with the Coverity on Polaris scanner from Black Duck, and then view comprehensive security results in CloudBees Unify.
This action is available on the GitHub Marketplace.
This action uses GitHub OIDC authentication to securely communicate with CloudBees Unify. Set permissions to id-token: write in your workflow.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The Coverity on Polaris API token. |
| | String | Yes | The Coverity on Polaris server URL. |
| | String | No | The CloudBees Unify URL. The default value is |
Usage example
The following is a basic example of using this action:
```yaml
permissions:
  id-token: write
  contents: read
steps:
  - name: Scan with Coverity on Polaris
    uses: cloudbees-io-gha/coverity-scan-publish@v2
    with:
      api-token: ${{ secrets.COVERITY_POLARIS_TOKEN }}
      server-url: ${{ vars.COVERITY_POLARIS_SERVER_URL }}
```
Gitleaks scan
Use the gitleaks-scan-publish action to perform static application security testing (SAST) on a repository with the Gitleaks scanner, and then view comprehensive security results in CloudBees Unify.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The CloudBees Unify personal access token. |
| | String | No | The CloudBees Unify URL. The default value is |
| | String | No | The commit reference to be checked out and archived. |
Gosec scan
Use the gosec-scan-publish action to perform static application security testing (SAST) on a repository with the open-source Golang Security Checker (Gosec) scanner, and then view comprehensive security results in CloudBees Unify.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The CloudBees Unify personal access token. |
| | String | No | The CloudBees Unify URL. The default value is |
Grype scan
Use the grype-scan-publish action to perform static application security testing (SAST) on a binary TAR file with the Grype scanner, and then view comprehensive security results in CloudBees Unify.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The path of the binary to be scanned. |
| | String | Yes | The CloudBees Unify personal access token. |
| | String | No | The CloudBees Unify URL. The default value is |
Perforce Klocwork SAST scan
Use the perforce-klocwork-sast-publish action to analyze source code for security vulnerabilities and quality defects using the Perforce Klocwork SAST scanner.
The action output can be used as a quality gate in subsequent GitHub Actions steps or jobs.
This action is available on the GitHub Marketplace.
Add a Klocwork scan to your workflows in CloudBees Unify to:
- Detect security vulnerabilities and quality defects in source code.
- Identify potential security flaws early in the development lifecycle.
- Gain insight into code quality risks and how to fix issues.
- Ensure compliance with industry standards such as OWASP, CWE, CERT, and MISRA.
CloudBees Unify enables you to run a Klocwork scan either implicitly or explicitly. An implicit scan is automatically triggered; an explicit scan is one you configure to be invoked in a step of your workflow. To learn more, refer to Configure implicit security analysis.
How the scanner works
The Klocwork SAST scanner architectural components are:
- Client-side: The Klocwork analysis engine and command-line tools (kwbuildproject, kwciagent).
- Server-side: The Klocwork Server for centralized analysis results management.
- Analysis engine: Proprietary static analysis engine with deep dataflow and control flow analysis capabilities.
The scanning process is as follows:
- The Klocwork build specification is created to capture the build configuration of your project.
- Source code is analyzed on the client side using the Klocwork analysis engine.
- The analysis results are uploaded to the Klocwork Server (if configured).
- Security vulnerabilities and quality defects are identified based on enabled checkers and taxonomies.
- Results are reported with severity levels, detailed descriptions, and remediation guidance.
- The scan results are made available as actionable outputs for quality gates and downstream workflow steps.
For more information about the Perforce Klocwork SAST scanner, refer to the Perforce Klocwork documentation.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The Klocwork server URL. |
| | String | Yes | Klocwork username. |
| | String | No | Klocwork password. |
| | String | No | Klocwork application token. |
| | String | Yes | Klocwork build tool [make / cmake / python / maven / dotnet]. |
| | String | No | Klocwork build directory [default is root folder /]. |
| | String | Yes | Specify the ref to be checked out and scanned. |
| | String | No | Klocwork build name. |
| | String | No | Klocwork scan build options [e.g., make <target-name> -j4]. |
| | String | No | Klocwork build specification file path [e.g., /tmp/kwinject.out]. |
| | Boolean | No | Enable Klocwork Agent Scan [default is full scan]. |
| | String | No | Klocwork license server hostname [default is server hostname]. |
| | String | No | Klocwork license server port [default is 27000]. |
| | String | No | Klocwork project name. |
| | String | No | Klocwork scan waiting time in seconds [e.g., 3600]. |
| | String | No | Klocwork scan tables directory [e.g., /tmp/tables]. |
| | Boolean | No | Enable Klocwork Local Scan [performs analysis locally on the agent only and does not push results to the Klocwork Server]. |
| | String | No | Klocwork |
| | String | No | Klocwork |
| | String | No | The file path of the code to be scanned. |
For C/C++/.NET projects, kwinject is used to build the specification file, so the build-options parameter is mandatory. You must pass the appropriate build command with its options. For example, if make is the build tool, build-options should be specified as make targetName -j14 or a similar build command specific to your project configuration.
Outputs
| Output name | Data type | Description |
|---|---|---|
| | String | The number of Critical severity issues discovered during the scan. |
| | String | The number of High severity issues discovered during the scan. |
| | String | The number of Medium severity issues discovered during the scan. |
| | String | The number of Low severity issues discovered during the scan. |
| | String | The total number of issues discovered during the scan. |
This action uses GitHub OIDC authentication to securely communicate with CloudBees Unify. Set permissions to id-token: write in your workflow.
Usage examples
In the following example, build-options is set according to the build-tool used; the Klocwork command reference provides detailed guidance on this. For instance, if the build-tool is make, build-options should include the build command and relevant flags, such as make targetName -j14, so that kwinject can correctly generate the build specification file.
```yaml
permissions:
  id-token: write
  contents: read
steps:
  - name: Scan with Perforce Klocwork SAST scanner
    uses: cloudbees-io-gha/perforce-klocwork-sast-publish@v1
    with:
      url: ${{ vars.KLOCWORK_URL }}
      token: ${{ secrets.KLOCWORK_APP_TOKEN }}
      license-host: ${{ vars.KLOCWORK_LICENSE }}
      username: ${{ vars.KLOCWORK_USERNAME }}
      project-name: test-c-project
      build-directory: /
      build-tool: make
      build-options: make clean <target-name> --ignore-errors
      enable-agent-scan: false
      enable-local-scan: false
```
You can use the output values from this action in downstream steps and jobs. The following example uses the action output in a downstream step of the same job:
The following example uses the action output in a downstream job:
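Both the Black Duck and the Klocwork sections note that the severity counts an action outputs can gate a downstream step or job. The following is an added example, not code from this page or from CloudBees: a small POSIX shell gate that fails closed when a count is missing, non-numeric, or above its budget. The budgets, the MAX_* variables, and the <...-output> placeholders standing in for the action's output names are assumptions.

```shell
# Fail-closed quality gate over severity counts published by a scan step.
# Added example; budgets and MAX_* variable names are constructed, not part of any action.

is_count() {
  # Accept only non-negative integers: action outputs are strings and may be empty.
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

check_budget() {
  # $1 severity label, $2 observed count, $3 allowed maximum.
  if ! is_count "$2"; then
    echo "gate: $1 count is missing or not numeric ('$2'); failing closed" >&2
    return 1
  fi
  if [ "$2" -gt "$3" ]; then
    echo "gate: $2 $1 finding(s) exceed the budget of $3" >&2
    return 1
  fi
  return 0
}

# gate_findings CRITICAL HIGH MEDIUM -> 0 when every severity is within budget, 1 otherwise.
# Every severity is checked so the log shows all budget breaches, not just the first.
# Defaults: zero critical, zero high, ten medium; override with MAX_CRITICAL/MAX_HIGH/MAX_MEDIUM.
gate_findings() {
  rc=0
  check_budget critical "$1" "${MAX_CRITICAL:-0}" || rc=1
  check_budget high "$2" "${MAX_HIGH:-0}" || rc=1
  check_budget medium "$3" "${MAX_MEDIUM:-10}" || rc=1
  return "$rc"
}

# In a workflow, a run: step after the scan step (id: scan) would call, for example:
#   gate_findings "${{ steps.scan.outputs.<critical-output> }}" \
#                 "${{ steps.scan.outputs.<high-output> }}" \
#                 "${{ steps.scan.outputs.<medium-output> }}"
# where each <...-output> is a placeholder for the action's actual output name.
```

A non-zero return from the gate step fails the job, so later steps (publishing, deployment) never run on a scan that was skipped or that exceeded its budget.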
Trivy scan
Use the trivy-scan-publish action to perform static application security testing (SAST) on a binary TAR file with the Trivy scanner, and then view comprehensive security results in CloudBees Unify.
This action is available on the GitHub Marketplace.
This action uses GitHub OIDC authentication to securely communicate with CloudBees Unify. Set permissions to id-token: write in your workflow.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The path of the binary to be scanned. |
| | String | No | The CloudBees Unify URL. The default value is |
| | Boolean | No | The option to perform license scanning. Specify |
Usage examples
The following is a basic example of using this action:
```yaml
permissions:
  id-token: write
  contents: read
steps:
  - name: Trivy SAST scan
    uses: cloudbees-io-gha/trivy-scan-publish@v2
    with:
      binary-tar-path: example-tar-path.tar
```
In the following example, the license option is enabled to scan the binary for license files, and then output the risk to CloudBees Unify analytics dashboards. To learn more, refer to the Trivy license scanning documentation.
```yaml
permissions:
  id-token: write
  contents: read
steps:
  - name: Trivy SAST scan
    uses: cloudbees-io-gha/trivy-scan-publish@v2
    with:
      binary-tar-path: example-tar-path.tar
      license: true
```