
Create black-duck-security-scan-ci.yml#40

Merged
Android-studio61 merged 1 commit into main from Android-studio61-patch-2 on May 6, 2026

Conversation

Owner

@Android-studio61 Android-studio61 commented May 6, 2026

Pull_request


Summary by cubic

Add a GitHub Actions workflow to run Black Duck SCA/SAST scans (Black Duck, Coverity, Polaris, SRM) on push/PR to main and on a weekly schedule, with results posted to PRs and security events.

  • New Features

    • New workflow: .github/workflows/black-duck-security-scan-ci.yml
    • Uses blackduck-inc/black-duck-security-scan (pinned) with SCA and SAST via Black Duck, Coverity, Polaris, and SRM
    • Triggers: push and PR to main, plus weekly cron (Tue 21:42 UTC)
    • Permissions: contents read, pull-requests write, security-events write
  • Migration

    • Ensure repository configuration includes:
      • Vars: BLACKDUCKSCA_URL, COVERITY_URL, POLARIS_SERVER_URL, SRM_URL
      • Secrets: BLACKDUCKSCA_TOKEN, COVERITY_USER, COVERITY_PASSPHRASE, POLARIS_ACCESS_TOKEN, SRM_API_KEY

Written for commit 028ab96. Summary will update on new commits.


@vercel

vercel Bot commented May 6, 2026

The latest updates on your projects.

Project Deployment Actions Updated (UTC)
gh-aw Building Building Preview, Comment May 6, 2026 1:01pm

@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@Android-studio61 Android-studio61 merged commit 8639838 into main May 6, 2026
25 of 28 checks passed
@Android-studio61 Android-studio61 self-assigned this May 6, 2026
@github-actions

github-actions Bot commented May 6, 2026

✅ smoke-ci: safeoutputs CLI comment + comment-memory run (25436832112)

Generated by Smoke CI for issue #40

@github-actions

github-actions Bot commented May 6, 2026

Comment Memory

CI lights the path
Green checks bloom at dawn
Quiet bots still sing

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.


Generated by Smoke CI for issue #40


@cubic-dev-ai cubic-dev-ai Bot left a comment


2 issues found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/black-duck-security-scan-ci.yml">

<violation number="1" location=".github/workflows/black-duck-security-scan-ci.yml:22">
P2: This will fail on `pull_request` runs from forks because required secrets aren’t available. Add a job-level `if:` to skip fork PRs (or use a safer two-workflow pattern) to avoid noisy failures.</violation>

<violation number="2" location=".github/workflows/black-duck-security-scan-ci.yml:32">
P1: Pin `actions/checkout` to a full commit SHA (this repo already does elsewhere). Using `@v4` is a mutable reference and increases supply-chain risk.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
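Added example (not code from this PR, the repository, or cubic): a small checker for the P1 finding above. It scans a workflow's `uses:` lines and reports references that are not pinned to a full 40-hex commit SHA, plus SHA pins that carry no `# vX.Y.Z` version comment; the sample workflow it runs over is constructed from the steps shown in this review thread.

```python
import re

# Matches `uses: owner/repo[/path]@ref  # optional comment`; local "./" and
# docker:// references have no "owner/repo@ref" shape and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit SHA, immutable
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")  # e.g. "v6.0.2"


def check_pins(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, action@ref, finding) for every `uses:` reference that
    is not a full-SHA pin annotated with a human-readable version comment."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not SHA_RE.match(ref):
            # Tags and branches can be moved; a compromised upstream can repoint them.
            findings.append((line_no, f"{action}@{ref}",
                             "mutable ref (tag/branch); pin to a full commit SHA"))
        elif not (comment and VERSION_COMMENT_RE.match(comment.strip())):
            # Without the comment nobody can tell which release the SHA is.
            findings.append((line_no, f"{action}@{ref}",
                             "SHA pin lacks a '# vX.Y.Z' version comment"))
    return findings


# Constructed sample modeled on the steps quoted in this PR's review thread.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - name: Checkout source
        uses: actions/checkout@v4
      - name: Black Duck SCA scan
        uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
      - name: Checkout (pinned as cubic suggested)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
"""

if __name__ == "__main__":
    for line_no, ref, finding in check_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {finding}")
```

Only the third step passes; the checker flags the `@v4` tag and the Black Duck SHA that has no version comment.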


steps:
- name: Checkout source
uses: actions/checkout@v4
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai Bot May 6, 2026


P1: Pin actions/checkout to a full commit SHA (this repo already does elsewhere). Using @v4 is a mutable reference and increases supply-chain risk.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/black-duck-security-scan-ci.yml, line 32:

<comment>Pin `actions/checkout` to a full commit SHA (this repo already does elsewhere). Using `@v4` is a mutable reference and increases supply-chain risk.</comment>

<file context>
@@ -0,0 +1,54 @@
+
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+      - name: Black Duck SCA scan
+        uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
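Review bot: `uses: actions/checkout@v4` is the only mutable reference in this hunk, while the Black Duck step right below it is already pinned to a full commit SHA; pin checkout the same way (the suggested line with `# v6.0.2` is the right shape). The Black Duck pin itself carries no trailing `# vX.Y.Z` comment, so a reader cannot tell which release the SHA corresponds to; add the version comment there too so both steps follow one convention.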
</file context>
Suggested change:

-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2