Signed-off-by: sandhi <sagarwal@progress.com>
sean-sype-simmons approved these changes Feb 24, 2026
This pull request updates several GitHub Actions workflow files to improve support for multi-language projects (especially Ruby, Go, and Erlang), enhance security scanning controls, and increase flexibility for monorepo and non-root project structures. The changes add new input parameters, improve environment setup for different languages, and refine the handling of security and SCA scans.
Key changes:
Enhanced Security Scanning Controls
`trivy-fail-on-high-critical` input to `.github/workflows/ci-main-pull-request.yml` and a corresponding `fail-on-high-critical` input to `.github/workflows/trivy.yml`, allowing the pipeline to fail if Trivy finds HIGH or CRITICAL vulnerabilities. The Trivy workflow now conditionally fails the build based on this input. [1] [2] [3] [4]
Improved Support for Monorepo and Non-root Ruby Projects
`ruby-app-directory` input to both the main CI and SBOM workflows, enabling specification of a subdirectory containing the Ruby `Gemfile`. All relevant steps (Ruby setup, bundle install, artifact upload, and BlackDuck scan) now respect this input, making the workflows compatible with monorepos or projects where the `Gemfile` is not in the root. [1] [2] [3] [4] [5] [6] [7]
Language-specific Environment Setup
Added steps to set up Erlang/OTP and rebar3 for Erlang projects, and improved Ruby setup (including disabling bundler cache and supporting directory overrides). Also added a stub for `bundle` in Erlang SAST scans to bypass unnecessary Ruby gem installations. [1] [2]
For Go projects, added steps to configure git for private Go modules using the `GH_TOKEN` secret. [1] [2]
Improved Flexibility for Coverity/Polaris SAST Scans
`polaris-coverity-clean-command` and `polaris-coverity-build-command` defaults and descriptions to allow empty values for buildless analysis (e.g., Ruby, Python), increasing flexibility for language-specific SAST scans.
Workflow Robustness and Minor Fixes
`continue-on-error` to `false` for the Black Duck Polaris scan, ensuring that the pipeline fails on scan errors.
`checkout`) for SBOM generation and related steps.
These changes collectively make the CI/CD workflows more robust, modular, and suitable for complex multi-language repositories.
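One way to express the `fail-on-high-critical` gate described above, as an added example that is not code from this pull request: a Python check over a Trivy JSON report that returns a non-zero exit code only when the flag is enabled and HIGH or CRITICAL findings exist. The function names, the sample report and its finding IDs are constructed for illustration.

```python
import json
import sys

BLOCKING = {"HIGH", "CRITICAL"}

# Constructed sample in the shape of a Trivy JSON report (`--format json`).
# Targets with no findings carry no "Vulnerabilities" key at all.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "services/api/Gemfile.lock", "Vulnerabilities": [
            {"VulnerabilityID": "EXAMPLE-0001", "Severity": "HIGH"},
            {"VulnerabilityID": "EXAMPLE-0002", "Severity": "MEDIUM"},
        ]},
        {"Target": "go.mod", "Vulnerabilities": [
            {"VulnerabilityID": "EXAMPLE-0003", "Severity": "CRITICAL"},
        ]},
        {"Target": "rebar.lock"},
    ],
})


def blocking_findings(report_json):
    """Return (target, id, severity) for every HIGH or CRITICAL finding."""
    report = json.loads(report_json)
    found = []
    # "Results" and "Vulnerabilities" may be missing or null on a clean scan.
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "")).upper()
            if severity in BLOCKING:
                found.append((result.get("Target", "?"),
                              vuln.get("VulnerabilityID", "?"), severity))
    return found


def gate_exit_code(report_json, fail_on_high_critical):
    """Exit code for the scan step: 1 only if the gate is on and findings exist."""
    findings = blocking_findings(report_json)
    for target, vuln_id, severity in findings:
        print(f"{severity}: {vuln_id} in {target}")
    # Workflow inputs arrive as strings, so compare against "true" explicitly
    # instead of relying on truthiness (the string "false" is truthy).
    enabled = str(fail_on_high_critical).strip().lower() == "true"
    return 1 if enabled and findings else 0


if __name__ == "__main__":
    sys.exit(gate_exit_code(SAMPLE_REPORT, "true"))
```

With the flag off the findings are still printed, so the scan stays visible in the job log even when it does not block the merge.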