Black Duck Integration
Opsera’s Black Duck integration automates open source software scanning for security, quality, and license compliance risks within your CI/CD pipelines, providing actionable reports.
Key Values
Automated Open Source Risk Scanning: Automatically scans every code change for security vulnerabilities, license issues, and operational risks in open source and third-party components.
Centralized Security and Compliance: All Black Duck scan results are surfaced within Opsera’s Pipeline Summary, providing a unified view of security, licensing, and operational risks.
Pipeline Enforcement with Custom Thresholds: You can set specific thresholds for security, license, and operational risks; if a threshold is exceeded, the pipeline fails, preventing risky code from progressing.
Actionable Reporting and Insights: Delivers clear, actionable reports and logs, allowing teams to quickly identify and remediate issues without switching tools.
Seamless Integration with CI/CD: Easily add Black Duck as a native pipeline step in Opsera, supporting integration with major SCM tools like Bitbucket, GitHub, and GitLab.
Flexible Configuration: Configure scans for specific files, directories, or entire repositories to match your team’s workflow and risk management needs.
Example Use Case
Automating Open Source Risk Management in a Java Application Pipeline
Scenario: Your team develops a Java-based application that relies on numerous open source libraries. To ensure compliance and security, you need to automatically scan every code change for open source vulnerabilities and license risks before deployment.
How Black Duck Integration Works:
Black Duck is added as a pipeline step in Opsera.
Each build triggers a scan of your codebase for open source components.
Scan results are checked against your team’s defined thresholds for security, license, and operational risks.
If any threshold is exceeded, the pipeline fails, preventing risky code from moving forward.
All findings are reported in Opsera’s Pipeline Summary, allowing your team to quickly review and remediate issues without switching tools.
Prerequisite
Black Duck Tool Registration: Ensure the Black Duck tool is registered in Opsera. For more info, see Black Duck Tool Registration.
Step-by-Step Procedure
Step 1: Create a Pipeline Step
Log in to Opsera and navigate to Products > Pipelines.
Locate and open the required pipeline.
Click Edit Workflow and add a new step to the pipeline by clicking the + icon.
Provide a Step Name and select Black Duck from the Tool drop-down.
Click Save.
Step 2: Configure BlackDuck Pipeline Step Details
Click the gear icon ⚙️ to configure the Black Duck pipeline step. Enter the following details:
BlackDuck Tool: Select a configured Black Duck tool.
SCM Service: Select Bitbucket, GitHub, or GitLab.
Select Account: Select the SCM account containing the project with the files for the Black Duck scan.
Repository: Select the repository containing the project with the files for the Black Duck scan.
Branch: Provide the branch on which the scan will run.
Git File Path: Provide the path of the file to scan.
Project Name: Provide the project name to be used for the scan.
Commands: Provide the commands to be executed for the scan.
Runtime Variables: Provide any runtime variables needed by the scan.
Dependency: Select the Java Dependency and Maven Version.
Enable Client Side Thresholds: When enabled, set a numeric threshold count for each severity in the three categories below. If the scan reports more findings than the configured count, the pipeline fails.
Vulnerability Threshold: Critical, High, Medium, Low, No, and Unknown. Choose a numeric threshold count for each.
License Threshold: Critical, High, Medium, Low, No, and Unknown. Choose a numeric threshold count for each.
Operational Threshold: Critical, High, Medium, Low, No, and Unknown. Choose a numeric threshold count for each.
Click Save to save the step settings.
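The gating rule behind the client-side thresholds above (and the "How Black Duck Integration Works" flow), shown as an added example that is not Opsera's or Black Duck's own code: per-severity finding counts for each risk category are compared against the configured counts, and any count above its threshold marks the pipeline run as failed. The count and threshold dictionaries are constructed sample values, not real scan output.

```python
# Added example: client-side threshold gate over a Black Duck scan summary.
# Not Opsera's or Black Duck's code; the data shapes below are assumptions.

SEVERITIES = ("Critical", "High", "Medium", "Low", "No", "Unknown")
CATEGORIES = ("vulnerability", "license", "operational")


def evaluate_thresholds(counts, thresholds):
    """Return a list of breaches as (category, severity, found, allowed).

    `counts` and `thresholds` are both {category: {severity: int}}.
    A severity with no configured threshold is not enforced. "Exceeded"
    means strictly greater, so a threshold of 0 tolerates zero findings.
    """
    breaches = []
    for category in CATEGORIES:
        limits = thresholds.get(category, {})
        found = counts.get(category, {})
        for severity in SEVERITIES:
            if severity not in limits:
                continue  # no threshold set for this severity: skip it
            n = found.get(severity, 0)
            if n > limits[severity]:
                breaches.append((category, severity, n, limits[severity]))
    return breaches


def pipeline_should_fail(counts, thresholds):
    """True when at least one configured threshold is exceeded."""
    return bool(evaluate_thresholds(counts, thresholds))


# Constructed sample scan summary (not real Black Duck output).
SAMPLE_COUNTS = {
    "vulnerability": {"Critical": 1, "High": 3, "Medium": 7, "Low": 12},
    "license": {"High": 0, "Medium": 2, "Unknown": 4},
    "operational": {"High": 5},
}

# Constructed thresholds: zero tolerance for Critical/High vulnerabilities,
# bounded counts elsewhere, nothing enforced for unlisted severities.
SAMPLE_THRESHOLDS = {
    "vulnerability": {"Critical": 0, "High": 0, "Medium": 10},
    "license": {"High": 0, "Unknown": 5},
    "operational": {"High": 2},
}

if __name__ == "__main__":
    for cat, sev, n, limit in evaluate_thresholds(SAMPLE_COUNTS, SAMPLE_THRESHOLDS):
        print(f"{cat}/{sev}: found {n}, threshold {limit}")
    print("FAIL" if pipeline_should_fail(SAMPLE_COUNTS, SAMPLE_THRESHOLDS) else "PASS")
```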
Step 3: View Scan Results
Trigger the pipeline to run by clicking Start Pipeline.
Once the pipeline run is complete, navigate to the pipeline’s Summary tab.
Scroll down within the Summary tab.
Locate and click the Black Duck Scan step to view the relevant Pipeline logs and scan results.
To access more detailed logs, under the Action column, click Console Output.
View the logs in the Console Log tab for in-depth scan execution details.
FAQs
1. What is the Black Duck integration in Opsera? Black Duck integration in Opsera allows security and development teams to automatically scan and identify open source and third-party code components within their codebase to manage security, quality, and license compliance risks.
2. Why should I use Black Duck integration? Using Black Duck integration helps in detecting vulnerabilities, managing open source license risks, and ensuring code quality by automating these checks within your CI/CD pipelines.
3. What code repositories does Black Duck integration support? Black Duck integration supports popular SCMs such as Bitbucket, GitHub, and GitLab.
4. Can I set thresholds for vulnerabilities and licenses? Yes, you can set thresholds for vulnerability severity (Critical, High, Medium, Low, No, Unknown) and license types, and specify numeric counts for each threshold.
5. How do I view Black Duck scan results? After the pipeline runs, you can view the pipeline logs and console output in the Opsera interface to check the status and results of the Black Duck scan.
6. Who should use the Black Duck integration? The integration is intended for security teams, development teams, DevSecOps engineers, platform administrators, and compliance officers who are responsible for managing open source risks.
7. How does Black Duck integration help with compliance? Black Duck scans provide detailed reports and logs, helping organizations demonstrate compliance with security and license management policies.