
Conversation

@sa-progress
Contributor

Summary

This PR adds Gemfile.lock and replaces the minimal trufflehog-only workflow with a comprehensive CI/CD pipeline aligned with InSpec 5.x standards, enabling full BlackDuck SCA and SAST scanning for the Train repository.

Changes

  • ✅ Added Gemfile.lock (121 gems) for accurate dependency scanning
  • ✅ Created comprehensive CI workflow: .github/workflows/ci-main-pull-request-stub.yml
  • ✅ Removed minimal workflow: .github/workflows/ci-main-pull-request-stub-trufflehog-only.yml
  • ✅ Enabled BlackDuck SCA scanning with HIGH accuracy threshold
  • ✅ Enabled BlackDuck SAST (Polaris) for security vulnerability scanning
  • ✅ Added Trivy container scanning
  • ✅ Enabled SBOM generation (GitHub SPDX + BlackDuck formats)
  • ✅ Configured build step required for dependency analysis
  • ✅ All commits include DCO sign-off

Why This Change?

BlackDuck SCA requires Gemfile.lock to accurately identify all Ruby gem dependencies and their specific versions for comprehensive vulnerability scanning. The previous trufflehog-only workflow provided minimal security scanning. This update brings Train's CI/CD pipeline to parity with InSpec 5.x standards.

CI/CD Enhancements

  • Security Scanning: BlackDuck SCA, BlackDuck SAST (Polaris), Trivy, TruffleHog
  • Code Quality: Complexity checks, SCC analysis
  • SBOM Generation: GitHub SPDX JSON + BlackDuck SBOM
  • Build Integration: Enabled for dependency resolution

AI Compliance

🤖 This PR was created with AI assistance (GitHub Copilot)

  • AI was used to: Generate Gemfile.lock, create comprehensive CI workflow based on InSpec 5.x template, ensure DCO compliance
  • Human review: Dependency verification, workflow configuration validation, security settings review
  • All work follows Progress AI policies and governance requirements

Testing

  • Gemfile.lock generated successfully via bundle install (121 gems)
  • CI workflow configuration validated against InSpec 5.x reference
  • All security scanning features enabled (SCA, SAST, Trivy, TruffleHog)
  • Build step configured for proper dependency analysis
  • Commit includes proper DCO sign-off

JIRA

CHEF-21894

Configuration Details

  • Language: Ruby (autodetect)
  • BlackDuck Project Group: Chef-Agents
  • BlackDuck Project Name: train
  • Polaris Application: Chef-Agents
  • Target Branches: main, release/**

…uck SCA

- Added Gemfile.lock for accurate dependency scanning
- Replaced minimal trufflehog-only workflow with comprehensive CI pipeline
- Enabled BlackDuck SCA scanning with HIGH accuracy threshold
- Enabled BlackDuck SAST (Polaris) scanning for security vulnerabilities
- Added Trivy container scanning
- Enabled SBOM generation (GitHub SPDX + BlackDuck formats)
- Configured build step required for dependency analysis
- Force-added Gemfile.lock despite .gitignore for SBOM accuracy

This change aligns Train repository with InSpec 5.x CI/CD standards,
enabling comprehensive security scanning and dependency analysis.
BlackDuck SCA requires Gemfile.lock to accurately identify all Ruby
gem dependencies and their versions for vulnerability scanning.

Changes:
- New: .github/workflows/ci-main-pull-request-stub.yml (comprehensive CI)
- Removed: .github/workflows/ci-main-pull-request-stub-trufflehog-only.yml
- Added: Gemfile.lock (121 gems)

Signed-off-by: Samir Anand <[email protected]>
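Added example, not code from the Train repository or from this PR: a minimal Ruby parser for the Bundler Gemfile.lock format, showing what a lockfile gives an SCA scanner that Gemfile alone does not, namely every transitively resolved gem pinned to one exact version. The sample lockfile, gem names and versions are constructed for illustration and are not Train's real dependencies.

```ruby
# Added example (not from the Train repository or this PR): a minimal parser for
# the Bundler Gemfile.lock format, illustrating what a dependency scanner such as
# an SCA tool gets from the lockfile that it cannot get from Gemfile alone:
# every transitively resolved gem pinned to one exact version.
#
# Constructed sample lockfile (not Train's real Gemfile.lock; gem names and
# versions are illustrative only).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-core (1.2.3)
        example-util (~> 2.0)
      example-util (2.0.5)
      example-tool (0.9.1)
        example-core (>= 1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    example-tool

  BUNDLED WITH
     2.4.22
LOCK

# Parse the `specs:` block of the GEM section into { name => version }.
# In Gemfile.lock, resolved gems are indented by four spaces and written as
# "name (version)"; their own dependencies are indented by six spaces and
# carry a constraint rather than a pinned version, so they are skipped here.
def parse_locked_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line == "  specs:"
      in_specs = true
      next
    end
    # A blank line or a non-indented section header (PLATFORMS, ...) ends the block.
    if in_specs && (line.empty? || line !~ /\A\s/)
      in_specs = false
      next
    end
    next unless in_specs
    # Exactly four leading spaces marks a resolved gem; six marks a dependency edge.
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Parse the DEPENDENCIES section: the gems named directly in Gemfile.
def parse_direct_dependencies(lock_text)
  deps = []
  in_deps = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line == "DEPENDENCIES"
      in_deps = true
      next
    end
    if in_deps && (line.empty? || line !~ /\A\s/)
      in_deps = false
      next
    end
    next unless in_deps
    # Entries look like "  name", "  name (constraint)" or "  name!" (path/git source).
    deps << line.strip.sub(/\s*\(.*\)\z/, "").delete_suffix("!")
  end
  deps
end

# Gems present only because another gem pulled them in: exactly the set a
# scanner working from Gemfile alone would never see.
def transitive_only(lock_text)
  parse_locked_specs(lock_text).keys - parse_direct_dependencies(lock_text)
end

if __FILE__ == $PROGRAM_NAME
  parse_locked_specs(SAMPLE_LOCK).each { |name, version| puts "#{name} #{version}" }
  puts "transitive only: #{transitive_only(SAMPLE_LOCK).sort.join(', ')}"
end
```

Run it with `ruby lockfile_example.rb`: with the constructed sample, Gemfile names a single gem but the lockfile pins three, and the two extra ones are the transitive dependencies a scanner can only version-match when the lockfile is committed (which is why the PR force-adds it despite `.gitignore`).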
@sa-progress sa-progress requested a review from a team as a code owner November 10, 2025 10:25
@sa-progress sa-progress added the ai-assisted Work completed with AI assistance following Progress AI policies label Nov 10, 2025
@Vasu1105
Contributor

@sa-progress hold on merging this
