feat: add risk score threshold input (814a7f3f) · Commits · to be continuous... / Dependency-Track

README.md

+14 −13

Original line number	Diff line number	Diff line
		@@ -56,7 +56,7 @@ Here are some details about mandatory and optional permissions used by the templ
		\| ------------------------------------------- \| ------------- \| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- \|
		\| `BOM_UPLOAD` \| mandatory \| Required to publish SBOM files to the Dependency Track server \|
		\| `PROJECT_CREATION_UPLOAD` \| optional \| This is required if you want to automatically create the project while uploading the SBOM files when the project does not exist (but the parent project must exist) \|
		\| `VIEW_VULNERABILITY` and `VIEW_PORTFOLIO` \| optional \| Required if you want to display found vulnerabilities after SBOM analysis.<br/>Granting those permissions without enabling [Portfolio ACLs](https://github.com/DependencyTrack/dependency-track/issues/1127) is not recommended in the general case as it gives a read access to all projects \|
		\| `VIEW_VULNERABILITY` and `VIEW_PORTFOLIO` \| optional \| Required if you want to display found vulnerabilities or compute a risk score after SBOM analysis.<br/>Granting those permissions without enabling [Portfolio ACLs](https://github.com/DependencyTrack/dependency-track/issues/1127) is not recommended in the general case as it gives a read access to all projects \|
		\| `VIEW_PORTFOLIO` and `PORTFOLIO_MANAGEMENT` \| optional \| Required if you want to automatically create one or several project ancestors prior to uploading the SBOM files.<br/>Granting those permissions is not recommended in the general case as they virtually give administration rights to the API Key owner \|

		### Multiple SBOM strategy
		@@ -166,7 +166,7 @@ Examples:
		The Dependency Track template uses the following configuration.

		\| Input / Variable \| Description \| Default value \|
		\| ---------------------------------------------------- \| ------------------------------------------------------------------------------------------------------------------------ \| --------------------------------------------------------------------------- \|
		\| -------------------------------------------------------- \| ------------------------------------------------------------------------------------------------------------------------ \| --------------------------------------------------------------------------- \|
		\| `sbom-scanner-image` / `DEPTRACK_SBOM_SCANNER_IMAGE` \| The container image with [Dependency Track SBOM Scanner](https://gitlab.com/to-be-continuous/tools/dt-sbom-scanner) tool \| `registry.gitlab.com/to-be-continuous/tools/dt-sbom-scanner:latest` \|
		\| `base-api-url` / `DEPTRACK_BASE_API_URL` \| Dependency Track server base API url (includes `/api`) \| _none_ (required) \|
		\| :lock: `DEPTRACK_API_KEY` \| Dependency Track API key \| _none_ (required) \|
		@@ -177,6 +177,7 @@ The Dependency Track template uses the following configuration.
		\| `merge-output` / `DEPTRACK_MERGE_OUTPUT` \| Output merged SBOM file (only used with merge enabled) - _for debugging purpose_ \| `reports/deptrack-merged.cyclonedx.json` \|
		\| `purl-max-len` / `DEPTRACK_PURL_MAX_LEN` \| PURLs max length (`-1`: auto, `0`: no trim, `>0`: trim to size - default: `-1`) \| `-1` (auto) \|
		\| `show-findings` / `DEPTRACK_SHOW_FINDINGS` \| Wait for analysis and display found vulnerabilities in logs \| _none_ (disabled) \|
		\| `risk-score-threshold` / `DEPTRACK_RISK_SCORE_THRESHOLD` \| Fail the job if risk score threshold is exceeded (`<0`: disabled - default: `-1`) \| `-1` (disabled) \|

		### Secrets management

kicker.json

+6 −0

Original line number	Diff line number	Diff line
		@@ -65,6 +65,12 @@
		"description": "Wait for analysis and display found vulnerabilities in logs",
		"type": "boolean",
		"default": "false"
		},
		{
		"name": "DEPTRACK_RISK_SCORE_THRESHOLD",
		"description": "Fail the job if risk score threshold is exceeded (`<0`: disabled - default: `-1`)",
		"type": "number",
		"default": "-1"
		}
		],
		"variants": [

templates/gitlab-ci-dependency-track.yml

+5 −0

Original line number	Diff line number	Diff line
		@@ -45,6 +45,10 @@ spec:
		description: Wait for analysis and display found vulnerabilities in logs
		type: boolean
		default: false
		risk-score-threshold:
		description: 'Fail the job if risk score threshold is exceeded (`<0`: disabled - default: `-1`)'
		type: number
		default: -1
		---
		# default workflow rules: Merge Request pipelines
		workflow:
		@@ -84,6 +88,7 @@ variables:
		DEPTRACK_PURL_MAX_LEN: $[[ inputs.purl-max-len ]]
		DEPTRACK_SBOM_PATTERNS: $[[ inputs.sbom-patterns ]]
		DEPTRACK_SHOW_FINDINGS: $[[ inputs.show-findings ]]
		DEPTRACK_RISK_SCORE_THRESHOLD: $[[ inputs.risk-score-threshold ]]

		# default production ref name (pattern)
		PROD_REF: '/^(master\|main)$/'

Original line number	Diff line number	Diff line
		@@ -56,7 +56,7 @@ Here are some details about mandatory and optional permissions used by the templ
		\| ------------------------------------------- \| ------------- \| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- \|
		\| `BOM_UPLOAD` \| mandatory \| Required to publish SBOM files to the Dependency Track server \|
		\| `PROJECT_CREATION_UPLOAD` \| optional \| This is required if you want to automatically create the project while uploading the SBOM files when the project does not exist (but the parent project must exist) \|
		\| `VIEW_VULNERABILITY` and `VIEW_PORTFOLIO` \| optional \| Required if you want to display found vulnerabilities after SBOM analysis.<br/>Granting those permissions without enabling [Portfolio ACLs](https://github.com/DependencyTrack/dependency-track/issues/1127) is not recommended in the general case as it gives a read access to all projects \|
		\| `VIEW_VULNERABILITY` and `VIEW_PORTFOLIO` \| optional \| Required if you want to display found vulnerabilities or compute a risk score after SBOM analysis.<br/>Granting those permissions without enabling [Portfolio ACLs](https://github.com/DependencyTrack/dependency-track/issues/1127) is not recommended in the general case as it gives a read access to all projects \|
		\| `VIEW_PORTFOLIO` and `PORTFOLIO_MANAGEMENT` \| optional \| Required if you want to automatically create one or several project ancestors prior to uploading the SBOM files.<br/>Granting those permissions is not recommended in the general case as they virtually give administration rights to the API Key owner \|

		### Multiple SBOM strategy
		@@ -166,7 +166,7 @@ Examples:
		The Dependency Track template uses the following configuration.

		\| Input / Variable \| Description \| Default value \|
		\| ---------------------------------------------------- \| ------------------------------------------------------------------------------------------------------------------------ \| --------------------------------------------------------------------------- \|
		\| -------------------------------------------------------- \| ------------------------------------------------------------------------------------------------------------------------ \| --------------------------------------------------------------------------- \|
		\| `sbom-scanner-image` / `DEPTRACK_SBOM_SCANNER_IMAGE` \| The container image with [Dependency Track SBOM Scanner](https://gitlab.com/to-be-continuous/tools/dt-sbom-scanner) tool \| `registry.gitlab.com/to-be-continuous/tools/dt-sbom-scanner:latest` \|
		\| `base-api-url` / `DEPTRACK_BASE_API_URL` \| Dependency Track server base API url (includes `/api`) \| _none_ (required) \|
		\| :lock: `DEPTRACK_API_KEY` \| Dependency Track API key \| _none_ (required) \|
		@@ -177,6 +177,7 @@ The Dependency Track template uses the following configuration.
		\| `merge-output` / `DEPTRACK_MERGE_OUTPUT` \| Output merged SBOM file (only used with merge enabled) - _for debugging purpose_ \| `reports/deptrack-merged.cyclonedx.json` \|
		\| `purl-max-len` / `DEPTRACK_PURL_MAX_LEN` \| PURLs max length (`-1`: auto, `0`: no trim, `>0`: trim to size - default: `-1`) \| `-1` (auto) \|
		\| `show-findings` / `DEPTRACK_SHOW_FINDINGS` \| Wait for analysis and display found vulnerabilities in logs \| _none_ (disabled) \|
		\| `risk-score-threshold` / `DEPTRACK_RISK_SCORE_THRESHOLD` \| Fail the job if risk score threshold is exceeded (`<0`: disabled - default: `-1`) \| `-1` (disabled) \|

		### Secrets management