
CHEF-21894: Add Gemfile.lock and comprehensive CI workflow for BlackDuck SCA

Open sa-progress opened this issue 2 months ago • 1 comment

Summary

This PR adds Gemfile.lock and replaces the minimal trufflehog-only workflow with a comprehensive CI/CD pipeline aligned with InSpec 5.x standards, enabling full BlackDuck SCA and SAST scanning for the Train repository.

Changes

  • ✅ Added Gemfile.lock (121 gems) for accurate dependency scanning
  • ✅ Created comprehensive CI workflow: .github/workflows/ci-main-pull-request-stub.yml
  • ✅ Removed minimal workflow: .github/workflows/ci-main-pull-request-stub-trufflehog-only.yml
  • ✅ Enabled BlackDuck SCA scanning with HIGH accuracy threshold
  • ✅ Enabled BlackDuck SAST (Polaris) for security vulnerability scanning
  • ✅ Added Trivy container scanning
  • ✅ Enabled SBOM generation (GitHub SPDX + BlackDuck formats)
  • ✅ Configured build step required for dependency analysis
  • ✅ All commits include DCO sign-off

Why This Change?

BlackDuck SCA requires Gemfile.lock to accurately identify all Ruby gem dependencies and their specific versions for comprehensive vulnerability scanning. The previous trufflehog-only workflow provided minimal security scanning. This update brings Train's CI/CD pipeline to parity with InSpec 5.x standards.

CI/CD Enhancements

  • Security Scanning: BlackDuck SCA, BlackDuck SAST (Polaris), Trivy, TruffleHog
  • Code Quality: Complexity checks, SCC analysis
  • SBOM Generation: GitHub SPDX JSON + BlackDuck SBOM
  • Build Integration: Enabled for dependency resolution

AI Compliance

🤖 This PR was created with AI assistance (GitHub Copilot)

  • AI was used to: Generate Gemfile.lock, create comprehensive CI workflow based on InSpec 5.x template, ensure DCO compliance
  • Human review: Dependency verification, workflow configuration validation, security settings review
  • All work follows Progress AI policies and governance requirements

Testing

  • Gemfile.lock generated successfully via bundle install (121 gems)
  • CI workflow configuration validated against InSpec 5.x reference
  • All security scanning features enabled (SCA, SAST, Trivy, TruffleHog)
  • Build step configured for proper dependency analysis
  • Commit includes proper DCO sign-off

JIRA

CHEF-21894

Configuration Details

  • Language: Ruby (autodetect)
  • BlackDuck Project Group: Chef-Agents
  • BlackDuck Project Name: train
  • Polaris Application: Chef-Agents
  • Target Branches: main, release/**

sa-progress avatar Nov 10 '25 10:11 sa-progress
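As an added example (not part of this PR, the Train code base, or any BlackDuck tooling), the following Ruby script parses a Gemfile.lock the way an SCA or SBOM tool has to, to make concrete why the lockfile is what the scanner needs: the `Gemfile` only carries version ranges, while the lockfile carries the exact resolved version of every gem, which is what a vulnerability lookup keys on. It also performs the completeness check a reviewer would want before trusting scan results: any gem referenced by `DEPENDENCIES` or by another spec's requirements that has no resolved entry is reported. The sample lockfile is constructed, `example-app` is a hypothetical path gem standing in for the project itself, and the regexes are assumptions based on the layout Bundler writes.

```ruby
# Added example: parse a Gemfile.lock into what an SCA/SBOM tool needs, i.e. the
# exact resolved version of every gem plus the top-level DEPENDENCIES, then check
# the lockfile is complete. Hand-written; it follows the layout Bundler writes
# (section names at column 0, "specs:" at indent 2, resolved gems at indent 4,
# each gem's own requirements at indent 6).

# Constructed sample lockfile (not Train's). "example-app" is a hypothetical
# path gem standing in for the project itself.
SAMPLE_LOCKFILE = <<~LOCK
  PATH
    remote: .
    specs:
      example-app (1.0.0)
        addressable (~> 2.8)
        nokogiri (~> 1.16)

  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.7)
        public_suffix (>= 2.0.2, < 7.0)
      nokogiri (1.16.5-x86_64-linux)
        racc (~> 1.4)
      public_suffix (6.0.1)
      racc (1.8.0)
      rake (13.2.1)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    example-app!
    rake (~> 13.0)

  BUNDLED WITH
     2.5.11
LOCK

# Sections that carry a "specs:" block of resolved gems.
SOURCE_SECTIONS = ["GEM", "GIT", "PATH", "PLUGIN SOURCE"].freeze
# "    name (version)" or "    name (version-platform)"; like Bundler, the first
# "-" inside the parentheses separates version from platform.
SPEC_LINE   = /\A {4}(\S+) \(([^-)]*)(?:-([^)]+))?\)\z/
# "      name (constraint)": a requirement of the spec directly above it.
SUBDEP_LINE = /\A {6}(\S+)(?: \((.+)\))?\z/
# "  name (constraint)" or "  name!" (trailing "!" = pinned to a non-rubygems source).
DEP_LINE    = /\A {2}(\S+?)(?: \((.+)\))?(!)?\z/

def parse_lockfile(text)
  lock = { specs: {}, requirements: {}, dependencies: {}, sources: [] }
  section = nil
  in_specs = false
  current = nil

  text.each_line(chomp: true) do |line|
    next if line.strip.empty?

    unless line.start_with?(" ")      # column 0: a new section header
      section = line
      in_specs = false
      current = nil
      next
    end

    if SOURCE_SECTIONS.include?(section)
      if line == "  specs:"
        in_specs = true
      elsif line.start_with?("  remote: ")
        lock[:sources] << line.delete_prefix("  remote: ")
      elsif in_specs && (m = SPEC_LINE.match(line))
        name, version, platform = m.captures
        lock[:specs][name] = { version: version, platform: platform || "ruby", source: section }
        lock[:requirements][name] = []
        current = name
      elsif in_specs && current && (m = SUBDEP_LINE.match(line))
        lock[:requirements][current] << m[1]
      end
    elsif section == "DEPENDENCIES" && (m = DEP_LINE.match(line))
      lock[:dependencies][m[1]] = { constraint: m[2], pinned_source: !m[3].nil? }
    end
  end
  lock
end

# Gems referenced by DEPENDENCIES or by another spec's requirements that have
# no resolved entry. A complete lockfile returns []; anything else means the
# scanner would silently miss those gems.
def unresolved_gems(lock)
  referenced = lock[:dependencies].keys + lock[:requirements].values.flatten
  (referenced.uniq - lock[:specs].keys).sort
end

# One component per resolved gem, with the exact version and a Package URL.
def components(lock)
  lock[:specs].map do |name, spec|
    { name: name, version: spec[:version], source: spec[:source],
      purl: "pkg:gem/#{name}@#{spec[:version]}" }
  end.sort_by { |c| c[:name] }
end

# Only gems fetched from a gem server count as third-party for SCA; PATH/GIT
# entries are the project's own code.
def third_party_components(lock)
  components(lock).select { |c| c[:source] == "GEM" }
end

if $PROGRAM_NAME == __FILE__
  lock = parse_lockfile(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE)
  third_party_components(lock).each { |c| puts c[:purl] }
  missing = unresolved_gems(lock)
  abort "incomplete lockfile, unresolved: #{missing.join(', ')}" unless missing.empty?
  puts "#{lock[:specs].size} gems resolved, #{lock[:dependencies].size} top-level dependencies"
end
```

Run it with a path to a real Gemfile.lock (`ruby lockfile_components.rb Gemfile.lock`) to see the exact `pkg:gem/name@version` list a scanner would work from; with no argument it uses the constructed sample. The platform suffix is kept separately from the version on purpose, since a platform-specific build such as `nokogiri (1.16.5-x86_64-linux)` is still version 1.16.5 for advisory matching.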

@sa-progress hold on merging this

Vasu1105 avatar Nov 11 '25 13:11 Vasu1105