GitHub Fixer for Polaris

Introduction

This guide provides step-by-step instructions on how to set up a GitHub Actions workflow that runs a Polaris SAST scan and automatically fixes vulnerabilities using Mobb.

Goal

Once this integration is complete, you will achieve the following:

Be automatically scanned for security vulnerabilities using Polaris by Black Duck.
Upload the scan results in SARIF format onto GitHub.
Trigger Mobb to analyze the findings and provide fixes.
Allow developers to review and apply fixes directly within GitHub.

Prerequisites

Before starting this integration, you will need:

A Polaris account with an active access token. See Generating a Polaris Access Token for instructions.
GitHub Advanced Security enabled for your repository (required for SARIF upload).
A Mobb API Token. See Generating a Mobb API Token for instructions.

Initial Setup - Secrets and Variables

Store the following in your GitHub repository under Settings -> Secrets and variables -> Actions:

Name

Type

Description

POLARIS_ACCESS_TOKEN

Secret

Your Polaris access token

MOBB_API_TOKEN

Secret

Your Mobb API token

POLARIS_SERVER_URL

Variable

Your Polaris server URL (e.g. https://polaris.blackduck.com)

Sample GitHub Action YAML

Example - Full Scan + Mobb autofixer triggered manually

# Mobb/Polaris Fixer
# This workflow runs a Polaris SAST scan and sends the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# POLARIS_ACCESS_TOKEN - your Polaris access token
# MOBB_API_TOKEN       - your Mobb API token
#
# Variables in use:
# POLARIS_SERVER_URL   - your Polaris server URL

name: "Mobb/Polaris Full Scan"

on:
  workflow_dispatch:
  push:
    branches: [main, master, develop, stage, release]

jobs:
  scan-and-fix:
    name: Scan with Polaris and fix with Mobb
    runs-on: ubuntu-latest
    timeout-minutes: 360
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run Polaris SAST scan
        uses: blackduck-inc/black-duck-security-scan@v2
        with:
          polaris_server_url: ${{ vars.POLARIS_SERVER_URL }}
          polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
          polaris_assessment_types: "SAST"
          polaris_application_name: ${{ github.event.repository.name }}
          polaris_project_name: ${{ github.event.repository.name }}
          polaris_reports_sarif_create: true

      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: .blackduck/integrations/polaris/sarif/report.sarif.json
          category: polaris-sast

      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/[email protected]
        with:
          report-file: ".blackduck/integrations/polaris/sarif/report.sarif.json"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

Polaris SARIF report generation is not supported for Pull Request scans. This workflow should only be triggered on push events or manually via workflow_dispatch. Enabling it on pull_request events will result in no SARIF being generated.

The SARIF report is written to .blackduck/integrations/polaris/sarif/report.sarif.json when using Bridge CLI version 3.5.0 or later. If you are using an older version of Bridge, the path will be .bridge/Polaris SARIF Generator/report.sarif.json — update the sarif_file and report-file fields accordingly.

For projects that require compilation (e.g. Java with Maven or Gradle), add the appropriate coverity_build_command and coverity_clean_command parameters to the Polaris scan step. See Generating a Polaris SAST Report for examples.

PreviousGitHub Fixer for GitHub Advanced Security NextGitLab Pipeline

Last updated 16 days ago

# Mobb/Polaris Fixer
# This workflow runs a Polaris SAST scan and sends the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# POLARIS_ACCESS_TOKEN - your Polaris access token
# MOBB_API_TOKEN       - your Mobb API token
#
# Variables in use:
# POLARIS_SERVER_URL   - your Polaris server URL

name: "Mobb/Polaris Full Scan"

on:
  workflow_dispatch:
  push:
    branches: [main, master, develop, stage, release]

jobs:
  scan-and-fix:
    name: Scan with Polaris and fix with Mobb
    runs-on: ubuntu-latest
    timeout-minutes: 360
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run Polaris SAST scan
        uses: blackduck-inc/black-duck-security-scan@v2
        with:
          polaris_server_url: ${{ vars.POLARIS_SERVER_URL }}
          polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
          polaris_assessment_types: "SAST"
          polaris_application_name: ${{ github.event.repository.name }}
          polaris_project_name: ${{ github.event.repository.name }}
          polaris_reports_sarif_create: true

      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: .blackduck/integrations/polaris/sarif/report.sarif.json
          category: polaris-sast

      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/[email protected]
        with:
          report-file: ".blackduck/integrations/polaris/sarif/report.sarif.json"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

hashtagIntroduction

hashtagGoal

hashtagPrerequisites

hashtagInitial Setup - Secrets and Variables

hashtagSample GitHub Action YAML

hashtagExample - Full Scan + Mobb autofixer triggered manually

Introduction

Goal

Prerequisites

Initial Setup - Secrets and Variables

Sample GitHub Action YAML

Example - Full Scan + Mobb autofixer triggered manually