# GitHub Fixer for Polaris

## Introduction

This guide provides step-by-step instructions on how to set up a GitHub Actions workflow that runs a Polaris SAST scan and automatically fixes vulnerabilities using Mobb.

## Goal

Once this integration is complete, you will achieve the following:

1. Your repository is automatically scanned for security vulnerabilities using Polaris by Black Duck.
2. Upload the scan results in **SARIF format** onto GitHub.
3. Trigger Mobb to analyze the findings and provide fixes.
4. Allow developers to review and apply fixes directly within GitHub.

## Prerequisites

Before starting this integration, you will need:

* A [Polaris](https://polaris.blackduck.com) account with an active access token. See [Generating a Polaris Access Token](https://documentation.blackduck.com/bundle/coverity-on-polaris/page/topics/t_creating-tokens.html) for instructions.
* GitHub Advanced Security enabled for your repository (required for SARIF upload).
* A Mobb API Token. See [Generating a Mobb API Token](/mobb-user-docs/administration/access-tokens.md) for instructions.

## Initial Setup - Secrets and Variables

Store the following in your GitHub repository under **Settings -> Secrets and variables -> Actions**:

| Name                   | Type     | Description                                                    |
| ---------------------- | -------- | -------------------------------------------------------------- |
| `POLARIS_ACCESS_TOKEN` | Secret   | Your Polaris access token                                      |
| `MOBB_API_TOKEN`       | Secret   | Your Mobb API token                                            |
| `POLARIS_SERVER_URL`   | Variable | Your Polaris server URL (e.g. `https://polaris.blackduck.com`) |

## Sample GitHub Action YAML

### Example - Full Scan + Mobb autofixer triggered manually

```yaml
# Mobb/Polaris Fixer
# This workflow runs a Polaris SAST scan and sends the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# POLARIS_ACCESS_TOKEN - your Polaris access token
# MOBB_API_TOKEN       - your Mobb API token
#
# Variables in use:
# POLARIS_SERVER_URL   - your Polaris server URL

name: "Mobb/Polaris Full Scan"

on:
  workflow_dispatch:
  push:
    branches: [main, master, develop, stage, release]

jobs:
  scan-and-fix:
    name: Scan with Polaris and fix with Mobb
    runs-on: ubuntu-latest
    timeout-minutes: 360
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run Polaris SAST scan
        uses: blackduck-inc/black-duck-security-scan@v2
        with:
          polaris_server_url: ${{ vars.POLARIS_SERVER_URL }}
          polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
          polaris_assessment_types: "SAST"
          polaris_application_name: ${{ github.event.repository.name }}
          polaris_project_name: ${{ github.event.repository.name }}
          polaris_reports_sarif_create: true

      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: .blackduck/integrations/polaris/sarif/report.sarif.json
          category: polaris-sast

      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/action@v1.1
        with:
          report-file: ".blackduck/integrations/polaris/sarif/report.sarif.json"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

{% hint style="warning" %}
Polaris SARIF report generation is **not supported for Pull Request scans**. This workflow should only be triggered on push events or manually via `workflow_dispatch`. Enabling it on `pull_request` events will result in no SARIF being generated.
{% endhint %}

{% hint style="info" %}
The SARIF report is written to `.blackduck/integrations/polaris/sarif/report.sarif.json` when using Bridge CLI version 3.5.0 or later. If you are using an older version of Bridge, the path will be `.bridge/Polaris SARIF Generator/report.sarif.json` — update the `sarif_file` and `report-file` fields accordingly.
{% endhint %}

{% hint style="info" %}
For projects that require compilation (e.g. Java with Maven or Gradle), add the appropriate `coverity_build_command` and `coverity_clean_command` parameters to the Polaris scan step. See [Generating a Polaris SAST Report](/mobb-user-docs/integrating-sast-findings/polaris/generating-a-polaris-sast-report.md) for examples.
{% endhint %}
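Because the Mobb step runs with `if: always()`, it is worth confirming that a SARIF report actually exists (and what it contains) before handing it on, especially given the two report paths that depend on the Bridge CLI version and the absence of SARIF on pull request scans. The following is an added example written for this guide, not code from Mobb or Black Duck. It assumes only the two report paths named in the hints above and the standard SARIF 2.1.0 layout (`runs[].results[]` with `ruleId` and `level`); the sample report embedded at the bottom is constructed for local testing.

```python
"""Locate and summarise the Polaris SARIF report before it is sent to Mobb.

Added example for this guide; it is not part of the Mobb action or the
Black Duck Security Scan action. Assumes the two report paths documented
for Bridge CLI 3.5.0+ and older Bridge versions, and SARIF 2.1.0 structure.
"""
import json
import os
from collections import Counter

# Candidate report locations, newest Bridge CLI layout first (paths from the guide).
SARIF_CANDIDATES = [
    ".blackduck/integrations/polaris/sarif/report.sarif.json",
    ".bridge/Polaris SARIF Generator/report.sarif.json",
]


def find_sarif(candidates=SARIF_CANDIDATES, root="."):
    """Return the first candidate path that exists under root, or None if none do."""
    for rel in candidates:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            return path
    return None


def summarize_sarif(sarif):
    """Count results per rule and per SARIF level from a parsed SARIF document.

    Returns {"total": int, "by_level": Counter, "by_rule": Counter}.
    Results with no explicit level are counted as "warning", the SARIF default.
    """
    by_level = Counter()
    by_rule = Counter()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            by_level[result.get("level", "warning")] += 1
            by_rule[result.get("ruleId", "<no-rule>")] += 1
    return {"total": sum(by_level.values()), "by_level": by_level, "by_rule": by_rule}


def summarize_file(path):
    """Load a SARIF file from disk and summarise it."""
    with open(path, encoding="utf-8") as fh:
        return summarize_sarif(json.load(fh))


# Constructed sample SARIF shaped like a minimal Polaris report (not real scan output).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Polaris"}},
            "results": [
                {"ruleId": "SQL_INJECTION", "level": "error", "message": {"text": "sample"}},
                {"ruleId": "SQL_INJECTION", "level": "error", "message": {"text": "sample"}},
                {"ruleId": "XSS", "level": "warning", "message": {"text": "sample"}},
                {"ruleId": "PATH_MANIPULATION", "message": {"text": "sample"}},
            ],
        }
    ],
}


if __name__ == "__main__":
    path = find_sarif()
    if path is None:
        # Matches the failure mode described in the hints: no SARIF is produced on
        # pull_request scans, and older Bridge versions write to a different path.
        raise SystemExit(
            "No Polaris SARIF report found at any known path; "
            "check the Bridge CLI version and the triggering event."
        )
    summary = summarize_file(path)
    print(f"{path}: {summary['total']} findings, by level {dict(summary['by_level'])}")
    for rule, count in summary["by_rule"].most_common():
        print(f"  {rule}: {count}")
```

Run it as an extra workflow step between the Polaris scan and the Mobb step (for example `run: python3 check_sarif.py`, a hypothetical file name); a non-zero exit there makes a missing or empty report visible in the job log instead of surfacing later as a failed Mobb analysis.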
