Build Block
To prevent the build from proceeding when issues are found, add a .fd.config.yaml file to the root directory of the repository.
To block the build on secrets and SAST issues, list the severity levels to fail on (critical, high, medium, low) in the .fd.config.yaml file:
fail-build-on:
  secrets:
    - critical
Make sure the docker run command includes the -e EXIT_ON_ERROR=true variable so that the build is blocked when issues are found.
Ensure that the DuckDefender.yml workflow file contains this variable, as in the following workflow:
env:
  docker_tag: flyingduckio/duckdefender:latest
name: DuckDefender
on:
  push:
    branches: [ "master", "main", "release", "develop" ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Download latest DuckDefender
        run: docker pull "${{env.docker_tag}}"
      - name: Run DuckDefender
        run: |
          docker run \
            -e EXIT_ON_ERROR=true \
            -e GITHUB_REPOSITORY_OWNER="${{github.repository_owner}}" \
            -e GITHUB_REPOSITORY_OWNER_ID="${{github.repository_owner_id}}" \
            -e GITHUB_REPOSITORY="${{github.repository}}" \
            -e GITHUB_REPOSITORY_ID="${{github.repository_id}}" \
            -e GITHUB_EVENT_NAME="${{github.event_name}}" \
            -e GITHUB_ACTOR="${{github.actor}}" \
            -e GITHUB_ACTOR_ID="${{github.actor_id}}" \
            -e FD_API_KEY="${{secrets.FD_API_KEY}}" \
            -e GITHUB_TOKEN="${{github.token}}" \
            -e GITHUB_HEAD_REF="${{github.head_ref}}" \
            -e GITHUB_BASE_REF="${{github.base_ref}}" \
            -e GITHUB_REF="${{github.ref}}" \
            -e GITHUB_SHA="${{github.sha}}" \
            -e WORKSPACE_PATH="/src" \
            -v "${{ github.workspace }}":/src \
            --entrypoint /bin/sh "${{env.docker_tag}}" -c "duckdefender code --all"
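To make the two settings above concrete, here is an added illustrative build gate (not DuckDefender's own code) that reads a fail-build-on policy in the .fd.config.yaml shape shown earlier and decides, together with the EXIT_ON_ERROR flag, whether a set of findings should fail the build. It assumes the policy means "block if any finding in a listed category has a listed severity", that findings carry category and severity keys, and it parses only the two-level mapping/list shape from the docs rather than general YAML; the config and findings are constructed samples.

```python
VALID_LEVELS = ("critical", "high", "medium", "low")

# Constructed sample policy in the .fd.config.yaml shape shown in the docs.
CONFIG = """\
fail-build-on:
  secrets:
    - critical
  sast:
    - critical
    - high
"""

# Constructed sample findings; the 'category'/'severity' keys are an assumption.
FINDINGS = [
    {"id": "S1", "category": "secrets", "severity": "critical"},
    {"id": "A1", "category": "sast", "severity": "medium"},
    {"id": "A2", "category": "sast", "severity": "high"},
]

def parse_fail_build_on(text: str) -> dict:
    """Read the fail-build-on section into {category: [levels]}.
    Handles only the two-level mapping/list shape above, not general YAML."""
    policy: dict = {}
    in_section, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():          # top-level key: enter/leave the section
            in_section, current = line == "fail-build-on:", None
        elif in_section and line.endswith(":"):
            current = line[:-1]           # category such as secrets or sast
            policy.setdefault(current, [])
        elif in_section and line.startswith("- "):
            level = line[2:].strip()
            if level not in VALID_LEVELS or current is None:
                raise ValueError(f"bad policy entry: {raw!r}")
            policy[current].append(level)
    return policy

def blocking_findings(policy: dict, findings: list) -> list:
    """Findings whose severity is listed for their category are blockers."""
    return [f for f in findings if f["severity"] in policy.get(f["category"], [])]

def exit_code(policy: dict, findings: list, exit_on_error: bool) -> int:
    """Mirror EXIT_ON_ERROR: fail (1) only when the flag is set and a blocker exists."""
    return 1 if exit_on_error and blocking_findings(policy, findings) else 0
```

With the sample policy, the medium SAST finding A1 is reported but does not block, while S1 and A2 fail the build only when EXIT_ON_ERROR is set.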
On GitHub-hosted runners such as ubuntu-latest, windows-latest, and macos-latest, resources are limited and environments are temporary, which makes it difficult to strictly block builds on SAST issues. Self-hosted runners give you a persistent setup with pre-installed SAST tools and better control over blocking builds when vulnerabilities are found. Since SAST scans can be resource-intensive, they may consume more build minutes, leading to extra costs or pipeline throttling.