Build Block
To enable build blocking, add a .fd.config.yaml file to the root directory of the repository. Under fail-build-on, list the severity levels (critical, high, medium, low) of secrets and SAST findings that should fail the build, for example:

```yaml
fail-build-on:
  secrets:
    - critical
```

The config file only decides which findings count as failures; the scanner step itself must also be told to fail on them. Make sure the docker run command in the DuckDefender.yml workflow passes -e EXIT_ON_ERROR=true; without it, the scanner step does not fail the build when issues are found.
```yaml
env:
  docker_tag: flyingduckio/duckdefender:latest
name: DuckDefender
on:
  push:
    branches: [ "master", "main", "release", "develop" ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Download latest DuckDefender
        run: docker pull "${{env.docker_tag}}"
      - name: Run DuckDefender
        run: |
          docker run \
            -e EXIT_ON_ERROR=true \
            -e GITHUB_REPOSITORY_OWNER="${{github.repository_owner}}" \
            -e GITHUB_REPOSITORY_OWNER_ID="${{github.repository_owner_id}}" \
            -e GITHUB_REPOSITORY="${{github.repository}}" \
            -e GITHUB_REPOSITORY_ID="${{github.repository_id}}" \
            -e GITHUB_EVENT_NAME="${{github.event_name}}" \
            -e GITHUB_ACTOR="${{github.actor}}" \
            -e GITHUB_ACTOR_ID="${{github.actor_id}}" \
            -e FD_API_KEY="${{secrets.FD_API_KEY}}" \
            -e GITHUB_TOKEN="${{github.token}}" \
            -e GITHUB_HEAD_REF="${{github.head_ref}}" \
            -e GITHUB_BASE_REF="${{github.base_ref}}" \
            -e GITHUB_REF="${{github.ref}}" \
            -e GITHUB_SHA="${{github.sha}}" \
            -e WORKSPACE_PATH="/src" \
            -v "${{ github.workspace }}":/src \
            --entrypoint /bin/sh "${{env.docker_tag}}" -c "duckdefender code --all"
```

The workflow pulls flyingduckio/duckdefender:latest; a mutable tag means the scanner can change underneath the pipeline, so pin a specific version tag or image digest once the integration is stable.

GitHub-hosted runners such as ubuntu-latest, windows-latest and macos-latest are ephemeral and have fixed resource limits, which makes it harder to enforce strict build blocking on SAST results. Self-hosted runners give a persistent environment with pre-installed SAST tooling and more control over blocking the build when vulnerabilities are found. SAST scans are resource-intensive, so on hosted runners they can consume more build minutes, adding cost or throttling the pipeline.
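There are two layers of gating in the setup above: .fd.config.yaml decides which findings are blocking, and EXIT_ON_ERROR decides whether blocking findings turn into a failed step. The following Python script is an added illustration of that logic, not DuckDefender's own code. It assumes the plain reading of fail-build-on, namely that every severity listed under a category blocks the build, and it uses constructed sample findings rather than real scanner output.

```python
"""Illustration of build-gating semantics for a fail-build-on policy.

Added example, not DuckDefender's implementation. Assumptions: each severity
listed under a category in .fd.config.yaml blocks the build, and the
EXIT_ON_ERROR variable decides whether blockers produce a non-zero exit.
"""
import os
from typing import Dict, List

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed sample config, same shape as the .fd.config.yaml on the page.
SAMPLE_CONFIG = """\
fail-build-on:
  secrets:
    - critical
  sast:
    - critical
    - high
"""


def parse_fail_build_on(text: str) -> Dict[str, List[str]]:
    """Minimal reader for the two-level 'fail-build-on' layout shown above.

    Not a general YAML parser (assumes no quoting, anchors or inline lists);
    use PyYAML for anything beyond this shape. Unknown severities are rejected
    so a typo like 'hgih' fails loudly instead of silently never blocking.
    """
    policy: Dict[str, List[str]] = {}
    in_block = False
    category = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:  # top-level key: only fail-build-on matters here
            in_block = stripped == "fail-build-on:"
            category = None
            continue
        if not in_block:
            continue
        if stripped.startswith("- "):
            if category is None:
                raise ValueError(f"list item outside a category: {raw!r}")
            level = stripped[2:].strip().lower()
            if level not in SEVERITIES:
                raise ValueError(f"unknown severity {level!r} in {raw!r}")
            policy[category].append(level)
        elif stripped.endswith(":"):
            category = stripped[:-1].strip()
            policy[category] = []
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return policy


def blocking_findings(findings: List[dict], policy: Dict[str, List[str]]) -> List[dict]:
    """Return findings whose (category, severity) the policy marks as blocking."""
    return [f for f in findings
            if f["severity"].lower() in policy.get(f["category"], [])]


def exit_code(findings: List[dict], policy: Dict[str, List[str]], exit_on_error: str) -> int:
    """0 = pass, 1 = fail.

    Blocking findings only fail the step when EXIT_ON_ERROR is truthy;
    otherwise they are reported and the pipeline proceeds.
    """
    blockers = blocking_findings(findings, policy)
    if blockers and exit_on_error.strip().lower() in ("1", "true", "yes"):
        return 1
    return 0


# Constructed sample findings, not real scanner output.
SAMPLE_FINDINGS = [
    {"category": "secrets", "severity": "critical", "title": "AWS access key in config/prod.env"},
    {"category": "sast", "severity": "medium", "title": "Possible SQL injection in users.py"},
    {"category": "sast", "severity": "high", "title": "Hardcoded JWT signing key"},
]

if __name__ == "__main__":
    policy = parse_fail_build_on(SAMPLE_CONFIG)
    for f in blocking_findings(SAMPLE_FINDINGS, policy):
        print(f"BLOCK [{f['category']}/{f['severity']}] {f['title']}")
    code = exit_code(SAMPLE_FINDINGS, policy, os.environ.get("EXIT_ON_ERROR", "false"))
    print("exit code:", code)
    raise SystemExit(code)
```

Run it once with EXIT_ON_ERROR=true and once without: the same two blocking findings are printed both times, but only the first run exits non-zero, which is exactly the difference the docker run flag makes in the workflow. The medium SAST finding is reported but never blocks, because medium is not listed under sast in the sample policy.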