The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Secrets in Black Duck SCA

Secrets, tokens and credentials available to non-administrator users in Black Duck SCA.

API Tokens are the only authentication method available in the Software Factory, for both CI/CD pipelines and API access.

API Tokens

API tokens (referred to as “User Access Tokens” in the Black Duck documentation) are authentication credentials that replace username/password combinations when accessing Black Duck APIs and scanning tools.

API tokens are tied to a specific user account and inherit the same permissions and roles as that user.

Important

Black Duck does not provide project-level or group-level tokens (unlike GitLab’s Project Access Tokens or Group Access Tokens). All tokens are tied to individual user accounts.

Best Practices

Software Factory Recommendations
  • For CI/CD: Always use a dedicated service account, never personal user accounts
  • Use descriptive names for each token to identify its purpose
  • Create a new token for each use case—don’t reuse tokens across multiple places
  • Select only necessary permissions (use read-only access when possible)
  • Enable automated purge for inactive tokens
  • Rotate tokens regularly

Configuration

To generate an API token: go to user menu > My Access Tokens.

Key characteristics:

  • Scope: Read-only or Read+Write access (selected at creation time, cannot be modified later)
  • Expiration: Do not expire by default, but can be purged automatically after a configurable period of inactivity

Check the official Managing user access tokens documentation for more information.

Using in CI/CD

When using Black Duck scanning tools (Detect CLI or Signature Scanner), you can provide your API token through environment variables:

  • BLACKDUCK_API_TOKEN (recommended)
  • BD_API_TOKEN (alternative)
  • BD_HUB_TOKEN (legacy)

These variables are read by the scanning tools to authenticate with the Black Duck server.

Important

Always store these variables as masked/protected secrets in your CI/CD platform.

REST API Authentication (Bearer Tokens)

When calling the Black Duck REST API directly, your API Token must first be exchanged for a short-lived Bearer Token via a POST request to /api/tokens/authenticate.

Check the official Authenticating with the API documentation for more information.

Other Authentication Methods

Note

The following authentication methods are not available in the Software Factory.

  • Client Certificates (TLS/mTLS): certificate-based authentication for Black Duck servers. See the official documentation .
  • SCM Provider OAuth Credentials: OAuth integration with SCM platforms (GitLab). See the official documentation .