version v7.2.
For up-to-date documentation, see the
latest version.
Secrets in Black Duck SCA
2 minute read
API Tokens are the only authentication method available in the Software Factory, for both CI/CD pipelines and API access.
API Tokens
API tokens (referred to as “User Access Tokens” in the Black Duck documentation) are authentication credentials that replace username/password combinations when accessing Black Duck APIs and scanning tools.
API tokens are tied to a specific user account and inherit the same permissions and roles as that user.
Black Duck does not provide project-level or group-level tokens (unlike GitLab’s Project Access Tokens or Group Access Tokens). All tokens are tied to individual user accounts.
Best Practices
- For CI/CD: Always use a dedicated service account, never personal user accounts
- Use descriptive names for each token to identify its purpose
- Create a new token for each use case—don’t reuse tokens across multiple places
- Select only necessary permissions (use read-only access when possible)
- Enable automated purge for inactive tokens
- Rotate tokens regularly
Configuration
To generate an API token: go to user menu > My Access Tokens.
Key characteristics:
- Scope: Read-only or Read+Write access (selected at creation time, cannot be modified later)
- Expiration: Do not expire by default, but can be purged automatically after a configurable period of inactivity
Check the official Managing user access tokens documentation for more information.
Using in CI/CD
When using Black Duck scanning tools (Detect CLI or Signature Scanner), you can provide your API token through environment variables:
BLACKDUCK_API_TOKEN(recommended)BD_API_TOKEN(alternative)BD_HUB_TOKEN(legacy)
These variables are read by the scanning tools to authenticate with the Black Duck server.
Always store these variables as masked/protected secrets in your CI/CD platform.
REST API Authentication (Bearer Tokens)
When calling the Black Duck REST API directly, your API Token must first be exchanged for a
short-lived Bearer Token via a POST request to /api/tokens/authenticate.
Check the official Authenticating with the API documentation for more information.
Other Authentication Methods
The following authentication methods are not available in the Software Factory.
- Client Certificates (TLS/mTLS): certificate-based authentication for Black Duck servers. See the official documentation .
- SCM Provider OAuth Credentials: OAuth integration with SCM platforms (GitLab). See the official documentation .