2022-09-29 11:32:20 +01:00
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
2022-11-30 10:21:45 +00:00
# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow.
# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository
# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling
2022-10-17 14:24:31 +01:00
# scan customization using the full functionality and flexibility of the CLI tool.
2022-11-30 10:21:45 +00:00
# This is a basic workflow to help you get started with Using Checkmarx One Action,
2022-10-12 16:05:01 +01:00
# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html
2022-09-29 11:32:20 +01:00
name : Checkmarx Scan
# Controls when the workflow will run
on :
pull_request :
types : [ opened, reopened, synchronize]
branches : [ $default-branch, $protected-branches ]
2022-10-12 16:20:46 +01:00
permissions :
contents : read
2022-09-29 11:32:20 +01:00
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs :
# This workflow contains a single job called "build"
build :
2022-10-12 16:20:46 +01:00
permissions :
contents : read # for actions/checkout to fetch code
security-events : write # for github/codeql-action/upload-sarif to upload SARIF results
actions : read # only required for a private repository by github/codeql-action/upload-sarif
2022-11-30 10:21:45 +00:00
2022-09-29 11:32:20 +01:00
# The type of runner that the job will run on
runs-on : ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps :
# This step checks out a copy of your repository.
- name : Checkout repository
2024-01-03 02:09:21 -05:00
uses : actions/checkout@v4
2022-11-30 10:21:45 +00:00
# This step creates the Checkmarx One scan
2022-10-12 16:20:46 +01:00
- name : Checkmarx One scan
2022-10-20 15:14:03 +01:00
uses : checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc
2022-09-29 11:32:20 +01:00
with :
2022-10-12 16:05:01 +01:00
base_uri : https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One
cx_client_id : ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
cx_client_secret : ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
cx_tenant : ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
2022-09-29 11:32:20 +01:00
additional_params : --report-format sarif --output-path .
- name : Upload SARIF file
2024-04-25 13:24:02 -04:00
uses : github/codeql-action/upload-sarif@v3
2022-09-29 11:32:20 +01:00
with :
# Path to SARIF file relative to the root of the repository
2022-10-12 16:05:01 +01:00
sarif_file : cx_result.sarif