From 308401f5246098792d1a773569cb339141141361 Mon Sep 17 00:00:00 2001 From: DhavalPatelPersistent <93903969+DhavalPatelPersistent@users.noreply.github.com> Date: Mon, 25 Apr 2022 15:30:28 +0530 Subject: [PATCH 1/4] Update checkmarx.yml --- code-scanning/checkmarx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 297cae0..ed13389 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -46,7 +46,7 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 From ab9d895e8dfdfcc309424b079d074d637b744367 Mon Sep 17 00:00:00 2001 From: satyamchaurasiapersistent <102941840+satyamchaurasiapersistent@users.noreply.github.com> Date: Mon, 6 Jun 2022 11:45:21 +0530 Subject: [PATCH 2/4] Repo Url and SHA value updated. --- code-scanning/checkmarx.yml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index ed13389..1c57150 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -17,27 +17,19 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action -permissions: - contents: read - jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action - permissions: - contents: read # for actions/checkout to fetch code - issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues - pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v2 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 + uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe with: project: ${{ secrets.CHECKMARX_PROJECT }} team: ${{ secrets.CHECKMARX_TEAMS }} @@ -46,9 +38,9 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v1 with: sarif_file: cx.sarif From 44f8355dd3fcc819e5064577d46aeb5d0b5070a4 Mon Sep 17 00:00:00 2001 From: Anton Krasovsky Date: Tue, 7 Jun 2022 17:57:25 +0100 Subject: [PATCH 3/4] Update workflow to use the newest version of 42Crunch REST API Static Security Testing Action --- code-scanning/crunch42.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 07cd73a..1ac846e 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -46,7 +46,7 @@ jobs: - uses: actions/checkout@v3 - name: 42Crunch REST API Static Security Testing - uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 + uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd with: # Please create free account at https://platform.42crunch.com/register # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm From 7ba355c39e6939dea937ef47c51c708de6ec51a6 Mon Sep 17 00:00:00 2001 From: Satyam Chaurasia Date: Wed, 8 Jun 2022 06:39:55 +0530 Subject: [PATCH 4/4] Adding changes of version and repo URL issue --- code-scanning/checkmarx.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 1c57150..e060654 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -17,16 +17,24 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe @@ -38,9 +46,9 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory --repo-url=${{ github.event.repository.url }} + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: cx.sarif