Merge pull request #192 from Checkmarx/elchanan/fix_sast_and_iac_vul

GitHub Action | Fix SAST & IAC Vul + Threshold (AST-47971)
Checkmarx · Sep 29, 2024 · 3b764b4 · 3b764b4
2 parents 9fda5a4 + 576c98f
commit 3b764b4
Show file tree

Hide file tree

Showing 10 changed files with 34 additions and 30 deletions.
diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml
@@ -1,18 +1,25 @@
 name: Checkmarx One Scan
 
-on: [ pull_request, workflow_dispatch ]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: '00 7 * * *' # Every day at 07:00
 
 jobs:
   cx-scan:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/[email protected].0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Checkmarx One CLI Action
-        uses: checkmarx/ast-github-action@main
+        uses: checkmarx/ast-github-action@9fda5a4a2c297608117a5a56af424502a9192e57 # v.2.0.34
         with:
           base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
           cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
           cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
           cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
-          additional_params: --tags phoenix --threshold "sast-high=1;sca-high=1;sca-medium=3;sca-low=1" --debug
+          additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;"
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -11,7 +11,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/[email protected]
+        uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 #v1.6.0
         with:
           github-token: "${{ secrets.PERSONAL_ACCESS_TOKEN }}"
       - name: Enable auto-merge for Dependabot PRs
@@ -20,6 +20,6 @@ jobs:
           GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN}}
         run: gh pr merge --auto --merge "$PR_URL"
       - name: Auto approve dependabot PRs
-        uses: hmarr/auto-approve-action@v3
+        uses: hmarr/auto-approve-action@a2e6f2a0ccf5c63ef8754de360464edbf47e66ee #v3
         with:
           github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -11,6 +11,6 @@ jobs:
     steps:
       - name: Create Release
         id: draf_release
-        uses: release-drafter/release-drafter@v5
+        uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 #v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
     steps:
       - uses: actions/[email protected]
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 #v1
         with:
           tag_name: ${{ github.ref_name }}
           generate_release_notes: true
@@ -31,7 +31,7 @@ jobs:
             echo "::set-output name=body_release::$body_release"
         - name: Converts Markdown to HTML
           id: convert
-          uses: lifepal/[email protected]
+          uses: lifepal/markdown-to-html@253bbd85fbdeafe2d1f18c1b9289be24e5cf8f8f #v1.2
           with:
             text: "${{ steps.release.outputs.body_release }}"
 
@@ -43,7 +43,7 @@ jobs:
             echo "::set-output name=clean::$clean"
         - name: Send a Notification
           id: notify
-          uses: thechetantalwar/teams-notify@v2
+          uses: thechetantalwar/teams-notify@8a78811f5e8f58cdd204efebd79158006428c46b #v2
           with:
             teams_webhook_url: ${{ secrets.TEAMS_WEBHOOK_URI }}
             message: "<h1>Checkmarx One Github Action ${{ github.ref_name }}</h1>${{ steps.clean.outputs.clean }}"
diff --git a/Dockerfile b/Dockerfile
@@ -1,11 +1,9 @@
-#Use AST Base image
-FROM checkmarx/ast-cli:2.2.5
+# Use AST Base image
+FROM checkmarx/ast-cli:2.2.8@sha256:6bdb2d0b18246ca1a269de2860938313ea14ca2d6e443c953c84fbac9ee5df85
 
-USER root
+# Copy the entrypoint script and properties used for the action
+COPY --chmod=500 entrypoint.sh /app/entrypoint.sh
+COPY --chmod=500 cleanup.sh /app/cleanup.sh
 
-#Copy the entrypoint script and properties used for the action
-COPY entrypoint.sh /app/entrypoint.sh
-COPY cleanup.sh /app/cleanup.sh
-
-RUN chmod +x /app/entrypoint.sh \
-    && chmod +x /app/cleanup.sh
+# Docker actions must be run by the default Docker user (root).
+USER root
diff --git a/cleanup.sh b/cleanup.sh
@@ -3,10 +3,10 @@
 cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`)
 
 if [ -z "$cancelId" ]
-then 
+then
   echo "Scan not created. Terminating job."
-  
-else 
+
+else
   echo "Canceling scan with ID:" $cancelId
   /app/bin/cx scan cancel --scan-id "${cancelId}"
 fi

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -19,7 +19,7 @@ fi
 
 
 if [ -n "$scanId" ]; then
-  /app/bin/cx results show --scan-id "${scanId}" --report-format markdown 
+  /app/bin/cx results show --scan-id "${scanId}" --report-format markdown
   cat ./cx_result.md >$GITHUB_STEP_SUMMARY
   rm ./cx_result.md
   echo "cxScanID=$scanId" >> $GITHUB_OUTPUT
@@ -29,7 +29,6 @@ if [ $exitCode -eq 0 ]
 then
   echo "Scan completed"
 else
-  echo "Scan failed" 
+  echo "Scan failed"
   exit $exitCode
-fi
-
+fi
diff --git a/sample-yml/checkmarx-ast-scan-pull-request.yml b/sample-yml/checkmarx-ast-scan-pull-request.yml
@@ -13,7 +13,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
       - name: Checkmarx AST CLI Action
-        uses: checkmarx/ast-github-action@main #Github Action version
+        uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd #main
         with:
           base_uri: https://ast.checkmarx.net/
           cx_tenant: your_tenant

diff --git a/sample-yml/checkmarx-ast-scan-push.yml b/sample-yml/checkmarx-ast-scan-push.yml
@@ -12,7 +12,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
       - name: Checkmarx AST CLI Action
-        uses: checkmarx/ast-github-action@main #Github Action version
+        uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd #main
         with:
           base_uri: https://ast.checkmarx.net/
           cx_tenant: your_tenant

diff --git a/sample-yml/checkmarx-ast-scan-sarif.yml b/sample-yml/checkmarx-ast-scan-sarif.yml
@@ -23,15 +23,15 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
       - name: Checkmarx scan
-        uses: checkmarx/ast-github-action@main
+        uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd #main
         with:
           base_uri: https://ast.checkmarx.net
           cx_client_id: ${{ secrets.CX_CLIENT_ID }}
           cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
           cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by users' tenant name
           additional_params: --report-format sarif --output-path .
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@404b712ccd1b4eeea961470c9187609bd64e5db4 #v2
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: cx_result.sarif