-
Notifications
You must be signed in to change notification settings - Fork 87
Configuration
- Main (Global) Properties
- Configuration Definitions
- WebHook Configuration
- Repository configuration blocks
- JSON Config Override
- BugTrackers
- Encryption
- External Scripting
- SAST Scan ID in Github Action Output variable
- Streaming CxFlow logs to AWS OpenSearch or ElasticSearch
- Issue Labels
CxFlow uses Spring Boot and for Server Mode, it requires an application.yml
file to drive the execution. The sections below outlines available properties and when/how they can be used in different execution modes. In addition, all the Spring Boot configuration rules apply. For additional information on Spring Boot, refer to
https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-external-config.html
Command-line arguments and environment variables prevail over values specified in application.yml
file. To allow for bootstrapping the launch process with various configurations, especially with containers, CxFlow uses overrides on the command line using the --property.name=Value
format as well as PROPERTY_NAME
environment variable overrides.
All the relevant configuration is defined by the application.yml
file that resides in the same directory as the JAR file, or if an explicit configuration override is provided on the command line as follows:
$ java -jar cx-flow-<version>.jar \
--spring.config.location=/path/to/application.yml
Please refer to the sample configuration for the entire YAML structure.
server:
port: ${PORT:8080}
logging:
file: flow.log
cx-flow:
contact: [email protected]
bug-tracker: Json
bug-tracker-impl:
- CxXml
- Csv
- Json
- GitLab
- GitHub
- Azure
- Rally
branches:
- develop
- main
- release`-\w+ # regular expressions supported. If branch-script is provided, this is ignored. branch-script: D:\\tmp\Branch.groovy #default empty/not used
filter-severity:
- High
filter-category:
- Stored_XSS
- SQL_Injection
filter-cwe:
- 89
- 79
filter-status:
- New
- Recurrent
filter-state:
- Confirmed
- Urgent
mitre-url: https://cwe.mitre.org/data/definitions/%s.html
deleteForkedProject: true
wiki-url: https://checkmarx.atlassian.net/wiki/spaces/AS/pages/79462432/Remediation+Guidance
track-application-only: false
web-hook-queue: 20
scan-result-queue: 8
break-build: false
scan-resubmit: false
branch-protection-enabled: false
preserve-project-name: false
http-connection-timeout: xxx # milliseconds - default 30000
http-read-timeout: xxx # milliseconds - default 120000
mail:
host: smtp.gmail.com
port: 587
username: xxx
password: xxx
enabled: true
notification: true # default is false
cc: [email protected] # comma-separated list of e-mails
zip-exclude: \.git/.*, .*\.png
zip-include: \.git/.*, .*\.png
comment-script: location/to/commentScript.groovy
checkmarx:
version: 9.0 # Not required for CxSAST version 8.x
username: xxx
password: xxx
client-secret: xxx
base-url: https://cx.aws.checkmarx.com
multi-tenant: true
scan-preset: Checkmarx Default
configuration: Default Configuration
team: /CxServer/SP/Machina # \CxServer\SP\Machina for CxSAST 8.x
scan-timeout: 120 # Webhook and --scan command line only, number of minutes
scan-polling: 20000
report-timeout: 300000
report-polling: 5000
preserve-xml: true
enabled-zip-scan: false
url: ${checkmarx.base-url}/cxrestapi
# WSDL Config
portal-url: ${checkmarx.base-url}/cxwebinterface/Portal/CxWebService.asmx
sdk-url: ${checkmarx.base-url}/cxwebinterface/SDK/CxSDKWebService.asmx
portal-wsdl: ${checkmarx.base-url}/Portal/CxWebService.asmx?wsdl
sdk-wsdl: ${checkmarx.base-url}/SDK/CxSDKWebService.asmx?wsdl
project-script: D:\\tmp\CxProject.groovy # default empty/not used
team-script: D:\\tmp\CxTeam.groovy # default empty/not used
custom-state-map:
"5": "SUSPICIOUS"
custom-state-false-positive-map:
"5": "SUSPICIOUS"
modify-branch-name-by-pattern-map:
"[[^a-zA-Z0-9-_.]+]": "_" # Key is having regular expression
# "[/]": "_" #Use this expression if you want to replace / by underscore
post-action-postback-id: 123456
settings-override: true #default false if not provide
cx-branch: false
scan-queuing: true
scan-queuing-timeout: 720 # Webhook and --scan command line only, number of minutes
email-notifications:
after-scan:
- [email protected]
before-scan:
- [email protected]
failed-scan:
- [email protected]
project-branching-check-count: 5
project-branching-check-interval: 10
restrict-results-to-branch: true
github:
webhook-token: XXXXX
token: XXXXX
url: https://github.com
api-url: https://api.github.com/repos/
false-positive-label: false-positive
block-merge: true
cx-summary-header: Checkmarx Scan Summary
cx-summary: true # default false if not provided
flow-summary-header: Violation Summary
flow-summary: true # default true if not provided
detailed-header: Details
detailed: true # default true if not provided
gitlab:
webhook-token: XXXXX
token: XXXXX
url: https://gitlab.com
api-url: https://gitlab.com/api/v4/
false-positive-label: false-positive
block-merge: true
bitbucket:
webhook-token: XXXXX
token: XXXXX
url: https://bitbucket.org
api-url: https://api.bitbucket.org
api-path: /2.0
false-positive-label: false-positive
azure:
webhook-token: xxxx
token: xxxx
url: https://dev.azure.com
issue-type: issue
api-version: 5.0
false-positive-label: false-positive
rally:
token: xxxx
rally-project-id: xxxx
rally-workspace-id: xxxx
url: https://rallydev.com
api-url: https://rally1.rallydev.com/slm/webservice/v2.0
jira:
url: https://xxxx.atlassian.net
username: XXXXX
token: XXXXX
project: <JIRA PROJECT KEY>
issue-type: <JIRA ISSUE TYPE>
label-prefix: <CUSTOM PREFIX NAME >
priorities:
Critical: Highest
High: High
Medium: Medium
Low: Low
Informational: Lowest
open-transition: In Review
close-transition: Done
open-status:
- To Do
- In Progress
- In Review
closed-status:
- Done
suppress-code-snippets:
- Hardcoded_Password_in_Connection_String
- Password_In_Comment
- Use_Of_Hardcoded_Password
fields:
- type: result
name: application
jira-field-name: Application
jira-field-type: label
- type: result
name: cve
jira-field-name: CVEs
jira-field-type: label
- type: result
name: cwe
jira-field-name: CWEs
jira-field-type: label
- type: result
name: category
jira-field-name: Category
jira-field-type: label
- type: result
name: loc
jira-field-name: LOC
jira-field-type: label
jira-default-value: XXXXX
json:
file-name-format: "[NAMESPACE]-[REPO]-[BRANCH]-[TIME].json"
data-folder: "C:\\tmp"
cx-xml:
file-name-format: "[NAMESPACE]-[REPO]-[BRANCH]-[TIME].xml"
data-folder: "C:\\tmp"
csv:
file-name-format: "[TEAM]-[PROJECT]-[TIME].csv"
data-folder: "C:\\tmp"
include-header: true
fields:
- header: Customer field (Application)
name: application
default-value: unknown
- header: Primary URL
name: static
default-value: ${tmp.url}
- header: severity
name: severity
- header: Vulnerability ID
name: summary
prefix: "[APP]:"
- header: file
name: filename
- header: Vulnerability ID
name: summary
- header: Vulnerability Name
name: category
- header: Category ID
name: cwe
- header: Description
name: summary
prefix: "*"
postfix: "*"
- header: Severity
name: severity
- header: recommendation
name: recommendation
Examples to convert YAML property to CLI property
#YAML
cx-flow:
bug-tracker:Json
#CLI
--cx-flow.bug-tracker=json
#YAML
cx-flow:
filter-category:
- Stored_XSS
- SQL_Injection
#CLI
--cx-flow.filter-category="Stored_XSS,SQL_Injection"
#YAML
cx-flow:
thresholds:
high: 10
medium: 10
low: 10
#CLI
--cx-flow.thresholds.high=10
--cx-flow.thresholds.medium=10
--cx-flow.thresholds.low=10
Examples to convert YAML property to Environment variables
#YAML
cx-flow:
bug-tracker:Json
#Environment variables
CXFLOW_BUGTRACKER=Json
#YAML
cx-flow:
filter-category:
- Stored_XSS
- SQL_Injection
#Environment variables
CXFLOW_FILTERCATEGORY="Stored_XSS,SQL_Injection"
#YAML
cx-flow:
thresholds:
high: 10
medium: 10
low: 10
#Environment variables
CXFLOW_THRESHOLDS_HIGH=10
CXFLOW_THRESHOLDS_MEDIUM=10
CXFLOW_THRESHOLDS_LOW=10
server:
port: ${PORT:8080}
Config | Default | Required | WebHook | Command Line | Notes |
---|---|---|---|---|---|
port |
8080 | No | Yes | No | The default value is 8080 unless an environment variable port is defined |
cx-flow:
contact: [email protected]
bug-tracker: Json
bug-tracker-impl:
- CxXml
- Csv
- Json
- GitLab
- GitHub
- Azure
- Rally
branches:
- develop
- main
- release`-\w+ # regular expressions supported. If branch-script is provided, this is ignored. branch-script: D:\\tmp\Branch.groovy #default empty/not used
filter-severity:
- High
filter-category:
- Stored_XSS
- SQL_Injection
filter-cwe:
- 89
- 79
filter-status:
- New
- Recurrent
filter-state:
- Confirmed
- Urgent
mitre-url: https://cwe.mitre.org/data/definitions/%s.html
deleteForkedProject: true
wiki-url: https://checkmarx.atlassian.net/wiki/spaces/AS/pages/79462432/Remediation+Guidance
track-application-only: false
web-hook-queue: 20
scan-result-queue: 8
branch-protection-enabled: false
break-build: false
scan-resubmit: false
preserve-project-name: false
http-connection-timeout: xxx # milliseconds - default 30000
http-read-timeout: xxx # milliseconds - default 120000
mail:
host: smtp.gmail.com
port: 587
username: xxx
password: xxx
enabled: true
notification: true # default is false
cc: [email protected] # comma-separated list of e-mails
zip-exclude: \.git/.*, .*\.png
zip-include: \.git/.*, .*\.png
comment-script: location/to/commentScript.groovy
core-poolsize: 54
max-poolsize: 302
queue-capacityarg: 600
Config | Default | Required | WebHook | Command Line | Notes |
---|---|---|---|---|---|
contact |
No | Contact email for the CxFlow administrator | |||
bug-tracker |
Yes | Yes | Yes | Must be one of the following: - None - Jira - Any value specified in the bug-tracker-impl custom bean implementations list (a white list of bug tracker implementations) Note: JIRA/EMAIL/NONE are built in and not required in the bug-tracker-impl list |
|
bug-tracker-impl |
No (Only if using one of the applicable bug tracker implementations) | Yes | Yes | List of available bug trackers (feedback channels). Currently support for: - Csv - Json - CxXML - GitLab - GitHub - Azure - Rally |
|
branches |
No | Yes | Yes | List of protected branches that drive scanning within the WebHook flow. If a pull or push event is initiated to one of the protected branches listed here, the scan is initiated. For example: - develop - main - security - release-\w+ If no value is provided, all branches are applicable. Regular expressions are supported. (i.e. release-\w+ will match any branches starting with "release-" followed by one or more alphanumeric characters. If a regular expression is used, it must match the complete branch name, not just a prefix.) |
|
branch-script |
No | Yes | No | A groovy script that can be used to decide, if a branch is applicable for scanning. This applies to any client custom lookups and other integrations. The script is passed as a "request" object of the type com.checkmarx.flow.dto.ScanRequest and must return boolean (true/false). If this script is provided, it is used for all decisions associated with determining applicability for a branch event to be scanned. **A sample script is attached to this page. | |
filter-severity |
No | Yes | Yes | The severity can be filtered during feedback (High, Medium, Low, Informational). If no value is provided, all severity levels are applicable. | |
filter-category |
No | Yes | Yes | The list of vulnerability types to be included with the results (Stored_XSS, SQL_Injection) as defined within Checkmarx. If no value is provided, all categories are applicable. | |
filter-cwe |
No | Yes | Yes | The list of CWEs to be included with the results (79, 89). If no value is provided, all categories are applicable. | |
filter-state |
No | Yes | Yes | The available options are To Verify, Confirmed, Urgent and Proposed Not Exploitable. This only allows for filtering the results that have been confirmed/validated within Checkmarx. | |
mitre-url |
No | Yes | Yes | Provides a link in the issue body for Jira, GitLab Issues and GitHub Issues to help guide developers. The link is not provided, if left empty or omitted. | |
wiki-url |
No | Yes | Yes | Provides a link in the issue body for Jira, GitLab Issues and GitHub Issues associated with internal program references (program/assessment methodology, remediation guidance, etc). The link is not provided, if left empty or omitted. | |
codebash-url |
No | Yes | Yes | Provides a link in the issue body for Jira, GitLab Issues and GitHub Issues associated with training. The link is titled 'Training' and is not provided, if left empty or omitted. | |
track-application-only |
false | No* | Yes | Yes | |
web-hook-queue |
100 | No* | Yes | No | The maximum number of active scans initiated via WebHook at a given time. Requests remain queued until a slot is free. |
scan-result-queue |
4 | No* | Yes | Yes | The maximum number of scan results being processed at the same time. Requests remain queued until a slot is free. As XML files can become large, it is important to limit the number that can be processed at the same time. |
break-build |
false | No* | No | Yes | A non-zero return code (10) is provide when any of the filtering criteria is met within scan results. See detail here |
branch-protection-enabled |
false | No* | No | Yes | If Value set is true then only protected branches will scanned by cx-flow |
http-connection-timeout |
30000 | No* | Yes | Yes | Http client connection timeout setting. Not applied for the Jira client. |
http-read-timeout |
120000 | No* | Yes | Yes | Http client read timeout setting. Not applied for the Jira client. |
mail |
enabled:false | No* | Yes | Yes | SMTP configuration - host, port, username, password, enabled (false by default). When enabled, email is a valid feedback channel, and an html template is used to provide result details. During WebHook execution, the email is sent to the list of committers in the push event. |
zip-exclude |
No | No | Yes | Comma-separated list of regexes. Instructs CxFlow to exclude specific files when it creates a zip archive. See the details here. | |
zip-include |
No | No | Yes | Comma-separated list of regexes. Instructs CxFlow to include specific files when it creates a zip archive. See the details here. | |
auto-profile |
false | No | Yes | No | During WebHook execution, language stats and files are gathered to help determine an appropriate preset to use. By default, the profiling initially occurs only when a project is new/created for the first time. Refer to CxFlow Automated Code Profiling for details. |
always-profile |
false | No | Yes | No | This enforces the auto-profile execution for each scan request regardless of whether the project is new or not. |
profiling-depth |
1 | No | Yes | No | The folder depth that is inspected for file names during the profiling process, which means looking for specific file references, i.e. web.xml/Web.config |
profile-config |
CxProfile.json | No | Yes | No | The file that contains the profile configuration mapping. |
scan-resubmit |
false | No | Yes | No | When True: If a scan is active for the same project, CxFlow cancels the active scan and submits a new scan. When False: If a scan is active for the same project, CxFlow does not submit a new scan. |
preserve-project-name |
false | No | Yes | Yes | When False: The project name will be the repository name after normalization (i.e. Front-End-dev). Legal characters are: a-z , A-Z , 0-9 , - , _ , . . All other characters will be replaced in the normalization process with "-". When True: The project name will be the exact project name inputted without normalization (i.e. Front End-dev). For attention: 1. Not all scanners allow project names with invalid characters. 2. The preserve-project-name parameter is also effective for project name coming from config-as-code. |
merge-id |
Merge Id | No | No | Yes | Pass Merge Id from CLI mode for Specific Merge Request. Used in by GiLab CI/CD Pipeline. |
merge-title |
Merge Title | No | No | Yes | Pass Merge Title from CLI mode for Specific Merge Request. Used in by GiLab CI/CD Pipeline. |
comment-script |
No | Yes | Yes | A groovy script that can be used to determine the scan comment to be sent to the CxSAST server during a scan. see details here | |
core-poolsize |
50 | No | No | Yes | The amount of worker which can work on a thread parallel. |
max-poolsize |
200 | No | No | Yes | The amount of threads which can be created parallel. |
queue-capacity |
10000 | No | No | Yes | When the amount of threads present are more than the max poolsize then the threads will wait in the queue. This parameter defines the size of that queue. |
comment |
No | No | Yes | User can store comments field in metadata about the scan. | |
overrideProjectSetting |
No | No | Yes | The utilization of this boolean variable empowers the user to restrict the override of project settings. By setting this variable, users can prevent any unauthorized alterations to the project's settings, ensuring stability and adherence to predefined configurations. This functionality serves as a safeguard against inadvertent or malicious changes that could potentially disrupt the project's operations. Thus, the boolean variable offers a valuable mechanism for maintaining the integrity and consistency of project settings, enhancing overall control and security within the system. Its implementation empowers users with the ability to govern and protect vital project parameters from unwarranted modifications. | |
enabledVulnerabilityScanners |
false | No | Yes | Yes | User can define which checkmarx tool they want to use like SAST, SCA or both. |
deleteForkedProject |
false | No | Yes | No | User can delete forked projects created on SAST portal. |
delete-branched-project |
false | No | Yes | No | User can delete branched project created on SAST portal. |
No* = Default is applied
cx-flow:
mail:
host: smtp.gmail.com
port: 587
username: xxx
password: xxx
enabled: true
notification: true # default is false
cc: [email protected] # comma-separated list of e-mails
Filtering, as specified above, is available on the following criteria:
cx-flow:
filter-severity: Medium
filter-category: Stored_XSS
filter-cwe: 79
filter-state: Confirmed
- Severity → Severity from Checkmarx
- Category → Vulnerability name within Checkmarx
- CWE → CWE value from Checkmarx
- State → Urgent | Confirmed
All values are case-sensitive as per the output from Checkmarx (i.e. High severity, Stored_XSS, Confirmed).
We can exclude vulnerabilities according to category, cwe and state.
cx-flow:
exclude-category: Stored_XSS
exclude-cwe: 79
exclude-state: Confirmed
- Category → Vulnerability name within Checkmarx
- CWE → CWE value from Checkmarx
- State → Urgent | Confirmed
All values are case-sensitive as per the output from Checkmarx (Stored_XSS, Confirmed).
The cx-flow.zip-exclude
configuration option instructs CxFlow to exclude specific files when it creates a zip archive.
The following option excludes all .png
files from the archive, as well as all files inside a root-level .git
directory:
cx-flow:
zip-exclude: \.git/.*, .*\.png
The meaning and syntax of the cx-flow.zip-exclude
option are different as opposed to the checkmarx.exclude-folders
and checkmarx.exclude-files
options.
- If User want to exclude folders or exclude files, settings-override should be true. If user is using CLI they can pass parameter as
--checkmarx.settings-override=true
- If user is using Github Action value of exclude files or folders should not be in double or single quotes. Example : If user want to exclude folder name abc he should pass parameter as
--checkmarx.exclude-folders=abc
or--checkmarx.exclude-folders=*abc
or ``--checkmarx.exclude-folders=*abc*
cx-flow.zip-exclude |
checkmarx.exclude-folders , checkmarx.exclude-files
|
---|---|
Uses regexes | Use wildcards |
Works locally, before the sources are sent for scan | Work in CxSAST when it already has the sources |
cx-flow.zip-exclude
is a comma-separated list. Each of the list items is a regex (not a wildcard). Spaces before and after a comma are ignored.
During zipping, CxFlow checks each file in the target directory against each of the regexes in cx-flow.zip-exclude
. If there is a match, CxFlow excludes the file from the archive. In this case, when log level is debug, CxFlow writes a message to the log having the following format:
match: <regex>|<relative_file_path>
CxFlow uses relative file path to test the regex match. E.g. if the following file exists:
c:\cxdev\projectsToScan\myproj\bin\internal-dir\exclude-me.txt
and we specify this CLI option: --f="c:\cxdev\projectsToScan\myproj
,
then CxFlow will check the following relative file path against the regexes:
bin/internal-dir/exclude-me.txt
CxFlow normalizes slashes in the relative path into a forward slash (/
).
For a file to be excluded, a regex must match the whole relative file path. Thus, the .*
regex expression should be used where necessary.
The cx-flow.zip-include
configuration option instructs CxFlow to include specific files when it creates a zip archive.
cx-flow:
zip-include: \.git/.*, .*\.png
Note: Process of zip-exclude and zip-include are same, the only difference is zip-exclude excludes the files from zip and zip-include includes only mentioned files to zip.
The configuration can be set or overridden at execution time using the command line (--cx-flow.break-build=true
) to exit the command line execution flow for a single project result or scan for results that meet the filter criteria.
For more details on break build, please refer to Thresholds and policies chapter.
Note: This does not apply to WebHooks or for batch cli execution (instance and team). It only works, if one project result is processed.
Config | Default | Required | WebHook | Command Line | Notes |
---|---|---|---|---|---|
username |
Yes | Yes | Yes | Service account for Checkmarx | |
password |
Yes | Yes | Yes | Service account password Checkmarx | |
client-secret |
Yes | Yes | Yes | OIDC client secret for API login to Checkmarx | |
scope |
Yes | Yes | Yes | While using scope value in CLI, it must be provided in double quotes "" otherwise an exception will be thrown. | |
base-url |
Yes | Yes | Yes | Base FQDN and port for Checkmarx | |
multi-tenant |
false | No* | Yes | Yes (Scan only) | If yes, the name space is created or reused, if it has been pre-registered or already created for previous scans) |
version |
Yes (if Using CxSAST 9.0 or higher) | Yes | Yes | Required for CxSAST version 9.0 and higher | |
scan-preset |
Checkmarx Default | No* | Yes | Yes (Scan only) | The default preset used for the triggered scan |
configuration |
Default Configuration | No* | Yes | Yes (Scan only) | Checkmarx scan configuration setting |
team |
Yes (not for XML parse mode) | Yes | Yes (Scan only) | Base team in Checkmarx to drive scanning and retrieving of results | |
scan-timeout |
120 | No* | Yes | Yes (scan only) | The amount of time (in minutes) that cx-flow will wait for a scan to complete to process the results. The Checkmarx scan remains as is, but no feedback is provided |
scan-polling |
20000 | No | Yes | Yes | The amount of time (in milliseconds) in which cx-flow pings CxSAST server to get the status of the scan (i.e Queued, Finished or Failed). |
report-timeout |
300000 | No | Yes | Yes | The amount of time (in milliseconds) for which cx-flow will wait for CxSAST to generate scan report.If report is not generated within 300000(in miliseconds)it will through Timeout exceeded during report generation as error message. |
report-polling |
5000 | No | Yes | Yes | The amount of time (in milliseconds) in which cx-flow pings CxSAST server to get the status of the report. |
preserve-xml |
false | No* | Yes | Yes | This flag is used to preserve the original XML results retrieved by the Checkmarx scan inside the ScanResults object to be later used by a Custom bug tracker implementation, if required. Currently, CxXMLIssueTracker uses this flag |
incremental |
false | No* | Yes | Yes | Enables support for incremental scan support when CxFlow is triggering scans. The incremental-num-scans and incremental-threshold values must not be exceeded for the last available full scan criteria. |
incremental-num-scans |
5 | No* | Yes | Yes (scan only) | The maximum number of scans before a full scan is required |
project-script |
No | Yes | Yes | A groovy script that can be used for deciding the name of the project to create/use in Checkmarx. This is to allow for any client custom lookups and other integrations. The script is passed a "request" object, which is of type com.checkmarx.flow.dto.ScanRequest, and must return String representing the team name to be used. If this script is provided, it is used for all decisions associated with the determining project name | |
team-script |
No | Yes | Yes | A groovy script that can be used for deciding the team to use in Checkmarx. This is to allow for any client custom lookups and other integrations. The script is passed a "request" object, which is of type com.checkmarx.flow.dto.ScanRequest, and must return String representing the team path to be used. If this script is provided, it is used for all decisions associated with determining project name. | |
incremental-threshold |
7 | No* | Yes | Yes (scan only) | The maximum number of days before a full scan is required |
offline |
false | No* | No | Yes (parse only) | Use Table this only when parsing Checkmarx XML, this flag removes the dependency from Checkmarx APIs when parsing results. This skips retrieving the issue description from Checkmarx. |
exclude-files |
No | Yes | Yes | Files to be excluded from Scan | |
exclude-folders |
No | Yes | Yes | Folders to be excluded from Scan | |
custom-state-map |
No | No | Yes | A map of custom result state identifiers to custom result state names | |
custom-state-false-positive-map |
No | No | Yes | If user want to consider custom result state identifiers as false positive they can use this map. | |
modify-branch-name-by-pattern-map |
No | No | Yes | If a user's project name contains the branch name and the Govy script is modifying both the project name and the branch name because the branch name was detected, we can utilize this parameter to synchronize and adjust the branch name accordingly. E.g- Project name : project name : abc-feature/1.0 and Branch Name : feature/1.0 and grrovy script changed projectname to : abc-feature_1.0 Branch then we have to replace / by _ which cann be done using this parameter map. | |
post-action-postback-id |
No | Yes | Yes | Sets the SAST project's post-scan action to use the post-scan action with the provided Id defined in SAST.If not provided, the project does not get configured to use a post-scan action. | |
settings-override |
No | Yes | Yes | Defaults value false, if set to true the projects settings are re-written/overridden when each SAST scan is invoked from CxFlow | |
cx-branch |
false | No | Yes | Yes | A flag to enable branching of projects in CxSAST. |
scan-queuing |
false | No | Yes | Yes | A flag to enable queuing of scan events. |
scan-queuing-timeout |
720 | No | Yes | Yes | The amount of time (in minutes) for which cx-flow will keep a scan event data in its queue before sending to CxSAST, when all the available concurrent scans in CxSAST are in use. |
disable-clubbing |
false | No | Yes | Yes | If set to true, results are not grouped at all.By default, results are grouped only by vulnerability and filename. |
email-notifications |
No | Yes (Scan only) | A map containing any or all of the following keys: after-scan , before-scan , failed-scan . The vaue of each key is a list of email addresses to which a notification should be sent in the case of the relevant event. |
||
project-branching-check-count |
3 | No | Yes | Yes (Scan only) | The number of times to check the project branching status after a project has been branched. Only relevant for versions of CxSAST that support the querying of the branching status (API version 4 and higher). |
project-branching-check-interval |
5 | No | Yes | Yes (Scan only) | The interval between checks of the project branching status. For versions of CxSAST that do not support querying the project branching status, execution will pause once for the specified duration. |
restrict-results-to-branch |
false | No | Yes | Yes (Scan only) | If set to true , when scanning a branched project, only results detected on the branch are reported. As the OData API is needed for this functionality, the CxSAST user used must be a assigned a role with the “API” permission. Also, the client-id property should be set to “resource_owner_sast_client” and the scope property should be set to “access_control_api sast_api”. |
forcescan |
false | No | Yes | Yes (--forcescan) | Specifies whether the code should be scanned regardless of unchanged code |
delete-running-scans |
false | No | Yes | Yes | used while deleting running scan when project needs to be deleted |
GITLAB_ERROR_MERGE (YML Parameter) |
false | No | No | No | To enable pull request status checks in GITLAB, set value to true. |
GITLAB_BLOCK_MERGE (YML Parameter) |
false | No | No | No | To enable pull request status checks in GITLAB, set value to true. |
cxflow.enabledVulnerabilityScanners |
false | No | Yes | Yes | User can define which checkmarx tool they want to use like SAST, SCA or both. |
checkmarx.considerScanningStatus |
false | No | Yes | Yes | By default, Checkmarx only includes completed scans (finished status) in incremental scans. This means it ignores scans that are currently running (scanning) or waiting to be processed (new queue). Enabling a feature this variable "cxflow" expands what incremental scans consider. With cxflow, scans in progress and those queued up are also taken into account, providing a more comprehensive view of your code's security posture. |
enabled-zip-scan |
false | No | Yes | Yes | When enabled-zip-scan is set to true then cx-flow will first clone the repository locally, and then it will zip the repository and send it for scanning. |
truststorepath |
false | No | Yes | Yes | User need to provide path of custom keystore along with file name. |
truststorepassword |
false | No | Yes | Yes | User need to provide custom keystore password. |
customkeystore |
false | No | Yes | Yes | When customkeystore is set to true then cx-flow will consider custom keystore. |
trustcerts |
false | No | Yes | Yes | If this option is true Cx-flow will bypass SSL. Default value is false so it will not bypass SSL. |
isBranchedIncremental |
false | No | Yes | Yes | If this option is true Cx-flow will do incremental scan for first time created branched project. |
cancelInpregressScan |
false | No | Yes | Yes | If a scan timeout occurs and the user requests to cancel the in-progress scan, set this boolean variable to true. |
No* = Default is applied |
Custom Checkmarx Field Name | Required | WebHook | Command Line | Notes |
---|---|---|---|---|
jira-project |
No | Yes | Yes | Custom Checkmarx field name to override Jira Project setting for a given Checkmarx scan result / project |
jira-issuetype |
No | Yes | Yes | Custom Checkmarx field name to override Jira Issue Type settings for a given Checkmarx scan result / project |
jira-fields |
No | Yes | Yes | Custom Checkmarx field name to override Jira custom field mappings for a given Checkmarx scan result / project |
jira-assignee |
No | Yes | Yes | Custom Checkmarx field name to override Jira assignees for a given Checkmarx scan result / project |
checkmarx:
version: 9.0 # Required for version 9.x
username: xxxxx
password: xxxxx
client-id: resource_owner_client
client-secret: 014DF517-39D1-4453-B7B3-9930C563627C
scope: access_control_api sast_rest_api # Required for version 9.x
base-url: http://cx.local
multi-tenant: true
configuration: Default Configuration
scan-preset: Checkmarx Default
team: /CxServer/Checkmarx/CxFlow
url: ${checkmarx.base-url}/cxrestapi
preserve-xml: true
incremental: true
trustcerts: true
portal-url: ${checkmarx.base-url}/cxwebinterface/Portal/CxWebService.asmx
exclude-files: "*.tst,*.json"
exclude-folders: ".git,test"
cx-branch: false
scan-queuing: true
scan-timeout: 120
scan-polling: 20000
report-timeout: 300000
report-polling: 5000
scan-queuing-timeout: 720 # Webhook and --scan command line only, number of minutes
Note:
- Make sure to include
version: 9.0
(or higher) andscope: access_control_api sast_rest_api
- The Team path must include the unix path separator /, the path is for example defined as follows:
/CxServer/Checkmarx/CxFlow
On using post back mode, Checkmarx post back action will be added to the Checkmarx project and that action will trigger the /postbackAction endpoint on CxFlow.
checkmarx
...
post-action-postback-id: 123456
For more details on postback mode, Please refer to CxSAST Version 9.0 chapter
The configuration can be set to override project settings with Cxflow configuration when triggering new scan for SAST project, or to avoid project setting update if property set to 'false'.
Defaults value is false, if set to true the projects settings like "scan-preset","post-action-postback-id" are re-written/overridden when each SAST scan is invoked from CxFlow.
checkmarx
...
settings-override: true #default false if not provide
A branched project is a child of a base project in CxSAST. Upon initiating a scan from the default branch of a repository, CxSAST creates a base project in the server with name RepoName-defaultBranchName
and any subsequent scans from the branches of that repository will create child projects off of it with name RepoName-currentBranchName
. The project count in CxSAST does not increase when a branched project is added. Branching of projects can be enabled by setting the cx-branch
property to true
.
- When you initiate a scan from the default branch of a repository, CxSAST automatically creates a base project on the server.
- The naming convention used is RepoName-defaultBranchName (e.g.,
MyRepo-main
ifmain
is your default branch).
- For scans initiated from other branches (not the default), CxSAST creates branched projects or child projects.
- These child projects are named using the convention
RepoName-currentBranchName
(e.g.,MyRepo-feature1
). - Importantly, the total project count in CxSAST does not increase when these branched projects are added. They are treated as extensions of the base project.
- To enable project branching, you need to set the
cx-branch
property totrue
. - Additionally, you must provide both the
default branch name
and thecurrent branch name
.
- The overall project count in CxSAST does not increase when branched projects are added. Branched projects are managed under the umbrella of the base project, which keeps the total project count static.
- When configuring the scan (e.g., via a CxSAST API or build pipeline), you might set these properties like this:
checkmarx:
...
cx-branch: true #default false if not provided
- CLI parameter to provide default branch name is
default-branch = main
and current branch can be passedbranch = feature1
. - In case of webhook it will be passed automatically in payloads.
If the number of concurrent scans which can run on CxSAST server is all utilized, then enabling scan-queuing
will allow CxFlow to keep the event of the scan within itself and let the existing scans finish before sending the new scan event to CxSAST. Cx-flow keeps events with itself for a number of minutes, specified by the scan-queuing-timeout
parameter, with a default value of 120 minutes.
checkmarx:
...
scan-queuing: true
scan-queuing-timeout: 720 #Amount of time in minutes
The amount of time (in minutes) for which cx-flow will wait for CxSAST scan to finish.If scan is not completed within 120(in minutes) then it will gives Timeout exceeded during scan as error messase.The default value of scanTimeout 120 minutes. The amount of time (in milliseconds) in which cx-flow pings CxSAST server to get the status of the scan (i.e Queued, Finished or Failed).The default value of scanPolling 20000 miliseconds.
checkmarx:
...
scan-timeout: 120 #Amount of time in minutes
scan-polling: 20000 #Amount of time in miliseconds
The amount of time (in milliseconds) for which cx-flow will wait for CxSAST to generate scan report.If report is not generated within 300000(in miliseconds)it will through Timeout exceeded during report generation as error message.The default value of reportTimeout 30000 miliseconds. The amount of time (in milliseconds) in which cx-flow pings CxSAST server to get the status of the report.The default value of reportPolling 5000 miliseconds.
checkmarx:
...
report-timeout: 300000 #Amount of time in miliseconds
report-polling: 5000 #Amount of time in miliseconds
If present, this property specifies the email notifications to be sent when a SAST scan is run. Notifications can be sent before a scan starts, after a scan finishes, and when a scan fails. The content of the email-notifications
property is a map from the following keys to lists of email receipients: after-scan
, before-scan
, failed-scan
.
checkmarx:
...
email-notifications:
after-scan:
- [email protected]
- [email protected]
before-scan:
- [email protected]
- [email protected]
failed-scan:
- [email protected]
- [email protected]
Email notifications can also be configured via conf-as-code.
Each repository type requires its own specific configuration block as defined below. Each of these have available overrides that can be provided in the form of URL parameters or as a JSON configuration blob that is base64 encoded and provided as an url parameter (override=).
WebHook scans are triggered based on the protected branches list. This configuration is under the config block.
The protected branches list can be provided in the application.yml file under the cx-flow
section, or it can be provided in the config-as-code file. If branches are provided in application.yml
as well as config-as-code file then the branches in config-as-code file will override the branches in application.yml
. If protected branches is not provided in either of the files then CxFlow triggers a scan for Push/Pull/Merge event for all the branches.
For Pull/Merge, if a request is made to pull/merge code into one of the listed protected branches, CxFlow triggers the scan. The pull/merge is commented with the filtered findings from Checkmarx.
For Push, the findings are published according to the specified bug-tracker in the main or overridden configuration - i.e. JSON/CSV/XML output or Jira defect.
For additional information, refer to the workflow for WebHooks.
@RequestParam(value = "application", required = false) String application,
@RequestParam(value = "branch", required = false) List<String> branch,
@RequestParam(value = "severity", required = false) List<String> severity,
@RequestParam(value = "cwe", required = false) List<String> cwe,
@RequestParam(value = "category", required = false) List<String> category,
@RequestParam(value = "project", required = false) String project,
@RequestParam(value = "team", required = false) String team,
@RequestParam(value = "status", required = false) List<String> status,
@RequestParam(value = "assignee", required = false) String assignee,
@RequestParam(value = "preset", required = false) String preset,
@RequestParam(value = "incremental", required = false) Boolean incremental,
@RequestParam(value = "exclude-files", required = false) List<String> excludeFiles,
@RequestParam(value = "exclude-folders", required = false) List<String> excludeFolders,
@RequestParam(value = "override", required = false) String override,
@RequestParam(value = "bug", required = false) String bug,
@RequestParam(value = "app-only", required = false) Boolean appOnlyTracking,
@RequestParam(value = "state", required = false) List<String> state,
@RequestParam(value = "threshold-high", required =false) Integer thresholdHigh,
@RequestParam(value = "threshold-medium", required =false) Integer thresholdMedium,
@RequestParam(value = "threshold-low", required = false) Integer thresholdLow,
@RequestParam(value = "threshold-info", required = false) Integer thresholdInfo
These parameters are related to the WebHook URL parameters above.
Configuration | Description |
---|---|
application |
Override the application name, which is directly linked to Jira and other defect management implementations for tracking purposes. |
branch |
Override the protected branches that drive the scan. For multiple branches, simply list the branch multiple times. i.e. branch=XXX&branch=YYYY
|
severity |
Override the severity filters. For multiple severity simply list multiple times, i.e. severity=High&severity=Medium
|
cwe |
Override the cwe filters. For multiple cwe, simply list the cwe multiple times, i.e. cwe=89&cwe=79
|
category |
Override the category filters. For multiple category, simply list category multiple times, i.e. category=Stored_XSS&category=SQL_Injection
|
project |
Override the project name that will be created/used in Checkmarx. This allows for greater flexibility for incremental scan relating to pull requests, i.e. use a standardized pull project name that is always used regardless of the branch - ?project=repo-pull
|
team |
Override the team within Checkmarx to use/create project under. |
state |
Override the state filters (Confirmed/Urgent). For multiple state, simply list the state multiple times, i.e. status=Confirmed&status=Urgent
|
status |
Override the status filter. For multiple status, simply list the status multiple times, i.e. status=New&status=Recurrent
|
assignee |
Override the assignee |
preset |
Override the Checkmarx preset rules for scanning |
incremental |
Override incremental property to enable/disable incremental scan support |
exclude-files |
Override file exclusions |
exclude-folders |
Override folder exclusions |
override |
Override a complete JSON blob as defined below |
bug |
Override the default configured bug |
app-only |
This forces Jira issues to be tracked according to the defined application / repo name, as opposed to defining uniqueness per namespace/repo/branch |
threshold-high |
Override High severity count threshold |
threshold-medium |
Override Medium severity count threshold |
threshold-low |
Override Low severity count threshold |
threshold-info |
Override Info severity count threshold |
Note: Overrides are not required. You only need it if you want to override the global configuration specified from the main application.yml
|
Notes: All the repository configurations have common elements such as:
- token → api token for the repo, to gain access (typically personal access token for a service account)
- web-token → CxFlow shared secret to be used when registering the webhook on the repo
- url → base url for the repo
- api-url → base url for the api endpoints for the repo
- block-merge → boolean, determine if merge should be blocked while scan is completing in Checkmarx
- cx-summary-header → Pull/Merge Markdown comment header for the Checkmarx Summary, if used
- cx-summary → boolean, determine if the base Checkmarx Summary is displayed (unfiltered)
- flow-summary-header → Pull/Merge Markdown comment header for the CxFlow Violation Summary, if used
- flow-summary → boolean, determine if the base CxFlow Violation Summary is displayed (filtered)
- detailed-header → Pull/Merge Markdown comment header for the CxFlow details, if used
- detailed → boolean, determine if the detailed CxFlow results (vulnerability lines/files are displayed
github:
webhook-token: xxxx
token: xxxx
url: https://github.com
api-url: https://api.github.com/repos/
false-positive-label: false-positive
block-merge: true
detailed: false
scan-submitted-comment: false
max-description-length : <should be greater than 4 and less than 50000>
max-delay : <minimum value should be 3>
comment-update: false
zero-vulnerability-summary: true
fields:
- type: result
name: application
- type: result
name: project
Configuration | Default | Description |
---|---|---|
webhook-token |
Token used as a shared secret when calling the CxFlow WebHook WebService. It authenticates users for the request. GitHub signs the request with this value, and the signature is validated on the receiving end. | |
token |
The API token with access to the repository, with at least Read only access to the code, the ability to add comments to pull requests, and the ability to create GitHub Issues. | |
url |
Main repo url for GitHub | |
api-url |
The API endpoint for GitHub, which is a different context or potentially FQDN than the main repo url. | |
false-positive-label |
false-positive | A label that can be defined within the GitHub Issue feedback that is used to ignore issues |
block-merge |
false | When triggering scans based on PullRequest, this will create a new status of pending, which will block the merge ability until the scan is complete in Checkmarx. |
scan-submitted-comment |
true | Comment on PullRequest with "Scan submitted (or not submitted) to Checkmarx ...". |
max-description-length |
50000 | Manages number of characters to view in issue description.(value should be greater than 4 and less than 50000) |
max-delay |
When Secondary rate limit is hit, it will delay each API call for issue creation(Mininum value should be 3) | |
comment-update |
true | if false, will create a new comment for every scan |
zero-vulnerability-summary |
false | if true, will not comment in PR decoration any details for scans as vulnerabilities are zero. |
fields |
Refer page: Bug-Trackers-and-Feedback-Channels Chapter Github Fields | |
Note: A service account is required with access to the repositories that will be scanned, pull requests that will be commented on, and GitHub issues that will be created/updated. |
gitlab:
webhook-token: xxxx
token: xxxx
url: https://gitlab.com
api-url: https://gitlab.com/api/v4/
false-positive-label: false-positive
block-merge: true
comment-update: false
zero-vulnerability-summary: true
fields:
- type: result
name: application
- type: result
name: project
Configuration | Default | Description |
---|---|---|
webhook-token |
Token used as a shared secret when calling the CxFlow WebHook WebService. It authenticates users for the request. | |
token |
This is the API token with access to the repository, with at least Read only access to code, the ability to add comments to pull requests, and the ability to create GitLab issues. | |
url |
Main repo url for GitLab. | |
api-url |
The API endpoint for GitLab, which serves a different context or potential FQDN than the main repo url. | |
false-positive-label |
false-positive | A label that can be defined within the GitLab Issue feedback to ignore issues |
block-merge |
false | When triggering scans based on Merge Request, the Merge request is marked as WIP in GitLab, which blocks the merge ability until the scan is complete in Checkmarx. |
scan-submitted-comment |
true | Comment on Merge Request with "Scan submitted (or not submitted) to Checkmarx ...". |
comment-update |
true | if false, will create a new comment for every scan |
zero-vulnerability-summary |
false | if true, will not comment in PR decoration any details for scans as vulnerabilities are zero. |
fields |
Refer page: Bug-Trackers-and-Feedback-Channels Chapter Gitlab Fields |
Note: A service account is required with access to the repositories that are going to be scanned, pull requests that are commented on, and GitLab issues that are created/updated.
azure:
webhook-token: cxflow:1234
token: xxxx
url: https://dev.azure.com/XXXXXX
issue-type: issue
api-version: 5.0
false-positive-label: false-positive
block-merge: true
closed-status: Closed
open-status: Active
zero-vulnerability-summary: true
Configuration | Default | Description |
---|---|---|
webhook-token |
: as defined when registering the event in ADO. Used as a shared secret when calling the CxFlow WebHook WebService. It authenticates users for the request. | |
token |
This is the API token with access to the repository. It has at least Read only access to code, the ability to add comments to pull requests, and the ability to create Azure WorkItems. | |
url |
Main repo url for Azure DevOps, including high level namespace. Note: this is only required when running from the command line and not for WebHooks. | |
issue-type |
issue | The WorkItem type within Azure, i.e. issue / impediment. |
issue-body |
description | The body to enter free text regarding the issue. The default across various workItem types are Description or System.Description. |
app-tag-prefix |
app | Used for tracking existing issues. Issues are tagged with this value, if app is provided (without namespace/repo/branch) |
owner-tag-prefix |
owner | Used for tracking existing issues. Issues are tagged with this value |
repo-tag-prefix |
repo | Used for tracking existing issues. Issues are tagged with this value |
branch-label-prefix |
branch | Used for tracking existing issues. Issues are tagged with this value |
api-version |
5.0 | Azure DevOps API version to use |
open-status |
Status when re-opening a a workItem | |
closed-status |
Status when closing a workItem | |
false-positive-label |
false-positive | A label/tag that can be defined within the Azure Issue feedback being used to ignore issues. |
block-merge |
false | When triggering scans is based on pull request, this marks the Pull in blocked state until the scan is complete at Checkmarx. |
zero-vulnerability-summary |
false | if true, will not comment in PR decoration any details for scans as vulnerabilities are zero. |
Note: A service account is required with access to the repositories that are scanned, pull requests that are commented on, and Azure WorkItems that are created/updated. |
sarif:
hassnippet: true
Configuration | Default | Description |
---|---|---|
hassnippet |
false | In Checkmarx CX-Flow, when the hasSnippet flag is set to true, the tool displays relevant code snippets under the "Region" section of the UI. These snippets provide a portion of the code where potential vulnerabilities are detected, giving developers context to better understand the issue. This feature helps in identifying the exact location of security concerns, streamlining the remediation process by offering precise, actionable insights directly within the code. |
Note: Command line parameter for snippet is --sarif.hassnippet=true
bitbucket:
webhook-token: xxx
token: <user>:xxx
url: http://bitbucket.org
api-url: http://api.bitbucket.org
api-path: /2.0
zero-vulnerability-summary: true
Configuration | Default | Description |
---|---|---|
webhook-token |
Token used as a shared secret when calling the CxFlow WebHook WebService. It authenticates users for the request. The Bitbucket cloud does not allow for a shared secret, therefore a URL parameter called token, must be provided in this case. | |
token |
This is the API token with access to the repository with at least Read only access to code and the ability to add comments to pull requests. BitBucket requires the : format in the configuration. userid:app password (Format while using BitBucket Cloud) userid:password (Format while using BitBucket Server) |
|
api-url |
- https://api.bitbucket.org (URL for the Cloud BitBucket) - https://api.companyxyzbitbucket (URL for the BitBucket server is just the server hostname with api. prefixed) |
|
url |
- https://bitbucket.org (URL for the Cloud BitBucket) - https://companyxyzbitbucket(URL for the BitBucket server is just the server hostname) |
|
api-path |
The API URL path (appended to the URL) for BitBucket | |
'scan-submitted-comment` | true | Comment on Merge Request with "Scan submitted (or not submitted) to Checkmarx ...". |
zero-vulnerability-summary |
false | if true, will not comment in PR decoration any details for scans as vulnerabilities are zero. |
Note: As mentioned in the prerequisites, a service account is required that has appropriate access to the repositories that will be scanned, pull requests that will be commented on, GitHub issues that will be created/updated. |
The sample below illustrates an override configuration in JSON format. It has similarities with the YAML config blocks. Its main use is to override cx-flow and Jira Yaml configuration.
for more details, please refer to Config as Code
{
"version": 1.0,
"project": "XYZ-${repo}-${branch}",
"team": "/a/b/c",
"sast": {
"preset": "",
"engineConfiguration": "",
"incremental": "false", // values: "true" or "false"
"forceScan": "true", // values: "true" or "false"
"fileExcludes": "*.pyc, *.test, *.class",
"folderExcludes": "*test, out/, *bin"
},
"additionalProperties": {
"cxFlow": {
"application": "test app",
"branches": ["develop", "main", "master"],
"emails": ["[email protected]"],
"bugTracker": "JIRA", // other possible values: "GitLab", "GitHub", "Azure"
"scanResubmit": "true", // values: "true" or "false"
"sshKeyIdentifier": "Key of the ssh-key-list parameter present in application.yml file."
"jira": {
"project": "APPSEC",
"issue_type": "Bug",
"assignee": "admin",
"opened_status": ["Open","Reopen"],
"closed_status": ["Closed","Done"],
"open_transition": "Reopen Issue",
"close_transition": "Close Issue",
"close_transition_field": "resolution",
"close_transition_value": "Done",
"priorities": {
"High": "High",
"Medium": "High",
"Low": "High"
},
"fields": [
{
"type": "cx", // cx, static, result
"name": "xxx",
"jira_field_name": "xxxx",
"jira_field_type": "text", // security text | label | single-select | multi-select
"jira_default_value": "xxx"
},
{
"type": "result",
"name": "xxx",
"jira_field_name": "xxxx",
"jira_field_type": "label"
},
{
"type": "static",
"name": "xxx",
"jira_field_name": "xxxx",
"jira_field_type": "label",
"jira_default_value": "xxx"
}
]
},
"filters": {
"severity": ["High", "Medium"],
"cwe": ["79", "89"],
"category": ["XSS_Reflected", "SQL_Injection"],
"status": ["New", "Recurring"],
"state": ["Confirmed", "To Verify"]
}
}
},
"customFields": {
"field1": "value1",
"field2": "value2"
},
"scanCustomFields": {
"field3": "value3",
"field4": "value4"
}
}
Refer to the Bug Tracker documentation for a list of all our Bug Trackers and Feedback Channels.
CxFlow is bundled with support for Jasypt for encrypting property files: http://www.jasypt.org/
Sample: https://www.ricston.com/blog/encrypting-properties-in-spring-boot-with-jasypt-spring-boot/
To avoid storing the decryption password in the YAML configuration, invoke CxFlow with the password and the encryption algorithm specified on the command line:
$ java -jar cx-flow-<version>.jar \
--jasypt.encryptor.password=passphrase \
--jasypt.encryptor.algorithm=PBEWITHHMACSHA512ANDAES_256
If desired, the password can also be specified in the YAML configuration file:
jasypt:
encryptor:
password: passphrase
algorithm: PBEWITHHMACSHA512ANDAES_256
NOTE: Choose the appropriate algorithm for your deployment. This is a sample.
Environment variables can be leveraged for injecting the required jasypt cli values specified above:
JASYPT_ENCRYPTOR.PASSWORD=passphrase
JASYPT_ENCRYPTOR.ALGORITHM=PBEWITHHMACSHA512ANDAES_256
To create encrypted text, use the following command line to produce a base-64 encoded string:
$ java -cp cx-flow-<version>.jar \
-Dloader.main=org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI \
org.springframework.boot.loader.PropertiesLauncher \
ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator \
input="stuff to encrypt goes here" \
password=passphrase \
algorithm=PBEWITHHMACSHA512ANDAES_256
Encrypted values can be assigned to fields in the YAML configuration file using the format ENC(<base-64 encoded ciphertext>). Example:
jira:
token: ENC(r2Q0H31voNvp4NWHQ3bSkNzxmguHnHe/fuA+JiJ6DeOt8Fbzcslm6Hlly78dm6RONSaL8lGywG5atPC0xzyCsA==)
There are places where a custom groovy script can be used while executing CxFlow. These include:
- Deciding which branch is applicable for scanning.
- The project name to be used.
- The team to be used.
For additional information, refer to the External Scripting chapter.
If user want to use SAST Scan ID for further usage cx-flow stores SCAN ID in githuab output variable name : cxflowscanid
- name: Checkmarx CxFlow Action
id: step1
uses: cx-flow/[email protected]
project: ${{ github.event.repository.name }}
team: ${{ secrets.CHECKMARX_TEAMS }}
checkmarx_url: ${{ secrets.CHECKMARX_URL }}
checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
scanners: sast
params: --github --checkmarx.incremental=false --checkmarx.settings-override=true --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref_name }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
Steps to retrieve SCAN ID**** in output variable -
- Since Scan ID we are getting only after run of cx-flow, So we will use ID of Checkmarx CxFlow Action steps in output variable to fetch SCAN ID
outputs:
output1: ${{ steps.step1.outputs.cxflowscanid }}
- Now SCAN ID is stored in output1 variable which can be used in any jobs as per user convince.
NOTE: If SAST scan is taking time to scan files and other jobs are stuck due to this so user can run cx-flow in Async mode and with the help of SCAN ID from output variable, User can fetch results. In This way there is no jobs will be blocked due to processing of cx-flow.
Create an XML file named logback-spring.xml
with a Logback configuration similar to the XML below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
<layout class="ch.qos.logback.classic.PatternLayout">
<pattern>%d{dd-MM-yyyy HH:mm:ss.SSS} %magenta([%thread]) %highlight(%-5level) %logger{36}.%M - %msg%n</pattern>
</layout>
</appender>
<appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
<encoder>
<pattern>%d{dd-MM-yyyy HH:mm:ss.SSS} [%thread] %-5level %logger{36}.%M - %msg%n</pattern>
</encoder>
<rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
<fileNamePattern>/logs/cxflow.%d{yyyy-MM-dd}.%i.log.gz</fileNamePattern>
<maxFileSize>10MB</maxFileSize>
<totalSizeCap>20GB</totalSizeCap>
<maxHistory>7</maxHistory>
</rollingPolicy>
</appender>
<logger name="com.checkmarx" level="INFO" />
<logger name="org.apache.http.wire" level="ERROR" />
<logger name="org.springframework.ws" level="ERROR" />
<root level="INFO">
<appender-ref ref="FILE" />
<appender-ref ref="CONSOLE" />
</root>
</configuration>
Place this file in a location where CxFlow can access it during execution.
Remove all logging configuration from the CxFlow configuration YAML file and replace it with this line:
logging.config: logback-spring.xml
Provide the full path of the logback-spring.xml
file.
This example is showing the pipeline configured for the AWS OpenSearch version of Logstash. The ElasticSearch version of Logstash is configured similarly. Please consult the appropriate Logstash documentation for a configuration that best fits your needs.
The pipeline configuration should look similar to the following example:
input {
file {
check_archive_validity => true
path => "/cxflow-logs/*.log"
}
}
output {
opensearch {
hosts => ["https://<your host url here>:443/"]
index => "cxflow-logs"
user => "<username>"
password => "<password>"
ecs_compatibility => "disabled"
ssl_certificate_verification => false
}
}
Adjust the path
configuration element as appropriate to tail logs where you set the CxFlow logs to be stored in the XML file created in Step 1. The OpenSearch configuration elements will need to be adjusted to fit your appropriate storage requirements for OpenSearch/ElasticSearch.
If Logstash has been configured correctly, the CxFlow logs will now be tailed and sent to OpenSearch/ElasticSearch.
- We can label SAST issue in GITHUB and GITLAB.If user want to create issue he can pass labels in following way-
github:
webhook-token: 12345
url: https://github.com
api-url: https://api.github.com/repos/
false-positive-label: false-positive
block-merge: true
error-merge: true
max-description-length : 400
cx-summary: true
issueslabel:
high: high,must fix
medium: Medium,Not critical
low: ignore
#max-delay : 3
gitlab:
webhook-token: 12345
url: https://gitlab.com
api-url: https://gitlab.com/api/v4/
false-positive-label: false-positive
block-merge: true
issueslabel:
high: high,must fix
medium: Medium,Not critical
low: ignore
- User can also pass this as command line parameter.
--gitlab.issueslabel.medium="Medium,Not critical" --gitlab.issueslabel.low="ignore" --gitlab.issueslabel.high="high,must fix" #assigns 2 labels, high and must fix" --gitlab.issueslabel.info="very low"
--github.issueslabel.medium="Medium,Not critical" --github.issueslabel.low="ignore" --github.issueslabel.high="high,must fix" #assigns 2 labels, high and must fix" --github.issueslabel.info="very low"