From 799fae9d01945cf0939b96a8216aab7279404f2d Mon Sep 17 00:00:00 2001
From: itsKedar <37594766+itsKedar@users.noreply.github.com>
Date: Thu, 19 Sep 2024 12:37:05 +0530
Subject: [PATCH 1/3] added project and scan custom fields parameters
---
 action.yml | 13 +++++++++++++
 entrypoint.sh | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index 540f0e5..8ec154a 100644
--- a/action.yml
+++ b/action.yml
@@ -142,6 +142,15 @@ inputs:
 required: false
 description: 'Jira Closed Status'
 default: ''
+ #######CLI Parameters ###########
+ project_custom_field:
+ required: false
+ description: 'checkmarx project custom field'
+ default: ''
+ scan_custom_field:
+ required: false
+ description: 'checkmarx scan custom field'
+ default: ''
 runs:
 using: 'docker'
@@ -179,6 +188,8 @@ runs:
 - ${{ inputs.jira_close_transition }}
 - ${{ inputs.jira_open_status }}
 - ${{ inputs.jira_closed_status }}
+ - ${{ inputs.project_custom_field }}
+ - ${{ inputs.scan_custom_field }}
 env:
 TEAM: "${{ inputs.team }}"
@@ -215,6 +226,8 @@ runs:
 JIRA_CLOSE_TRANSITION: ${{ inputs.jira_close_transition }}
 JIRA_OPEN_STATUS: ${{ inputs.jira_open_status }}
 JIRA_CLOSED_STATUS: ${{ inputs.jira_closed_status }}
+ PROJECT_CUSTOM_FIELD : ${{ inputs.project_custom_field }}
+ SCAN_CUSTOM_FIELD: ${{ inputs.scan_custom_field }}
 branding:
 icon: 'check'
diff --git a/entrypoint.sh b/entrypoint.sh
index 0322b00..1897ec6 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
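Review bot: `PROJECT_CUSTOM_FIELD : ${{ inputs.project_custom_field }}` in the third hunk puts a space before the colon; YAML parsers generally drop trailing whitespace from a plain key, so it most likely still resolves to `PROJECT_CUSTOM_FIELD`, but it differs from every sibling key in the `env:` block and trips yamllint's `colons` rule. Write `PROJECT_CUSTOM_FIELD: ${{ inputs.project_custom_field }}`, matching `SCAN_CUSTOM_FIELD:` on the next line. The renamed keys in [PATCH 2/3] (`PROJECT_CUSTOM_FIELD_KEY :` and `PROJECT_CUSTOM_FIELD_VALUE :`) carry the same spacing and should be fixed in the same way. The section comment `#######CLI Parameters ###########` in the first hunk would read better as a conventional `# CLI parameters` comment with a space after the hash.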
@@ -19,7 +19,7 @@ else
 fi
-java ${JAVA_OPTS} -jar /app/cx-flow.jar --SHA=$GITHUB_SHA --spring.profiles.active="${CX_FLOW_ENABLED_VULNERABILITY_SCANNERS}" --scan --github.api-url="${GITHUB_API_URL}/repos/" --cx-team="${TEAM}" --cx-project="${PROJECT}" --app="${APP}" --jira.url="${JIRA_URL}" --jira.username="${JIRA_USERNAME}" --jira.token="${JIRA_TOKEN}" --jira.project="${JIRA_PROJECT}" --jira.issue-type="${JIRA_ISSUE_TYPE}" --jira.open-transition="${JIRA_OPEN_TRANSITION}" --jira.close-transition="${JIRA_CLOSE_TRANSITION}" --jira.open-status="${JIRA_OPEN_STATUS}" --jira.closed-status="${JIRA_CLOSED_STATUS}" --f=. ${CXFLOW_PARAMS} 2> scanid$GITHUB_SHA.txt
+java ${JAVA_OPTS} -jar /app/cx-flow.jar --SHA=$GITHUB_SHA --spring.profiles.active="${CX_FLOW_ENABLED_VULNERABILITY_SCANNERS}" --scan --github.api-url="${GITHUB_API_URL}/repos/" --cx-team="${TEAM}" --cx-project="${PROJECT}" --app="${APP}" --jira.url="${JIRA_URL}" --jira.username="${JIRA_USERNAME}" --jira.token="${JIRA_TOKEN}" --jira.project="${JIRA_PROJECT}" --jira.issue-type="${JIRA_ISSUE_TYPE}" --jira.open-transition="${JIRA_OPEN_TRANSITION}" --jira.close-transition="${JIRA_CLOSE_TRANSITION}" --jira.open-status="${JIRA_OPEN_STATUS}" --jira.closed-status="${JIRA_CLOSED_STATUS}" --project-custom-field="${PROJECT_CUSTOM_FIELD}" --scan-custom-field="${SCAN_CUSTOM_FIELD}" --f=. ${CXFLOW_PARAMS} 2> scanid$GITHUB_SHA.txt
 JAVA_RETURN_STATUS=$(echo $?)
 scanID=$(grep 'cxflowscanidextraction' scanid$GITHUB_SHA.txt | sed 's/.*cxflowscanidextractiongithubaction \(.*\)endofstatementscanidaction/\1/')
 echo "cxflowscanid=$scanID" >> $GITHUB_OUTPUT
From 87eba18ead339a2ee92d0a458675e61412ef10da Mon Sep 17 00:00:00 2001
From: itsKedar <37594766+itsKedar@users.noreply.github.com>
Date: Thu, 19 Sep 2024 13:20:55 +0530
Subject: [PATCH 2/3] added project and scan custom fields parameters
---
 action.yml | 29 ++++++++++++++++++++---------
 entrypoint.sh | 2 +-
 2 files changed, 21 insertions(+), 10 deletions(-)
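Review bot: The new `--project-custom-field="${PROJECT_CUSTOM_FIELD}"` and `--scan-custom-field="${SCAN_CUSTOM_FIELD}"` options are appended on every run, yet both inputs default to `''` in action.yml, so a workflow that never sets them now passes an empty value for each flag where previously the flag was absent; how cx-flow treats an empty custom field is not visible here, so the options should only be added when the corresponding input is non-empty. The reworked line in [PATCH 2/3] (next entrypoint.sh hunk) keeps the same unconditional shape and additionally yields `--project-custom-field=:` when both halves are empty, which the README note in [PATCH 3/3] seems to work around by telling users to always set both. One way to keep the existing quoting while adding the flags conditionally is to collect them in the positional parameters as below; if the script reads `$1`… elsewhere (the action does pass every input as `args`), use a bash array instead. The `if`/`else` whose `fi` opens the hunk starts outside it.
```shell
# … unchanged: if/else block ending in fi …
set --
if [ -n "${PROJECT_CUSTOM_FIELD}" ]; then
  set -- "$@" --project-custom-field="${PROJECT_CUSTOM_FIELD}"
fi
if [ -n "${SCAN_CUSTOM_FIELD}" ]; then
  set -- "$@" --scan-custom-field="${SCAN_CUSTOM_FIELD}"
fi
java ${JAVA_OPTS} -jar /app/cx-flow.jar --SHA=$GITHUB_SHA --spring.profiles.active="${CX_FLOW_ENABLED_VULNERABILITY_SCANNERS}" --scan --github.api-url="${GITHUB_API_URL}/repos/" --cx-team="${TEAM}" --cx-project="${PROJECT}" --app="${APP}" --jira.url="${JIRA_URL}" --jira.username="${JIRA_USERNAME}" --jira.token="${JIRA_TOKEN}" --jira.project="${JIRA_PROJECT}" --jira.issue-type="${JIRA_ISSUE_TYPE}" --jira.open-transition="${JIRA_OPEN_TRANSITION}" --jira.close-transition="${JIRA_CLOSE_TRANSITION}" --jira.open-status="${JIRA_OPEN_STATUS}" --jira.closed-status="${JIRA_CLOSED_STATUS}" "$@" --f=. ${CXFLOW_PARAMS} 2> scanid$GITHUB_SHA.txt
# … unchanged: JAVA_RETURN_STATUS / scanID extraction …
```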
diff --git a/action.yml b/action.yml
index 8ec154a..1d3a315 100644
--- a/action.yml
+++ b/action.yml
@@ -143,15 +143,22 @@ inputs:
 description: 'Jira Closed Status'
 default: ''
 #######CLI Parameters ###########
- project_custom_field:
+ project_custom_field_key:
 required: false
- description: 'checkmarx project custom field'
+ description: 'checkmarx project custom field key'
 default: ''
- scan_custom_field:
+ project_custom_field_value:
 required: false
- description: 'checkmarx scan custom field'
+ description: 'checkmarx project custom field value'
+ default: ''
+ scan_custom_field_key:
+ required: false
+ description: 'checkmarx scan custom field key'
+ default: ''
+ scan_custom_field_value:
+ required: false
+ description: 'checkmarx scan custom field value'
 default: ''
-
 runs:
 using: 'docker'
 image: 'Dockerfile'
@@ -188,8 +195,10 @@ runs:
 - ${{ inputs.jira_close_transition }}
 - ${{ inputs.jira_open_status }}
 - ${{ inputs.jira_closed_status }}
- - ${{ inputs.project_custom_field }}
- - ${{ inputs.scan_custom_field }}
+ - ${{ inputs.project_custom_field_key }}
+ - ${{ inputs.project_custom_field_value }}
+ - ${{ inputs.scan_custom_field_key }}
+ - ${{ inputs.scan_custom_field_value }}
 env:
 TEAM: "${{ inputs.team }}"
@@ -226,8 +235,10 @@ runs:
 JIRA_CLOSE_TRANSITION: ${{ inputs.jira_close_transition }}
 JIRA_OPEN_STATUS: ${{ inputs.jira_open_status }}
 JIRA_CLOSED_STATUS: ${{ inputs.jira_closed_status }}
- PROJECT_CUSTOM_FIELD : ${{ inputs.project_custom_field }}
- SCAN_CUSTOM_FIELD: ${{ inputs.scan_custom_field }}
+ PROJECT_CUSTOM_FIELD_KEY : ${{ inputs.project_custom_field_key }}
+ PROJECT_CUSTOM_FIELD_VALUE : ${{ inputs.project_custom_field_value }}
+ SCAN_CUSTOM_FIELD_KEY: ${{ inputs.scan_custom_field_key }}
+ SCAN_CUSTOM_FIELD_VALUE: ${{ inputs.scan_custom_field_value }}
 branding:
 icon: 'check'
diff --git a/entrypoint.sh b/entrypoint.sh
index 1897ec6..599dbc2 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
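Review bot: The four new inputs in the first hunk (`project_custom_field_key` … `scan_custom_field_value`) describe only what each value is, while the README note added in [PATCH 3/3] states two constraints the action does not enforce: `--checkmarx.settings-override=true` must be supplied through `params`, and a key is only meaningful together with its value. A workflow author reading action.yml never sees the README, so those belong in the `description` fields, e.g. `description: 'Checkmarx project custom field key; requires project_custom_field_value and --checkmarx.settings-override=true in params'` with matching wording on `scan_custom_field_key`, and `description: 'Value for project_custom_field_key'` on the value inputs. Capitalising "Checkmarx" would also match the existing `'Jira Closed Status'` style of the neighbouring descriptions.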
@@ -19,7 +19,7 @@ else
 fi
-java ${JAVA_OPTS} -jar /app/cx-flow.jar --SHA=$GITHUB_SHA --spring.profiles.active="${CX_FLOW_ENABLED_VULNERABILITY_SCANNERS}" --scan --github.api-url="${GITHUB_API_URL}/repos/" --cx-team="${TEAM}" --cx-project="${PROJECT}" --app="${APP}" --jira.url="${JIRA_URL}" --jira.username="${JIRA_USERNAME}" --jira.token="${JIRA_TOKEN}" --jira.project="${JIRA_PROJECT}" --jira.issue-type="${JIRA_ISSUE_TYPE}" --jira.open-transition="${JIRA_OPEN_TRANSITION}" --jira.close-transition="${JIRA_CLOSE_TRANSITION}" --jira.open-status="${JIRA_OPEN_STATUS}" --jira.closed-status="${JIRA_CLOSED_STATUS}" --project-custom-field="${PROJECT_CUSTOM_FIELD}" --scan-custom-field="${SCAN_CUSTOM_FIELD}" --f=. ${CXFLOW_PARAMS} 2> scanid$GITHUB_SHA.txt
+java ${JAVA_OPTS} -jar /app/cx-flow.jar --SHA=$GITHUB_SHA --spring.profiles.active="${CX_FLOW_ENABLED_VULNERABILITY_SCANNERS}" --scan --github.api-url="${GITHUB_API_URL}/repos/" --cx-team="${TEAM}" --cx-project="${PROJECT}" --app="${APP}" --jira.url="${JIRA_URL}" --jira.username="${JIRA_USERNAME}" --jira.token="${JIRA_TOKEN}" --jira.project="${JIRA_PROJECT}" --jira.issue-type="${JIRA_ISSUE_TYPE}" --jira.open-transition="${JIRA_OPEN_TRANSITION}" --jira.close-transition="${JIRA_CLOSE_TRANSITION}" --jira.open-status="${JIRA_OPEN_STATUS}" --jira.closed-status="${JIRA_CLOSED_STATUS}" --project-custom-field="${PROJECT_CUSTOM_FIELD_KEY}":"${PROJECT_CUSTOM_FIELD_VALUE}" --scan-custom-field="${SCAN_CUSTOM_FIELD_KEY}":"${SCAN_CUSTOM_FIELD_VALUE}" --f=. ${CXFLOW_PARAMS} 2> scanid$GITHUB_SHA.txt
 JAVA_RETURN_STATUS=$(echo $?)
 scanID=$(grep 'cxflowscanidextraction' scanid$GITHUB_SHA.txt | sed 's/.*cxflowscanidextractiongithubaction \(.*\)endofstatementscanidaction/\1/')
 echo "cxflowscanid=$scanID" >> $GITHUB_OUTPUT
From de1b01651196ccd9b447628d88b9a52c5f9252cc Mon Sep 17 00:00:00 2001
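Review bot: `--project-custom-field="${PROJECT_CUSTOM_FIELD_KEY}":"${PROJECT_CUSTOM_FIELD_VALUE}"` relies on the shell concatenating two quoted strings around a bare `:`, which is correct but reads as if three tokens were intended; a single quoted string says the same thing more plainly: `--project-custom-field="${PROJECT_CUSTOM_FIELD_KEY}:${PROJECT_CUSTOM_FIELD_VALUE}"` and `--scan-custom-field="${SCAN_CUSTOM_FIELD_KEY}:${SCAN_CUSTOM_FIELD_VALUE}"`. The README added in [PATCH 3/3] tells users that a key must always be paired with a value, but nothing here checks it, so a half-configured pair silently reaches cx-flow as `key:`; a guard before the java line such as `[ -n "${PROJECT_CUSTOM_FIELD_KEY}" ] && [ -z "${PROJECT_CUSTOM_FIELD_VALUE}" ] && { echo "project_custom_field_value is required with project_custom_field_key" >&2; exit 1; }` (and its scan counterpart) would fail the step with a readable message instead. The enclosing `if`/`else` begins before the hunk.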
From: itsKedar <37594766+itsKedar@users.noreply.github.com>
Date: Thu, 19 Sep 2024 13:28:52 +0530
Subject: [PATCH 3/3] Updated documentation
---
 README.md | 81 +++++++++++++++++++++++++++++--------------------
 1 file changed, 43 insertions(+), 38 deletions(-)
diff --git a/README.md b/README.md
index 9c50376..99af72f 100644
--- a/README.md
+++ b/README.md
@@ -25,44 +25,49 @@ The GitHub action [![Latest Release](https://img.shields.io/github/v/release/ch
 *Note:* Please use [cx-flow-debian](https://github.com/checkmarx-ts/checkmarx-cxflow-github-debian) GitHub action for using cx-flow with the Debian operating system. This GitHub action supports Alpine OS. Every parameter is the same in both.
 ## Inputs
-| Variable | Example Value   | Description   | Type | Required | Default |
-|-------------------------|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------|--------------------------------|
-| checkmarx_url | https://checkmarx.company.com | Checkmarx Server URL | String | Yes | N/A |
-| checkmarx_username | ${{ secrets.CHECKMARX_USERNAME }} | Checkmarx Username | String | Yes | N/A |
-| checkmarx_password | ${{ secrets.CHECKMARX_PASSWORD }} | Checkmarx Password | Secure String | Yes | N/A |
-| checkmarx_client_secret | ${{ secrets.CHECKMARX_CLIENT_SECRET }} | Checkmarx OIDC Client Secret Reference [1](https://checkmarx.atlassian.net/wiki/spaces/KC/pages/1187774721/Using+the+CxSAST+REST+API+v8.6.0+and+up), [2](https://checkmarx.atlassian.net/wiki/spaces/KC/pages/1187774721/Using+the+CxSAST+REST+API+v8.6.0+and+up) | Secure String | Yes | |
-| team | /CxServer/SP/Company | Checkmarx Team for Project | String | No | /CxServer/SP/Company |
-| project | ProjectName | Checkmarx Project | String | Yes | N/A |
-| app | AppID-1234 | Unique Application Identifier used by downstream bug trackers (i.e. Jira) | String | No | SampleApp |
-| preset | Checkmarx Express | Checkmarx scan preset (SAST) | String | No | High and Medium |
-| break_build | true | Break build based on results? | Boolean | No | false |
-| bug_tracker | Sarif, GitHubPull, GitHub | Bug-tracker used for scan results | String | No | Sarif |
-| incremental | true | Trigger scan as incremental? (SAST) | Boolean | No | true |
-| github_token | ${{ secrets.GITHUB_TOKEN }} | GitHub API Token, used for PR Feedback or GitHub Issue Feedback | String | No | ${{ github.token }} |
-| repo-url | ${{ github.event.repository.url }} | GitHub Repository URL, used for Issue Feedback | String | Yes | NA |
-| scanners | sast, cxgo, sca | Vulnerability Scanners (sast, sca, cxgo). Multiple comma seperated values allowed. | String | Yes | None |
-| extra_certificates | certificates | Workspace subdirectory containing additional CxFlow X509 certificates (.crt) | String | No | None |
-| sca_api_url | https://api-sca.checkmarx.net | API URL for SCA scan | String | No | https://api-sca.checkmarx.net |
-| sca_app_url | https://sca.checkmarx.net | APP URL for SCA scan | String | No | https://sca.checkmarx.net |
-| sca_access_control_url | https://platform.checkmarx.net | Access control URL for SCA scan | String | No | https://platform.checkmarx.net |
-| sca_tenant | SCA-COMPANY_NAME | Tenant for the SCA project | String | No | N/A |
-| sca_username | ${{ secrets.SCA_USERNAME }} | Username for SCA scan | String | No | N/A |
-| sca_password | ${{ secrets.SCA_PASSWORD }} | Password for SCA scan | Secure String | No | N/A |
-| cxgo_base_url | https://api.checkmarx.net | Base URL for CxGo Scan | String | No | https://api.checkmarx.net |
-| cxgo_portal_url | https://cloud.checkmarx.net | Portal URL for CxGo Scan | String | No | https://cloud.checkmarx.net |
-| cxgo_client_secret | ${{ secrets.CXGO_CLIENT_SECRET }} | CxGo Client secret | Secure String | No | N/A |
-| jira_url | ${{ secrets.JIRA_URL }} | Jira Url | Secure String | No | N/A |
-| jira_username | ${{ secrets.JIRA_USERNAME }} | Jira Username | Secure String | No | N/A |
-| jira_token | ${{ secrets.JIRA_TOKEN }} | Jira Secret. This is personal access token, not password. | Secure String | No | N/A |
-| jira_project | ${{ secrets.JIRA_PROJECT }} | Jira Project Name | Secure String | No | N/A |
-| jira_issue_type | 'Application Security Bug' | Jira Issue Type | String | No | N/A |
-| jira_open_transition | 'In Progress' | Jira Open Transition Status | String | No | N/A |
-| jira_close_transition | 'Done' | Jira Close Transition Status | String | No | N/A |
-| jira_open_status | 'Backlog,Selected for Development,In Progress' | Jira Open Status | String | No | N/A |
-| jira_closed_status | 'Done' | Jira Closed Status | String | No | N/A |
-| params | --severity=High --branch=${{ github.ref }} | Any additional parameters for CxFlow. For a full list of all the parameters, see the [following](https://github.com/checkmarx-ltd/cx-flow/wiki/Configuration). Special note about [filtering](#Filters) | String | No | N/A |
-| java_opts | -Xms512m | Any Java options | String | No | N/A |
-
+| Variable | Example Value   | Description   | Type | Required | Default |
+|----------------------------|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------|--------------------------------|
+| checkmarx_url | https://checkmarx.company.com | Checkmarx Server URL | String | Yes | N/A |
+| checkmarx_username | ${{ secrets.CHECKMARX_USERNAME }} | Checkmarx Username | String | Yes | N/A |
+| checkmarx_password | ${{ secrets.CHECKMARX_PASSWORD }} | Checkmarx Password | Secure String | Yes | N/A |
+| checkmarx_client_secret | ${{ secrets.CHECKMARX_CLIENT_SECRET }} | Checkmarx OIDC Client Secret Reference [1](https://checkmarx.atlassian.net/wiki/spaces/KC/pages/1187774721/Using+the+CxSAST+REST+API+v8.6.0+and+up), [2](https://checkmarx.atlassian.net/wiki/spaces/KC/pages/1187774721/Using+the+CxSAST+REST+API+v8.6.0+and+up) | Secure String | Yes | |
+| team | /CxServer/SP/Company | Checkmarx Team for Project | String | No | /CxServer/SP/Company |
+| project | ProjectName | Checkmarx Project | String | Yes | N/A |
+| app | AppID-1234 | Unique Application Identifier used by downstream bug trackers (i.e. Jira) | String | No | SampleApp |
+| preset | Checkmarx Express | Checkmarx scan preset (SAST) | String | No | High and Medium |
+| break_build | true | Break build based on results? | Boolean | No | false |
+| bug_tracker | Sarif, GitHubPull, GitHub | Bug-tracker used for scan results | String | No | Sarif |
+| incremental | true | Trigger scan as incremental? (SAST) | Boolean | No | true |
+| github_token | ${{ secrets.GITHUB_TOKEN }} | GitHub API Token, used for PR Feedback or GitHub Issue Feedback | String | No | ${{ github.token }} |
+| repo-url | ${{ github.event.repository.url }} | GitHub Repository URL, used for Issue Feedback | String | Yes | NA |
+| scanners | sast, cxgo, sca | Vulnerability Scanners (sast, sca, cxgo). Multiple comma seperated values allowed. | String | Yes | None |
+| extra_certificates | certificates | Workspace subdirectory containing additional CxFlow X509 certificates (.crt) | String | No | None |
+| sca_api_url | https://api-sca.checkmarx.net | API URL for SCA scan | String | No | https://api-sca.checkmarx.net |
+| sca_app_url | https://sca.checkmarx.net | APP URL for SCA scan | String | No | https://sca.checkmarx.net |
+| sca_access_control_url | https://platform.checkmarx.net | Access control URL for SCA scan | String | No | https://platform.checkmarx.net |
+| sca_tenant | SCA-COMPANY_NAME | Tenant for the SCA project | String | No | N/A |
+| sca_username | ${{ secrets.SCA_USERNAME }} | Username for SCA scan | String | No | N/A |
+| sca_password | ${{ secrets.SCA_PASSWORD }} | Password for SCA scan | Secure String | No | N/A |
+| cxgo_base_url | https://api.checkmarx.net | Base URL for CxGo Scan | String | No | https://api.checkmarx.net |
+| cxgo_portal_url | https://cloud.checkmarx.net | Portal URL for CxGo Scan | String | No | https://cloud.checkmarx.net |
+| cxgo_client_secret | ${{ secrets.CXGO_CLIENT_SECRET }} | CxGo Client secret | Secure String | No | N/A |
+| jira_url | ${{ secrets.JIRA_URL }} | Jira Url | Secure String | No | N/A |
+| jira_username | ${{ secrets.JIRA_USERNAME }} | Jira Username | Secure String | No | N/A |
+| jira_token | ${{ secrets.JIRA_TOKEN }} | Jira Secret. This is personal access token, not password. | Secure String | No | N/A |
+| jira_project | ${{ secrets.JIRA_PROJECT }} | Jira Project Name | Secure String | No | N/A |
+| jira_issue_type | 'Application Security Bug' | Jira Issue Type | String | No | N/A |
+| jira_open_transition | 'In Progress' | Jira Open Transition Status | String | No | N/A |
+| jira_close_transition | 'Done' | Jira Close Transition Status | String | No | N/A |
+| jira_open_status | 'Backlog,Selected for Development,In Progress' | Jira Open Status | String | No | N/A |
+| jira_closed_status | 'Done' | Jira Closed Status | String | No | N/A |
+| project_custom_field_key | 'test' | project custom field key that is mentioned in Checkmarx SAST | String | No | N/A |
+| project_custom_field_value | 'test1' | project custom field value that needs to be updated or added in checkmarx SAST | String | No | N/A |
+| scan_custom_field_key | 'test' | scan custom field key that is mentioned in Checkmarx SAST Scan. | String | No | N/A |
+| scan_custom_field_value | 'test1' | scan custom field value that needs to be added in Checkmarx SAST Scan. | String | No | N/A |
+| params | --severity=High --branch=${{ github.ref }} | Any additional parameters for CxFlow. For a full list of all the parameters, see the [following](https://github.com/checkmarx-ltd/cx-flow/wiki/Configuration). Special note about [filtering](#Filters) | String | No | N/A |
+| java_opts | -Xms512m | Any Java options | String | No | N/A |
+
+*Note:* Please use `--checkmarx.settings-override=true` in params while using `project-custom-field` or `scan-custom-field`. Make sure project_custom_field_key and project_custom_field_value both are mentioned.
 ## Secrets
 _Note: It is recommended to leverage secrets for any sensitive inputs_