GitHub Action
Checkmarx CxFlow Action
Checkmarx CxFlow GitHub Action with SARIF output.
Publish Security Alerts associated with the code in your Github Repository using Checkmarx with this Github Action Integration.
This is a Wrapper to trigger scans the latest version of CxFlow through Docker to launch Checkmarx SAST or SCA Scans.
- Checkmarx SAST (CxSAST) is an enterprise-grade flexible and accurate static analysis solution used to identify hundreds of security vulnerabilities in custom code. It is used by development, DevOps, and security teams to scan source code early in the SDLC, identify vulnerabilities and provide actionable insights to remediate them.
- Checkmarx SCA (CxSCA) is an effective next-gen software composition analysis solution designed to help development teams ship secure software quickly while giving AppSec teams the insight and control they need to improve your software security risk posture.
- Checkmarx Flow (CxFlow) is an SDLC orchestration module managing Applciaton Security Test (AST) scan initiation and results manangement.
Please find more info in the official website: Checkmarx.com
The GitHub action is only compatible with Checkmarx SAST 9.x and Checkmarx CxSCA.
Variable | Example Value | Description | Type | Required | Default |
---|---|---|---|---|---|
checkmarx_url | https://checkmarx.company.com | Checkmarx Server URL | String | Yes | N/A |
checkmarx_username | ${{ secrets.CHECKMARX_USERNAME }} | Checkmarx Username | String | Yes | N/A |
checkmarx_password | ${{ secrets.CHECKMARX_PASSWORD }} | Checkmarx Password | Secure String | Yes | N/A |
checkmarx_client_secret | ${{ secrets.CHECKMARX_CLIENT_SECRET }} | Checkmarx OIDC Client Secret Reference 1, 2 | Secure String | Yes | |
team | /CxServer/SP/Company | Checkmarx Team for Project | String | No | /CxServer/SP/Company |
project | ProjectName | Checkmarx Project | String | Yes | N/A |
app | AppID-1234 | Unique Application Identifier used by downstream bug trackers (i.e. Jira) | String | No | SampleApp |
preset | Checkmarx Express | Checkmarx scan preset (SAST) | String | No | High and Medium |
break_build | true | Break build based on results? | Boolean | No | false |
bug_tracker | Sarif, GitHubPull, GitHub | Bug-tracker used for scan results | String | No | Sarif |
incremental | true | Trigger scan as incremental? (SAST) | Boolean | No | true |
github_token | ${{ secrets.GITHUB_TOKEN }} | GitHub API Token, used for PR Feedback or GitHub Issue Feedback | String | No | ${{ github.token }} |
repo-url | ${{ github.event.repository.url }} | GitHub Repository URL, used for Issue Feedback | String | Yes | NA |
scanners | sast, cxgo, sca | Vulnerability Scanners (sast, sca, cxgo). Multiple comma seperated values allowed. | String | Yes | None |
sca_api_url | https://api-sca.checkmarx.net | API URL for SCA scan | String | No | https://api-sca.checkmarx.net |
sca_app_url | https://sca.checkmarx.net | APP URL for SCA scan | String | No | https://sca.checkmarx.net |
sca_access_control_url | https://platform.checkmarx.net | Access control URL for SCA scan | String | No | https://platform.checkmarx.net |
sca_tenant | SCA-COMPANY_NAME | Tenant for the SCA project | String | No | N/A |
sca_username | ${{ secrets.SCA_USERNAME }} | Username for SCA scan | String | No | N/A |
sca_password | ${{ secrets.SCA_PASSWORD }} | Password for SCA scan | Secure String | No | N/A |
cxgo_base_url | https://api.checkmarx.net | Base URL for CxGo Scan | String | No | https://api.checkmarx.net |
cxgo_portal_url | https://cloud.checkmarx.net | Portal URL for CxGo Scan | String | No | https://cloud.checkmarx.net |
cxgo_client_secret | ${{ secrets.CXGO_CLIENT_SECRET }} | CxGo Client secret | Secure String | No | N/A |
jira_url | ${{ secrets.JIRA_URL }} | Jira Url | Secure String | No | N/A |
jira_username | ${{ secrets.JIRA_USERNAME }} | Jira Username | Secure String | No | N/A |
jira_token | ${{ secrets.JIRA_TOKEN }} | Jira Secret. This is personal access token, not password. | Secure String | No | N/A |
jira_project | ${{ secrets.JIRA_PROJECT }} | Jira Project Name | Secure String | No | N/A |
jira_issue_type | 'Application Security Bug' | Jira Issue Type | String | No | N/A |
jira_open_transition | 'In Progress' | Jira Open Transition Status | String | No | N/A |
jira_close_transition | 'Done' | Jira Close Transition Status | String | No | N/A |
jira_open_status | 'Backlog,Selected for Development,In Progress' | Jira Open Status | String | No | N/A |
jira_closed_status | 'Done' | Jira Closed Status | String | No | N/A |
params | --severity=High --branch=${{ github.ref }} | Any additional parameters for CxFlow. For a full list of all the parameters, see the following. Special note about filtering | String | No |
Here is the example for additional parameters for CxFlow. For a full list of all the parameters, see the following
--sca.team ="/CxServer/Sca
--jira.url ="https://xxxx.atlassian.net"
Note: It is recommentded to leverage secrets for any sensitive inputs
- checkmarx_url: ${{ secrets.CHECKMARX_URL }}
- checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
- checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
- checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
- github_token: ${{ secrets.GITHUB_TOKEN }}
- sca_username: ${{ secrets.SCA_USERNAME }}
- sca_password: ${{ secrets.SCA_PASSWORD }}
- cxgo_client_secret: ${{ secrets.CXGO_CLIENT_SECRET }}
- jira_url: ${{ secrets.JIRA_URL }}
- jira_username: ${{ secrets.JIRA_USERNAME }}
- jira_token: ${{ secrets.JIRA_TOKEN }}
- jira_project: ${{ secrets.JIRA_PROJECT }}
Note: For filtering files in the params input, it is necessary to escape special characters
Here is an example of filtering files:
--cx-flow.zip-exclude="\.git\/.*,\.github\/.*,apps\/tests\/.*,apps\/docs/.*,apps\/web\/.*"
- Excluding the .git and .github folders from the zip file is highly important! Otherwise each commit will trigger a full scan due to changes in the files under these folders
- To recursively exclude all files under any folder named "tests" for example, add the following to the -cx-flow.zip-exclude line:
--cx-flow.zip-exclude="\.git\/.*,\.github\/.*,tests\/.*,.+\/tests\/.*"
The default output format for this GitHub Action is a SARIF output report stored in the working directory as ./cx.sarif
For full documentation on all the supported output formats and defect management integration, please see the following.
The file ./cx.sarif is created containing issue details based on the filtering policy of CxFlow. To make use of the report for CodeQL please make sure the following is considered. See sample useage below.
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
# Scan code with Checkmarx
- name: Checkmarx CxFlow Action
uses: checkmarx-ts/[email protected]
with:
project: GithubActionTest
team: /CxServer/SP/Checkmarx
checkmarx_url: ${{ secrets.CHECKMARX_URL }}
checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
# Upload SARIF report for CodeQL / Security Alerts PRocessing
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: cx.sarif
- Github PUSH workflow for SAST
- Github PUSH workflow for SCA
- Github PULL REQUEST workflow for SAST
- Github Cloud Local scan
- Github Cloud Remote scan
We welcome issues to and pull requests against this repository!
Checkmarx Github Action
Copyright (C) 2020 Checkmarx
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.