Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
checkmarx-ts

GitHub Action

Checkmarx CxFlow Action

v1.6

Checkmarx CxFlow Action

checkmarx-ts

Checkmarx CxFlow Action

Simplify Checkmarx Scanning of source code along with Result consumption leveraging Checkmarx CxFlow solution

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Checkmarx CxFlow Action

uses: checkmarx-ts/[email protected]

Learn more about this action in checkmarx-ts/checkmarx-cxflow-github-action

Choose a version

Checkmarx CxFlow Github Action Checkmarx Github

License: GPL-3.0 Latest Release Open Issues

Checkmarx CxFlow GitHub Action with SARIF output.

Publish Security Alerts associated with the code in your Github Repository using Checkmarx with this Github Action Integration.

This is a Wrapper to trigger scans the latest version of CxFlow through Docker to launch Checkmarx SAST or SCA Scans.

Checkmarx

  • Checkmarx SAST (CxSAST) is an enterprise-grade flexible and accurate static analysis solution used to identify hundreds of security vulnerabilities in custom code. It is used by development, DevOps, and security teams to scan source code early in the SDLC, identify vulnerabilities and provide actionable insights to remediate them.
  • Checkmarx SCA (CxSCA) is an effective next-gen software composition analysis solution designed to help development teams ship secure software quickly while giving AppSec teams the insight and control they need to improve your software security risk posture.
  • Checkmarx Flow (CxFlow) is an SDLC orchestration module managing Applciaton Security Test (AST) scan initiation and results manangement.

Please find more info in the official website: Checkmarx.com

Version Compatiblity

The GitHub action Latest Release is only compatible with Checkmarx SAST 9.x and Checkmarx CxSCA.

Inputs

Variable Example Value   Description   Type Required Default
checkmarx_url https://checkmarx.company.com Checkmarx Server URL String Yes N/A
checkmarx_username ${{ secrets.CHECKMARX_USERNAME }} Checkmarx Username String Yes N/A
checkmarx_password ${{ secrets.CHECKMARX_PASSWORD }} Checkmarx Password Secure String Yes N/A
checkmarx_client_secret ${{ secrets.CHECKMARX_CLIENT_SECRET }} Checkmarx OIDC Client Secret Reference 1, 2 Secure String Yes
team /CxServer/SP/Company Checkmarx Team for Project String No /CxServer/SP/Company
project ProjectName Checkmarx Project String Yes N/A
app AppID-1234 Unique Application Identifier used by downstream bug trackers (i.e. Jira) String No SampleApp
preset Checkmarx Express Checkmarx scan preset (SAST) String No High and Medium
break_build true Break build based on results? Boolean No false
bug_tracker Sarif, GitHubPull, GitHub Bug-tracker used for scan results String No Sarif
incremental true Trigger scan as incremental? (SAST) Boolean No true
github_token ${{ secrets.GITHUB_TOKEN }} GitHub API Token, used for PR Feedback or GitHub Issue Feedback String No ${{ github.token }}
repo-url ${{ github.event.repository.url }} GitHub Repository URL, used for Issue Feedback String Yes NA
scanners sast, cxgo, sca Vulnerability Scanners (sast, sca, cxgo). Multiple comma seperated values allowed. String Yes None
sca_api_url https://api-sca.checkmarx.net API URL for SCA scan String No https://api-sca.checkmarx.net
sca_app_url https://sca.checkmarx.net APP URL for SCA scan String No https://sca.checkmarx.net
sca_access_control_url https://platform.checkmarx.net Access control URL for SCA scan String No https://platform.checkmarx.net
sca_tenant SCA-COMPANY_NAME Tenant for the SCA project String No N/A
sca_username ${{ secrets.SCA_USERNAME }} Username for SCA scan String No N/A
sca_password ${{ secrets.SCA_PASSWORD }} Password for SCA scan Secure String No N/A
cxgo_base_url https://api.checkmarx.net Base URL for CxGo Scan String No https://api.checkmarx.net
cxgo_portal_url https://cloud.checkmarx.net Portal URL for CxGo Scan String No https://cloud.checkmarx.net
cxgo_client_secret ${{ secrets.CXGO_CLIENT_SECRET }} CxGo Client secret Secure String No N/A
jira_url ${{ secrets.JIRA_URL }} Jira Url Secure String No N/A
jira_username ${{ secrets.JIRA_USERNAME }} Jira Username Secure String No N/A
jira_token ${{ secrets.JIRA_TOKEN }} Jira Secret. This is personal access token, not password. Secure String No N/A
jira_project ${{ secrets.JIRA_PROJECT }} Jira Project Name Secure String No N/A
jira_issue_type 'Application Security Bug' Jira Issue Type String No N/A
jira_open_transition 'In Progress' Jira Open Transition Status String No N/A
jira_close_transition 'Done' Jira Close Transition Status String No N/A
jira_open_status 'Backlog,Selected for Development,In Progress' Jira Open Status String No N/A
jira_closed_status 'Done' Jira Closed Status String No N/A
params --severity=High --branch=${{ github.ref }} Any additional parameters for CxFlow. For a full list of all the parameters, see the following. Special note about filtering String No

Example for params

Here is the example for additional parameters for CxFlow. For a full list of all the parameters, see the following

    --sca.team ="/CxServer/Sca
    --jira.url ="https://xxxx.atlassian.net"

Secrets

Note: It is recommentded to leverage secrets for any sensitive inputs

  • checkmarx_url: ${{ secrets.CHECKMARX_URL }}
  • checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
  • checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
  • checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
  • github_token: ${{ secrets.GITHUB_TOKEN }}
  • sca_username: ${{ secrets.SCA_USERNAME }}
  • sca_password: ${{ secrets.SCA_PASSWORD }}
  • cxgo_client_secret: ${{ secrets.CXGO_CLIENT_SECRET }}
  • jira_url: ${{ secrets.JIRA_URL }}
  • jira_username: ${{ secrets.JIRA_USERNAME }}
  • jira_token: ${{ secrets.JIRA_TOKEN }}
  • jira_project: ${{ secrets.JIRA_PROJECT }}

Filters

Note: For filtering files in the params input, it is necessary to escape special characters

Here is an example of filtering files:

--cx-flow.zip-exclude="\.git\/.*,\.github\/.*,apps\/tests\/.*,apps\/docs/.*,apps\/web\/.*"

  • Excluding the .git and .github folders from the zip file is highly important! Otherwise each commit will trigger a full scan due to changes in the files under these folders
  • To recursively exclude all files under any folder named "tests" for example, add the following to the -cx-flow.zip-exclude line:
    --cx-flow.zip-exclude="\.git\/.*,\.github\/.*,tests\/.*,.+\/tests\/.*"

Outputs

The default output format for this GitHub Action is a SARIF output report stored in the working directory as ./cx.sarif

For full documentation on all the supported output formats and defect management integration, please see the following.

SARIF Report

The file ./cx.sarif is created containing issue details based on the filtering policy of CxFlow. To make use of the report for CodeQL please make sure the following is considered. See sample useage below.

Example usage

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
    - uses: actions/checkout@v2
    # Scan code with Checkmarx
    - name: Checkmarx CxFlow Action
      uses: checkmarx-ts/[email protected]
      with:
        project: GithubActionTest
        team: /CxServer/SP/Checkmarx
        checkmarx_url: ${{ secrets.CHECKMARX_URL }}
        checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
        checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
        checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
    # Upload SARIF report for CodeQL / Security Alerts PRocessing
    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: cx.sarif

Sample Output (Security Alerts)

Sample Alert

Sample Workflow files

How To Contribute

We welcome issues to and pull requests against this repository!

License

Checkmarx Github Action

Copyright (C) 2020 Checkmarx

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.