Bulk Action for Enabling Container Security for Code Repository Projects
Overview
When the New Container Security engine is enabled for an account, it is necessary to enable the Container Security scanner for each relevant project. This can be done simply by toggling the Container Security scanner On in the Checkmarx One web application (UI). Alternatively, the scanner can be enabled via REST API.
For customers with numerous Code Repository integration projects (i.e., projects imported via SCM integration), you may want to use a bulk action to activate the Container Security scanner for all Code Repository projects in your account. This article describes the APIs that will be used for this process, and presents a Python script that can be used to implement the bulk action.
 |
Workflow
The workflow for activating the Container Security scanner for all Code Repository projects is as follows:
Get a list of all projects, using the
GET /projects-overviewAPI, and filter the data for only Code Repository projects.For each relevant project, enable the Container Security scanner, using the
PUT /repos-manager/repo/{repoId}API.
Prerequisites
You need to have a JWT bearer access token for your Checkmarx One account, see here.
You need to know the base url of your Checkmarx One account.
Implementation Process
Step 1 - Get a list of relevant projects
Use the projects-overview API to get a list of all projects, and take the repoId and projectId for each Code Repository integration project.
API | Method | Purpose | Authentication |
|---|---|---|---|
| HTTP GET | Get the list of projects. | JWT bearer token |
Use the limit and offset parameters to fetch all of your projects.
For example:
https://anz.ast.checkmarx.net/api/projects-overview/?limit=100&offset=200
In the responses, identify all the projects that contain a value for the repoId attribute. These are the Code Repository import projects. You will take the repoId and projectId for each of these projects for use in the following step.
From the above example, you would take the following data for the first project returned:
"repoId": 124575 "projectId": "3b01c784-c494-469b-a551-2100de9d0e79"
Step 2 - Enable Container Security SCM Integration for each relevant project
Use the following API to set containerScannerEnabled true for each relevant project.
API | Method | Purpose | Authentication |
|---|---|---|---|
| HTTP PUT | Modify the code repository configuration. | JWT bearer token |
Continuing from the above example:
https://anz.ast.checkmarx.net/api/repos-manager/repo/124575?projectId=3b01c784-c494-469b-a551-2100de9d0e79
Notice
You can modify other settings in the same way. For example, you can enable AutoPRs or enable/disable other scanners.
In the Checkmarx One web application (UI), verify that Container Security is toggled on for each relevant project.
 |
Python Script for Enabling Container Security
The process described above can be implemented using a script that applies these updates across all of your Code Repository projects.
Sample Python script
We’ve created a sample script that you can use for this purpose.
This Python script uses the requests library for making API calls, and performs the following:
Fetches Project Data:
Uses the
GET /api/projects-overviewAPI to fetch project details paginated.
Filters SCM Projects:
Filters projects based on a
repoId(i.e.,repoIdis not 0), indicating that the project was imported from a SCM source.
Enables the Specified Scanner Property:
For each project with a
repoId, it makes aPUTrequest to thePUT /api/repos-manager/repoAPI, enabling or disabling a specified scanner property (e.g.,containerScannerEnabled).
Logs Progress:
Outputs the project name, ID, and repo ID to the console, along with a message confirming whether the scanner property was successfully enabled or disabled for the project.
Handles Pagination:
Automatically increments the
offsetand fetches and processes projects until all have been handled.
Executing the Python script
Prerequisites:
Ensure that you have Python installed on your system (Python 3.x recommended).
Ensure that you have the
requestslibrary installed. You can install it usingpip:pip install requests
Adjusting the script:
Replace
{checkmarx-url}with your Checkmarx instance base URL (e.g.,https://anz.ast.checkmarx.net)Replace
your-bearer-tokenwith your actual bearer token (JWT authentication token).
import requests
import json
# Description:
# This Python script automates the process of enabling or disabling a specific scanner property (e.g., `containerScannerEnabled`, `otherScannerEnabled`)
# for all projects in Checkmarx that were imported from an SCM (source code management) system (e.g., GitHub, GitLab).
# The script performs the following tasks:
# 1. Fetches project data using the Checkmarx API with pagination support.
# 2. Filters SCM-imported projects based on the presence of `repoId`.
# 3. Enables or disables the specified scanner property for each project using the Checkmarx API.
# 4. Prints progress and confirmation messages for each project updated.
# 5. Automatically handles pagination for large numbers of projects.
# Set your variables
CHECKMARX_URL = "https://{checkmarx-url}" # Replace with your Checkmarx URL
BEARER_TOKEN = "your-bearer-token" # Replace with your Bearer token
LIMIT = 100 # Set the limit for API calls (adjust as needed)
OFFSET = 0 # Set the offset for pagination (initially 0)
CONTAINER_SECURITY_ENDPOINT = "/api/repos-manager/repo" # Endpoint for enabling container security
# Set scanner property name (e.g., containerScannerEnabled, otherScannerEnabled, etc.)
SCANNER_PROPERTY = "containerScannerEnabled" # Change this to the property you want to enable/disable
SCANNER_ENABLED = True # Set the desired boolean value (True or False)
headers = {
'Authorization': f'Bearer {BEARER_TOKEN}',
'Content-Type': 'application/json'
}
def enable_scanner_property(project_id, repo_id, project_name):
"""Enables the specified scanner property for the given project."""
url = f"{CHECKMARX_URL}{CONTAINER_SECURITY_ENDPOINT}/{repo_id}?projectId={project_id}"
payload = {SCANNER_PROPERTY: SCANNER_ENABLED}
response = requests.put(url, headers=headers, json=payload)
if response.status_code == 200:
print(f"{SCANNER_PROPERTY} enabled for project '{project_name}' (ID: {project_id}, repo ID: {repo_id})")
else:
print(f"Failed to enable {SCANNER_PROPERTY} for project '{project_name}' (ID: {project_id}, repo ID: {repo_id})")
def fetch_projects(offset, limit):
"""Fetch projects with pagination."""
url = f"{CHECKMARX_URL}/api/projects-overview?limit={limit}&offset={offset}"
response = requests.get(url, headers=headers)
return response.json()
def main():
offset = OFFSET
limit = LIMIT
while True:
print(f"Fetching projects with offset {offset}...")
projects_data = fetch_projects(offset, limit)
total_count = projects_data.get('totalCount', 0)
# Loop through each project and enable the specified scanner property for SCM projects
for project in projects_data.get('projects', []):
if 'repoId' in project:
project_id = project['projectId']
repo_id = project['repoId']
project_name = project['projectName']
if repo_id == 0:
# If repoId is 0, skip the project and print a message
print(f"Skipping project '{project_name}' (ID: {project_id}) because it is not connected to a real SCM repository (repoId = 0).")
continue
enable_scanner_property(project_id, repo_id, project_name)
# Check if we've processed all projects
if total_count <= (offset + limit):
print("Processed all projects.")
break
# Update offset for next pagination
offset += limit
if __name__ == "__main__":
main()