GitHub Container Registry Integration for SCA Scanner

Step 1 - Setting up an Integration

To set up a GitHub Private Packages Integration:

In the main navigation, select Integrations > Cloud Connections.
In the Setup tab, under Private Registries for Containers, hover over the GitHub tile and click on Configuration. then click Start.
In the side panel that opens, click Start.
The GitHub Integration wizard opens.
Name Your Account and optionally fill in the Description and Associate Tags fields, then click Next.
Make a note of the name that you designated, as you will need to use this name in the following step.
Under Username enter the Username for your GitHub account.
In the API Key field, enter the API key for your JFrog Artifactory (as described above in Prerequisites).
In the URL field, enter the URL for your GitHub account using the format https://<packagemanager>.pkg.github.com.
Alternatively, if you have configured a CxLink to access this repo, enter the CxLink (using the following format: https://<subdomain>.<domain>/link/<UUID>). Learn more about CxLink here.
Click Add Account.

Monitoring Integration Status

You can monitor the status of your GitHub integrations to see whether or not the integration is connected. Possible statuses are:

Pending - The integration was just set up and hasn't connected yet.
Connected - The integration is running and you are able to scan images in your GitHub packages.
Disconnected - Checkmarx One is not currently able to access your private GitHub packages.

To monitor the integration status:

In the main navigation, select Integrations > Cloud Connections.
In the Cloud Connections tab, check the Status column for each of your integrations.

Step 2 - Project Configuration

For each project you want to scan, you must configure access to your private package repositories. This is done by using the templates provided below and applying them to your project configuration.

Prepare the configuration template

Copy the relevant template and replace the placeholder <MASK_NAME> with the name of the integration you defined in the GitHub integration wizard in the previous step.

Templates

Nuget

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="Artifactory" value="${{cx.<MASK_NAME>.url}}/artifactory/api/nuget/v3/automatedtests-nuget/" />
  </packageSources>
  <packageSourceCredentials>
    <Artifactory>
      <add key="Username" value="${{cx.<MASK_NAME>.username}}" />
      <add key="ClearTextPassword" value="${{cx.<MASK_NAME>.password}}" />
    </Artifactory>
  </packageSourceCredentials>
</configuration>

Maven

<?xml version="1.0" encoding="UTF-8"?>
<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd" xmlns="http://maven.apache.org/SETTINGS/1.2.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <servers>
    <server>
      <id>jfrog</id>
      <username>${{cx.<MASK_NAME>.username}}</username>
      <password>${{cx.<MASK_NAME>.password}}</password>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>artifactory</id>
      <repositories>
        <repository>
          <id>central</id>
          <name>cx-virtual</name>
          <url>${{cx.<MASK_NAME>.url}}/artifactory/automatedtests-maven/</url>
          <snapshots>
            <enabled>true</enabled>
          </snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>artifactory</activeProfile>
  </activeProfiles>
</settings>

Npm

Gradle

Pip

Apply the configuration to your project
You can apply the configuration using one of the following methods.
- Option A – Add configuration files to your repository
  Add the relevant template to your project’s source code using the folder structure shown below, based on your package manager.
  Notice
  If the config files already exist in your project, then you can add the template content to your existing file.
  - NuGet - ./.checkmarx/sca/nuget/NuGet.Config
  - Maven: - ./.checkmarx/sca/maven/settings.xml
  - npm - ./.checkmarx/sca/npm/.npmrc
  - Gradle - ./.checkmarx/sca/gradle/.npmrc
  - Pip - ./.checkmarx/sca/pip/pip.conf
- Option B – Apply configuration via API (no files added)
  Apply the configuration without adding any files to your project’s source code by sending one of the above templates in the request body of an API call.
  This approach is useful if you prefer not to commit registry configuration or credentials to your repository.
  For full details, see the SCA Private Registry Configuration API documentation.

In this section: