Checkmarx One GitHub Actions
The Checkmarx One GitHub Action enables you to trigger SAST, SCA, IaC Security, API Security, Container Security and Software Supply Chain Security scans directly from the GitHub workflow. It provides a wrapper around the Checkmarx One CLI Tool, which creates a zip archive from your source code repository and uploads it to Checkmarx One for scanning. The GitHub Action provides easy integration with GitHub while enabling scan customization using the full functionality and flexibility of the CLI tool.
The GitHub Action can be customized to trigger scans when particular events (e.g., push or pull request) occur on specific branches of your repo. You can also add pre- and post-scan steps to your workflow. For example, you can add a step that screens the commits to verify whether the changes made warrant running a new scan.
Note
The plugin code can be found here.
Notice
There is an alternative method for integrating GitHub with Checkmarx One which is done directly from Checkmarx One, see GitHub Cloud. That method is easier to implement but doesn’t enable full customization of the process.
Main Features
Automatically trigger CxSAST, CxSCA, IaC Security, API Security, Container Security and Software Supply Chain Security scans from the GitHub workflow
Supports use of CLI arguments to customize scan configuration, enabling you to:
Customize filters to specify which folders and files are scanned
Apply preset query configurations
Customize SCA scans using SCA Resolver
Set thresholds to break build
Shows scan results summary in the GitHub build logs
Supports generating reports that are integrated into the GitHub Security alerts
Decorates pull requests with info about new vulnerabilities that were identified as well as vulnerabilities that were fixed by the code changes
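The following workflow is an added example (not from the Checkmarx documentation) that puts the pieces above together: it triggers a scan on pushes and pull requests against main, runs a pre-scan screening step that skips the scan when only Markdown files changed, and passes CLI arguments through to the scan to set a file filter, a preset and a break-build threshold. The action reference checkmarx/ast-github-action, its input names (base_uri, cx_tenant, cx_client_id, cx_client_secret, project_name, additional_params), the CLI flag names and the secret names are assumptions taken from the public action; the base_uri value is a placeholder.

```yaml
name: Checkmarx One scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
  pull-requests: write    # PR decoration with new/fixed findings
  security-events: write  # uploading results to GitHub Security alerts

jobs:
  checkmarx-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the pre-scan diff has a base commit

      # Pre-scan step: skip the scan when every changed file is Markdown.
      # If no usable base commit exists, fail open and scan anyway.
      - name: Screen changed files
        id: screen
        run: |
          base="${{ github.event.pull_request.base.sha || github.event.before }}"
          if ! changed=$(git diff --name-only "$base" "${{ github.sha }}" 2>/dev/null); then
            changed="unknown"
          fi
          if printf '%s\n' "$changed" | grep -qv '\.md$'; then
            echo "run_scan=true" >> "$GITHUB_OUTPUT"
          else
            echo "run_scan=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Checkmarx One scan
        if: steps.screen.outputs.run_scan == 'true'
        uses: checkmarx/ast-github-action@main  # pin to a release tag in production
        with:
          base_uri: https://PLACEHOLDER.checkmarx.net/  # your Checkmarx One server URL
          cx_tenant: ${{ secrets.CX_TENANT }}
          cx_client_id: ${{ secrets.CX_CLIENT_ID }}          # OAuth client from Prerequisites
          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
          project_name: ${{ github.repository }}
          # CLI arguments passed through to the Checkmarx One CLI (flag names assumed):
          # limit scanned files, apply a preset, fail the build on high findings.
          additional_params: >-
            --file-filter "!**/test/**,!**/*.md"
            --sast-preset-name "ASA Premium"
            --threshold "sast-high=1;sca-high=1"
```

The OAuth client ID and secret are read from repository secrets rather than written into the workflow, and the workflow token is granted only the permissions the action needs for PR decoration and Security alert uploads.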
Prerequisites
The source code for your project is hosted on a GitHub repo (public or private)
You have a Checkmarx One account and you have an OAuth Client ID and Client Secret for that account. To create an OAuth client, see Creating an OAuth Client for Checkmarx One Integrations.
Note
The following are the minimum required roles for running an end-to-end flow of scanning a project and viewing results via the CLI or plugins:
CxOne composite role
ast-scanner
CxOne role
view-policy-management
IAM role
default-roles