
Checkmarx One GitHub Actions

The Checkmarx One GitHub Action enables you to trigger SAST, SCA, IaC Security, API Security, Container Security and Software Supply Chain Security scans directly from a GitHub workflow. It is a wrapper around the Checkmarx One CLI tool: it creates a zip archive of your source code repository and uploads it to Checkmarx One for scanning. The GitHub Action integrates easily with GitHub while still allowing scan customization using the full functionality and flexibility of the CLI tool.

The GitHub Action can be configured to trigger scans when particular events (e.g., a push or a pull request) occur on specific branches of your repo. You can also add pre- and post-scan steps to your workflow. For example, you can add a step that screens the commits to determine whether the changes made warrant running a new scan.

Note

The plugin code can be found here.

Notice

There is an alternative method for integrating GitHub with Checkmarx One which is done directly from Checkmarx One, see GitHub Cloud. That method is easier to implement but doesn’t enable full customization of the process.

Main Features

  • Automatically trigger SAST, SCA, IaC Security, API Security, Container Security and Software Supply Chain Security scans from the GitHub workflow

  • Supports use of CLI arguments to customize scan configuration, enabling you to:

    • Customize filters to specify which folders and files are scanned

    • Apply preset query configurations

    • Customize SCA scans using SCA Resolver

    • Set thresholds to break build

  • Shows scan results summary in the GitHub build logs

  • Supports generating reports that are integrated into the GitHub Security alerts

  • Decorates pull requests with info about new vulnerabilities that were identified as well as vulnerabilities that were fixed by the code changes
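The following workflow is an example added to this page to show the features above together (event and branch triggers, a pre-scan screening step, CLI arguments for scan types, file filters, a preset and a build-breaking threshold, and a report handed to GitHub code scanning). It is not the project's own sample and is not copied from the Checkmarx documentation. The action reference and its input names (`checkmarx/ast-github-action`, `base_uri`, `cx_tenant`, `cx_client_id`, `cx_client_secret`, `project_name`, `branch`, `additional_params`) and the CLI flags are taken from the action's public README as the editor remembers them and must be checked against the version you pin; the pinned version, the secret names, the screening rule, the filter patterns and the SARIF upload step are assumptions for illustration.

```yaml
# Example workflow (illustrative, not from the Checkmarx docs). Replace the
# pinned version with a release tag or commit SHA you have verified.
name: Checkmarx One scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Least privilege for the default GITHUB_TOKEN. Assumption: PR decoration
# needs pull-requests: write and the SARIF upload needs security-events: write.
permissions:
  contents: read
  pull-requests: write
  security-events: write

jobs:
  checkmarx:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the pre-scan step can diff against the base

      # Pre-scan step (constructed screening rule): skip the scan when the
      # push or PR only touched Markdown files or the docs/ tree.
      # Event data is passed through env rather than interpolated into the
      # script, which avoids expression injection into the shell.
      - name: Decide whether a scan is warranted
        id: screen
        env:
          EVENT_NAME: ${{ github.event_name }}
          PUSH_BEFORE: ${{ github.event.before }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.sha }}
        run: |
          if [ "$EVENT_NAME" = "pull_request" ]; then
            base="$PR_BASE_SHA"
          else
            base="$PUSH_BEFORE"
          fi
          # A new branch push reports an all-zero "before" SHA: scan in that case.
          if [ -z "$base" ] || [ "$base" = "0000000000000000000000000000000000000000" ]; then
            echo "run_scan=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          if git diff --name-only "$base" "$HEAD_SHA" | grep -vqE '^(docs/|.*\.md$)'; then
            echo "run_scan=true" >> "$GITHUB_OUTPUT"
          else
            echo "run_scan=false" >> "$GITHUB_OUTPUT"
          fi

      # Credentials come from repository secrets (OAuth client from the
      # Prerequisites section); never put them in the workflow file.
      - name: Checkmarx One scan
        if: steps.screen.outputs.run_scan == 'true'
        uses: checkmarx/ast-github-action@2.0.23   # assumed version; pin what you verified
        with:
          base_uri: ${{ secrets.CX_BASE_URI }}
          cx_tenant: ${{ secrets.CX_TENANT }}
          cx_client_id: ${{ secrets.CX_CLIENT_ID }}
          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
          project_name: ${{ github.repository }}
          branch: ${{ github.head_ref || github.ref_name }}
          # CLI arguments passed straight to the Checkmarx One CLI:
          #   scan types, a preset, file filters ("!" excludes), a threshold
          #   that fails the build, and a SARIF report for GitHub code scanning.
          additional_params: >-
            --scan-types sast,sca
            --sast-preset-name "ASA Premium"
            --file-filter "!*.min.js,!*.spec.js"
            --threshold "sast-high=1;sca-high=1"
            --report-format sarif
            --output-name cx_result

      # Post-scan step: surface the findings under the repository's
      # Security tab. The file name matches --output-name above.
      - name: Upload SARIF to GitHub code scanning
        if: steps.screen.outputs.run_scan == 'true' && always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: cx_result.sarif
```

Two caveats for practitioners. First, on `pull_request` events from forks GitHub does not expose repository secrets, so the scan step cannot authenticate; do not "fix" this by switching to `pull_request_target`, which runs with secrets against untrusted code. Second, the threshold causes the scan step to fail the job, so keep `always()` on the upload step if you still want the SARIF results published when the build is broken.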

Prerequisites

  • The source code for your project is hosted on a GitHub repo (public or private)

  • You have a Checkmarx One account and you have an OAuth Client ID and Client Secret for that account. To create an OAuth client, see Creating an OAuth Client for Checkmarx One Integrations.

    Note

    The following are the minimum required roles for running an end-to-end flow of scanning a project and viewing results via the CLI or plugins:

    • CxOne composite role ast-scanner

    • CxOne role view-policy-management

    • IAM role default-roles