Skip to main content

Checkmarx One GitHub Actions

The Checkmarx One GitHub Action enables you to trigger SAST, SCA, IaC Security and API Security scans directly from the GitHub workflow. It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling scan customization using the full functionality and flexibility of the CLI tool.

The GitHub Action can be customized to trigger scans when particular actions (e.g., push, or pull request) occur on specific branches of your repo. You can also add pre and post scan steps to your workflow. For example, you can add a step to screen commits to verify if the changes made warrant running a new scan.


The plugin code can be found here.


There is an alternative method for integrating GitHub with Checkmarx One which is done directly from Checkmarx One, see GitHub Cloud. That method is easier to implement but doesn’t enable full customization of the process.

Main Features

  • Automatically trigger CxSAST, CxSCA, IaC Security and API Security scans from the GitHub workflow

  • Supports use of CLI arguments to customize scan configuration, enabling you to:

    • Customize filters to specify which folders and files are scanned

    • Apply preset query configurations

    • Customize SCA scans using SCA Resolver

    • Set thresholds to break build

  • Shows scan results summary in the GitHub build logs

  • Supports generating reports that are integrated into the GitHub Security alerts

  • Decorates pull requests with info about new vulnerabilities that were identified as well as vulnerabilities that were fixed by the code changes