Configuring a GitHub Action with a Checkmarx One Workflow
You can add a Checkmarx One scan to an existing workflow or create a new workflow for the scan. The action can also write the results as a SARIF report, which you then upload so they appear as code scanning alerts in the repository's GitHub Security tab.
The following section describes how to create a new workflow with a Checkmarx One scan.
Navigate to the Actions tab of your GitHub repository, click "New workflow", and then click "set up a workflow yourself".
The code editor is shown.
By default the workflow file is named main.yml; rename it to describe the workflow, e.g., CheckmarxScan.yml.
In the "Edit new file" section, customize the code to meet your needs regarding triggers, branches, etc.
In the Marketplace tab of the right-side panel, search for Checkmarx AST Github Action and click on that item.
The .yml installation snippet is shown.
In the Marketplace section, copy the snippet, paste it into the "steps" section of the new workflow below "runs-on", and adjust the indentation as needed (YAML is indentation-sensitive).
Notice
If you are running SCA Resolver as part of the scan then you need to modify the script accordingly. A sample script using Resolver is available here.
Customize the code as follows:
For base_uri, enter the base URL of your Checkmarx One Environment.
US Environment - https://ast.checkmarx.net
US2 Environment - https://us.ast.checkmarx.net
EU Environment - https://eu.ast.checkmarx.net
EU2 Environment - https://eu-2.ast.checkmarx.net
DEU Environment - https://deu.ast.checkmarx.net
Australia & New Zealand - https://anz.ast.checkmarx.net
India - https://ind.ast.checkmarx.net
Singapore - https://sng.ast.checkmarx.net
UAE - https://mea.ast.checkmarx.net
For cx_tenant, enter the name of your Checkmarx One tenant account.
For cx_client_id, enter ${{ secrets.CX_CLIENT_ID }}, where CX_CLIENT_ID is the "Name" you used to store your Checkmarx OAuth Client ID as a secret in your GitHub repository.
For cx_client_secret, enter ${{ secrets.CX_CLIENT_SECRET }}, where CX_CLIENT_SECRET is the "Name" you used to store your Checkmarx OAuth Client Secret as a secret in your GitHub repository.
For project_name, enter the name of an existing Project in Checkmarx One or enter a new name to create a new Project.
Notice
The project_name parameter must not be left blank. You can omit the project_name parameter completely, in which case it defaults to ${{ github.repository }}.
For branch, enter the name of an existing branch of your Project or enter a new name to create a new branch.
Notice
The branch parameter must not be left blank. You can omit the branch parameter completely, in which case it defaults to ${{ github.ref }}.
For additional_params, you can customize the Action by adding additional CLI arguments; see Checkmarx One GitHub Action Configuration Variables.
If you want to import the scan results into GitHub code scanning alerts, do the following:
In the additional_params line add --report-format sarif --output-path . so that the action writes its results as a SARIF file (cx_result.sarif) in the repository root.
Add the following step to your .yml file, after the Checkmarx One scan step:
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: cx_result.sarif
Notice
The upload step needs the security-events: write permission on the workflow's GITHUB_TOKEN. Grant it with a permissions block in the workflow file rather than widening the repository's default token permissions.
Click Start Commit.
In the dialog that opens, edit the name, add a description (optional), specify a branch, and then click Commit new file.
The Checkmarx One Action is added to the repository and an initial scan is run on the source code. Subsequent scans are triggered whenever the workflow's trigger fires; with the default trigger, that is every push to the configured branches.
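The steps above, assembled into one complete workflow file. This is an added example, not Checkmarx's own sample snippet: the action reference checkmarx/ast-github-action@main, the tenant name my-tenant, the US base_uri and the push-to-main trigger are assumptions that you should replace with your own values (and pin the action to a release tag or commit SHA rather than a moving branch). The input names, the secret names, the SARIF arguments and the cx_result.sarif file name are the ones given on this page.

```yaml
# Added example (not Checkmarx's own sample): a complete CheckmarxScan.yml
# built from the steps on this page. Assumed values: action ref @main,
# tenant my-tenant, US base_uri, push-to-main trigger.
name: CheckmarxScan

on:
  push:
    branches: [main]

# Least-privilege token for the job: the scan only needs to read the checkout,
# and only the SARIF upload needs security-events: write.
permissions:
  contents: read
  security-events: write

jobs:
  checkmarx-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source
        uses: actions/checkout@v4

      - name: Checkmarx One scan
        # Assumed ref; pin to a release tag or commit SHA in production.
        uses: checkmarx/ast-github-action@main
        with:
          base_uri: https://ast.checkmarx.net       # US environment; pick yours from the list above
          cx_tenant: my-tenant                      # assumed tenant name
          cx_client_id: ${{ secrets.CX_CLIENT_ID }}          # repository secret, never a literal
          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}  # repository secret, never a literal
          project_name: ${{ github.repository }}    # same as omitting the parameter
          branch: ${{ github.ref }}                 # same as omitting the parameter
          # Write results as SARIF into the repository root (cx_result.sarif)
          additional_params: --report-format sarif --output-path .

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: cx_result.sarif
```

Keep the permissions block job-scoped as shown; if your organization's default GITHUB_TOKEN permissions are already read-only, this block is what lets the upload step publish the alerts without granting write access to anything else.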
Checkmarx One GitHub Action Configuration Variables
When you set up a Checkmarx One GitHub Action in a GitHub workflow you need to configure the following variables.
Variable | Required | Description | Possible Values
---|---|---|---
base_uri | Yes | The base URL of your Checkmarx One environment. | US: https://ast.checkmarx.net; US2: https://us.ast.checkmarx.net; EU: https://eu.ast.checkmarx.net; EU2: https://eu-2.ast.checkmarx.net; DEU: https://deu.ast.checkmarx.net; Australia & New Zealand: https://anz.ast.checkmarx.net; India: https://ind.ast.checkmarx.net; Singapore: https://sng.ast.checkmarx.net; UAE: https://mea.ast.checkmarx.net
cx_tenant | Yes | The name of your Checkmarx One Tenant Account. | e.g., MyOrganization
cx_client_id | Yes | The Checkmarx One OAuth client ID. Store it as a GitHub Secret rather than as a literal in the workflow file. | e.g., ${{ secrets.CX_CLIENT_ID }}
cx_client_secret | Yes | The Checkmarx One OAuth client secret. Store it as a GitHub Secret rather than as a literal in the workflow file. | e.g., ${{ secrets.CX_CLIENT_SECRET }}
project_name | No | The name that will be assigned to this Project in Checkmarx One. | e.g., DemoProject. Default: the name of the GitHub repository, ${{ github.repository }}
branch | No | The branch name that will be designated for this Project in Checkmarx One. | e.g., main. Default: ${{ github.ref }}
additional_params | No | Any Checkmarx One CLI arguments that you would like to apply to scans of this project. See documentation here. | e.g., --report-format sarif --output-path .