Checkmarx One Bamboo Integration
You can integrate Checkmarx One into your Bamboo projects using our CLI Tool. You can run Checkmarx One scans as well as perform other Checkmarx One commands using the CLI Tool.
Prerequisites
You have a Checkmarx One account and either an OAuth client or an API key for Checkmarx One authentication. To generate either credential, see Authentication for Checkmarx One CLI and Plugins.
Notice
An OAuth client is the recommended credential because you can grant it exactly the permissions the integration needs. An API key, by contrast, inherits all permissions of the user who generated it, so a leaked key gives an attacker that user's full access.
You have a Bamboo installation.
You have created a project and a plan in Bamboo and noted the Project key and Plan key.
Setting up Checkmarx One CLI Integration
Before running Checkmarx One CLI commands in your Bamboo project, you need to configure a project and plan for running the CLI commands. This involves first configuring project variables for accessing Checkmarx One and then adding our Bamboo Specs .yaml file to your repo and configuring it for your project.
Once your project is set up, you can use CLI commands to run scans, retrieve scan results and perform CRUD actions on your Checkmarx One Projects and Applications. For an explanation of the CLI commands, see Checkmarx One CLI Commands.
Configuring Project Variables
Create project variables for the parameters needed to connect to your Checkmarx One account.
Notice
Project variables are scoped to a single Bamboo project, so they must be set separately for each project that runs Checkmarx One scans.
In your Bamboo console, go to Project > {project_name} > Project settings > Variables.
Create a project variable for each entry in the table below by entering the Variable name and Value and then clicking Add.
Project Variables

Key | Value
---|---
CX_BASE_URI | The URL of your Checkmarx One server (passed to the CLI as --base-uri).
CX_BASE_AUTH_URI | The URL of the Checkmarx One authentication (IAM) server, if it differs from the base URI (passed to the CLI as --base-auth-uri).
CX_TENANT | The name of your tenant account (passed to the CLI as --tenant).
Use one of the following authentication methods: |
CX_CLIENT_ID and CX_CLIENT_ID_SECRET (OAuth, recommended) | These values are obtained from the Checkmarx One web application, see Creating an OAuth Client for Checkmarx One Integrations.
CX_API_KEY | This is obtained from the Checkmarx One web application, see Generating an API Key.

The sample Spec files below reference these variables as ${bamboo.CX_BASE_URI}, ${bamboo.CX_TENANT}, ${bamboo.CX_CLIENT_ID} and ${bamboo.CX_CLIENT_ID_SECRET}. Whatever variable names you choose must match the ${bamboo.<name>} references in your Spec file.
Configuring a Project to Run Checkmarx One CLI Commands
1. Add the Bamboo Specs .yaml file from one of the sample Spec files provided below to your project repository.
2. Edit the Bamboo Specs .yaml file in your repository, replacing the project-key and key values with the Project key and Plan key of this plan.
3. Edit the Checkmarx One CLI command in the Spec file, specifying the relevant scan parameters as described under Configuring Scan Settings below. Alternatively, you can run other CLI commands, see Checkmarx One CLI Commands.
4. In Bamboo, open the project you created by clicking Project > {project_name} > Repositories > Add repository and specify the repository URL.
5. Enable Bamboo Specs for the repository by clicking Edit repository > Bamboo Specs and enabling Scan for Bamboo Specs.
6. Scan the repository to add the Checkmarx One CLI plan to the project by clicking Edit repository > Spec status and then Scan.
7. You can add triggers to run the plan, or run it manually by clicking Project > {project_name} > Plans > {plan_name} > Run plan.
Sample Bamboo Spec Files
We provide samples that use various methods for installing the Checkmarx One CLI.
Option 1 - Install the CLI using Homebrew
Notice
This option works in any environment; the task installs Homebrew on the build image before installing the CLI. Because the CLI is not added to PATH by this step, the sample invokes cx through its Homebrew Cellar path.

```yaml
version: 2
plan:
  project-key: TES
  key: RC
  name: Checkmarx ast-cli
stages:
  - Stage 1:
      jobs:
        - Job cli
Job cli:
  docker:
    image: ubuntu:latest
  tasks:
    - script:
        - /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
        - /home/linuxbrew/.linuxbrew/bin/brew install checkmarx/ast-cli/ast-cli
        - /home/linuxbrew/.linuxbrew/Cellar/ast-cli/*/bin/cx scan create -s ${bamboo.build.working.directory} --project-name ${bamboo.planRepository.1.name} --base-uri ${bamboo.CX_BASE_URI} --tenant ${bamboo.CX_TENANT} --client-id ${bamboo.CX_CLIENT_ID} --client-secret ${bamboo.CX_CLIENT_ID_SECRET} --branch ${bamboo.planRepository.1.branchName}
```
Option 2 - Install the CLI using an Ubuntu image with Homebrew installed
```yaml
version: 2
plan:
  project-key: TES
  key: RC
  name: Checkmarx ast-cli
stages:
  - Stage 1:
      jobs:
        - Job cli
Job cli:
  docker:
    image: homebrew/ubuntu18.04
  tasks:
    - script:
        - brew install checkmarx/ast-cli/ast-cli
        - cx scan create -s ${bamboo.build.working.directory} --project-name ${bamboo.planRepository.1.name} --base-uri ${bamboo.CX_BASE_URI} --tenant ${bamboo.CX_TENANT} --client-id ${bamboo.CX_CLIENT_ID} --client-secret ${bamboo.CX_CLIENT_ID_SECRET} --branch ${bamboo.planRepository.1.branchName}
```
Option 3 - Install the CLI using the Checkmarx One CLI Docker Image
Notice
This option works in any environment. It runs the official checkmarx/ast-cli image through the Bamboo Docker plugin (com.atlassian.bamboo.plugins.bamboo-docker-plugin), which offers additional configuration options such as volume mounts and extra docker run arguments. The checked-out source is mounted at /data inside the container, and the image's entrypoint is cleared so that the full cx command can be given explicitly.

```yaml
version: 2
plan:
  project-key: Myproject
  key: MPCX
  name: Checkmarx Scan
stages:
  - Default Stage:
      jobs:
        - Scan
Scan:
  key: SCAN
  tasks:
    - checkout:
        force-clean-build: 'false'
        description: Checkout Default Repository
    - any-task:
        plugin-key: com.atlassian.bamboo.plugins.bamboo-docker-plugin:task.docker.cli
        configuration:
          commandOption: run
          image: checkmarx/ast-cli
          detach: 'false'
          serviceWait: 'false'
          command: /app/bin/cx scan create -s . --project-name mybamboo --base-uri ${bamboo.CX_BASE_URI} --tenant ${bamboo.CX_TENANT} --client-id ${bamboo.CX_CLIENT_ID} --client-secret ${bamboo.CX_CLIENT_ID_SECRET} --branch ${bamboo.planRepository.1.branchName}
          workDir: /data
          additionalArgs: --entrypoint=""
          hostDirectory_0: ${bamboo.working.directory}
          containerDataVolume_0: /data
        description: Ast Scan
```
Notice
Check for updates to the code samples in GitHub.
Configuring Scan Settings
The following snippet shows how to run a Checkmarx One scan in Bamboo using the cx scan create command with the minimum required parameters: -s (location of the source code), --project-name (name of the Checkmarx One project) and --branch (name of the branch in the Checkmarx One project), together with the project variables you configured for connecting to Checkmarx One. For additional scan arguments, see scan create.

```yaml
- cx scan create -s ${bamboo.build.working.directory} --project-name ${bamboo.planRepository.1.name} --base-uri ${bamboo.CX_BASE_URI} --tenant ${bamboo.CX_TENANT} --client-id ${bamboo.CX_CLIENT_ID} --client-secret ${bamboo.CX_CLIENT_ID_SECRET} --branch ${bamboo.planRepository.1.branchName}
```
Viewing Scan Results in Bamboo
Notice
As with all Checkmarx One scans, you can view the scan results in the Checkmarx One web application or via API.
To view the scan results directly in Bamboo:

1. Add report arguments to the scan command: set --report-format to summaryHTML, and specify the desired --output-path and --output-name.
2. Add an artifacts section to the job with the name checkmarx, a location matching the {output-path} you designated, and a pattern of {output-name}.html.

The relevant part of the Scan job from Option 3, with the report arguments and artifact definition added:

```yaml
  tasks:
    - any-task:
        plugin-key: com.atlassian.bamboo.plugins.bamboo-docker-plugin:task.docker.cli
        configuration:
          commandOption: run
          image: checkmarx/ast-cli
          detach: 'false'
          serviceWait: 'false'
          command: /app/bin/cx scan create -s . --project-name mybamboo --base-uri ${bamboo.CX_BASE_URI} --tenant ${bamboo.CX_TENANT} --client-id ${bamboo.CX_CLIENT_ID} --client-secret ${bamboo.CX_CLIENT_ID_SECRET} --branch ${bamboo.planRepository.1.branchName} --report-format summaryHTML --output-path ./cx_results/ --output-name cx_results
          workDir: /data
          additionalArgs: --entrypoint=""
          hostDirectory_0: ${bamboo.working.directory}
          containerDataVolume_0: /data
        description: Ast Scan
  artifacts:
    - name: checkmarx
      location: cx_results
      pattern: cx_results.html
      shared: false
      required: false
  artifact-subscriptions: []
```
After running a scan, you can go to the Build page > Artifacts tab and click on the Checkmarx artifact to view the scan results summary as well as a link to the full results in the Checkmarx One web application.
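The samples above pass the client secret as a --client-secret argument, which places it in the task's command line and, unless Bamboo masks it, in the build log. As an added example (not from the Checkmarx documentation or the ast-cli project), the wrapper below covers both the Configuring Scan Settings and Viewing Scan Results steps from a Bamboo script task: it checks that the connection variables are present, selects OAuth or API-key authentication without ever echoing a credential, passes only non-secret values as flags, and fails the build if the summary report was not written. It assumes the CLI reads its documented CX_* environment variables (CX_BASE_URI, CX_TENANT, CX_CLIENT_ID, CX_CLIENT_SECRET, CX_APIKEY) for the values not given as flags; the script name cx-scan.sh, its argument order and the sample values in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Checkmarx documentation or the ast-cli project.
# Wrapper for a Bamboo script task: validate inputs, choose the auth method,
# run "cx scan create" and require the summaryHTML report to exist afterwards.
# Assumption: cx reads CX_BASE_URI, CX_TENANT, CX_CLIENT_ID, CX_CLIENT_SECRET
# and CX_APIKEY from the environment, so secrets never appear on its command line.
set -eu

# Print "oauth" or "apikey" according to which credentials are present.
# Error messages name the variable but never print its value.
cx_auth_mode() {
  if [ -n "${CX_CLIENT_ID:-}" ] && [ -n "${CX_CLIENT_SECRET:-}" ]; then
    echo oauth
  elif [ -n "${CX_APIKEY:-}" ]; then
    echo apikey
  else
    echo "cx-scan: set CX_CLIENT_ID and CX_CLIENT_SECRET, or CX_APIKEY" >&2
    return 1
  fi
}

# Verify the non-secret connection variables and report every missing name.
cx_check_vars() {
  rc=0
  for v in CX_BASE_URI CX_TENANT; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "cx-scan: missing project variable $v" >&2
      rc=1
    fi
  done
  return $rc
}

# Build the non-secret arguments for "cx scan create".
# $1 = source directory, $2 = project name, $3 = branch, $4 = report directory.
# Values are split on whitespace by the caller, so paths with spaces are not supported.
cx_scan_args() {
  printf '%s\n' "-s $1 --project-name $2 --branch $3 --report-format summaryHTML --output-path $4 --output-name cx_results"
}

# Run the scan; credentials come from the environment, not from flags.
run_scan() {
  cx_check_vars
  mode=$(cx_auth_mode)
  echo "cx-scan: authenticating with $mode"
  cx scan create $(cx_scan_args "$1" "$2" "$3" "$4")
  if [ ! -f "$4/cx_results.html" ]; then
    echo "cx-scan: summary report $4/cx_results.html was not produced" >&2
    return 1
  fi
}

# Usage from a Bamboo script task (Bamboo substitutes the ${bamboo.*} values
# before the script runs; variable names follow the table on this page):
#   CX_BASE_URI=${bamboo.CX_BASE_URI} CX_TENANT=${bamboo.CX_TENANT} \
#   CX_CLIENT_ID=${bamboo.CX_CLIENT_ID} CX_CLIENT_SECRET=${bamboo.CX_CLIENT_ID_SECRET} \
#   sh cx-scan.sh ${bamboo.build.working.directory} ${bamboo.planRepository.1.name} \
#       ${bamboo.planRepository.1.branchName} ./cx_results
if [ "$#" -eq 4 ]; then
  run_scan "$1" "$2" "$3" "$4"
fi
```

The artifact definition from the previous section then picks up cx_results/cx_results.html as before; the difference is that a missing report now fails the build instead of silently producing an empty artifact, and the only secret-bearing strings live in environment assignments rather than in the cx command line. Verify in a test build's log that Bamboo masks the secret value; Bamboo masks variables whose names contain "password" or "secret", which the CX_CLIENT_ID_SECRET name satisfies.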