CheckMarx Scan on Pull Request #37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow executes Checkmarx scans (SAST & SCA) on pull requests. It runs in a self-hosted actions runner | |
| # hosted in AWS. The flow has 3 parts: 1) start the ec2 runner instance 2) carry out the scans via CxFlow and | |
| # 3) stop the ec2 runner instance. It uses the following GitHub secrets: | |
| # AWS_EC2_INSTANCE_ID | |
| # CHECKMARX_URL | |
| # CHECKMARX_USERNAME | |
| # CHECKMARX_PASSWORD | |
| # CHECKMARX_URL | |
| # CHECKMARX_CLIENT_SECRET | |
| # SCA_USERNAME | |
| # SCA_PASSWORD | |
| # | |
| # To change the severity threshold, modify the --cx-flow.filter-severity parameter in the CxFlow job below | |
| name: CheckMarx Scan on Pull Request | |
| on: | |
| #pull_request: | |
| workflow_dispatch: | |
| jobs: | |
| start-runner: | |
| name: Start self-hosted EC2 runner | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v3 | |
| with: | |
| role-to-assume: arn:aws:iam::143694264087:role/GithubActions | |
| role-session-name: github-actions-runner-start-ec2 | |
| aws-region: us-east-1 | |
| - name: Start AWS EC2 | |
| # Run AWS Command on the GitHub Hosted runner which starts the instance | |
| run: | | |
| aws ec2 start-instances --instance-ids ${{secrets.AWS_EC2_INSTANCE_ID }} | |
| run-cxflow: | |
| name: Execute CxFlow | |
| # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues | |
| pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
| id-token: write # For OIDC connection | |
| needs: start-runner # required to start the main job when the runner is ready | |
| runs-on: [self-hosted, AWS, AppSec] | |
| # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) | |
| steps: | |
| # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | |
| - uses: actions/checkout@v4 | |
| # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs | |
| - name: Checkmarx CxFlow Action | |
| uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe | |
| with: | |
| project: sailpoint-oss-${{ github.event.repository.name }} | |
| team: CxServer/OSS | |
| # sast secrets | |
| checkmarx_url: ${{ secrets.CHECKMARX_URL }} | |
| checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} | |
| checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} | |
| checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} | |
| # sca secrets | |
| sca_api_url: https://api-sca.checkmarx.net | |
| sca_app_url: https://sca.checkmarx.net | |
| sca_access_control_url: https://platform.checkmarx.net | |
| sca_username: ${{ secrets.SCA_USERNAME }} | |
| sca_password: ${{ secrets.SCA_PASSWORD }} | |
| sca_tenant: sailpoint | |
| scanners: sast, sca | |
| params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity=high --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} | |
| # Upload the Report for CodeQL/Security Alerts | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: cx.sarif | |
| # post-job task is a script referenced in .env file (cleans up the _work directory) | |
| ############################# | |
| # We can't shut down the runner, as another workflow run might be queued up already. | |
| # Shutdown will be handled with a CloudWatch Alarm | |
| ############################# |