You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
76 lines
2.6 KiB
76 lines
2.6 KiB
name: Scan with Checkmarx |
|
|
|
on: |
|
workflow_call: |
|
inputs: |
|
incremental: |
|
description: "Perform incremental scan" |
|
type: boolean |
|
default: ${{ contains(github.event_name, 'pull_request') }} |
|
upload-sarif: |
|
description: "Upload SARIF output to GitHub" |
|
type: boolean |
|
default: true |
|
secrets: |
|
AZURE_SUBSCRIPTION_ID: |
|
required: true |
|
AZURE_TENANT_ID: |
|
required: true |
|
AZURE_CLIENT_ID: |
|
required: true |
|
|
|
permissions: {} |
|
|
|
jobs: |
|
sast: |
|
name: SAST scan |
|
runs-on: ubuntu-24.04 |
|
permissions: |
|
contents: read |
|
pull-requests: write |
|
security-events: write |
|
id-token: write |
|
|
|
steps: |
|
- name: Check out repo |
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 |
|
with: |
|
ref: ${{ github.event.pull_request.head.sha }} |
|
|
|
- name: Log in to Azure |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Get Azure Key Vault secrets |
|
id: get-kv-secrets |
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
with: |
|
keyvault: gh-org-bitwarden |
|
secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET" |
|
|
|
- name: Log out from Azure |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
- name: Scan with Checkmarx |
|
uses: checkmarx/ast-github-action@427623bbb54f318e690463e11302a1eb1b9b2b5a # 2.3.25 |
|
with: |
|
project_name: ${{ github.repository }} |
|
cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }} |
|
base_uri: https://ast.checkmarx.net/ |
|
cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }} |
|
cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }} |
|
additional_params: | |
|
--report-format sarif \ |
|
--filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \ |
|
--output-path . ${{ inputs.incremental && '--sast-incremental' || '' }} \ |
|
|
|
- name: Upload Checkmarx results to GitHub |
|
if: inputs.upload-sarif |
|
uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 |
|
with: |
|
sarif_file: cx_result.sarif |
|
sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }} |
|
ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
|
|
|