Add support for custom base registry in Checkmarx AST GitHub Action

- Introduced new input parameters: `base_registry`, `base_registry_username`, and `base_registry_password` for authenticating with a custom container registry.
- Updated action logic to build and run the Docker image from a specified base registry if provided, defaulting to Docker Hub otherwise.
- Enhanced documentation in README.md to include configuration details for using a custom base registry.
- Added a new workflow to test the custom registry feature, ensuring proper functionality and integration.
- Updated Dockerfile to support the new base registry argument.

Author: cx-amol-mane

.github/workflows/release.yml

@@ -23,13 +23,14 @@ jobs:
       - name: Extract full CLI version from Dockerfile
         id: extract_cli_version
         run: |
-          IMAGE_LINE=$(grep -m 1 '^FROM' Dockerfile | awk '{print $2}')  # Extract the full image reference
+          # Extract the image reference (supports optional BASE_REGISTRY variable in FROM)
+          IMAGE_LINE=$(grep -m 1 'checkmarx/ast-cli:' Dockerfile | grep -oP 'checkmarx/ast-cli:[^[:space:]]+')
           IMAGE_TAG=$(echo "$IMAGE_LINE" | cut -d':' -f2-)  # Get everything after the first colon
 
           echo "Extracted CLI version: $IMAGE_TAG"
 
           echo "CLI_VERSION=$IMAGE_TAG" >> $GITHUB_ENV
-          echo "::set-output name=CLI_VERSION::$IMAGE_TAG"
+          echo "CLI_VERSION=$IMAGE_TAG" >> $GITHUB_OUTPUT
 
 
       - name: Tag

.github/workflows/test-custom-registry.yml

@@ -0,0 +1,110 @@
+name: Test Custom Registry Feature
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_registry:
+        description: 'Custom registry URL (e.g., your-artifactory.jfrog.io)'
+        required: true
+        default: ''
+      skip_scan:
+        description: 'Skip actual scan (just test Docker build)'
+        type: boolean
+        default: false
+
+jobs:
+  test-custom-registry:
+    runs-on: ubuntu-latest
+    name: Test with Custom Registry
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Step 1: Verify Docker is available
+      - name: Verify Docker
+        run: |
+          echo "Docker version:"
+          docker --version
+          echo ""
+          echo "Docker info:"
+          docker info
+
+      # Step 2: Test registry login (standalone test)
+      - name: Test Registry Login
+        run: |
+          echo "Testing login to: ${{ inputs.base_registry }}"
+          echo "${{ secrets.ARTIFACTORY_PASSWORD }}" | docker login "${{ inputs.base_registry }}" -u "${{ secrets.ARTIFACTORY_USERNAME }}" --password-stdin
+          echo "✅ Registry login successful!"
+
+      # Step 3: Test image pull (standalone test)
+      - name: Test Image Pull
+        run: |
+          echo "Testing image pull from custom registry..."
+          REGISTRY="${{ inputs.base_registry }}"
+          # Ensure registry ends with /
+          [[ "$REGISTRY" != */ ]] && REGISTRY="${REGISTRY}/"
+          
+          IMAGE="${REGISTRY}checkmarx/ast-cli:2.3.41"
+          echo "Pulling: $IMAGE"
+          
+          docker pull "$IMAGE"
+          echo "✅ Image pull successful!"
+          
+          echo ""
+          echo "Image details:"
+          docker inspect "$IMAGE" | jq '.[0].RepoTags, .[0].Created, .[0].Size'
+
+      # Step 4: Test Docker build with build-arg
+      - name: Test Docker Build
+        run: |
+          echo "Testing Docker build with custom base registry..."
+          REGISTRY="${{ inputs.base_registry }}"
+          [[ "$REGISTRY" != */ ]] && REGISTRY="${REGISTRY}/"
+          
+          echo "Building with BASE_REGISTRY=${REGISTRY}"
+          
+          docker build \
+            --build-arg BASE_REGISTRY="${REGISTRY}" \
+            -t checkmarx-ast-action:test \
+            .
+          
+          echo "✅ Docker build successful!"
+          
+          echo ""
+          echo "Built image details:"
+          docker images checkmarx-ast-action:test
+
+      # Step 5: Test full action (optional - if not skipping scan)
+      - name: Run Full Checkmarx Scan
+        if: ${{ inputs.skip_scan == false }}
+        uses: ./
+        with:
+          base_registry: ${{ inputs.base_registry }}
+          base_registry_username: ${{ secrets.ARTIFACTORY_USERNAME }}
+          base_registry_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+          base_uri: ${{ secrets.CX_BASE_URI }}
+          cx_tenant: ${{ secrets.CX_TENANT }}
+          cx_client_id: ${{ secrets.CX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
+          project_name: ${{ github.repository }}-custom-registry-test
+          scan_params: --scan-types sast --sast-incremental
+
+      # Step 6: Summary
+      - name: Test Summary
+        run: |
+          echo "## Test Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Test | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Registry Login | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
+          echo "| Image Pull | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
+          echo "| Docker Build | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ inputs.skip_scan }}" == "false" ]; then
+            echo "| Full Scan | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "| Full Scan | ⏭️ Skipped |" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Registry Used:** \`${{ inputs.base_registry }}\`" >> $GITHUB_STEP_SUMMARY
+

.github/workflows/update-docker-image.yml

@@ -38,8 +38,8 @@ jobs:
           DIGEST=$(curl -s -I -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
             "https://registry.hub.docker.com/v2/${REPO}/manifests/${RELEASE_TAG}" | grep -i "Docker-Content-Digest" | awk '{print $2}' | tr -d '\r')
 
-          # Get the current tag from the Dockerfile
-          CURRENT_TAG=$(grep -oP '(?<=FROM checkmarx/ast-cli:)[^@]+' Dockerfile)
+          # Get the current tag from the Dockerfile (supports optional BASE_REGISTRY variable)
+          CURRENT_TAG=$(grep -oP '(?<=checkmarx/ast-cli:)[^@]+' Dockerfile)
 
           echo "RELEASE_TAG=$RELEASE_TAG" >> $GITHUB_ENV
           echo "DIGEST=$DIGEST" >> $GITHUB_ENV
@@ -48,7 +48,8 @@ jobs:
       - name: Update Dockerfile
         if: env.CURRENT_TAG != env.RELEASE_TAG
         run: |
-          sed -i "s|FROM checkmarx/ast-cli:.*@sha256:[a-f0-9]*|FROM checkmarx/ast-cli:${RELEASE_TAG}@${DIGEST}|" Dockerfile
+          # Update the base image tag (supports optional BASE_REGISTRY variable in FROM)
+          sed -i "s|checkmarx/ast-cli:.*@sha256:[a-f0-9]*|checkmarx/ast-cli:${RELEASE_TAG}@${DIGEST}|" Dockerfile
 
       - name: Commit Changes
         if: env.CURRENT_TAG != env.RELEASE_TAG

Dockerfile

@@ -1,5 +1,12 @@
+# Build-time argument for custom base registry
+# If BASE_REGISTRY is provided, it should be in format: my-registry.example.com/
+# If not provided, defaults to Docker Hub
+ARG BASE_REGISTRY=""
+
 # Use AST Base image
-FROM checkmarx/ast-cli:2.3.41@sha256:6eb696e1a1bcc45d7f980763f08f97ab7780e447604f34e83145ad064752ab72
+# When BASE_REGISTRY is empty, this resolves to checkmarx/ast-cli:...
+# When BASE_REGISTRY is set (e.g., "my-registry.example.com/"), this resolves to my-registry.example.com/checkmarx/ast-cli:...
+FROM ${BASE_REGISTRY}checkmarx/ast-cli:2.3.41@sha256:6eb696e1a1bcc45d7f980763f08f97ab7780e447604f34e83145ad064752ab72
 
 # Docker actions must be run by the default Docker user (root).
 USER root

README.md

@@ -98,6 +98,46 @@ Cloud](https---checkmarx-com-resource-documents-en-34965-68678-github-cloud.html
 
 -   You have a Checkmarx One account and you have an OAuth **Client ID** and **Client Secret** for that account. To create an OAuth client, see [Creating an OAuth Client for Checkmarx One Integrations](https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e).
 
+## Custom Base Registry
+
+For environments with restricted access to public Docker registries (e.g., Docker Hub), you can configure the action to pull the `checkmarx/ast-cli` base image from an internal/enterprise registry.
+
+### Configuration
+
+Use the following input parameters:
+
+| Parameter | Required | Description |
+|-----------|----------|-------------|
+| `base_registry` | No | Base container registry URL (e.g., `my-registry.example.com`). If not provided, defaults to Docker Hub. |
+| `base_registry_username` | No | Username for authenticating with the base container registry. |
+| `base_registry_password` | No | Password/token for authenticating with the base container registry. |
+
+### Example Usage
+
+```yaml
+- name: Checkmarx AST CLI Action
+  uses: checkmarx/ast-github-action@main
+  with:
+    # Custom base registry configuration
+    base_registry: my-enterprise-registry.example.com
+    base_registry_username: ${{ secrets.REGISTRY_USERNAME }}
+    base_registry_password: ${{ secrets.REGISTRY_PASSWORD }}
+
+    # Standard Checkmarx One configuration
+    base_uri: https://ast.checkmarx.net/
+    cx_tenant: your_tenant
+    cx_client_id: ${{ secrets.CX_CLIENT_ID }}
+    cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
+```
+
+### Setting Up Your Enterprise Registry
+
+1. Mirror or proxy the `checkmarx/ast-cli` image from Docker Hub to your internal registry
+2. Ensure the image is available at `<your-registry>/checkmarx/ast-cli:<tag>`
+3. Configure the action with your registry URL and credentials
+
+For a complete example workflow, see [`sample-yml/checkmarx-ast-scan-custom-registry.yml`](sample-yml/checkmarx-ast-scan-custom-registry.yml).
+
 
 ## Getting Started
 

action.yml

@@ -2,6 +2,18 @@ name: 'Checkmarx AST Github Action'
 description: 'Simplify Checkmarx Scanning of source code along with Result consumption leveraging Checkmarx AST solution.'
 author: 'Checkmarx'
 inputs:
+  base_registry:
+    required: false
+    default: ''
+    description: 'Base container registry for pulling checkmarx/ast-cli image (e.g., my-registry.example.com). If not provided, defaults to Docker Hub (docker.io).'
+  base_registry_username:
+    required: false
+    default: ''
+    description: 'Username for authenticating with the base container registry'
+  base_registry_password:
+    required: false
+    default: ''
+    description: 'Password/token for authenticating with the base container registry'
   base_uri:
     required: true
     description: 'Provide the AST portal URL'
@@ -62,51 +74,119 @@ inputs:
     required: false
     default: .
     description: "Source directory"
-outputs: 
+outputs:
   cxcli:
     description: output from cli
+    value: ${{ steps.run-scan.outputs.cxcli }}
   cxScanID:
     description: scan ID output from cli
+    value: ${{ steps.run-scan.outputs.cxScanID }}
 runs:
-  using: 'docker'
-  image: 'Dockerfile'
-  args:
-    - ${{ inputs.base_uri }}
-    - ${{ inputs.cx_tenant }}
-    - ${{ inputs.cx_client_id }}
-    - ${{ inputs.cx_client_secret }}
-    - ${{ inputs.github_token }}
-    - ${{ inputs.project_name }}
-    - ${{ inputs.additional_params }}
-    - ${{ inputs.global_params }}
-    - ${{ inputs.scan_params }}
-    - ${{ inputs.utils_params }}
-    - ${{ inputs.results_params }}
-    - ${{ inputs.repo_name }}
-    - ${{ inputs.namespace }}
-    - ${{ inputs.pr_number }}
-    - ${{ inputs.source_dir }}
-  entrypoint: '/app/entrypoint.sh'
-  post-if: cancelled()
-  post-entrypoint: '/app/cleanup.sh'
+  using: 'composite'
+  steps:
+    # Step 1: Login to base registry if credentials are provided
+    - name: Login to base registry
+      if: ${{ inputs.base_registry != '' && inputs.base_registry_username != '' && inputs.base_registry_password != '' }}
+      shell: bash
+      run: |
+        echo "Logging into base registry: ${{ inputs.base_registry }}"
+        echo "${{ inputs.base_registry_password }}" | docker login "${{ inputs.base_registry }}" -u "${{ inputs.base_registry_username }}" --password-stdin
+
+    # Step 2: Build Docker image with custom base registry
+    - name: Build Docker image
+      shell: bash
+      run: |
+        # Prepare the base registry argument
+        BASE_REGISTRY_ARG=""
+        if [ -n "${{ inputs.base_registry }}" ]; then
+          # Ensure registry ends with a slash
+          REGISTRY="${{ inputs.base_registry }}"
+          if [[ ! "$REGISTRY" == */ ]]; then
+            REGISTRY="${REGISTRY}/"
+          fi
+          BASE_REGISTRY_ARG="$REGISTRY"
+          echo "Using custom base registry: ${BASE_REGISTRY_ARG}"
+        else
+          echo "Using default Docker Hub registry"
+        fi
+
+        # Build the Docker image
+        docker build \
+          --build-arg BASE_REGISTRY="${BASE_REGISTRY_ARG}" \
+          -t checkmarx-ast-action:local \
+          "${{ github.action_path }}"
+
+    # Step 3: Run the scan
+    - name: Run Checkmarx scan
+      id: run-scan
+      shell: bash
+      env:
+        CX_BASE_URI: ${{ inputs.base_uri }}
+        CX_TENANT: ${{ inputs.cx_tenant }}
+        CX_CLIENT_ID: ${{ inputs.cx_client_id }}
+        CX_CLIENT_SECRET: ${{ inputs.cx_client_secret }}
+        GITHUB_TOKEN: ${{ inputs.github_token }}
+        BRANCH: ${{ inputs.branch }}
+        PROJECT_NAME: ${{ inputs.project_name }}
+        ADDITIONAL_PARAMS: ${{ inputs.additional_params }}
+        GLOBAL_PARAMS: ${{ inputs.global_params }}
+        SCAN_PARAMS: ${{ inputs.scan_params }}
+        UTILS_PARAMS: ${{ inputs.utils_params }}
+        RESULTS_PARAMS: ${{ inputs.results_params }}
+        REPO_NAME: ${{ inputs.repo_name }}
+        NAMESPACE: ${{ inputs.namespace }}
+        PR_NUMBER: ${{ inputs.pr_number }}
+        SOURCE_DIR: ${{ inputs.source_dir }}
+      run: |
+        # Create temporary files for outputs
+        OUTPUT_FILE=$(mktemp)
+        SUMMARY_FILE=$(mktemp)
+
+        # Run the Docker container with --rm flag for automatic cleanup
+        docker run --rm \
+          -e CX_BASE_URI="${CX_BASE_URI}" \
+          -e CX_TENANT="${CX_TENANT}" \
+          -e CX_CLIENT_ID="${CX_CLIENT_ID}" \
+          -e CX_CLIENT_SECRET="${CX_CLIENT_SECRET}" \
+          -e GITHUB_TOKEN="${GITHUB_TOKEN}" \
+          -e BRANCH="${BRANCH}" \
+          -e PROJECT_NAME="${PROJECT_NAME}" \
+          -e ADDITIONAL_PARAMS="${ADDITIONAL_PARAMS}" \
+          -e GLOBAL_PARAMS="${GLOBAL_PARAMS}" \
+          -e SCAN_PARAMS="${SCAN_PARAMS}" \
+          -e UTILS_PARAMS="${UTILS_PARAMS}" \
+          -e RESULTS_PARAMS="${RESULTS_PARAMS}" \
+          -e REPO_NAME="${REPO_NAME}" \
+          -e NAMESPACE="${NAMESPACE}" \
+          -e PR_NUMBER="${PR_NUMBER}" \
+          -e SOURCE_DIR="${SOURCE_DIR}" \
+          -e GITHUB_SERVER_URL="${GITHUB_SERVER_URL}" \
+          -e GITHUB_OUTPUT="/github/file_commands/output" \
+          -e GITHUB_STEP_SUMMARY="/github/file_commands/summary" \
+          -v "${OUTPUT_FILE}:/github/file_commands/output" \
+          -v "${SUMMARY_FILE}:/github/file_commands/summary" \
+          -v "${GITHUB_WORKSPACE}:/github/workspace" \
+          -w /github/workspace \
+          checkmarx-ast-action:local \
+          /app/entrypoint.sh
+
+        EXIT_CODE=$?
+
+        # Copy outputs to GitHub outputs file
+        if [ -f "${OUTPUT_FILE}" ]; then
+          cat "${OUTPUT_FILE}" >> $GITHUB_OUTPUT
+        fi
+
+        # Copy summary to GitHub step summary
+        if [ -f "${SUMMARY_FILE}" ]; then
+          cat "${SUMMARY_FILE}" >> $GITHUB_STEP_SUMMARY
+        fi
+
+        # Cleanup temp files
+        rm -f "${OUTPUT_FILE}" "${SUMMARY_FILE}"
+
+        exit $EXIT_CODE
 
-  env:
-    CX_BASE_URI: "${{ inputs.base_uri }}"
-    CX_TENANT: ${{ inputs.cx_tenant }}
-    CX_CLIENT_ID: ${{ inputs.cx_client_id }}
-    CX_CLIENT_SECRET: ${{ inputs.cx_client_secret }}
-    GITHUB_TOKEN: ${{ inputs.github_token }}
-    BRANCH: ${{ inputs.branch }}
-    PROJECT_NAME: ${{ inputs.project_name }}
-    ADDITIONAL_PARAMS: ${{ inputs.additional_params }}
-    GLOBAL_PARAMS: ${{ inputs.global_params }}
-    SCAN_PARAMS: ${{ inputs.scan_params }}
-    UTILS_PARAMS: ${{ inputs.utils_params }}
-    RESULTS_PARAMS: ${{ inputs.results_params }}
-    REPO_NAME: ${{ inputs.repo_name }}
-    NAMESPACE: ${{ inputs.namespace }}
-    PR_NUMBER: ${{ inputs.pr_number }}
-    SOURCE_DIR: ${{ inputs.source_dir }}
 branding:
   icon: 'check'
   color: 'green'