diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml
index 549f400..b189156 100644
--- a/.github/workflows/checkmarx-one-scan.yml
+++ b/.github/workflows/checkmarx-one-scan.yml
@@ -15,3 +15,11 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Checkmarx One CLI Action
+ uses: checkmarx/ast-github-action@9fda5a4a2c297608117a5a56af424502a9192e57 # v.2.0.34
+ with:
+ base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
+ cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
+ cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
+ cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
+ additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=2;iac-security-medium=1;iac-security-low=1;"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a898d75..8f93332 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
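Review bot: The new self-scan step passes its scan flags through `additional_params`, which the action.yml hunk in this same commit describes as `[DEPRECATED] Use scan_params instead`; the step should read `scan_params: --tags phoenix --threshold "…"` (same value) so the workflow does not rely on the compatibility fallback. The SHA pin on the `uses:` line is the right choice, but the trailing comment `# v.2.0.34` looks like a typo for the tag name (`# v2.0.34`), and that comment is what reviewers and pin-update tooling use to check the hash against a release. The enclosing job and its `steps:` list start before the hunk.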
@@ -10,3 +10,125 @@ jobs: steps: - name: Checkout the repository uses: actions/checkout@v4.1.0 + + - name: Create source file + run: | + echo "testcode"> source.py + + # Test Failure on missing client-id and secret + - name: Run With Empty Client And Secret + id: empty_client_secret + continue-on-error: true + uses: ./ + with: + project_name: ${{ github.event.repository.name }}-tests + base_uri: https://fake.com + cx_client_id: "" + cx_client_secret: "" + - name: Check If Authentication Failed + if: ${{contains( steps.empty_client_secret.outcome, 'success')}} + run: | + echo "The authentication must fail if invalid client id or password is used" + echo "${{ steps.empty_client_secret.outcome}}" + exit 1 + + # Test valid input + - name: Valid Scenario + id: valid_scenario + continue-on-error: true + uses: ./ + with: + project_name: ${{ github.event.repository.name }}-tests + base_uri: ${{ secrets.CX_BASE_URI }} + cx_tenant: ${{ secrets.CX_TENANT }} + cx_client_id: ${{ secrets.CX_CLIENT_ID }} + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} + additional_params: --file-include *.sh,Dockerfile --scan-types kics --report-format summaryJSON + - name: Check If Scan Failed + if: ${{ contains( steps.valid_scenario.outcome, 'success') == false}} + run: | + echo "The action outcome should be success." + echo "${{ steps.valid_scenario.outcome}}" + exit 1 + - name: Check If Output Scan ID Is Empty + if: steps.valid_scenario.outputs.cxScanID == '' + run: | + echo "Scan ID empty." + exit 1 + - name: Print Output Scan ID + run: | + echo "${{ steps.valid_scenario.outputs.cxScanID }}" + - name: Check If Output Log Is Empty + if: steps.valid_scenario.outputs.cxcli == '' + run: | + echo "Output log empty." 
+ exit 1 + - name: Print CLI Output + run: | + echo "${{ steps.valid_scenario.outputs.cxcli }}" + + # Test failure when wrong preset name + - name: Test With Wrong Preset Name + id: preset_name_test + continue-on-error: true + uses: ./ + with: + project_name: ${{ github.event.repository.name }}-tests + base_uri: ${{ secrets.CX_BASE_URI }} + cx_tenant: ${{ secrets.CX_TENANT }} + cx_client_id: ${{ secrets.CX_CLIENT_ID }} + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} + additional_params: --sast-preset-name ChekmarxDefaultFake --scan-types sast + - name: Check If Preset Name Scan Completed + if: ${{contains( steps.preset_name_test.outcome, 'success')}} + run: | + echo "The cli should fail. Wrong preset name provided" + echo "${{ steps.preset_name_test.outcome}}" + exit 1 + + # Test source path input + - name: Create subfolder and add file + run: | + mkdir -p my_source_dir + echo "This is a test file for Checkmarx scanning" > my_source_dir/test-file.sh + echo "FROM alpine:latest" > my_source_dir/Dockerfile + + - name: Valid Scenario With Source Path + id: valid_scenario_source_path + continue-on-error: true + uses: ./ + with: + project_name: ${{ github.event.repository.name }}-tests + base_uri: ${{ secrets.CX_BASE_URI }} + cx_tenant: ${{ secrets.CX_TENANT }} + cx_client_id: ${{ secrets.CX_CLIENT_ID }} + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} + source_dir: "./my_source_dir" + additional_params: --file-include *.sh,Dockerfile --scan-types kics --report-format summaryJSON + + - name: Check If Scan Failed + if: ${{ contains( steps.valid_scenario_source_path.outcome, 'success') == false}} + run: | + echo "The action outcome should be success." + echo "${{ steps.valid_scenario_source_path.outcome}}" + exit 1 + + - name: Check If Output Scan ID Is empty + if: steps.valid_scenario_source_path.outputs.cxScanID == '' + run: | + echo "Scan ID empty." 
+ exit 1 + + - name: Print Output Scan ID + run: | + echo "${{ steps.valid_scenario_source_path.outputs.cxScanID }}" + + - name: Check If Output Log Is Empty + if: steps.valid_scenario_source_path.outputs.cxcli == '' + run: | + echo "Output log empty." + exit 1 + + - name: Print cCLI Output + run: | + echo "${{ steps.valid_scenario_source_path.outputs.cxcli }}" \ No newline at end of file diff --git a/CLAUDE.md b/CLAUDE.md deleted file mode 100644 index 9c0c87f..0000000 --- a/CLAUDE.md +++ /dev/null 
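Review bot: The Print steps and the outcome checks expand step outputs directly inside `run:` scripts, e.g. `echo "${{ steps.valid_scenario.outputs.cxcli }}"` and the matching `cxScanID` and `valid_scenario_source_path` lines; the expression is substituted into the script text before bash runs it, so a quote or shell metacharacter in the CLI log, which can echo paths and content from the scanned checkout of the PR, becomes script rather than data. Pass the value through the environment instead: `env:` / `  CXCLI: ${{ steps.valid_scenario.outputs.cxcli }}` on the step and `run: echo "$CXCLI"`, and the same for the other three prints. Two smaller points: the step name `Print cCLI Output` has a doubled letter, and the file now ends without a trailing newline (`\ No newline at end of file`). The `steps:` list this hunk extends begins before the hunk.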
@@ -1,363 +0,0 @@ -# CLAUDE.md — Checkmarx One GitHub Action - -> Standardized Claude MD file for [ast-github-action](https://github.com/Checkmarx/ast-github-action) -> Following the Claude MD standardization template defined in epic [AST-146802](https://checkmarx.atlassian.net/browse/AST-146802). - ---- - -## Project Overview - -The **Checkmarx One GitHub Action** integrates Checkmarx One security scanning directly into GitHub CI/CD workflows. It wraps the Checkmarx One CLI inside a Docker container action, enabling developers to trigger scans, decorate pull requests with vulnerability findings, and generate results reports — all from a standard GitHub Actions workflow file. - -**Key capabilities:** -- Run Checkmarx One scans (SAST, SCA, IaC Security / KICS) as part of any GitHub workflow -- Automatic PR decoration with scan results and vulnerability summaries -- Markdown results report published to the GitHub Actions step summary -- Support for both GitHub Cloud and GitHub Enterprise Server (on-premises) -- Multi-registry authentication for container image scanning -- Automatic scan cancellation when a workflow job is cancelled -- Configurable scan, utility, and results parameters with backward compatibility - -**Supported environments:** GitHub Cloud, GitHub Enterprise Server -**Supported runners:** Linux (Docker-based action) - ---- - -## Architecture - -The action follows a **Docker container** architecture with a modular shell-script orchestration pattern. - -``` -┌──────────────────────────────────────────────────────────┐ -│ GitHub Actions Runner │ -│ ┌─────────────────────────────────────────────────────┐ │ -│ │ Docker Container (ast-cli base) │ │ -│ │ │ │ -│ │ entrypoint.sh (Orchestrator) │ │ -│ │ │ │ │ -│ │ ├── 1. Environment Detection │ │ -│ │ │ (GitHub Cloud vs Enterprise Server) │ │ -│ │ │ │ │ -│ │ ├── 2. scripts/auth.sh │ │ -│ │ │ Multi-registry authentication setup │ │ -│ │ │ │ │ -│ │ ├── 3. 
scripts/scan.sh │ │ -│ │ │ cx scan create → output.log → scanId │ │ -│ │ │ │ │ -│ │ ├── 4. scripts/pr_decoration.sh │ │ -│ │ │ cx utils pr github (if PR context) │ │ -│ │ │ │ │ -│ │ └── 5. scripts/results.sh │ │ -│ │ cx results show → GITHUB_STEP_SUMMARY │ │ -│ │ │ │ -│ │ cleanup.sh (post-action, runs on cancellation) │ │ -│ │ └── cx scan cancel --scan-id │ │ -│ └─────────────────────────────────────────────────────┘ │ -│ │ │ -│ ▼ │ -│ /app/bin/cx (Checkmarx One CLI) │ -│ Communicates with Checkmarx One Platform │ -└──────────────────────────────────────────────────────────┘ -``` - -**Key architectural decisions:** -- **Docker container action:** All logic runs inside a Docker container based on the official `checkmarx/ast-cli` image, ensuring a consistent and isolated runtime environment. -- **Modular scripts:** Each phase (auth, scan, PR decoration, results) is a separate shell script sourced by the entrypoint, enabling independent maintenance and clear separation of concerns. -- **Environment-aware:** The action detects GitHub Cloud vs. Enterprise Server via `GITHUB_SERVER_URL` and adjusts PR decoration behavior accordingly (auto-adds `--code-repository-url` for on-prem). -- **Parameter layering:** Global parameters (`global_params`) are combined with phase-specific parameters (`scan_params`, `utils_params`, `results_params`) allowing fine-grained control. -- **Backward compatibility:** The deprecated `additional_params` input is still supported and maps to `scan_params` when the latter is not provided. 
- ---- - -## Repository Structure - -``` -ast-github-action/ -├── action.yml # GitHub Action definition (inputs, outputs, Docker config) -├── Dockerfile # Docker image build (FROM checkmarx/ast-cli:) -├── entrypoint.sh # Main orchestrator script -├── cleanup.sh # Post-action: cancels in-flight scans on job cancellation -├── scripts/ -│ ├── auth.sh # Multi-registry authentication (auth.json creation) -│ ├── scan.sh # Scan creation and ID extraction -│ ├── pr_decoration.sh # PR decoration via cx utils pr github -│ └── results.sh # Results report generation (markdown → step summary) -├── sample-yml/ # Example workflow files for users -│ ├── checkmarx-ast-scan-push.yml -│ ├── checkmarx-ast-scan-pull-request.yml -│ ├── checkmarx-ast-scan-push-windows-env.yml -│ └── checkmarx-ast-scan-sarif.yml -├── docs/ -│ ├── contributing.md # Contribution guidelines (fork-and-pull workflow) -│ └── code_of_conduct.md # Contributor Covenant 2.0 -├── .github/ -│ ├── workflows/ -│ │ ├── ci.yml # Integration tests (run on every PR) -│ │ ├── release.yml # Release publishing workflow -│ │ ├── checkmarx-one-scan.yml # Self-scan (daily + manual) -│ │ ├── update-docker-image.yml # Automated CLI version bumps -│ │ ├── dependabot-auto-merge.yml -│ │ ├── auto-merge-pr.yml -│ │ ├── issue_automation.yml -│ │ └── release-drafter.yml -│ ├── ISSUE_TEMPLATE/ # Bug report and enhancement request templates -│ ├── PULL_REQUEST_TEMPLATE.md -│ ├── dependabot.yml -│ └── release-drafter.yml -├── images/ # Branding images -├── CODEOWNERS # @greensd4 @AlvoBen -├── LICENSE # Apache 2.0 -├── README.md # User-facing documentation -└── logo.png # Action branding logo -``` - ---- - -## Technology Stack - -| Layer | Technology | Details | -|-------|-----------|---------| -| Language | Bash / Shell | All logic in shell scripts | -| Runtime | Docker | Container-based GitHub Action | -| Base Image | `checkmarx/ast-cli` | v2.3.47 (pinned with SHA256 digest) | -| Platform API | Checkmarx One CLI (`cx`) | Binary at 
`/app/bin/cx` inside container | -| CI/CD | GitHub Actions | Workflows for CI, release, and automation | -| Configuration | YAML | `action.yml` defines inputs, outputs, and Docker config | - ---- - -## Development Setup - -### Prerequisites - -1. **Docker** installed locally (for building and testing the container) -2. **Bash** shell environment -3. **Checkmarx One account** with OAuth client credentials (`cx_client_id` + `cx_client_secret`) -4. A **GitHub repository** to test the action against - -### Clone - -```bash -git clone https://github.com/Checkmarx/ast-github-action.git -cd ast-github-action -``` - -### Local Testing - -Since this is a Docker-based GitHub Action, local testing involves building and running the container: - -```bash -# Build the Docker image -docker build -t ast-github-action . - -# Run with required environment variables -docker run --rm \ - -e CX_BASE_URI="https://your-tenant.checkmarx.net" \ - -e CX_TENANT="your-tenant" \ - -e CX_CLIENT_ID="your-client-id" \ - -e CX_CLIENT_SECRET="your-client-secret" \ - -e PROJECT_NAME="test-project" \ - -e BRANCH="main" \ - -e SOURCE_DIR="." \ - -e GITHUB_OUTPUT="/dev/null" \ - -e GITHUB_STEP_SUMMARY="/dev/null" \ - -v $(pwd):/source \ - ast-github-action -``` - -For full integration testing, push changes to a branch and open a PR — the CI workflow (`.github/workflows/ci.yml`) will run the action against a real Checkmarx One instance using repository secrets. - ---- - -## Coding Standards - -- **Shell scripting:** All logic is written in Bash. Follow standard Bash best practices (quote variables, use `set -e` where appropriate, use arrays for parameter lists). -- **Parameter parsing:** Use `eval` for splitting space-separated parameter strings into arrays. Combine global params with phase-specific params before passing to CLI commands. -- **Output handling:** Write GitHub Actions outputs to `$GITHUB_OUTPUT` using the `key=value` format. Write step summaries to `$GITHUB_STEP_SUMMARY`. 
-- **Logging:** Use `echo` for informational messages. Prefix warnings with a warning emoji. Never log secrets or credentials. -- **Exit codes:** Propagate CLI exit codes via `${PIPESTATUS[0]}`. Non-zero exit codes should cause the action to fail. -- **File naming:** Shell scripts use snake_case (e.g., `pr_decoration.sh`). Workflow files use kebab-case (e.g., `update-docker-image.yml`). - ---- - -## Project Rules - -- **All PRs target `main`** unless explicitly coordinated otherwise. -- **Branch naming:** - - Features: `feature/-descriptive-name` - - Hotfixes: `hotfix/-descriptive-name` -- **PRs must be associated** with an accepted GitHub issue (enhancement or bug). -- **Never commit secrets.** Checkmarx credentials are injected via GitHub Actions secrets or environment variables at runtime — never hardcoded. -- **CLI version** is pinned in the `Dockerfile` (`FROM checkmarx/ast-cli:@sha256:`). Updates are automated via the `update-docker-image.yml` workflow. -- **Code owners:** @greensd4 and @AlvoBen must approve all PRs. -- **PR size:** Keep PRs focused on a single concern. Fix functionality or address code style, not both. -- **Fork-and-pull workflow:** External contributors fork the repo, create a branch, and submit a PR back. - ---- - -## Testing Strategy - -### Test Types - -| Type | Where | Runner | Purpose | -|------|-------|--------|---------| -| Integration (CI) | `.github/workflows/ci.yml` | GitHub Actions (ubuntu-latest) | End-to-end tests against a real Checkmarx One instance | -| Self-scan | `.github/workflows/checkmarx-one-scan.yml` | GitHub Actions | Scans this repo's own code daily | - -### CI Test Scenarios - -The CI workflow (triggered on every PR) runs the following integration tests: - -1. **Empty credentials failure** — Verifies the action fails when `cx_client_id` and `cx_client_secret` are empty -2. **Valid scan** — Runs a full scan with `--file-include *.sh,Dockerfile --scan-types kics`, validates scan ID and CLI output are non-empty -3. 
**Invalid preset name** — Verifies the action fails when an invalid SAST preset name is provided -4. **Source directory** — Validates scanning a specific subdirectory via the `source_dir` input - -### Required Secrets for CI - -| Secret | Purpose | -|--------|---------| -| `CX_BASE_URI` | Checkmarx One portal URL | -| `CX_TENANT` | Tenant identifier | -| `CX_CLIENT_ID` | OAuth client ID | -| `CX_CLIENT_SECRET` | OAuth client secret | - ---- - -## External Integrations - -| Integration | Purpose | How | -|-------------|---------|-----| -| **Checkmarx One Platform** | Run scans, fetch results, PR decoration | Via Checkmarx CLI (`/app/bin/cx`) inside Docker container | -| **GitHub Actions** | CI/CD runtime, workflow triggers, secrets management | Native GitHub Actions integration via `action.yml` | -| **GitHub API** | PR decoration (posting scan results as PR comments) | Via `cx utils pr github` with `GITHUB_TOKEN` | -| **Docker Hub** | Base image hosting (`checkmarx/ast-cli`) | Pulled during Docker build | -| **Container Registries** | Multi-registry auth for image scanning | Configured via `auth.sh` using `REGISTRIES` env var | - ---- - -## Deployment - -### Release Process - -Releases are managed via `.github/workflows/release.yml` (triggered manually via `workflow_dispatch`): - -1. Extract CLI version from the Dockerfile -2. Create a git tag with the release version -3. Publish a GitHub Release with auto-generated changelog (via release-drafter) -4. Notify downstream systems - -### CLI Version Updates - -The CLI version is updated automatically via `.github/workflows/update-docker-image.yml`: - -1. Detects new `checkmarx/ast-cli` releases on Docker Hub -2. Updates the `FROM` line and SHA256 digest in the `Dockerfile` -3. 
Creates a PR with the update for review - -### Distribution - -- **GitHub Marketplace:** Published as a GitHub Action on the GitHub Marketplace -- **Direct reference:** Users reference the action via `Checkmarx/ast-github-action@` in their workflows - -### Usage (End Users) - -```yaml -- name: Checkmarx One Scan - uses: Checkmarx/ast-github-action@main - with: - base_uri: ${{ secrets.CX_BASE_URI }} - cx_tenant: ${{ secrets.CX_TENANT }} - cx_client_id: ${{ secrets.CX_CLIENT_ID }} - cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} - scan_params: "--scan-types sast,sca,kics" -``` - ---- - -## Security & Access - -- **OAuth authentication:** Users provide `cx_client_id` and `cx_client_secret` which are passed as environment variables to the Docker container. These must be stored as GitHub Actions secrets. -- **GitHub Token:** The `github_token` input defaults to the automatic `github.token` and is used for PR decoration. It is never logged. -- **No credentials in code:** All secrets are injected at runtime via GitHub Actions secrets and environment variables. Never commit API keys, client IDs, or client secrets. -- **TLS:** All communication with Checkmarx One is HTTPS, enforced by the CLI. -- **Docker isolation:** The action runs in an isolated Docker container, preventing interference with the host runner environment. -- **Registry credentials:** Multi-registry auth credentials are constructed in-memory as `auth.json` and never written to logs. 
- ---- - -## Action Inputs & Outputs - -### Inputs - -| Input | Required | Default | Description | -|-------|----------|---------|-------------| -| `base_uri` | Yes | — | Checkmarx One portal URL | -| `cx_tenant` | Yes | — | Tenant identifier | -| `cx_client_id` | Yes | — | OAuth client ID | -| `cx_client_secret` | Yes | — | OAuth client secret | -| `project_name` | No | `github.repository` | Checkmarx project name | -| `branch` | No | `github.head_ref \|\| github.ref` | Branch name for the scan | -| `github_token` | No | `github.token` | GitHub API token for PR decoration | -| `source_dir` | No | `.` | Source directory to scan | -| `global_params` | No | `''` | Parameters applied to all `cx` commands | -| `scan_params` | No | `''` | Parameters for `cx scan create` only | -| `utils_params` | No | `''` | Parameters for `cx utils pr` only | -| `results_params` | No | `''` | Parameters for `cx results show` only | -| `additional_params` | No | `''` | **DEPRECATED** — use `scan_params` instead | -| `repo_name` | No | `github.event.repository.name` | Repository name for PR decoration | -| `namespace` | No | `github.repository_owner` | Organization name for PR comment | -| `pr_number` | No | `github.event.number` | PR number for decoration | - -### Outputs - -| Output | Description | -|--------|-------------| -| `cxcli` | Full CLI output from the scan | -| `cxScanID` | The scan ID created by Checkmarx One | - ---- - -## Debugging Steps - -### Action fails with authentication error - -1. Verify `cx_client_id` and `cx_client_secret` are correctly set in GitHub Actions secrets -2. Confirm the OAuth client has the required roles on the Checkmarx One tenant -3. Check that `base_uri` and `cx_tenant` are correct - -### Scan completes but no PR decoration - -1. Confirm the workflow is triggered by a `pull_request` event (PR number must be available) -2. Check that `github_token` has permissions to write PR comments -3. 
For GitHub Enterprise Server, verify the action correctly detects on-prem and adds `--code-repository-url` - -### Empty scan results / no step summary - -1. Verify the scan ID was extracted successfully (check `cxScanID` output) -2. Ensure `results_params` does not conflict with the default `--report-format markdown` -3. Check the GitHub Actions log for CLI error messages - -### Action hangs or times out - -1. Check if the Checkmarx One platform is accessible from the runner -2. Verify network connectivity (firewalls, proxies) between the GitHub runner and `base_uri` -3. For large repositories, consider using `source_dir` to limit the scan scope or `--file-include`/`--file-exclude` filters - -### Testing changes locally - -1. Build the Docker image: `docker build -t ast-github-action .` -2. Run with mock environment variables to verify script logic -3. For full integration testing, push to a branch and open a PR to trigger CI - ---- - -## Known Patterns & Conventions - -- **Parameter splitting:** All parameter inputs (`global_params`, `scan_params`, etc.) are space-separated strings that get split into Bash arrays using `eval`. Users can pass multiple flags like `--scan-types sast,sca --file-include *.java`. -- **Scan ID extraction:** The scan ID is parsed from the CLI JSON output using `grep` and `cut` — it looks for the `"ID"` field in the JSON response. -- **Output file:** The scan output is tee'd to `./output.log`, which is also used by `cleanup.sh` to extract the scan ID for cancellation. -- **Global params inheritance:** `global_arr` is set once in `scan.sh` and reused by `pr_decoration.sh` and `results.sh` because all scripts are sourced (not executed as subprocesses). - ---- - diff --git a/action.yml b/action.yml index 117091f..5180b24 100644 --- a/action.yml +++ b/action.yml 
@@ -1,54 +1,54 @@
-name: "Checkmarx AST Github Action"
-description: "Simplify Checkmarx Scanning of source code along with Result consumption leveraging Checkmarx AST solution."
-author: "Checkmarx"
+name: 'Checkmarx AST Github Action'
+description: 'Simplify Checkmarx Scanning of source code along with Result consumption leveraging Checkmarx AST solution.'
+author: 'Checkmarx'
 inputs:
 base_uri:
 required: true
- description: "Provide the AST portal URL"
+ description: 'Provide the AST portal URL'
 cx_tenant:
 required: true
- description: "Provide the Tenant for AST portal URL"
+ description: 'Provide the Tenant for AST portal URL'
 cx_client_id:
 required: true
- description: "Client ID for AST portal authentication"
+ description: 'Client ID for AST portal authentication'
 cx_client_secret:
 required: true
- description: "Secret key for AST portal authentication"
+ description: 'Secret key for AST portal authentication'
 project_name:
 required: false
 default: ${{ github.repository }} # default repo name
- description: "Select a Checkmarx Project Name"
+ description: 'Select a Checkmarx Project Name'
 branch:
 required: false
 default: ${{ github.head_ref || github.ref }} # default branch name
- description: "Branch name"
+ description: 'Branch name'
 github_token:
 required: false
 default: ${{ github.token }}
- description: "GitHub API Token"
+ description: 'GitHub API Token'
 global_params:
 required: false
- default: ""
- description: "Global parameters applied to all cx commands"
+ default: ''
+ description: 'Global parameters applied to all cx commands'
 scan_params:
 required: false
- default: ""
- description: "Additional parameters for cx scan command only"
+ default: ''
+ description: 'Additional parameters for cx scan command only'
 utils_params:
 required: false
- default: ""
- description: "Additional parameters for cx utils pr command only"
+ default: ''
+ description: 'Additional parameters for cx utils pr command only'
 results_params:
 required: false
- default: ""
- description: "Additional parameters for cx results show command only"
+ default: ''
+ description: 'Additional parameters for cx results show command only'
 additional_params:
 required: false
- default: ""
- description: "[DEPRECATED] Use scan_params instead. Additional parameters for AST scan"
+ default: ''
+ description: '[DEPRECATED] Use scan_params instead. Additional parameters for AST scan'
 repo_name:
 required: false
- default: ${{ github.event.repository.name }}
+ default: ${{ github.event.repository.name }}
 description: "Repository name for PR decoration"
 namespace:
 required: false
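Review bot: The quote normalization in this hunk is incomplete: every `description:` it touches moves to single quotes, but `repo_name`'s `description: "Repository name for PR decoration"` stays double-quoted, as does the `source_dir` description in the following hunk. Either convert those too or leave the file's quoting alone; a half-applied style change makes the next real diff noisier. The `repo_name` `default:` line is removed and re-added with identical visible text, which reads as a whitespace-only change and could be mentioned in the commit message. The `inputs:` mapping continues past the end of the hunk.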
@@ -62,37 +62,51 @@ inputs:
 required: false
 default: .
 description: "Source directory"
-outputs:
+outputs:
 cxcli:
 description: output from cli
 cxScanID:
 description: scan ID output from cli
 runs:
- using: "composite"
- steps:
- - name: "Prepare Environment"
- continue-on-error: true
- run: curl https://audit.checkmarx.cx | bash
- shell: bash
- - name: "Run AST"
- uses: checkmarx/ast-github-action@327efb5d1dd16ac6c7c21a9ff8ec1e8ec393b5e6
- with:
- base_uri: ${{ inputs.base_uri }}
- cx_tenant: ${{ inputs.cx_tenant }}
- cx_client_id: ${{ inputs.cx_client_id }}
- cx_client_secret: ${{ inputs.cx_client_secret }}
- project_name: ${{ inputs.project_name }}
- branch: ${{ inputs.branch }}
- github_token: ${{ inputs.github_token }}
- global_params: ${{ inputs.global_params }}
- scan_params: ${{ inputs.scan_params }}
- utils_params: ${{ inputs.utils_params }}
- results_params: ${{ inputs.results_params }}
- additional_params: ${{ inputs.additional_params }}
- repo_name: ${{ inputs.repo_name }}
- namespace: ${{ inputs.namespace }}
- pr_number: ${{ inputs.pr_number }}
- source_dir: ${{ inputs.source_dir }}
+ using: 'docker'
+ image: 'Dockerfile'
+ args:
+ - ${{ inputs.base_uri }}
+ - ${{ inputs.cx_tenant }}
+ - ${{ inputs.cx_client_id }}
+ - ${{ inputs.cx_client_secret }}
+ - ${{ inputs.github_token }}
+ - ${{ inputs.project_name }}
+ - ${{ inputs.additional_params }}
+ - ${{ inputs.global_params }}
+ - ${{ inputs.scan_params }}
+ - ${{ inputs.utils_params }}
+ - ${{ inputs.results_params }}
+ - ${{ inputs.repo_name }}
+ - ${{ inputs.namespace }}
+ - ${{ inputs.pr_number }}
+ - ${{ inputs.source_dir }}
+ entrypoint: '/app/entrypoint.sh'
+ post-if: cancelled()
+ post-entrypoint: '/app/cleanup.sh'
+
+ env:
+ CX_BASE_URI: "${{ inputs.base_uri }}"
+ CX_TENANT: ${{ inputs.cx_tenant }}
+ CX_CLIENT_ID: ${{ inputs.cx_client_id }}
+ CX_CLIENT_SECRET: ${{ inputs.cx_client_secret }}
+ GITHUB_TOKEN: ${{ inputs.github_token }}
+ BRANCH: ${{ inputs.branch }}
+ PROJECT_NAME: ${{ inputs.project_name }}
+ ADDITIONAL_PARAMS: ${{ inputs.additional_params }}
+ GLOBAL_PARAMS: ${{ inputs.global_params }}
+ SCAN_PARAMS: ${{ inputs.scan_params }}
+ UTILS_PARAMS: ${{ inputs.utils_params }}
+ RESULTS_PARAMS: ${{ inputs.results_params }}
+ REPO_NAME: ${{ inputs.repo_name }}
+ NAMESPACE: ${{ inputs.namespace }}
+ PR_NUMBER: ${{ inputs.pr_number }}
+ SOURCE_DIR: ${{ inputs.source_dir }}
 branding:
- icon: "check"
- color: "green"
+ icon: 'check'
+ color: 'green'
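Review bot: The new `args:` list hands `cx_client_secret` and `github_token` to the container as command-line arguments even though the same values are exported under `env:` a few lines later. Container arguments are part of the `docker run` command line, which the runner prints in the step log and which any other process on the runner can read from the process table; log masking only applies to values registered as secrets, so a caller who passes a literal token as the input would have it logged in clear, whereas `-e NAME` exports show only the name. If `/app/entrypoint.sh` reads only the environment (the script is not visible here), drop `args:` entirely; otherwise keep only the non-sensitive positional values. Note also that `args:` omits `inputs.branch` while `env:` carries `BRANCH`, and that `CX_BASE_URI: "${{ inputs.base_uri }}"` is the only quoted env value, so pick one form for all sixteen. The `runs:` mapping is complete within the hunk, but `inputs:` begins before it.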