This repository has been archived by the owner on Apr 29, 2024. It is now read-only.
add gha security scan config #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow is to automate Checkmarx SAST scans. It runs on a push to the main branch. | |
| # | |
| # The following GitHub Secrets must be first defined: | |
| # - CHECKMARX_URL | |
| # - CHECKMARX_USER | |
| # - CHECKMARX_PASSWORD | |
| # - CHECKMARX_CLIENT_SECRET | |
| # | |
| # For full documentation, including a list of all inputs, please refer to the README https://github.com/checkmarx-ts/checkmarx-cxflow-github-action | |
| name: Security Scans | |
| on: | |
| push: | |
| branches: | |
| - 'release\/*' | |
| - 'hotfix\/*' | |
| - test-whitesource | |
| - test-cx-scan | |
| - test-gha-security | |
| jobs: | |
| Checkmarx: | |
| name: Checkmarx CxFlow Action | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Checkmarx CxFlow Action | |
| uses: checkmarx-ts/[email protected] #Github Action version | |
| with: | |
| # report-file: checkmarx.json | |
| # auth-scopes: access_control_api sast_rest_api | |
| # version: '9.4' | |
| break_build: false | |
| checkmarx_url: ${{ vars.CHECKMARX_URL }} # To be stored in GitHub Secrets. | |
| checkmarx_username: ${{ vars.CHECKMARX_USERNAME }} # To be stored in GitHub Secrets. | |
| checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} # To be stored in GitHub Secrets. | |
| checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} # To be stored in GitHub Secrets. | |
| params: --namespace=${{ github.repository_owner }} --checkmarx.settings-override=true --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref_name }} --cx-flow.filterSeverity --cx-flow.filterCategory --checkmarx.disable-clubbing=true | |
| preset: Blackbaud SAST | |
| project: ${{ github.event.repository.name }} # <-- Insert Checkmarx SAST Project Name | |
| team: /CxServer/SP/Company/Everfi | |
| scanners: sast | |
| Mend: | |
| name: Mend Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Get branch name | |
| shell: bash | |
| run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | |
| id: get_branch_name | |
| - name: Mend | |
| env: | |
| WHITESOURCE_API_KEY: ${{ secrets.WHITESOURCE_API_KEY }} | |
| WHITESOURCE_API_BASE_URL: ${{ vars.WHITESOURCE_API_BASE_URL }} | |
| WHITESOURCE_SERVER_URL: ${{ vars.WHITESOURCE_SERVER_URL }} | |
| BRANCH: ${{ steps.get_branch_name.outputs.branch }} | |
| shell: bash | |
| run: | | |
| echo $'\n'projectName=${{ github.event.repository.name }} >>scripts/whitesource/agent.config | |
| echo $'\n'productName=Forge >>scripts/whitesource/agent.config | |
| bash ./scripts/whitesource/scan.sh |