| 1 | +# This workflow uses actions that are not certified by GitHub. |
| 2 | +# They are provided by a third-party and are governed by |
| 3 | +# separate terms of service, privacy policy, and support |
| 4 | +# documentation. |
| 5 | + |
| 6 | +# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. |
| 7 | +# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository |
| 8 | +# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling |
| 9 | +# scan customization using the full functionality and flexibility of the CLI tool. |
| 10 | + |
| 11 | +# This is a basic workflow to help you get started with Using Checkmarx One Action, |
| 12 | +# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html |
| 13 | + |
| 14 | +name: Checkmarx Scan |
| 15 | + |
| 16 | +# Controls when the workflow will run |
| 17 | +on: |
| 18 | + pull_request: |
| 19 | + types: [opened, reopened, synchronize] |
| 20 | + branches: [ "supabase-postgreSQL" ] |
| 21 | + |
| 22 | +permissions: |
| 23 | + contents: read |
| 24 | + |
| 25 | +# A workflow run is made up of one or more jobs that can run sequentially or in parallel |
| 26 | +jobs: |
| 27 | + # This workflow contains a single job called "build" |
| 28 | + build: |
| 29 | + permissions: |
| 30 | + contents: read # for actions/checkout to fetch code |
| 31 | + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
| 32 | + actions: read # only required for a private repository by github/codeql-action/upload-sarif |
| 33 | + |
| 34 | + # The type of runner that the job will run on |
| 35 | + runs-on: ubuntu-latest |
| 36 | + |
| 37 | + # Steps represent a sequence of tasks that will be executed as part of the job |
| 38 | + steps: |
| 39 | + # This step checks out a copy of your repository. |
| 40 | + - name: Checkout repository |
| 41 | + uses: actions/checkout@v3 |
| 42 | + # This step creates the Checkmarx One scan |
| 43 | + - name: Checkmarx One scan |
| 44 | + uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc |
| 45 | + with: |
| 46 | + base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One |
| 47 | + cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e |
| 48 | + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e |
| 49 | + cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One |
| 50 | + additional_params: --report-format sarif --output-path . |
| 51 | + - name: Upload SARIF file |
| 52 | + uses: github/codeql-action/upload-sarif@v2 |
| 53 | + with: |
| 54 | + # Path to SARIF file relative to the root of the repository |
| 55 | + sarif_file: cx_result.sarif |
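Review bot: `actions/checkout@v3` (line 41) and `github/codeql-action/upload-sarif@v2` (line 52) are pinned to mutable tags while the Checkmarx step on line 44 is pinned to a full commit SHA; a moved or re-tagged release changes what runs in this job with no change to the file, so the two should be pinned the same way, e.g. `uses: actions/checkout@<full commit sha> # vN` with the SHA taken from the release you vet (and check at the same time whether those majors are still current). Because the checked-out tree is then zipped and uploaded by a third-party action, it is also worth adding `persist-credentials: false` under the checkout step's `with:` so the job's GITHUB_TOKEN is not left in `.git/config`; whether the Checkmarx CLI excludes `.git` from the archive is not shown here, so confirm against its file-filter defaults before relying on that. Note too that on `pull_request` runs opened from a fork the `secrets.CX_*` values are empty, so the scan step will fail on fork PRs rather than scan them — if that is the intended behaviour, say so in the trigger comment, e.g. `# Fork PRs have no access to secrets, so this job only scans same-repo PRs`.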