diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml new file mode 100644 index 00000000..473345d6 --- /dev/null +++ b/.github/workflows/checkmarx.yml @@ -0,0 +1,27 @@ +# This workflow is to automate Checkmarx SAST scans. It runs on a push to release or hotfix branches +# For full documentation, including a list of all inputs, please refer to the README https://github.com/Checkmarx/ast-github-action + +name: Checkmarx One scan +on: + push: + branches: + - 'release/[0-9][0-9][0-9][0-9].[0-9][0-9]' + - 'hotfix/[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]' + - test-whitesource + - test-cx-scan +jobs: + Checkmarx_One: + name: Checkmarx One + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Checkmarx AST Github Action + uses: Checkmarx/ast-github-action@2.0.23 + with: + base_uri: ${{ vars.CHECKMARX_ONE_BASE_URI}} + cx_tenant: ${{ vars.CHECKMARX_ONE_TENANT }} + cx_client_id: ${{ vars.CHECKMARX_ONE_CLIENT_ID}} + cx_client_secret: ${{ secrets.CHECKMARX_ONE_CLIENT_SECRET }} + project_name: ${{ github.event.repository.name }} + additional_params: --sast-preset-name "BlackbaudSAST" --project-groups "Everfi" diff --git a/.github/workflows/checkmarx_and_whitesource.yml b/.github/workflows/checkmarx_and_whitesource.yml deleted file mode 100644 index a2d105d7..00000000 --- a/.github/workflows/checkmarx_and_whitesource.yml +++ /dev/null @@ -1,59 +0,0 @@ -# This workflow is to automate Checkmarx SAST scans. It runs on a push to the main branch. -# -# The following GitHub Secrets must be first defined: -# - CHECKMARX_URL -# - CHECKMARX_USER -# - CHECKMARX_PASSWORD -# - CHECKMARX_CLIENT_SECRET -# -# For full documentation, including a list of all inputs, please refer to the README https://github.com/checkmarx-ts/checkmarx-cxflow-github-action - - -name: Checkmarx and Whitesource scans -on: - push: - branches: - - master -jobs: - mend-scan: - name: Mend Scan - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4.1.0 - - name: Get branch name - shell: bash - run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT - id: get_branch_name - - name: Mend - env: - WHITESOURCE_API_KEY: ${{ secrets.WHITESOURCE_API_KEY }} - WHITESOURCE_API_BASE_URL: ${{ vars.WHITESOURCE_API_BASE_URL }} - WHITESOURCE_SERVER_URL: ${{ vars.WHITESOURCE_SERVER_URL }} - BRANCH: ${{ steps.get_branch_name.outputs.branch }} - shell: bash - run: | - echo $'\n'projectName=${{ github.event.repository.name }} >>./scripts/whitesource/agent.config - echo $'\n'productName=foundry >>./scripts/whitesource/agent.config - bash ./scripts/whitesource/mend_scan.sh - checkmarx-scan: - name: Checkmarx Scan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4.1.0 - - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@v1.4 #Github Action version - with: - # report-file: checkmarx.json - # auth-scopes: access_control_api sast_rest_api - # version: '9.4' - break_build: false - checkmarx_url: ${{ vars.CHECKMARX_URL }} # To be stored in GitHub Secrets. - checkmarx_username: ${{ vars.CHECKMARX_USERNAME }} # To be stored in GitHub Secrets. - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} # To be stored in GitHub Secrets. - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} # To be stored in GitHub Secrets. - params: --namespace=${{ github.repository_owner }} --checkmarx.settings-override=true --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref_name }} --cx-flow.filterSeverity --cx-flow.filterCategory --checkmarx.disable-clubbing=true - preset: Blackbaud SAST - project: ${{ github.event.repository.name }} # <-- Insert Checkmarx SAST Project Name - team: /CxServer/SP/Company/Everfi - scanners: sast