Checkmarx One GitHub Actions
The Checkmarx One GitHub Action enables you to trigger SAST, SCA, IaC Security and API Security scans directly from the GitHub workflow. It provides a wrapper around the Checkmarx One CLI Tool, which creates a zip archive from your source code repository and uploads it to Checkmarx One for scanning. The GitHub Action provides easy integration with GitHub while enabling scan customization using the full functionality and flexibility of the CLI tool.
The GitHub Action can be customized to trigger scans when particular events (e.g., push or pull request) occur on specific branches of your repo. You can also add pre- and post-scan steps to your workflow. For example, you can add a step that screens the commits to check whether the changes made warrant running a new scan.
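The following workflow is an added example, not taken from the Checkmarx documentation or the plugin repository. It shows the three customizations described above: triggering on push and pull request for one branch, a pre-scan step that screens the change set and skips the scan when only documentation changed, and a post-scan step that uploads the SARIF report to GitHub Security alerts. The action identifier checkmarx/ast-github-action, its inputs (base_uri, cx_tenant, cx_client_id, cx_client_secret, project_name, branch, additional_params), the CLI flags passed through additional_params, the default report file name cx_result.sarif and the secret names are assumptions that should be checked against the plugin README; the file patterns in the screening step are illustrative.

```yaml
# Added example workflow (not from the Checkmarx documentation page).
# Assumptions not on the page: the action id checkmarx/ast-github-action, its input
# names, the CLI flags in additional_params, the cx_result.sarif output name and the
# secret names. The pre-scan screening logic and its file patterns are illustrative.
name: Checkmarx One scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Least privilege for the workflow token: read the code, write only what the
# optional post-scan steps need.
permissions:
  contents: read
  security-events: write   # needed only to upload the SARIF report to Security alerts
  pull-requests: write     # needed only for pull request decoration

jobs:
  cx-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the pre-scan step can diff against the base commit

      # Pre-scan step: decide whether the change set warrants a new scan.
      # Documentation-only changes (docs/ tree or *.md files) skip the scan;
      # anything else, or a base commit we cannot resolve, triggers it.
      - name: Screen changed files
        id: screen
        shell: bash
        run: |
          base="${{ github.event.pull_request.base.sha || github.event.before }}"
          if [ -z "$base" ] || ! git cat-file -e "$base" 2>/dev/null; then
            # first push of a branch or unknown base: scan to be safe
            echo "scan=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          if git diff --name-only "$base" "${{ github.sha }}" | grep -Ev '^(docs/|.*\.md$)' | grep -q .; then
            echo "scan=true" >> "$GITHUB_OUTPUT"
          else
            echo "scan=false" >> "$GITHUB_OUTPUT"
          fi

      # The scan itself; CLI arguments are passed through additional_params.
      - name: Checkmarx One scan
        if: steps.screen.outputs.scan == 'true'
        uses: checkmarx/ast-github-action@main   # pin to a release tag or commit SHA in production
        with:
          base_uri: ${{ secrets.CX_BASE_URI }}
          cx_tenant: ${{ secrets.CX_TENANT }}
          cx_client_id: ${{ secrets.CX_CLIENT_ID }}
          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
          project_name: ${{ github.repository }}
          branch: ${{ github.head_ref || github.ref_name }}
          additional_params: --scan-types sast,sca,iac-security --report-format sarif

      # Post-scan step: publish the SARIF report so findings appear under
      # Security > Code scanning alerts. Runs even if the scan step failed on policy.
      - name: Upload SARIF to GitHub Security alerts
        if: steps.screen.outputs.scan == 'true' && always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: cx_result.sarif
```

The OAuth2 client credentials from the Prerequisites section go into repository or organization secrets rather than the workflow file, and pinning the action to a release tag or commit SHA (instead of a moving branch) keeps the scan step itself from becoming a supply-chain weak point.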
Note
The plugin code can be found here.
Notice
There is an alternative method for integrating GitHub with Checkmarx One that is configured directly from Checkmarx One; see GitHub Cloud. That method is easier to implement but doesn’t enable full customization of the process.
Main Features
Automatically trigger CxSAST, CxSCA, IaC Security and API Security scans from the GitHub workflow
Supports use of CLI arguments to customize scan configuration
Shows scan results summary in the GitHub build logs
Supports generating reports that are integrated into the GitHub Security alerts
Decorates pull requests with info about new vulnerabilities that were identified as well as vulnerabilities that were fixed by the code changes
Prerequisites
The source code for your project is hosted on a GitHub repo (public or private)
You have a Checkmarx One account and you have an OAuth2 Client ID and Client Secret for that account. To create an OAuth2 client, see Creating an OAuth2 Client for Checkmarx One Integrations.