
Checkmarx One CircleCI Integration

You can integrate Checkmarx One into your CircleCI pipelines using our CLI Tool, which lets you run Checkmarx One scans and perform other Checkmarx One commands.

Prerequisites

Initial Setup

Before running Checkmarx One CLI commands in your CircleCI pipelines, you need to configure access to Checkmarx One. This is done by specifying the server URLs, tenant account, and authentication credentials for accessing your Checkmarx One environment.

  1. In your CircleCI console, in the main navigation click on Project settings > Environment Variables, then click Add Environment Variable.

  2. Create variables by clicking Add Environment Variable and entering a Name and Value for each of the variables described in the table below.


Repository Variables

Key | Value
BASE_URI |
BASE_AUTH_URI |
TENANT | The name of your tenant account.

Use one of the following authentication methods.

Key | Value
CLIENT_ID and SECRET (for OAuth2, recommended) | These values are obtained from the Checkmarx One web application, see Creating an OAuth2 Client for Checkmarx One Integrations.
API_KEY | This is obtained from the Checkmarx One web application, see Generating an API Key.

Running CLI Commands in CircleCI

You can use CLI commands to run scans, retrieve scan results and perform CRUD actions on your Checkmarx One Projects and Applications. For an explanation of the CLI commands, see Checkmarx One CLI Commands.

Usage Example - Running a Checkmarx One Scan in CircleCI

The following snippet shows how you can run a Checkmarx One scan in CircleCI using our CLI Tool.

The snippet uses the scan create command with the minimum required parameters -s (location of the source code), --project-name (name of the Checkmarx One Project), and --branch (name of the branch of the Checkmarx One Project), together with the repository variables that you configured for connecting to Checkmarx One. We also recommend using the --agent flag with the value CircleCI. For additional scan arguments, see scan create.

Option 1 (recommended): Use the Checkmarx One CLI docker image to trigger the scan:

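version: 2
jobs:
  build:
    docker:
      # Checkmarx One CLI image. No tag is given, so this resolves to the image's latest tag.
      - image: checkmarx/ast-cli
    steps:
      # Fetch the repository so that "-s ." points at the source code.
      - checkout
      - run:
          name: "Run Scan"
          # The variable names used below must match the environment variables
          # defined in Project settings > Environment Variables.
          command: |
            /app/bin/cx \
            scan create \
            -s . \
            --agent CircleCI \
            --project-name "$PROJECT" \
            --branch "$CX_BRANCH" \
            --base-uri "$CX_BASE_URI" \
            --base-auth-uri "$CX_BASE_AUTH_URI" \
            --tenant "$CX_TENANT" \
            --client-id "$CX_CLIENT_ID" \
            --client-secret "$CX_CLIENT_SECRET"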

Option 2: Use the CircleCI base image and brew to install the Checkmarx One CLI and trigger the scan:

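version: 2
jobs:
  build:
    docker:
      - image: cimg/base:2021.04
    steps:
      # Fetch the repository so that "-s ." points at the source code.
      - checkout
      - run:
          name: "Run Scan"
          # The first command downloads the Homebrew installer from the HEAD of its
          # repository and runs it; the installer is not pinned to a version.
          # The variable names used below must match the environment variables
          # defined in Project settings > Environment Variables.
          command: |
            /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
            /home/linuxbrew/.linuxbrew/bin/brew install checkmarx/ast-cli/ast-cli
            /home/linuxbrew/.linuxbrew/Cellar/ast-cli/*/bin/cx \
            scan create \
            -s . \
            --agent CircleCI \
            --project-name "$PROJECT" \
            --branch "$CX_BRANCH" \
            --base-uri "$CX_BASE_URI" \
            --base-auth-uri "$CX_BASE_AUTH_URI" \
            --tenant "$CX_TENANT" \
            --client-id "$CX_CLIENT_ID" \
            --client-secret "$CX_CLIENT_SECRET"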
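
A preflight check that can run before the scan command in either option, as an added example that is not part of the Checkmarx documentation: it confirms that the connection variables are set and that one authentication method is complete, and it reports only variable names, never their values. The CX_* names follow the snippets above; CX_APIKEY is an assumed name for the variable holding the API key, and the https requirement is an added assumption.

```shell
# Added example (not Checkmarx code). CX_APIKEY is an assumed variable name.
# Prints the auth method ("oauth" or "apikey") on success. On failure, prints
# only the NAMES of the offending variables to stderr and returns 1.
cx_preflight() {
  _cx_bad=""
  for _cx_name in CX_BASE_URI CX_BASE_AUTH_URI CX_TENANT; do
    eval "_cx_val=\${$_cx_name:-}"
    [ -n "$_cx_val" ] || _cx_bad="$_cx_bad $_cx_name"
  done
  # Credentials are sent to these endpoints, so refuse anything but https
  # (assumption added for this example).
  for _cx_name in CX_BASE_URI CX_BASE_AUTH_URI; do
    eval "_cx_val=\${$_cx_name:-}"
    case "$_cx_val" in
      "" | https://*) ;;
      *) _cx_bad="$_cx_bad $_cx_name(not-https)" ;;
    esac
  done
  _cx_method=""
  if [ -n "${CX_CLIENT_ID:-}" ] || [ -n "${CX_CLIENT_SECRET:-}" ]; then
    # OAuth2 needs both halves; name whichever one is absent.
    [ -n "${CX_CLIENT_ID:-}" ] || _cx_bad="$_cx_bad CX_CLIENT_ID"
    [ -n "${CX_CLIENT_SECRET:-}" ] || _cx_bad="$_cx_bad CX_CLIENT_SECRET"
    _cx_method=oauth
  elif [ -n "${CX_APIKEY:-}" ]; then
    _cx_method=apikey
  else
    _cx_bad="$_cx_bad CX_CLIENT_ID/CX_CLIENT_SECRET-or-CX_APIKEY"
  fi
  if [ -n "$_cx_bad" ]; then
    echo "Checkmarx One preflight failed:$_cx_bad" >&2
    return 1
  fi
  echo "$_cx_method"
}

# Constructed sample values, set in a subshell so they do not leak into the job.
(
  CX_BASE_URI=https://cx.example.test CX_BASE_AUTH_URI=https://iam.example.test
  CX_TENANT=demo CX_CLIENT_ID=ci-client CX_CLIENT_SECRET=placeholder
  cx_preflight
)
```

CircleCI does not pass project environment variables to builds of forked pull requests by default, which is one case where this check fails early with a clear message instead of an authentication error from the scan.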

Notice

Check for updates to the code samples in GitHub.