Using SCA Resolver in Checkmarx One CI/CD Integrations

You can run Checkmarx SCA Resolver with your Checkmarx One integrations in order to resolve dependencies on-prem using pre-installed package managers. The Checkmarx One CLI Tool and plugins run Resolver in Offline mode, which resolves the dependencies in the local build environment and outputs the results to a JSON file. Checkmarx One then bundles that data with additional Checkmarx One CLI data and sends it to the Checkmarx One Cloud for further processing.

Prerequisites

Running Scans Using SCA Resolver

  1. Use the following script to download and run SCA Resolver (for Linux64), as a step in the pipeline or as part of your script (depending on your platform).

    - wget https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz
    - tar -xzvf ScaResolver-linux64.tar.gz
    - rm -rf ScaResolver-linux64.tar.gz

    Warning

    If you are using a different OS make sure to give the path to the appropriate installation file, as provided here.

  2. In the scan create command, add the following flag --sca-resolver ./ScaResolver.

    Notice

    If you are using a plugin, then this flag is added in the Additional parameters section of the scan configuration.

Customizing Resolver Configuration

You can add additional arguments to the run command in order to customize the package resolution process. For a complete list of SCA Resolver configuration arguments, see Checkmarx SCA Resolver Configuration Arguments.

Notice

Only arguments that can be used in Offline mode can be applied to scans run via the Checkmarx One CLI Tool and plugins.

To customize the Resolver Configuration:

  • Add the --sca-resolver-params flag to the scan create command followed by the additional arguments that you would like to add (surrounded by "").

For Example:

--sca-resolver ./ScaResolver --sca-resolver-params "--extract-archives zip,ear --extract-depth 3 --gradle-exclude-scopes api,testCompile"

Warning

Whenever a parameter value has a space or other special character in it, it needs to be escaped either by enclosing it in quotes or using an escape character. The specific syntax for escaping characters will vary depending on the command-line interface or programming language you are using.
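The following POSIX shell script is an added example, not part of the Checkmarx documentation, that ties together the two-step procedure above (download Resolver, then pass --sca-resolver to scan create) with the customization described in this section. It assumes the Checkmarx One CLI is installed as cx on PATH, that CX_BASE_URI, CX_TENANT, CX_CLIENT_ID, CX_CLIENT_SECRET, CX_PROJECT_NAME and CX_BRANCH are exported by the pipeline, and that an optional RESOLVER_SHA256 variable holds a digest you have recorded for the artifact (the variable names and the single-quote wrapping of values that contain spaces are assumptions of this example). It also refuses to run the scan when the Resolver binary is missing, so a failed download fails the pipeline instead of silently producing a scan without local resolution.

```shell
#!/usr/bin/env sh
# Added example (not Checkmarx's own script): fetch SCA Resolver, check it,
# build the --sca-resolver-params string, then run `cx scan create`.
# Assumes `cx` is on PATH and the CX_* variables are exported by the pipeline.

RESOLVER_URL="https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz"

# Compare the SHA-256 of file $1 with the expected hex digest $2.
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Download and unpack ScaResolver into directory $1 (default: current dir).
# If RESOLVER_SHA256 (assumed variable) is set, the tarball must match it,
# which pins the "latest" URL to an artifact you have already vetted.
fetch_resolver() {
  dir="${1:-.}"
  tgz="$dir/ScaResolver-linux64.tar.gz"
  wget -q -O "$tgz" "$RESOLVER_URL" || return 1
  if [ -n "${RESOLVER_SHA256:-}" ]; then
    verify_sha256 "$tgz" "$RESOLVER_SHA256" || { rm -f "$tgz"; return 1; }
  fi
  tar -xzf "$tgz" -C "$dir" && rm -f "$tgz"
}

# True only if an executable ScaResolver sits where --sca-resolver will point.
resolver_ready() {
  [ -x "$1/ScaResolver" ]
}

# Join Resolver arguments into the single string passed after
# --sca-resolver-params. A value containing whitespace is wrapped in single
# quotes, following the advice above to quote such values (assumed syntax).
resolver_params() {
  out=""
  for a in "$@"; do
    case "$a" in
      *[[:space:]]*) a="'$a'" ;;
    esac
    out="${out:+$out }$a"
  done
  printf '%s' "$out"
}

# Glue: fetch Resolver, verify it is usable, then start the scan.
run_scan() {
  workdir="${1:-.}"
  fetch_resolver "$workdir" || exit 1
  resolver_ready "$workdir" || { echo "ScaResolver missing in $workdir" >&2; exit 1; }
  params=$(resolver_params --extract-archives zip,ear --extract-depth 3)
  cx scan create -s . \
    --project-name "${CX_PROJECT_NAME:?}" --branch "${CX_BRANCH:?}" \
    --base-uri "${CX_BASE_URI:?}" --tenant "${CX_TENANT:?}" \
    --client-id "${CX_CLIENT_ID:?}" --client-secret "${CX_CLIENT_SECRET:?}" \
    --sca-resolver "$workdir/ScaResolver" \
    --sca-resolver-params "$params"
}

# Run the scan only when SCA_RUN=1 is set, so the file can also be sourced.
if [ "${SCA_RUN:-0}" = "1" ]; then run_scan "${1:-.}"; fi
```

Invoke it from a pipeline step as `SCA_RUN=1 sh run-sca.sh .`; the `${VAR:?}` expansions make the step fail with a clear message when a credential variable has not been injected, rather than sending an empty value to the cloud.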

Integration Examples

Github Action

The following example shows how to create a GitHub Action for running a Checkmarx One scan with SCA Resolver.

# Documentation:
# https://checkmarx.atlassian.net/wiki/spaces/Checkmarx One/pages/6147408761/CI+CD+with+CxSCA+Resolver
#

name: SCA Resolver Example

on:
  push:
    branches:
      [main]
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - name: Download SCA Resolver
        run: |
          wget https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz
          tar -xzvf ScaResolver-linux64.tar.gz
          rm -rf ScaResolver-linux64.tar.gz

      - name: Install Maven, NPM, ... # Add any package managers your project needs
        run: |
          # -y is required: apt prompts for confirmation and aborts without a TTY
          sudo apt-get install -y maven npm

      - name: Run Checkmarx One CLI Scan
        run: |
          /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
          /home/linuxbrew/.linuxbrew/bin/brew install checkmarx/ast-cli/ast-cli
          /home/linuxbrew/.linuxbrew/Cellar/ast-cli/*/bin/cx \
            scan create \
            -s . \
            --agent GitHub \
            --project-name ${{ github.repository }} \
            --branch ${GITHUB_REF##*/} \
            --base-uri ${{ secrets.CX_BASE_URI }} \
            --tenant ${{ secrets.CX_TENANT }} \
            --client-id ${{ secrets.CX_CLIENT_ID }} \
            --client-secret ${{ secrets.CX_CLIENT_SECRET }} \
            --sca-resolver ./ScaResolver

Notice

Check for updates to the code samples in GitHub.

Bitbucket Pipelines

The following example shows how to run a Checkmarx One scan with SCA Resolver in a Bitbucket pipeline.

image: checkmarx/ast-cli

pipelines:
  default:
    - step:
        script:
          - wget https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz
          - tar -xzvf ScaResolver-linux64.tar.gz
          - rm -rf ScaResolver-linux64.tar.gz
          - >-
            /app/bin/cx
            scan create
            -s .
            --agent Bitbucket
            --project-name $BITBUCKET_REPO_SLUG
            --branch $BITBUCKET_BRANCH
            --base-uri $BASE_URI
            --tenant $TENANT
            --client-id $CLIENT_ID
            --client-secret $CLIENT_SECRET
            --sca-resolver ./ScaResolver
            $ADDITIONAL_PARAMS

Notice

Check for updates to the code samples in GitHub.