Using SCA Resolver in Checkmarx One CI/CD Integrations
You can run Checkmarx SCA Resolver with your Checkmarx One integrations in order to resolve dependencies on-prem, using the package managers that are pre-installed in your build environment. The Checkmarx One CLI Tool and plugins run Resolver in Offline mode, which resolves the dependencies in the local build environment and writes the results to a JSON file. Checkmarx One then bundles that data with additional Checkmarx One CLI data and sends it to the Checkmarx One Cloud for further processing.
Prerequisites
You have set up a CI/CD integration for Checkmarx One using a plugin or our CLI Tool; see Checkmarx One CI/CD Integrations.
Running Scans Using SCA Resolver
1. Use the following script to download and extract SCA Resolver (Linux build), as a step in the pipeline or as part of your own script, depending on your platform:

```shell
wget https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz
tar -xzvf ScaResolver-linux64.tar.gz
rm -rf ScaResolver-linux64.tar.gz
```

2. In the scan create command, add the following flag:

```
--sca-resolver ./ScaResolver
```
Notice
If you are using a plugin, then this flag is added in the Additional parameters section of the scan configuration.
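The download step above fetches the "latest" archive over HTTPS and extracts it with no integrity check, so the pipeline runs whatever the bucket serves on that day. The script below is an added example, not Checkmarx's code, that performs the same three steps with a SHA-256 pin recorded by the operator, refuses to extract on a mismatch, and then passes the verified binary to scan create together with --sca-resolver-params. The expected digest, the RESOLVER_DIR variable and the CX_* environment variable names are this script's own assumptions; the page does not say whether Checkmarx publishes checksums, so the pin is taken from a download you vetted yourself.

```shell
#!/usr/bin/env bash
# Added example (not Checkmarx's code): fetch SCA Resolver for a CI step with an
# operator-recorded SHA-256 pin, refuse to extract on mismatch, then hand the
# verified binary to the Checkmarx One CLI.
# Assumptions not stated on the page: EXPECTED_SHA256 comes from a download you
# vetted yourself; RESOLVER_DIR and the CX_* variable names are this script's
# own; "latest" is the URL the page uses (pin a version if one is available).
set -eu

RESOLVER_URL="${RESOLVER_URL:-https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz}"

# verify_sha256 FILE EXPECTED_HEX: exit status 0 if the digest matches.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256sum "$file" | awk '{print $1}')"
  [ "$actual" = "$expected" ]
}

# install_resolver ARCHIVE DEST_DIR EXPECTED_HEX: verify, then extract into
# DEST_DIR. The archive is removed either way, so a mismatching download never
# lingers for a later step to extract by accident.
install_resolver() {
  local archive="$1" dest="$2" expected="$3"
  if ! verify_sha256 "$archive" "$expected"; then
    echo "SCA Resolver checksum mismatch for $archive; refusing to extract" >&2
    rm -f "$archive"
    return 1
  fi
  tar -xzf "$archive" -C "$dest"
  rm -f "$archive"
  # The page's steps assume ./ScaResolver exists afterwards; fail loudly if not.
  if [ ! -x "$dest/ScaResolver" ]; then
    echo "ScaResolver binary missing after extract" >&2
    return 1
  fi
}

# run_scan EXPECTED_HEX: the page's download steps plus the scan create flags.
# --sca-resolver-params follows the page's quoting rule: double quotes around
# the whole value, single quotes inside it if an argument needs them.
run_scan() {
  local expected="$1" dest archive
  dest="${RESOLVER_DIR:-$PWD}"
  archive="$(mktemp "${TMPDIR:-/tmp}/ScaResolver.XXXXXX")"
  wget -q -O "$archive" "$RESOLVER_URL"
  install_resolver "$archive" "$dest" "$expected"
  cx scan create -s . \
    --base-uri "$CX_BASE_URI" --tenant "$CX_TENANT" \
    --client-id "$CX_CLIENT_ID" --client-secret "$CX_CLIENT_SECRET" \
    --sca-resolver "$dest/ScaResolver" \
    --sca-resolver-params "--extract-archives zip,ear --extract-depth 3"
}

# Usage in a pipeline step: ./fetch-resolver.sh run <expected-sha256>
if [ "${1:-}" = "run" ]; then
  run_scan "${2:?usage: $0 run <expected-sha256>}"
fi
```

Record the pin once from a download you inspected, store it next to the pipeline definition, and treat a mismatch as a failed build rather than something to retry; if Checkmarx changes the archive, the pin changes through a reviewed commit.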
Customizing Resolver Configuration
You can add additional arguments to the run command in order to customize the package resolution process. For a complete list of SCA Resolver configuration arguments, see Checkmarx SCA Resolver Configuration Arguments.
Notice
Only arguments that can be used in Offline mode can be applied to scans run via the Checkmarx One CLI Tool and plugins.
To customize the Resolver configuration, add the --sca-resolver-params flag to the scan create command, followed by the additional arguments that you would like to add. For example:

```
--sca-resolver ./ScaResolver --sca-resolver-params "--extract-archives zip,ear --extract-depth 3 --gradle-exclude-scopes api,testCompile"
```
Notice
If you need to use spaces and/or quotes, wrap the arguments in double quotes and use single quotes inside the value.
Integration Examples
Github Action
The following example shows how to create a GitHub Action for running a Checkmarx One scan with SCA Resolver.
```yaml
# Documentation:
# https://checkmarx.atlassian.net/wiki/spaces/Checkmarx One/pages/6147408761/CI+CD+with+CxSCA+Resolver
#
name: SCA Resolver Example

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]

      - name: Download SCA Resolver
        run: |
          wget https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz
          tar -xzvf ScaResolver-linux64.tar.gz
          rm -rf ScaResolver-linux64.tar.gz

      - name: Install Maven, NPM, ...
        # Add any package managers your build needs; -y keeps apt non-interactive on the runner
        run: |
          sudo apt install -y maven npm

      - name: Run Checkmarx One CLI Scan
        run: |
          /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
          /home/linuxbrew/.linuxbrew/bin/brew install checkmarx/ast-cli/ast-cli
          /home/linuxbrew/.linuxbrew/Cellar/ast-cli/*/bin/cx \
            scan create \
            -s . \
            --agent GitHub \
            --project-name ${{ github.repository }} \
            --branch ${GITHUB_REF##*/} \
            --base-uri ${{ secrets.CX_BASE_URI }} \
            --tenant ${{ secrets.CX_TENANT }} \
            --client-id ${{ secrets.CX_CLIENT_ID }} \
            --client-secret ${{ secrets.CX_CLIENT_SECRET }} \
            --sca-resolver ./ScaResolver
```
Notice
Check for updates to the code samples in GitHub.
Bitbucket Pipelines
The following example shows how to run a Checkmarx One scan with SCA Resolver in a Bitbucket pipeline.
```yaml
image: checkmarx/ast-cli

pipelines:
  default:
    - step:
        script:
          - wget https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz
          - tar -xzvf ScaResolver-linux64.tar.gz
          - rm -rf ScaResolver-linux64.tar.gz
          - >-
            /app/bin/cx scan create
            -s .
            --agent Bitbucket
            --project-name $BITBUCKET_REPO_SLUG
            --branch $BITBUCKET_BRANCH
            --base-uri $BASE_URI
            --tenant $TENANT
            --client-id $CLIENT_ID
            --client-secret $CLIENT_SECRET
            --sca-resolver ./ScaResolver
            $ADDITIONAL_PARAMS
```
Notice
Check for updates to the code samples in GitHub.