Sonar Results for Checkmarx One (Example for GitHub Action)
Introduction
You can export scan results directly to Sonar, enabling you to view the Checkmarx One results in your SonarQube or SonarCloud console.
This is done by adding the report flag --report-format sonar in the additional params of the CLI scan command. This generates a JSON that is formatted according to the Sonar specifications.
This capability is available for all CI/CD plugins and CLI integrations. The examples below show the integration for GitHub Action, but they can be generalized for other platforms.
Prerequisites
You have a Checkmarx One account and you have set up the appropriate Checkmarx One plugin or CLI integration in your CI/CD platform.
You have a SonarQube installation or access to a SonarCloud account.
Exporting Results to Sonar
Use the Checkmarx One plugin or CLI tool to create a Checkmarx One scan in your pipeline.
Add the report flag
--report-format sonarto the scan create command. For plugins, this argument is added in the Additional params section.Use the Sonar plugin to create a Sonar step in your pipeline.
Notice
There is an alternative method that uses a Maven command to send the results to Sonar, see the example below.
In the sonar arguments, add the following argument to point to the report file generated by Checkmarx One:
-Dsonar.externalIssuesReportPaths=./cx_result_sonar.json
Usage Example - GitHub Action
The following example shows how you can create a GitHub Action to run a Checkmarx One scan and export the results to Sonar.
Prerequisites
The following example assumes that you have:
Created the required secrets for use with the Checkmarx One GitHub Action, see Checkmarx One GitHub Actions Initial Setup, and have installed and configured the Checkmarx One Github Action Configuring a GitHub Action with a Checkmarx One Workflow.
Created a Sonar project and configured the Sonar GitHub Action, including creating the required secrets and adding the project to the root file.
Notice
The prerequisites differ slightly if you are using the alternative method, see example below.
 |
GitHub Action Example
The following is an example of the GitHub Action for running a Checkmarx One scan and exporting the results to Sonar.
name: Build
on:
push:
branches:
- main
jobs:
cx-scan:
name: Run Checkmarx One cli
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Checkmarx One CLI Action
uses: checkmarx/ast-github-action@main
with:
base_uri: ${{ secrets.BASE_URI }}
cx_tenant: ${{ secrets.TENANT }}
cx_client_id: ${{ secrets.CLIENT_ID }}
cx_client_secret: ${{ secrets.SECRET }}
additional_params: --report-format sonar
- name: Sonar CLI Action
uses: sonarsource/sonarqube-scan-action@master
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
args: >
-Dsonar.externalIssuesReportPaths=./cx_result_sonar.jsonAlternative Method - Using Maven command
The following example shows an alternative method that uses a Maven command instead of using the Sonar GitHub Action.
name: Security Scan
on:
push:
branches:
- main
jobs:
scan:
runs-on: ubuntu-latest
if: ${{ true }}
steps:
- uses: actions/checkout@v2
- run: |
git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
- name: Set up JDK 11
uses: actions/setup-java@v1
with:
java-version: 11.0.7
- name: Cache local Maven repository
uses: actions/cache@v2
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Cache SonarCloud packages
uses: actions/cache@v2
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Checkmarx One CLI Action
uses: checkmarx/ast-github-action@main
with:
base_uri: <AST Base URI>
cx_tenant: ${{ secrets.CX_TENANT }}
cx_client_id: ${{ secrets.CX_CLIENT_ID }}
cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
additional_params: --report-format sonar
- name: Sonar analyze
run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=<sonar_project_key> -Dsonar.organization=<sonar_organization> -Dsonar.externalIssuesReportPaths=./cx_result_sonar.json
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
GITHUB_TOKEN: ${{ github.token }}Notice
Check for updates to the code sample in GitHub.