GitHub Self-Hosted
Notice
It is possible to add the Checkmarx One external IP addresses to the customer Firewall allowlist - For more information see Checkmarx One External IPs
In addition, if the code repository is not internet accessible, it is possible to configure the code repository IP address instead of its hostname during the initial integration with the code repository - as it is not resolved via DNS.
Overview
Checkmarx One supports GitHub integration, enabling automated scanning of your GitHub projects whenever the code is updated. Checkmarx One's GitHub integration listens for GitHub commit events and uses a webhook to trigger Checkmarx scans when a push, or a pull request occurs. Once a scan is completed, the results can be viewed in the Checkmarx One Platform.
In addition, for pull requests, a comment is created in GitHub, which includes a scan summary, list of vulnerabilities and a link to view the scan results in Checkmarx One.
Notice
This integration supports both public and private git based repos.
The integration is done on a per project basis, with a specific Checkmarx One Project corresponding to a specific GitHub repo.
Notice
You can select several repos to create multiple integrations in a bulk action.
Prerequisites
The source code for your project is hosted on a GitHub repo.
You have an Checkmarx One account and have credentials to log in to your account.
The GitHub user has admin privileges for this repository, see Code Repository Integrations
You have your GitHub Client ID & Client Secret - See Retrieving GitHub Client ID & Client Secret
Retrieving GitHub Client ID & Client Secret
To retrieve GitHub Client ID & Client Secret, perform the following steps:
In your GitHub account, click on your user → User Settings (top right)
On the lest navigation, click on Developer settings
Click on OAuth Apps
Click on New OAuth App
Register a new OAuth App by configuring the following fields:
Application name
Homepage URL - Checkmarx One environment URL
Application description (Optional)
Authorization callback URL - Checkmarx One environment URL
Click on Register application
Copy the Client ID
Click on Generate a new client secret
Copy the Client Secret
Setting up the Integration and Initiating a Scan
To integrate your self hosted (on-prem) GitHub organization with Checkmarx One, perform the following:
In the Applications and Projects home page, click on New > New Project - Code Repository Integration.
The Import From window opens.
Select Self-hosted> GitHub
Configure the following fields and click Next:
Domain Name or IP Address - Your GitHub Self-Managed domain.
For example: GitHub.my_company.com
Client ID - See Retrieving GitHub Client ID & Client Secret for retrieving your Client ID.
Client Secret - See Retrieving GitHub Client ID & Client Secret for retrieving your Client Secret.
Click Authorize
Select the GitHub User/Organization or Group (for the requested repository) and click Select Organization
The screen contains the following functionalities:
Search bar - Users need to type the full organization name (GitHub limitation). The search is not case sensitive.
Infinite scroll - For enterprises with a large amount of organizations.
Note
In case you selected GitHub User skip step 6
In the Organization Settings screen you can decide whether to enable the "Monitor new repositories creation" feature. (The default is On)
For more information about the feature see Monitor New Repositories
Select the Repository inside the GitHub organization and click Next
In case that the organization contains active repositories, suggested repos will be presented and selected automatically. For additional information see Suggested Repositories.
Note
A separate Checkmarx One Project will be created for each repo that you import.
There can’t be more than one Checkmarx One Project per repo. Therefore, once a Project has been created for a repo, that repo is greyed out in the Import dialog.
In the Repositories Settings screen, perform the following and click Next
Select the scanners for All/Specific repositories
Select which Protected Branches to scan for each Repository.
Note
For additional information about Protected Branches see About Protected Branches
It is possible to specify the Groups to which you would like to assign the Project.
You can also add Tags to the Project. Tags can be added as a simple strings or as key:value pairs.
Select which Protected Branches to scan for each Repository and click Next
Note
For additional information about Protected Branches see About Protected Branches
In the Advanced Options screen it is possible to select Scanning the default branch upon the creation of the Project
Click Create Project
The Project is successfully created in the Applications and Projects home page, and the scan is initiated.
Note
In order to update the scanners see Imported Project Settings
