Skip to main content

GitHub Self-Hosted

Notice

It is possible to add the Checkmarx One external IP addresses to the customer Firewall allowlist - For more information see Checkmarx One External IPs

Additionally, if the code repository is not internet accessible, it is possible to configure the code repository IP address instead of its hostname during the initial integration with the code repository - as it is not resolved via DNS.

Overview

Checkmarx One supports GitHub integration, enabling automated scanning of your GitHub projects whenever the code is updated. Checkmarx One's GitHub integration listens for GitHub commit events and uses a webhook to trigger Checkmarx scans when a push, or a pull request occurs. Once a scan is completed, the results can be viewed in the Checkmarx One Platform.

In addition, for pull requests, a comment is created in GitHub, which includes a scan summary, list of vulnerabilities and a link to view the scan results in Checkmarx One.

Notice

This integration supports both public and private git based repos.

The integration is done on a per project basis, with a specific Checkmarx One Project corresponding to a specific GitHub repo.

Notice

You can select several repos to create multiple integrations in a bulk action.

Prerequisites

Retrieving GitHub Client ID & Client Secret

Setting up the Integration and Initiating a Scan

To integrate your self hosted (on-prem) GitHub organization with Checkmarx One, perform the following:

  1. In the Applications and Projects home page, click on New > New Project - Code Repository Integration.

    Code_Repo_Integration.png

    The Import From window opens.

    Image_946.png
  2. Select Self-hosted> GitHub.

    GitHub_SH_Select.png
  3. Configure the following fields and click Next:

  4. Click Authorize.

    6428295198.png
  5. Select the GitHub User/Organization or Group (for the requested repository) and click Select Organization.

    The screen contains the following functionalities:

    • Search bar - Users need to type the full organization name (GitHub limitation). The search is not case sensitive.

    • Infinite scroll - For enterprises with a large amount of organizations.

    Note

    In case you selected GitHub User skip step 6.

    GitHub_Select_Org.png
  6. In the Organization Settings screen you can decide whether to enable the "Monitor new repositories creation" feature.

    For more information about the feature see Monitor New Repositories.

    GitHub_Org_Settings.png
  7. Select the Repository inside the GitHub organization and click Next.

    In case that the organization contains active repositories, suggested repos will be presented and selected automatically. For additional information see Suggested Repositories.

    Note

    • A separate Checkmarx One Project will be created for each repo that you import.

    • There can’t be more than one Checkmarx One Project per repo. Therefore, once a Project has been created for a repo, that repo is greyed out in the Import dialog.

    GitHub_Select_Repo.png
  8. In the Repositories Settings screen, configure the following and click Next.

    • Permissions:

      • Scan Trigger: Push, Pull request - Enable/disable automatic scans for every push event or pull request.

      • Pull Request Decoration - Enable/disable pull request decoration.

        For additional information see Code Repository Integration Usage & Results.

    • Scanners: Select the scanners for All/Specific repositories. At lease 1 scanner must be selected for each repository.

    • Protected Branches: Select which Protected Branches to scan for each repository.

      Note

      For additional information about Protected Branches see About Protected Branches

    • Add SSH key.

    • Assign Groups: Specify the Groups to which you would like to assign the project.

    • Assign Tags: Add Tags to the Project. Tags can be added as a simple strings or as key:value pairs.

    • Set Criticality Level: Manually set the project criticality level.

      GitHub_Repo_Settings.png

    Note

    If multiple repositories are selected, an additional configuration option will appear at the top of the wizard for applying settings to all selected repositories. Configure the necessary parameters, then scroll down on the right-side panel and click Apply to all.

    For example:

    All_Repo_Settings.png
  9. Select which Protected Branches to scan for each Repository and click Next.

    Note

    For additional information about Protected Branches see About Protected Branches

    GitHub_Select_Branches.png
  10. In the Advanced Options screen it is possible to select Scanning the default branch upon the creation of the Project.

    Click Create Project.

    GitHub_Advanced_Options.png
  11. The Project is successfully created in the Applications and Projects home page, and the scan is initiated.

    Note

    In order to update the scanners see Imported Project Settings

    GitHub_SH_Scanning.png

Updating Project Settings

See Imported Project Settings.