This action internally uses the same Checkmarx One CLI as the Checkmarx AST GitHub Action. There are a few significant differences with this action:
- The workflow supports both PR decorations with scan summaries and SARIF file uploads for use with the GitHub security tab.
- Execution is performed in your build environment container, created with the Checkmarx Supply Chain Toolkit.
- Supply chain scanning is performed in the build environment container.
For the Quick Start, the following prerequisites apply:
- You have created a build environment container using the Checkmarx Supply Chain Toolkit, and the runner can retrieve that container with the tag you provide as an input.
- You have created an OAuth client in Checkmarx One.
- You define the secret CXONE_TENANT that contains the name of your Checkmarx One tenant.
- You define the secret CXONE_CLIENT_ID that contains the client ID of the created OAuth client.
- You define the secret CXONE_CLIENT_SECRET that contains the client secret of the created OAuth client.
If your tenant is in the US1 environment, the following example workflow will perform a scan on pull requests or pushes targeting the master branch:
```yaml
name: Checkmarx Scan
on:
  workflow_dispatch:
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
    branches:
      - master
jobs:
  checkmarx-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Code Checkout
        uses: actions/checkout@v4
      - name: CxOne Scan
        id: cxscan
        uses: checkmarx-ts/cxone-plusplus-github-action@v1
        with:
          container-image: <<your image tag goes here>>
          cx-tenant: ${{ secrets.CXONE_TENANT }}
          cx-client-id: ${{ secrets.CXONE_CLIENT_ID }}
          cx-client-secret: ${{ secrets.CXONE_CLIENT_SECRET }}
      - name: Show outputs
        shell: bash
        run: |
          echo ScanID: ${{ steps.cxscan.outputs.scan-id }}
          echo ProjectID: ${{ steps.cxscan.outputs.project-id }}
```
If you are not in the US1 environment, you must provide the inputs base-uri and base-auth-uri to define the API and authentication endpoints properly.
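The following workflow is an added example (not taken from the action's README) of a scan for a tenant outside the US1 environment. The base-uri and base-auth-uri values are placeholders for your region's endpoints, and the permissions block is an assumption about what the GITHUB_TOKEN needs: checkout needs contents read, uploading a SARIF file to the security tab needs security-events write, and PR decoration needs pull-requests write. Everything else in the job matches the Quick Start workflow.

```yaml
# Added example, not the action's own README workflow.
name: Checkmarx Scan (non-US1 tenant)
on:
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
    branches:
      - master

# Least-privilege token for the job (assumed requirements, see lead-in).
permissions:
  contents: read
  security-events: write
  pull-requests: write

jobs:
  checkmarx-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Code Checkout
        uses: actions/checkout@v4
      - name: CxOne Scan
        id: cxscan
        uses: checkmarx-ts/cxone-plusplus-github-action@v1
        with:
          container-image: <<your image tag goes here>>
          # Region endpoints: placeholders, replace with the API and IAM
          # URIs for the region that hosts your tenant.
          base-uri: https://<<region-api-host>>
          base-auth-uri: https://<<region-auth-host>>
          cx-tenant: ${{ secrets.CXONE_TENANT }}
          cx-client-id: ${{ secrets.CXONE_CLIENT_ID }}
          cx-client-secret: ${{ secrets.CXONE_CLIENT_SECRET }}
      - name: Show outputs
        shell: bash
        run: |
          echo "ScanID: ${{ steps.cxscan.outputs.scan-id }}"
          echo "ProjectID: ${{ steps.cxscan.outputs.project-id }}"
```

Keeping the tenant, client ID and client secret in repository secrets (as the prerequisites advise) means the region endpoints are the only tenant-specific values that appear in plain text in the workflow file.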
This action is an integration that uses the Checkmarx One CLI and the Checkmarx SCA Resolver. The inputs to this action translate to command line options found in their documentation. Please refer to that documentation if you need to include additional configuration not explicitly available through an input.
A number of options for both the CxOne CLI and SCA Resolver can be provided as environment variables. A GitHub environment defined for the repository can therefore also be used to inject configuration settings into the execution of the CxOne CLI and SCA Resolver.
The action accepts the following inputs:
- base-uri: The base URI for the region endpoint where your tenant is located. Default: URI for the US1 environment.
- base-auth-uri: The base authentication URI for the region endpoint where your tenant is located. Default: URI for the US1 environment.
- cx-tenant: The tenant identifier for your tenant. It is advised to store this as a secret value.
- cx-client-id: The OAuth client ID for API access. It is advised to store this as a secret value.
- cx-client-secret: The OAuth client secret key for API access. It is advised to store this as a secret value.
- container-image: The container tag that was made with the cx-supply-chain-toolkit.
- The name of the project where the scan will be executed. Default: the name of the repository.
- Additional parameters passed to the CxOne CLI after scan create.
- If true, turns on debugging for the CxOne CLI and the composite action. Default: false.
- The agent name to use when performing CxOne CLI commands. This value will show as the "Scan Origin" of each scan. Default: cxonepp-gh-action.
- Additional parameters to pass to the CxOne CLI (proxy settings, etc.) for all CxOne CLI invocations.
- The name of the container registry to use for login. Default: docker.io.
- The username for the container registry login. It is advised to store this as a secret value.
- The password for the container registry login. It is advised to store this as a secret value.
- If true, uploads the SARIF file to create entries on the GitHub security tab during push events. Default: true.
- If true, attaches the SARIF file to the workflow as an artifact for push or pull request events. Default: false.
- Additional parameters used when compiling reports, as described for the CxOne CLI results show command. Do not add the --filter option; use the report-filters input to set filter options.
- report-filters: The criteria that selects what to include in any report results. Default: --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT"
- If true, attaches the SBOM file to the workflow as an artifact. Default: false.
- The SBOM standard format used when generating the SBOM file. Default: CycloneDxJson.
- If true, emits the versions of the CxOne CLI and SCA Resolver in the action log. Default: true.
- The command used to execute the container. Default: 'docker run'
- The parameters used when executing the container. Default: "-t --rm -v ${GITHUB_WORKSPACE}:/sandbox/input:ro -v $(realpath ${GITHUB_WORKSPACE}/../output):/sandbox/output"
The action sets the following outputs:
- scan-id: The GUID identifier for the scan that was performed by the action.
- project-id: The GUID identifier for the project where the scan information can be found.
- A deep link to the project overview for the project where the scan was performed.