mend and checkmarx scans workflow

EverFi · Apr 30, 2024 · 8cd9b52 · 8cd9b52
1 parent e39f8ef
commit 8cd9b52
Showing 1 changed file with 59 additions and 0 deletions.
diff --git a/.github/workflows/checkmarx_and_whitesource.yml b/.github/workflows/checkmarx_and_whitesource.yml
@@ -0,0 +1,59 @@
+# This workflow is to automate Checkmarx SAST scans.  It runs on a push to the main branch.
+#
+# The following GitHub Secrets must be first defined:
+#   - CHECKMARX_URL
+#   - CHECKMARX_USER
+#   - CHECKMARX_PASSWORD
+#   - CHECKMARX_CLIENT_SECRET
+#
+# For full documentation, including a list of all inputs, please refer to the README https://github.com/checkmarx-ts/checkmarx-cxflow-github-action
+
+
+name: Checkmarx and Whitesource scans
+on:
+  push:
+    branches:
+      - master
+jobs:
+  mend-scan:
+    name: Mend Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+      - name: Get branch name
+        shell: bash
+        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
+        id: get_branch_name
+      - name: Mend
+        env:
+          WHITESOURCE_API_KEY: ${{ secrets.WHITESOURCE_API_KEY }}
+          WHITESOURCE_API_BASE_URL: ${{ vars.WHITESOURCE_API_BASE_URL }}
+          WHITESOURCE_SERVER_URL: ${{ vars.WHITESOURCE_SERVER_URL }}
+          BRANCH: ${{ steps.get_branch_name.outputs.branch }}
+        shell: bash
+        run: |
+          echo $'\n'projectName=${{ github.event.repository.name }} >>./scripts/whitesource/agent.config
+          echo $'\n'productName=foundry >>./scripts/whitesource/agent.config
+          bash ./scripts/whitesource/mend_scan.sh
+  checkmarx-scan:
+    name: Checkmarx Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+      - name: Checkmarx CxFlow Action
+        uses: checkmarx-ts/[email protected] #Github Action version
+        with:
+          # report-file: checkmarx.json
+          # auth-scopes: access_control_api sast_rest_api
+          # version: '9.4'
+          break_build: false
+          checkmarx_url: ${{ vars.CHECKMARX_URL }} # To be stored in GitHub Secrets.
+          checkmarx_username: ${{ vars.CHECKMARX_USERNAME }} # To be stored in GitHub Secrets.
+          checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} # To be stored in GitHub Secrets.
+          checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} # To be stored in GitHub Secrets.
+          params: --namespace=${{ github.repository_owner }} --checkmarx.settings-override=true --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref_name }} --cx-flow.filterSeverity --cx-flow.filterCategory  --checkmarx.disable-clubbing=true
+          preset: Blackbaud SAST
+          project: ${{ github.event.repository.name }} # <-- Insert Checkmarx SAST Project Name
+          team: /CxServer/SP/Company/Everfi
+          scanners: sast