Checkmarx scans #46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Checkmarx scans | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| on: | |
| schedule: | |
| - cron: 0 1 * * 1-5 | |
| workflow_dispatch: | |
| pull_request: | |
| branches: | |
| - master | |
| push: | |
| branches: | |
| - master | |
| jobs: | |
| pipeline-scan: | |
| name: Run a pipeline scan | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: routing | |
| run: | | |
| # Quality gate settings | |
| ENABLE_QG="true" | |
| if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" != "yes" ]]; then | |
| # disabling all QG in case of incident with the service | |
| ENABLE_QG="false" | |
| echo "Skipping analysis. Caused by QG override" | |
| elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.user.id }}" == "49699333" ]]; then | |
| # disabling the QG in case of pull request opened by dependabot bot | |
| # As dependabot will not be able to access GH secrets | |
| ENABLE_QG="false" | |
| echo "Skipping analysis. Caused by dependabot PR" | |
| fi | |
| # Check forced full scan | |
| SCAN_MODE="--sast-incremental" | |
| if [[ "${{ github.event_name }}" == "schedule" || "${{ vars.CHECKMARX_FORCE_FULL_SCAN }}" == "yes" ]]; then | |
| SCAN_MODE="--sast-incremental=false" | |
| fi | |
| echo "scan_mode=$SCAN_MODE" >> $GITHUB_ENV | |
| echo "enable_analysis=$ENABLE_QG" >> $GITHUB_ENV | |
| cat $GITHUB_ENV | |
| - name: Checkout | |
| if: env.enable_analysis == 'true' | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Checkmarx One CLI Action | |
| if: env.enable_analysis == 'true' | |
| uses: checkmarx/ast-github-action@88c60148b7b9689d67eb05bf66a65bbb871f2f2c # v2.3.20 | |
| with: | |
| project_name: centreon-injector | |
| base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }} | |
| cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }} | |
| cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }} | |
| cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }} | |
| source_dir: "./" | |
| additional_params: --scan-types "sast,sca,api-security" ${{ env.scan_mode }} |