Add Checkmarx CxFlow GitHub Action for SAST scanning #9
| name: Checkmarx (CxFlow++) SAST on macOS self-hosted | |
| on: | |
| pull_request: | |
| branches: [ main ] | |
| push: | |
| branches: [ main ] | |
| workflow_dispatch: {} | |
| # Required so the action can upload SARIF (Security alerts) and (optionally) | |
| # comment on PRs or create issues if you enable those modes later. | |
| permissions: | |
| contents: read | |
| issues: write | |
| pull-requests: write | |
| security-events: write | |
| jobs: | |
| scan: | |
| # Match your self-hosted runner's labels exactly | |
| runs-on: [self-hosted, macOS, ARM64, checkmarx] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # (Optional, but recommended) Install GNU sed so any sed usage inside the action | |
| # behaves consistently (GNU sed) on macOS. | |
| - name: Install GNU sed (macOS ARM64) | |
| shell: bash | |
| run: | | |
| set -e | |
| if ! command -v brew >/dev/null 2>&1; then | |
| /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" | |
| fi | |
| if [ -x /opt/homebrew/bin/brew ]; then | |
| eval "$(/opt/homebrew/bin/brew shellenv)" | |
| fi | |
| brew update | |
| brew install gnu-sed || brew reinstall gnu-sed | |
| # Prepend Homebrew bin so 'sed' resolves to GNU sed for subsequent steps | |
| echo "/opt/homebrew/bin" >> "$GITHUB_PATH" | |
| sed --version || true | |
| # Sanitize branch/ref so the project name never contains '/' | |
| # This avoids the action's internal {branch} substitution path and BSD sed differences. | |
| - name: Build sanitized project name | |
| shell: bash | |
| env: | |
| BRANCH: ${{ github.head_ref || github.ref_name }} | |
| run: | | |
| SANITIZED="${BRANCH//\//-}" | |
| echo "SANITIZED_BRANCH=$SANITIZED" >> "$GITHUB_ENV" | |
| echo "PROJECT_NAME=OpenSAMPL-${SANITIZED}" >> "$GITHUB_ENV" | |
| echo "Sanitized project name: $PROJECT_NAME" | |
| # CxFlow++ executes directly on the runner (composite action, no Docker), | |
| # so it's compatible with macOS self-hosted runners. | |
| - name: Checkmarx CxFlow++ SAST Scan | |
| uses: checkmarx-ts/checkmarx-cxflow-plusplus-github-action@v3 | |
| env: | |
| # Force the action to use the sanitized branch value internally if it tries to substitute {branch} | |
| PROPER_BRANCH_NAME: ${{ env.SANITIZED_BRANCH }} | |
| with: | |
| # ---- On-prem Checkmarx SAST connection ---- | |
| sast-url: ${{ secrets.CHECKMARX_URL }} # e.g., https://checkmarx.ornl.gov | |
| sast-username: ${{ secrets.CHECKMARX_USERNAME }} | |
| sast-password: ${{ secrets.CHECKMARX_PASSWORD }} | |
| sast-team: ${{ secrets.CHECKMARX_TEAMS }} | |
| # ---- Project naming (sanitized; no {branch} placeholder) ---- | |
| project-name: ${{ env.PROJECT_NAME }} | |
| # ---- Scan options ---- | |
| disable-sca-scan: true # keep SAST-only for now | |
| # ---- Explicitly disable SCA Resolver for PR and push ---- | |
| pull-request-cxflow-params: "--sca.enable-sca-resolver=false" | |
| push-cxflow-params: "--sca.enable-sca-resolver=false" | |
| - name: Upload SARIF to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: cx.sarif |
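Review bot: GitHub's hidden/bidirectional Unicode banner is shown for this workflow file; a YAML file whose values are shell scripts and secret references should need only ASCII, so open it with invisible characters revealed and drop any that are not intentional before merging. The `permissions` block grants `issues: write` and `pull-requests: write` that no step here uses (the comment itself says those modes may be enabled later), so the token handed to every step, including the third-party scan action, is broader than the job needs; reduce it to `contents: read` and `security-events: write` and add the others together with the feature that requires them. The GNU sed step runs an unpinned remote installer (`/bin/bash -c "$(curl -fsSL .../Homebrew/install/HEAD/install.sh)"`) plus `brew update` on a persistent self-hosted runner on every run; pre-provisioning Homebrew on the runner image and failing the step when `brew` is absent removes that per-run execution of mutable remote code, and pinning `actions/checkout`, the CxFlow++ action and `upload-sarif` to commit SHAs instead of `@v4`/`@v3` tags would make the scan pipeline's own supply chain reproducible. In the "Build sanitized project name" step, `echo "Sanitized project name: $PROJECT_NAME"` prints an empty value because writes to `$GITHUB_ENV` only take effect in later steps; use `echo "Sanitized project name: OpenSAMPL-${SANITIZED}"`. Since the job listens on `pull_request` and runs on `[self-hosted, macOS, ARM64, checkmarx]`, confirm the repository's settings keep fork pull requests from being scheduled onto that runner, as the job would otherwise check out a fork's branch on the persistent host.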