diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml
new file mode 100644
index 0000000..64cac4b
--- /dev/null
+++ b/.github/workflows/checkmarx.yml
@@ -0,0 +1,106 @@
+name: Checkmarx (CxFlow CLI) SAST on macOS self-hosted
+
+on:
+ pull_request:
+ branches: [ main ]
+ push:
+ branches: [ main ]
+ workflow_dispatch: {}
+
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+ security-events: write # needed for SARIF upload to GitHub Security tab
+
+jobs:
+ scan:
+ runs-on: [self-hosted, macOS, ARM64, checkmarx]
+
+ steps:
+ - uses: actions/checkout@v4
+
+ # Optional: install GNU sed (keeps sed behavior consistent on macOS if ever needed)
+ - name: Install GNU sed (macOS ARM64)
+ shell: bash
+ run: |
+ set -e
+ if ! command -v brew >/dev/null 2>&1; then
+ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+ fi
+ if [ -x /opt/homebrew/bin/brew ]; then
+ eval "$(/opt/homebrew/bin/brew shellenv)"
+ fi
+ brew update
+ brew install gnu-sed || brew reinstall gnu-sed
+ echo "/opt/homebrew/bin" >> "$GITHUB_PATH"
+ sed --version || true
+
+ # Sanitize branch/ref so project names never contain '/'
+ - name: Build sanitized project name
+ shell: bash
+ env:
+ BRANCH: ${{ github.head_ref || github.ref_name }}
+ run: |
+ SANITIZED="${BRANCH//\//-}"
+ echo "SANITIZED_BRANCH=$SANITIZED" >> "$GITHUB_ENV"
+ echo "PROJECT_NAME=OpenSAMPL-${SANITIZED}" >> "$GITHUB_ENV"
+ echo "Sanitized project name: $PROJECT_NAME"
+
+ # Install Java if not present (Corretto JDK 17)
+ - name: Set up Java 17 (Corretto)
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'corretto'
+ java-version: '17'
+
+ # Download the CxFlow CLI jar directly
+ - name: Download CxFlow CLI
+ shell: bash
+ run: |
+ set -e
+ CXFLOW_DIR="$RUNNER_TEMP/cxflow"
+ mkdir -p "$CXFLOW_DIR"
+ # Using version observed in your logs: 1.7.13
+ curl -sSL -o "$CXFLOW_DIR/cx-flow.jar" \
+ https://github.com/checkmarx-ltd/cx-flow/releases/download/1.7.13/cx-flow-1.7.13.jar
+ test -s "$CXFLOW_DIR/cx-flow.jar" || { echo "CxFlow jar download failed"; exit 1; }
+ echo "CXFLOW_DIR=$CXFLOW_DIR" >> "$GITHUB_ENV"
+
+ # Run CxFlow SAST only, explicitly disabling SCA resolver and producing SARIF
+ - name: Orchestrate SAST scan with CxFlow CLI (resolver disabled)
+ shell: bash
+ env:
+ SARIF_FILE: ${{ env.CXFLOW_DIR }}/cx.sarif
+ CHECKMARX_BASE_URL: ${{ secrets.CHECKMARX_BASE_URL }} # e.g., https://checkmarx.ornl.gov (NO /cxrestapi)
+ CHECKMARX_USERNAME: ${{ secrets.CHECKMARX_USERNAME }}
+ CHECKMARX_PASSWORD: ${{ secrets.CHECKMARX_PASSWORD }}
+ CHECKMARX_CLIENT_SECRET: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
+ CHECKMARX_TEAMS: ${{ secrets.CHECKMARX_TEAMS }} # e.g., \CxServer\SP\Company\ORNL
+ run: |
+ set -e
+ echo "Starting CxFlow CLI (SAST only, resolver disabled)..."
+ java -Xms512m -Xmx2048m -Djava.security.egd=file:/dev/./urandom \
+ -jar "$CXFLOW_DIR/cx-flow.jar" \
+ --scan --f=. \
+ --bug-tracker="Sarif" \
+ --cx-project="${PROJECT_NAME}" \
+ --cx-team="${CHECKMARX_TEAMS}" \
+ --namespace="${{ github.repository_owner }}" \
+ --repo-name="${{ github.event.repository.name }}" \
+ --branch="${SANITIZED_BRANCH}" \
+ --logging.level.com.checkmarx="INFO" \
+ --cx-flow.enabled-vulnerability-scanners="sast" \
+ --checkmarx.base-url="${CHECKMARX_BASE_URL}" \
+ --checkmarx.username="${CHECKMARX_USERNAME}" \
+ --checkmarx.password="${CHECKMARX_PASSWORD}" \
+ --checkmarx.client-secret="${CHECKMARX_CLIENT_SECRET}" \
+ --sarif.file-output="${SARIF_FILE}" \
+ --sca.enable-sca-resolver=false
+
+ echo "CxFlow completed; SARIF at: ${SARIF_FILE}"
+
+ - name: Upload SARIF to GitHub Security
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ env.CXFLOW_DIR }}/cx.sarif
diff --git a/.github/workflows/selfhosted-smoke-test.yml b/.github/workflows/selfhosted-smoke-test.yml
new file mode 100644
index 0000000..7e0d703
--- /dev/null
+++ b/.github/workflows/selfhosted-smoke-test.yml
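Review bot: The CxFlow jar in the "Download CxFlow CLI" step is fetched from the release URL with no integrity check — `test -s` only proves the file is non-empty, so a substituted or tampered artifact would be executed by `java -jar` with the Checkmarx credentials in scope. Pin a digest beside the version and verify it before use, e.g. `echo "<SHA256-OF-CX-FLOW-1.7.13-JAR>  $CXFLOW_DIR/cx-flow.jar" | shasum -a 256 -c -` (placeholder digest; record the real one from the release you validated). The optional GNU sed step likewise pipes an unpinned `install.sh` from `HEAD` into bash on a self-hosted runner that this workflow reaches via `pull_request`; since its own comment calls it optional, removing it or pinning the installer is the safer choice. In the scan step the password and client secret are passed as `--checkmarx.password=`/`--checkmarx.client-secret=` arguments, which are readable in the runner's process listing while the JVM runs, even though the same values are already exported as `CHECKMARX_PASSWORD`/`CHECKMARX_CLIENT_SECRET`; CxFlow is a Spring Boot application, so relaxed binding of those environment variables may make the flags redundant — confirm against the CxFlow docs before dropping them. Finally, `issues: write` and `pull-requests: write` are granted but nothing in this workflow uses them (the bug tracker is `Sarif`), so they can be removed to leave the token read-only apart from `security-events`.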
@@ -0,0 +1,65 @@
+name: Self-hosted Runner Smoke Test
+
+on:
+ workflow_dispatch: {} # allows manual trigger from the Actions tab
+ push:
+ paths:
+ - .github/workflows/selfhosted-smoke-test.yml
+
+permissions:
+ contents: read
+
+jobs:
+ runner-check:
+ # If you added custom labels to your runner (e.g., 'macOS', 'ORNL'),
+ # replace 'self-hosted' with your specific labels:
+ # runs-on: [self-hosted, macOS]
+ runs-on: self-hosted
+
+ steps:
+ - name: Checkout (no repo content needed but proves token works)
+ uses: actions/checkout@v4
+
+ - name: Print runner basics
+ run: |
+ echo "Runner name: $RUNNER_NAME"
+ echo "Runner OS: $RUNNER_OS"
+ echo "Runner arch: $RUNNER_ARCH"
+ echo "Workspace: $GITHUB_WORKSPACE"
+ echo "Repository: $GITHUB_REPOSITORY"
+ echo "Actor: $GITHUB_ACTOR"
+ echo "Ref: $GITHUB_REF"
+ echo "Commit SHA: $GITHUB_SHA"
+ echo "Labels: $RUNNER_LABELS"
+
+ - name: List environment
+ run: env | sort
+
+ - name: Verify outbound connectivity to GitHub
+ run: |
+ set -e
+ echo "Pinging api.github.com..."
+ curl -sS -I https://api.github.com | head -n 1
+ echo "Pinging github.com..."
+ curl -sS -I https://github.com | head -n 1
+ echo "Connectivity OK."
+
+ - name: Verify connectivity to Checkmarx (HTTP(S) reachability)
+ # This confirms your runner can reach the on-prem server.
+ # If your Checkmarx uses a private CA, this may fail unless the CA is trusted locally.
+ continue-on-error: true
+ run: |
+ set -e
+ echo "Checking https://checkmarx.ornl.gov/cxrestapi/version..."
+ curl -sS -k https://checkmarx.ornl.gov/cxrestapi/version || true
+ echo "If this printed JSON version info, connectivity is good."
+
+ - name: Runner file system sanity check
+ run: |
+ echo "Creating a temp file in $RUNNER_TEMP ..."
+ echo "Hello from self-hosted runner at $(date)" > "$RUNNER_TEMP/hello.txt"
+ ls -al "$RUNNER_TEMP"
+ cat "$RUNNER_TEMP/hello.txt"
+
+ - name: Done
+ run: echo "✅ Self-hosted runner smoke test completed."
\ No newline at end of file
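Review bot: The "List environment" step runs `env | sort`, which writes every variable present on the self-hosted runner into the job log — GitHub masks secrets registered in the repository, but anything set at the runner or service level (proxy credentials, locally exported tokens) is printed verbatim and persists in the run history. Narrow it to the runner-provided names, e.g. `run: env | sort | grep -E '^(RUNNER_|GITHUB_)'`, or drop the step since "Print runner basics" already shows the useful values. In the Checkmarx reachability step, `curl -sS -k` disables certificate verification, so the step can report success even when the private CA the comment warns about is not trusted on the runner — precisely the condition the real scan will later fail on; with `continue-on-error: true` already set, removing `-k` gives an honest signal without breaking the job. That step also hard-codes `https://checkmarx.ornl.gov` while the scan workflow takes the base URL from `secrets.CHECKMARX_BASE_URL`; reading both from the same source keeps the smoke test from drifting away from what the scan actually contacts.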