ORNL · 2vz111 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml
@@ -0,0 +1,106 @@
+name: Checkmarx (CxFlow CLI) SAST on macOS self-hosted
+
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+  security-events: write  # needed for SARIF upload to GitHub Security tab
+
+jobs:
+  scan:
+    runs-on: [self-hosted, macOS, ARM64, checkmarx]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      # Optional: install GNU sed (keeps sed behavior consistent on macOS if ever needed)
+      - name: Install GNU sed (macOS ARM64)
+        shell: bash
+        run: |
+          set -e
+          if ! command -v brew >/dev/null 2>&1; then
+            /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+          fi
+          if [ -x /opt/homebrew/bin/brew ]; then
+            eval "$(/opt/homebrew/bin/brew shellenv)"
+          fi
+          brew update
+          brew install gnu-sed || brew reinstall gnu-sed
+          echo "/opt/homebrew/bin" >> "$GITHUB_PATH"
+          sed --version || true
+
+      # Sanitize branch/ref so project names never contain '/'
+      - name: Build sanitized project name
+        shell: bash
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+        run: |
+          SANITIZED="${BRANCH//\//-}"
+          echo "SANITIZED_BRANCH=$SANITIZED" >> "$GITHUB_ENV"
+          echo "PROJECT_NAME=OpenSAMPL-${SANITIZED}" >> "$GITHUB_ENV"
+          echo "Sanitized project name: $PROJECT_NAME"
+
+      # Install Java if not present (Corretto JDK 17)
+      - name: Set up Java 17 (Corretto)
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'corretto'
+          java-version: '17'
+
+      # Download the CxFlow CLI jar directly
+      - name: Download CxFlow CLI
+        shell: bash
+        run: |
+          set -e
+          CXFLOW_DIR="$RUNNER_TEMP/cxflow"
+          mkdir -p "$CXFLOW_DIR"
+          # Using version observed in your logs: 1.7.13
+          curl -sSL -o "$CXFLOW_DIR/cx-flow.jar" \
+            https://github.com/checkmarx-ltd/cx-flow/releases/download/1.7.13/cx-flow-1.7.13.jar
+          test -s "$CXFLOW_DIR/cx-flow.jar" || { echo "CxFlow jar download failed"; exit 1; }
+          echo "CXFLOW_DIR=$CXFLOW_DIR" >> "$GITHUB_ENV"
+
+      # Run CxFlow SAST only, explicitly disabling SCA resolver and producing SARIF
+      - name: Orchestrate SAST scan with CxFlow CLI (resolver disabled)
+        shell: bash
+        env:
+          SARIF_FILE: ${{ env.CXFLOW_DIR }}/cx.sarif
+          CHECKMARX_BASE_URL: ${{ secrets.CHECKMARX_BASE_URL }}     # e.g., https://checkmarx.ornl.gov (NO /cxrestapi)
+          CHECKMARX_USERNAME: ${{ secrets.CHECKMARX_USERNAME }}
+          CHECKMARX_PASSWORD: ${{ secrets.CHECKMARX_PASSWORD }}
+          CHECKMARX_CLIENT_SECRET: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
+          CHECKMARX_TEAMS: ${{ secrets.CHECKMARX_TEAMS }}           # e.g., \CxServer\SP\Company\ORNL
+        run: |
+          set -e
+          echo "Starting CxFlow CLI (SAST only, resolver disabled)..."
+          java -Xms512m -Xmx2048m -Djava.security.egd=file:/dev/./urandom \
+            -jar "$CXFLOW_DIR/cx-flow.jar" \
+            --scan --f=. \
+            --bug-tracker="Sarif" \
+            --cx-project="${PROJECT_NAME}" \
+            --cx-team="${CHECKMARX_TEAMS}" \
+            --namespace="${{ github.repository_owner }}" \
+            --repo-name="${{ github.event.repository.name }}" \
+            --branch="${SANITIZED_BRANCH}" \
+            --logging.level.com.checkmarx="INFO" \
+            --cx-flow.enabled-vulnerability-scanners="sast" \
+            --checkmarx.base-url="${CHECKMARX_BASE_URL}" \
+            --checkmarx.username="${CHECKMARX_USERNAME}" \
+            --checkmarx.password="${CHECKMARX_PASSWORD}" \
+            --checkmarx.client-secret="${CHECKMARX_CLIENT_SECRET}" \
+            --sarif.file-output="${SARIF_FILE}" \
+            --sca.enable-sca-resolver=false
+
+          echo "CxFlow completed; SARIF at: ${SARIF_FILE}"
+
+      - name: Upload SARIF to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ env.CXFLOW_DIR }}/cx.sarif
diff --git a/.github/workflows/selfhosted-smoke-test.yml b/.github/workflows/selfhosted-smoke-test.yml
@@ -0,0 +1,65 @@
+name: Self-hosted Runner Smoke Test
+
+on:
+  workflow_dispatch: {}   # allows manual trigger from the Actions tab
+  push:
+    paths:
+      - .github/workflows/selfhosted-smoke-test.yml
+
+permissions:
+  contents: read
+
+jobs:
+  runner-check:
+    # If you added custom labels to your runner (e.g., 'macOS', 'ORNL'),
+    # replace 'self-hosted' with your specific labels:
+    # runs-on: [self-hosted, macOS]
+    runs-on: self-hosted
+
+    steps:
+      - name: Checkout (no repo content needed but proves token works)
+        uses: actions/checkout@v4
+
+      - name: Print runner basics
+        run: |
+          echo "Runner name: $RUNNER_NAME"
+          echo "Runner OS: $RUNNER_OS"
+          echo "Runner arch: $RUNNER_ARCH"
+          echo "Workspace: $GITHUB_WORKSPACE"
+          echo "Repository: $GITHUB_REPOSITORY"
+          echo "Actor: $GITHUB_ACTOR"
+          echo "Ref: $GITHUB_REF"
+          echo "Commit SHA: $GITHUB_SHA"
+          echo "Labels: $RUNNER_LABELS"
+
+      - name: List environment
+        run: env | sort
+
+      - name: Verify outbound connectivity to GitHub
+        run: |
+          set -e
+          echo "Pinging api.github.com..."
+          curl -sS -I https://api.github.com | head -n 1
+          echo "Pinging github.com..."
+          curl -sS -I https://github.com | head -n 1
+          echo "Connectivity OK."
+
+      - name: Verify connectivity to Checkmarx (HTTP(S) reachability)
+        # This confirms your runner can reach the on-prem server.
+        # If your Checkmarx uses a private CA, this may fail unless the CA is trusted locally.
+        continue-on-error: true
+        run: |
+          set -e
+          echo "Checking https://checkmarx.ornl.gov/cxrestapi/version..."
+          curl -sS -k https://checkmarx.ornl.gov/cxrestapi/version || true
+          echo "If this printed JSON version info, connectivity is good."
+
+      - name: Runner file system sanity check
+        run: |
+          echo "Creating a temp file in $RUNNER_TEMP ..."
+          echo "Hello from self-hosted runner at $(date)" > "$RUNNER_TEMP/hello.txt"
+          ls -al "$RUNNER_TEMP"
+          cat "$RUNNER_TEMP/hello.txt"
+
+      - name: Done
+        run: echo "✅ Self-hosted runner smoke test completed."