# checkmarx-ts/cxflow

Checkmarx CxFlow orb for executing Checkmarx scans and publishing results to various feedback channels.

- Additional information regarding Checkmarx can be found here: https://checkmarx.atlassian.net/wiki/spaces/KC/overview
- Additional information regarding CxFlow can be found here: https://github.com/checkmarx-ltd/cx-flow/wiki

The following environment variables must be set within your CircleCI project for this orb to function:

- `CHECKMARX_URL`: High-level DNS entry for the Checkmarx instance, including protocol/port (e.g. https://cxsast.example.com)
- `CHECKMARX_USERNAME`: Service account within Checkmarx that will be used for triggering scans and retrieving results
- `CHECKMARX_PASSWORD`: Password of the service account
- `CHECKMARX_CLIENT_SECRET`: Client secret key associated with your Checkmarx SAST account
- `AST_CLIENT_ID`: Service account client ID for Checkmarx AST
- `AST_CLIENT_SECRET`: Client secret key associated with your Checkmarx AST account
- `SCA_USERNAME`: Service account within Checkmarx SCA that will be used for triggering scans and retrieving results
- `SCA_PASSWORD`: Password of the Checkmarx SCA service account
- `SCA_TENANT`: Tenant information of the Checkmarx SCA account
- `CXGO_CLIENT_SECRET`: Client secret key associated with your Checkmarx CxGo account
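
A preflight for the variable list above, as an added example that is not part of the orb: it reports unset variables by name only, so no secret value reaches the build log. The `cx_*` function names and the `https://` check on `CHECKMARX_URL` are assumptions of this example.

```shell
# Added example (not part of the orb): fail fast when a required
# project variable is missing, without echoing any secret value.

# The ten variables this page lists as required.
CX_REQUIRED_VARS="CHECKMARX_URL CHECKMARX_USERNAME CHECKMARX_PASSWORD \
CHECKMARX_CLIENT_SECRET AST_CLIENT_ID AST_CLIENT_SECRET \
SCA_USERNAME SCA_PASSWORD SCA_TENANT CXGO_CLIENT_SECRET"

# Print the NAME of every required variable that is unset or empty.
cx_missing_vars() {
  for name in $CX_REQUIRED_VARS; do
    # Names come from the fixed list above, so eval sees no untrusted input.
    eval "value=\${$name:-}"
    [ -n "$value" ] || printf '%s\n' "$name"
  done
}

# Succeed only when CHECKMARX_URL starts with https:// (assumption of this
# example: service-account credentials should not cross the network in clear).
cx_url_is_https() {
  case "${CHECKMARX_URL:-}" in
    https://?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run both checks; diagnostics go to stderr, return status is 0 only if all pass.
cx_preflight() {
  missing=$(cx_missing_vars)
  status=0
  if [ -n "$missing" ]; then
    echo "Missing CircleCI project variables:" >&2
    echo "$missing" >&2
    status=1
  fi
  if ! cx_url_is_https; then
    echo "CHECKMARX_URL is empty or not an https:// URL" >&2
    status=1
  fi
  return $status
}
```

Source the functions in a `run` step placed before the orb's scan or results step and call `cx_preflight`; a non-zero status stops the job before any credential is used.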


## Commands

### results

Command used to retrieve the latest Checkmarx scan results and publish them in JSON format or to a bug tracker supported by CxFlow.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `app` | string | ${CIRCLE_PROJECT_REPONAME}-${CIRCLE_BRANCH} | Select an Application Name used by downstream bug tracker systems |
| `apply-filters` | string | --filter-severity=High --filter-severity=Medium --filter-severity=Low | Select report filter criteria |
| `ast-apiUrl` | string |  | AST scan API URL |
| `ast-incremental` | boolean | false | AST scan incremental? |
| `ast-preset` | string | Checkmarx Default | Preset for Checkmarx AST Scan |
| `ast-webAppUrl` | string |  | AST scan Web App URL |
| `auth-scopes` | string | sast_rest_api | Checkmarx Access Control Scopes |
| `break` | boolean | false | Break build based on Checkmarx findings? |
| `bug-tracker` | string | Json | Select a proper bug tracker |
| `checkmarx-url` | string | ${CHECKMARX_URL} | Provide Checkmarx URL |
| `cxgo-base-url` | string | https://api.checkmarx.net | Base URL for CxGo scan |
| `cxgo-configuration` | string |  | Configuration for CxGo scan |
| `cxgo-multi-tenant` | boolean | true | Multi Tenant for CxGo |
| `cxgo-portal-url` | string | https://cloud.checkmarx.net | Portal URL for CxGo scan |
| `cxgo-scan-preset` | string |  | Scan presets for CxGo |
| `no-output-timeout` | string | 10m | Use this to configure the no_output_timeout value of the test run |
| `params` | string |  | Additional CLI parameters |
| `project` | string | ${CIRCLE_PROJECT_REPONAME}-${CIRCLE_BRANCH} | Select a Checkmarx Project |
| `report-file` | string | cx.json | Report filename |
| `report-folder` | string | ./ | Folder to save report |
| `sca-accessControlUrl` | string |  | SCA SCAN Access Control URL |
| `sca-apiUrl` | string |  | SCA Scan API URL |
| `sca-appUrl` | string |  | SCA Scan APP URL |
| `scanners` | string | sast | Vulnerability scanners |
| `team` | string | \CxServer\SP\Company | Select a Checkmarx Team |
| `version` | string | 8.9 | Select a Checkmarx version |

### scan

Command used to trigger Checkmarx scans and publish the results in JSON format or to a bug tracker supported by CxFlow.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `app` | string | ${CIRCLE_PROJECT_REPONAME}-${CIRCLE_BRANCH} | Select an Application Name used by downstream bug tracker systems |
| `apply-filters` | string | --filter-severity=High --filter-severity=Medium --filter-severity=Low | Select report filter criteria |
| `ast-apiUrl` | string |  | AST scan API URL |
| `ast-incremental` | boolean | false | AST scan incremental? |
| `ast-preset` | string | Checkmarx Default | Preset for Checkmarx AST Scan |
| `ast-webAppUrl` | string |  | AST scan Web App URL |
| `auth-scopes` | string | sast_rest_api | Checkmarx Access Control Scopes |
| `break` | boolean | false | Break build based on Checkmarx findings? |
| `bug-tracker` | string | Json | Select a proper bug tracker |
| `checkmarx-url` | string | ${CHECKMARX_URL} | Provide Checkmarx URL |
| `cxgo-base-url` | string | https://api.checkmarx.net | Base URL for CxGo scan |
| `cxgo-configuration` | string |  | Configuration for CxGo scan |
| `cxgo-multi-tenant` | boolean | true | Multi Tenant for CxGo |
| `cxgo-portal-url` | string | https://cloud.checkmarx.net | Portal URL for CxGo scan |
| `cxgo-scan-preset` | string |  | Scan presets for CxGo |
| `incremental` | boolean | true | Incremental Scans? |
| `no-output-timeout` | string | 10m | Use this to configure the no_output_timeout value of the test run |
| `params` | string |  | Additional CLI parameters |
| `preset` | string | Checkmarx Express | Select a Checkmarx Preset |
| `project` | string | ${CIRCLE_PROJECT_REPONAME}-${CIRCLE_BRANCH} | Select a Checkmarx Project |
| `report-file` | string | cx.json | Report filename |
| `report-folder` | string | ./ | Folder to save report |
| `sca-accessControlUrl` | string |  | SCA SCAN Access Control URL |
| `sca-apiUrl` | string |  | SCA Scan API URL |
| `sca-appUrl` | string |  | SCA Scan APP URL |
| `scan-configuration` | string | Default Configuration | Select a Scan Engine Configuration |
| `scan-timeout` | integer | 120 | Maximum time to wait for a scan to complete (in minutes) |
| `scanners` | string | sast | Vulnerability scanners |
| `team` | string | \CxServer\SP\Company | Select a Checkmarx Team |
| `version` | string | 9.4 | Select a Checkmarx version |

## Jobs

### results

Job to retrieve the latest Checkmarx scan results and publish them in JSON format or to a bug tracker supported by CxFlow.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `app` | string | ${CIRCLE_PROJECT_REPONAME}-${CIRCLE_BRANCH} | Select an Application Name used by downstream bug tracker systems |
| `apply-filters` | string | --filter-severity=High --filter-severity=Medium --filter-severity=Low | Select report filter criteria |
| `ast-apiUrl` | string |  | AST scan API URL |
| `ast-incremental` | boolean | false | AST scan incremental? |
| `ast-preset` | string | Checkmarx Default | Preset for Checkmarx AST Scan |
| `ast-webAppUrl` | string |  | AST scan Web App URL |
| `auth-scopes` | string | sast_rest_api | Checkmarx Access Control Scopes |
| `break` | boolean | false | Break build based on Checkmarx findings? |
| `bug-tracker` | string | Json | Select a proper bug tracker |
| `checkmarx-url` | string | ${CHECKMARX_URL} | Provide Checkmarx URL |
| `cxgo-base-url` | string | https://api.checkmarx.net | Base URL for CxGo scan |
| `cxgo-configuration` | string |  | Configuration for CxGo scan |
| `cxgo-multi-tenant` | boolean | true | Multi Tenant for CxGo |
| `cxgo-portal-url` | string | https://cloud.checkmarx.net | Portal URL for CxGo scan |
| `cxgo-scan-preset` | string |  | Scan presets for CxGo |
| `no-output-timeout` | string | 10m | Use this to configure the no_output_timeout value of the test run |
| `params` | string |  | Additional CLI parameters |
| `project` | string | ${CIRCLE_PROJECT_REPONAME}-${CIRCLE_BRANCH} | Select a Checkmarx Project |
| `report-file` | string | cx.json | Report filename |
| `report-folder` | string | ./ | Folder to save report |
| `sca-accessControlUrl` | string |  | SCA SCAN Access Control URL |
| `sca-apiUrl` | string |  | SCA Scan API URL |
| `sca-appUrl` | string |  | SCA Scan URL |
| `scanners` | string | sast | Vulnerability scanners |
| `tag` | string | latest | Select a Checkmarx version |
| `team` | string | \CxServer\SP\Company | Select a Checkmarx Team |
| `version` | string | 8.9 | Select a Checkmarx version |

### scan

Job to trigger Checkmarx scans of the current code base and publish the results in JSON format or to a bug tracker supported by CxFlow.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `app` | string | ${CIRCLE_PROJECT_REPONAME}-${CIRCLE_BRANCH} | Select an Application Name used by downstream bug tracker systems |
| `apply-filters` | string | --filter-severity=High --filter-severity=Medium --filter-severity=Low | Select report filter criteria |
| `ast-apiUrl` | string |  | AST scan API URL |
| `ast-incremental` | boolean | false | AST scan incremental? |
| `ast-preset` | string | Checkmarx Default | Preset for Checkmarx AST Scan |
| `ast-webAppUrl` | string |  | AST scan Web App URL |
| `auth-scopes` | string | sast_rest_api | Checkmarx Access Control Scopes |
| `break` | boolean | false | Break build based on Checkmarx findings? |
| `bug-tracker` | string | Json | Select a proper bug tracker |
| `checkmarx-url` | string | ${CHECKMARX_URL} | Provide Checkmarx URL |
| `cxgo-base-url` | string | https://api.checkmarx.net | Base URL for CxGo scan |
| `cxgo-configuration` | string |  | Configuration for CxGo scan |
| `cxgo-multi-tenant` | boolean | true | Multi Tenant for CxGo |
| `cxgo-portal-url` | string | https://cloud.checkmarx.net | Portal URL for CxGo scan |
| `cxgo-scan-preset` | string |  | Scan presets for CxGo |
| `incremental` | boolean | true | Incremental Scans? |
| `no-output-timeout` | string | 10m | Use this to configure the no_output_timeout value of the test run |
| `params` | string |  | Additional CLI parameters |
| `preset` | string | Checkmarx Express | Select a Checkmarx Preset |
| `project` | string | ${CIRCLE_PROJECT_REPONAME}-${CIRCLE_BRANCH} | Select a Checkmarx Project |
| `report-file` | string | cx.json | Report filename |
| `report-folder` | string | ./ | Folder to save report |
| `sca-accessControlUrl` | string |  | SCA SCAN Access Control URL |
| `sca-apiUrl` | string |  | SCA Scan API URL |
| `sca-appUrl` | string |  | SCA Scan URL |
| `scan-configuration` | string | Default Configuration | Select a Scan Engine Configuration |
| `scan-timeout` | integer | 120 | Maximum time to wait for a scan to complete (in minutes) |
| `scanners` | string | sast | Vulnerability scanners |
| `tag` | string | latest | Select a Checkmarx version |
| `team` | string | \CxServer\SP\Company | Select a Checkmarx Team |
| `version` | string | 8.9 | Select a Checkmarx version |

## Executors

### default

Select version of CxFlow to use.  Any available tag from this list can be used: https://hub.docker.com/r/checkmarx/cx-flow/tags


| Parameter | Type | Default | Description |
|---|---|---|---|
| `tag` | string | latest | Pick a specific checkmarx/cx-flow image variant: https://hub.docker.com/r/checkmarx/cx-flow/tags |

## Examples

### checkmarx-results-command

Retrieve the latest results for a given Checkmarx project and store a JSON vulnerability report as an artifact.


```yaml
jobs:
  cx-results:
    executor: cxflow/default
    steps:
      - cxflow/results:
          ast-apiUrl: http://cx-ast-testing.dev.checkmarx-ts.com
          ast-incremental: false
          ast-preset: Checkmarx Default
          ast-webAppUrl: http://cx-ast-testing.dev.checkmarx-ts.com
          cxgo-base-url: https://api.checkmarx.net
          cxgo-configuration: Default Configuration
          cxgo-multi-tenant: true
          cxgo-portal-url: https://cloud.checkmarx.net
          cxgo-scan-preset: 1,2,3,4,5,9
          project: Riches
          report-file: checkmarx-results.json
          sca-accessControlUrl: https://platform.checkmarx.net
          sca-apiUrl: https://api.scacheckmarx.com
          sca-appUrl: https://sca.scacheckmarx.com
          scanners: sca,ast,cxgo,sast
          team: \CxServer\SP\Checkmarx
      - store_artifacts:
          path: checkmarx-results.json
orbs:
  cxflow: checkmarx-ts/cxflow@1.0.5
version: 2.1
workflows:
  sast-results:
    jobs:
      - cx-results:
          filters:
            branches:
              only: master
  version: 2
```

### checkmarx-results-job

Checkout code and run Checkmarx Scan and store the report as an artifact


```yaml
orbs:
  cxflow: checkmarx-ts/cxflow@1.0.5
version: 2.1
workflows:
  sast-scan:
    jobs:
      - cxflow/results:
          ast-apiUrl: http://cx-ast-testing.dev.checkmarx-ts.com
          ast-incremental: false
          ast-preset: Checkmarx Default
          ast-webAppUrl: http://cx-ast-testing.dev.checkmarx-ts.com
          cxgo-base-url: https://api.checkmarx.net
          cxgo-configuration: Default Configuration
          cxgo-multi-tenant: true
          cxgo-portal-url: https://cloud.checkmarx.net
          cxgo-scan-preset: 1,2,3,4,5,9
          filters:
            branches:
              only:
                - master
          project: CxProject
          report-file: vulns.json
          sca-accessControlUrl: https://platform.checkmarx.net
          sca-apiUrl: https://api.scacheckmarx.com
          sca-appUrl: https://sca.scacheckmarx.com
          scanners: sca,ast,cxgo,sast
          team: \CxServer\SP\Checkmarx
  version: 2
```

### checkmarx-scan-command

Check out code, run a Checkmarx scan, wait for results and store a JSON vulnerability report as an artifact.


```yaml
jobs:
  cx-scan:
    executor: cxflow/default
    steps:
      - checkout
      - cxflow/scan:
          ast-apiUrl: http://cx-ast-testing.dev.checkmarx-ts.com
          ast-incremental: false
          ast-preset: Checkmarx Default
          ast-webAppUrl: http://cx-ast-testing.dev.checkmarx-ts.com
          cxgo-base-url: https://api.checkmarx.net
          cxgo-configuration: Default Configuration
          cxgo-multi-tenant: true
          cxgo-portal-url: https://cloud.checkmarx.net
          cxgo-scan-preset: 1,2,3,4,5,9
          preset: Checkmarx Express
          report-file: checkmarx.json
          sca-accessControlUrl: https://platform.checkmarx.net
          sca-apiUrl: https://api.scacheckmarx.com
          sca-appUrl: https://sca.scacheckmarx.com
          scanners: sca,ast,cxgo,sast
          team: \CxServer\SP\Checkmarx
      - store_artifacts:
          path: checkmarx.json
orbs:
  cxflow: checkmarx-ts/cxflow@1.0.5
version: 2.1
workflows:
  sast-scan:
    jobs:
      - cx-scan:
          filters:
            branches:
              only: master
  version: 2
```

### checkmarx-scan-job

Retrieve the latest results for a given Checkmarx project and store a JSON vulnerability report as an artifact.


```yaml
orbs:
  cxflow: checkmarx-ts/cxflow@1.0.5
version: 2.1
workflows:
  sast-scan:
    jobs:
      - cxflow/scan:
          ast-apiUrl: http://cx-ast-testing.dev.checkmarx-ts.com
          ast-incremental: false
          ast-preset: Checkmarx Default
          ast-webAppUrl: http://cx-ast-testing.dev.checkmarx-ts.com
          cxgo-base-url: https://api.checkmarx.net
          cxgo-configuration: Default Configuration
          cxgo-multi-tenant: true
          cxgo-portal-url: https://cloud.checkmarx.net
          cxgo-scan-preset: 1,2,3,4,5,9
          filters:
            branches:
              only:
                - master
          preset: Checkmarx Express
          project: CxProject
          report-file: vulns.json
          sca-accessControlUrl: https://platform.checkmarx.net
          sca-apiUrl: https://api.scacheckmarx.com
          sca-appUrl: https://sca.scacheckmarx.com
          scanners: sca,ast,cxgo,sast
          team: \CxServer\SP\Checkmarx
  version: 2
```