From 1e615352589af19aef349bc7f64b7d6a587894b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Chapron?= <34628915+sc979@users.noreply.github.com>
Date: Thu, 3 Jul 2025 14:14:58 +0200
Subject: [PATCH] ci(secu): force full scan on scheduled jobs and manage override (#5655)
---
 .github/workflows/checkmarx-analysis.yml | 36 ++++++++++++------------
 .github/workflows/gitleaks.yml | 2 +-
 2 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/checkmarx-analysis.yml b/.github/workflows/checkmarx-analysis.yml
index be219a0be..441f8e052 100644
--- a/.github/workflows/checkmarx-analysis.yml
+++ b/.github/workflows/checkmarx-analysis.yml
@@ -21,43 +21,43 @@ on: required: true jobs: - build: - name: Binary preparation + pipeline-scan: + name: Run a pipeline scan runs-on: ubuntu-24.04 - outputs: - enable_analysis: ${{ steps.routing.outputs.enable_analysis }} steps: - name: routing - id: routing run: | # Quality gate settings ENABLE_QG="true" - if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" != "true" ]]; then + if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" != "yes" ]]; then # disabling all QG in case of incident with the service ENABLE_QG="false" echo "Skipping analysis. Caused by QG override" elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.user.id }}" == "49699333" ]]; then # disabling the QG in case of pull request opened by dependabot bot - # As dependabot will ne be able to access GH secrets + # As dependabot will not be able to access GH secrets ENABLE_QG="false" echo "Skipping analysis. Caused by dependabot PR" fi - echo "enable_analysis=$ENABLE_QG" >> $GITHUB_OUTPUT - cat $GITHUB_OUTPUT - pipeline-scan: - needs: [build] - name: Run a pipeline scan - runs-on: ubuntu-24.04 - if: needs.build.outputs.enable_analysis == 'true' + # Check forced full scan + SCAN_MODE="--sast-incremental" + if [[ "${{ github.event_name }}" == "schedule" || "${{ vars.CHECKMARX_FORCE_FULL_SCAN }}" == "yes" ]]; then + SCAN_MODE="--sast-incremental=false" + fi + + echo "scan_mode=$SCAN_MODE" >> $GITHUB_ENV + echo "enable_analysis=$ENABLE_QG" >> $GITHUB_ENV + cat $GITHUB_ENV - steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + if: env.enable_analysis == 'true' + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Checkmarx One CLI Action - uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # v.2.3.19 + if: env.enable_analysis == 'true' + uses: checkmarx/ast-github-action@88c60148b7b9689d67eb05bf66a65bbb871f2f2c # v2.3.20 with: project_name: ${{ inputs.module_name }} base_uri: ${{ 
secrets.base_uri }}
@@ -65,4 +65,4 @@ jobs:
 cx_client_id: ${{ secrets.cx_client_id }}
 cx_client_secret: ${{ secrets.cx_client_secret }}
 source_dir: "./"
- additional_params: --file-filter "!**/.githooks/**" --scan-types "sast,sca,api-security"
+ additional_params: --scan-types "sast,sca,api-security" ${{ env.scan_mode }}
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 03e5814d0..a81ca2ccd 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -20,7 +20,7 @@ jobs:
 - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GITLEAKS_LICENSE: "Centreon"
+ GITLEAKS_LICENSE: Centreon
 GITLEAKS_ENABLE_COMMENTS: false
 GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
 GITLEAKS_ENABLE_SUMMARY: false
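Review bot: The new sentinel in the routing step, `if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" != "yes" ]]; then`, fails open: an unset, empty or still-`true` repository variable (the value the old `!= "true"` comparison expected) now skips the Checkmarx scan entirely, since both the checkout and the CLI step are gated on `enable_analysis == 'true'`, and the only trace is the "QG override" log line. Consider making the override an explicit opt-out so the scan stays on by default, e.g. `if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" == "no" ]]; then`, or at least accept both `yes` and `true` while repositories migrate, and state the accepted values in a comment above the routing step. The `vars.*` and `github.*` expressions are also expanded straight into the `run:` script; passing them through the step's `env:` block (`QG_OVERRIDE: ${{ vars.CHECKMARX_QUALITY_GATE }}` and then `"$QG_OVERRIDE"` in bash) keeps the shell text free of expression interpolation. The `on:`/`jobs:` context of this hunk begins outside it, and any steps of `pipeline-scan` after the Checkmarx CLI step are outside the hunk too, so whether they carry the same `if:` guard cannot be confirmed here.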
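Review bot: The new `additional_params` line drops the `--file-filter "!**/.githooks/**"` exclusion the old line carried, and neither the commit title nor the hunk explains why; if the exclusion is still wanted it should sit alongside the new mode flag, `additional_params: --file-filter "!**/.githooks/**" --scan-types "sast,sca,api-security" ${{ env.scan_mode }}`, and if the widening of the SAST scope is intended it deserves a sentence in the commit message. `${{ env.scan_mode }}` is only safe to splice into this argument string because the routing step confines it to the two literals `--sast-incremental` and `--sast-incremental=false`; a comment above the line, e.g. `# scan_mode is set by the routing step to --sast-incremental or --sast-incremental=false`, would keep a later edit from feeding an unvalidated value in here. The `with:` mapping and the job it belongs to start outside this hunk.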