ci(secu): deploy checkmarx (#5588)

.github/CODEOWNERS

@@ -24,3 +24,4 @@ selinux/**                         @centreon/owners-pipelines
 
 .gitleaks.toml                      @centreon/owners-security
 .gitleaksignore                     @centreon/owners-security
+**/checkmarx-analysis.yml           @centreon/owners-security

.github/workflows/checkmarx-analysis.yml

@@ -0,0 +1,68 @@
+name: Checkmarx scans
+
+on:
+  workflow_call:
+    inputs:
+      module_name:
+        required: true
+        type: string
+      module_directory:
+        required: false
+        type: string
+
+    secrets:
+      base_uri:
+        required: true
+      cx_tenant:
+        required: true
+      cx_client_id:
+        required: true
+      cx_client_secret:
+        required: true
+
+jobs:
+  build:
+    name: Binary preparation
+    runs-on: ubuntu-24.04
+    outputs:
+      enable_analysis: ${{ steps.routing.outputs.enable_analysis }}
+
+    steps:
+      - name: routing
+        id: routing
+        run: |
+          # Quality gate settings
+          ENABLE_QG="true"
+          if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" != "true" ]]; then
+            # disabling all QG in case of incident with the service
+            ENABLE_QG="false"
+            echo "Skipping analysis. Caused by QG override"
+          elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.user.id }}" == "49699333" ]]; then
+            # disabling the QG in case of pull request opened by dependabot bot
+            # As dependabot will ne be able to access GH secrets
+            ENABLE_QG="false"
+            echo "Skipping analysis. Caused by dependabot PR"
+          fi
+          echo "enable_analysis=$ENABLE_QG" >> $GITHUB_OUTPUT
+          cat $GITHUB_OUTPUT
+
+  pipeline-scan:
+    needs: [build]
+    name: Run a pipeline scan
+    runs-on: ubuntu-24.04
+    if: needs.build.outputs.enable_analysis == 'true'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Checkmarx One CLI Action
+        uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # v.2.3.19
+        with:
+          project_name: ${{ inputs.module_name }}
+          base_uri: ${{ secrets.base_uri }}
+          cx_tenant: ${{ secrets.cx_tenant }}
+          cx_client_id: ${{ secrets.cx_client_id }}
+          cx_client_secret: ${{ secrets.cx_client_secret }}
+          source_dir: "./"
+          additional_params: --file-filter "!**/.githooks/**" --scan-types "sast,sca,api-security"

.github/workflows/plugins-analysis.yml

@@ -0,0 +1,41 @@
+name: plugins-analysis
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '30 0 * * 1-5'
+  pull_request:
+    branches:
+      - develop
+      - master
+  push:
+    branches:
+      - develop
+      - master
+
+jobs:
+  get-environment:
+    uses: ./.github/workflows/get-environment.yml
+
+  checkmarx-analysis:
+    needs: [get-environment]
+    if: |
+      needs.get-environment.outputs.skip_workflow == 'false' &&
+      github.event.pull_request.draft != 'true'
+    uses: ./.github/workflows/checkmarx-analysis.yml
+    with:
+      module_name: centreon-plugins
+    secrets:
+      base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
+      cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
+      cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
+      cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
+
+  set-skip-label:
+    needs: [get-environment, checkmarx-analysis]
+    if: needs.get-environment.outputs.skip_workflow == 'false'
+    uses: ./.github/workflows/set-pull-request-skip-label.yml