name: Checkmarx scans on: workflow_call: inputs: module_name: required: true type: string module_directory: required: false type: string secrets: base_uri: required: true cx_tenant: required: true cx_client_id: required: true cx_client_secret: required: true jobs: pipeline-scan: name: Run a pipeline scan runs-on: ubuntu-24.04 steps: - name: routing run: | # Quality gate settings ENABLE_QG="true" if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" != "yes" ]]; then # disabling all QG in case of incident with the service ENABLE_QG="false" echo "Skipping analysis. Caused by QG override" elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.user.id }}" == "49699333" ]]; then # disabling the QG in case of pull request opened by dependabot bot # As dependabot will not be able to access GH secrets ENABLE_QG="false" echo "Skipping analysis. Caused by dependabot PR" fi # Check forced full scan SCAN_MODE="--sast-incremental" if [[ "${{ github.event_name }}" == "schedule" || "${{ vars.CHECKMARX_FORCE_FULL_SCAN }}" == "yes" ]]; then SCAN_MODE="--sast-incremental=false" fi echo "scan_mode=$SCAN_MODE" >> $GITHUB_ENV echo "enable_analysis=$ENABLE_QG" >> $GITHUB_ENV cat $GITHUB_ENV - name: Checkout if: env.enable_analysis == 'true' uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Checkmarx One CLI Action if: env.enable_analysis == 'true' uses: checkmarx/ast-github-action@88c60148b7b9689d67eb05bf66a65bbb871f2f2c # v2.3.20 with: project_name: ${{ inputs.module_name }} base_uri: ${{ secrets.base_uri }} cx_tenant: ${{ secrets.cx_tenant }} cx_client_id: ${{ secrets.cx_client_id }} cx_client_secret: ${{ secrets.cx_client_secret }} source_dir: "./" additional_params: --scan-types "sast,sca,api-security" ${{ env.scan_mode }}