centreon-plugins/.github/workflows/checkmarx-analysis.yml

name: Checkmarx scans

on:
  workflow_call:
    inputs:
      module_name:
        required: true
        type: string
      module_directory:
        required: false
        type: string

    secrets:
      base_uri:
        required: true
      cx_tenant:
        required: true
      cx_client_id:
        required: true
      cx_client_secret:
        required: true

jobs:
  pipeline-scan:
    name: Run a pipeline scan
    runs-on: ubuntu-24.04

    steps:
      - name: routing
        run: |
          # Quality gate settings
          ENABLE_QG="true"
          if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" != "yes" ]]; then
            # disabling all QG in case of incident with the service
            ENABLE_QG="false"
            echo "Skipping analysis. Caused by QG override"
          elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.user.id }}" == "49699333" ]]; then
            # disabling the QG in case of pull request opened by dependabot bot
            # As dependabot will not be able to access GH secrets
            ENABLE_QG="false"
            echo "Skipping analysis. Caused by dependabot PR"
          fi

          # Check forced full scan
          SCAN_MODE="--sast-incremental"
          if [[ "${{ github.event_name }}" == "schedule" || "${{ vars.CHECKMARX_FORCE_FULL_SCAN }}" == "yes" ]]; then
            SCAN_MODE="--sast-incremental=false"
          fi

          echo "scan_mode=$SCAN_MODE" >> $GITHUB_ENV
          echo "enable_analysis=$ENABLE_QG" >> $GITHUB_ENV
          cat $GITHUB_ENV

      - name: Checkout
        if: env.enable_analysis  == 'true'
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Checkmarx One CLI Action
        if: env.enable_analysis  == 'true'
        uses: checkmarx/ast-github-action@88c60148b7b9689d67eb05bf66a65bbb871f2f2c # v2.3.20
        with:
          project_name: ${{ inputs.module_name }}
          base_uri: ${{ secrets.base_uri }}
          cx_tenant: ${{ secrets.cx_tenant }}
          cx_client_id: ${{ secrets.cx_client_id }}
          cx_client_secret: ${{ secrets.cx_client_secret }}
          source_dir: "./"
          additional_params: --scan-types "sast,sca,api-security" ${{ env.scan_mode }}