Use this action to scan application source code for security vulnerabilities with the Checkmarx One SAST scanner. You can also use the action output as a quality gate for the next step or job in your workflow.
Checkmarx One SAST is a Static Application Security Testing solution that scans your source code for security vulnerabilities without requiring compilation or building.
Add a Checkmarx One SAST scan to your workflows in CloudBees platform to:
- Detect security vulnerabilities in your application source code.
- Identify code security issues across multiple programming languages, including Java, C#, Python, JavaScript, TypeScript, Go, PHP, Ruby, and more.
- Filter scan results by severity level to focus on critical issues.
- Gain insight into security risks with detailed vulnerability information and remediation guidance.
- Ensure compliance with security best practices and industry standards.
- Shift security left by catching issues early in the development lifecycle.
CloudBees platform enables you to run a Checkmarx One SAST scan either implicitly or explicitly.
An implicit scan is automatically triggered, and an explicit scan is one you configure to be invoked in a step of your workflow. To learn more about the differences between explicit and implicit scans, refer to Security scan actions.
To set up implicit scanning, refer to Code and binary security analysis.
The Checkmarx One SAST scanner architectural components are:
- Checkmarx One Platform: Cloud-based platform for centralized vulnerability management and reporting.
- Checkmarx SAST Engine: Static analysis engine that analyzes source code structure and data flows.
- Checkmarx API: Provides programmatic access for initiating scans and retrieving results.
The scanning process is as follows:
- The Checkmarx One SAST scanner identifies source code files in your repository.
- Source code is analyzed using static analysis techniques to detect security vulnerabilities.
- Security issues are identified based on Checkmarx's knowledge base of vulnerability patterns.
- If a severity filter is specified, results are filtered to include only matching severity levels.
- Results are reported with severity levels (Critical, Very High, High, Medium, Low), detailed descriptions, and remediation guidance.
- The scan results are uploaded to the Checkmarx One platform for centralized tracking and management.
- Results are made available as actionable outputs for quality gates and downstream workflow steps.
Note: For more information about the Checkmarx One SAST scanner, refer to the Checkmarx One documentation.
| Input name | Data type | Required? | Description |
|---|---|---|---|
| url | String | Yes | The Checkmarx One base URL (e.g., https://ast.checkmarx.net). |
| tenant | String | Yes | The Checkmarx One tenant name. |
| api-key | String | Yes | The Checkmarx One API key for authentication. Store it as a workflow secret, never as a plain variable or a literal in the workflow file. |
| severity | String | No | Filter SAST results by severity. Comma-separated values: critical, high, medium, low, info. Leave empty to include all. |
| ref | String | No | The ref (branch, tag, or commit) to be checked out and scanned. |
|  | String | No | The file path of the code to be scanned. |

The filter values accepted by severity (critical, high, medium, low, info) do not correspond one to one with the severity levels reported in the outputs (Critical, Very High, High, Medium, Low); check the Checkmarx One documentation for the exact mapping before relying on the filter to include or exclude Very High findings.
| Output name | Data type | Description |
|---|---|---|
| critical-count | String | The number of Critical severity issues discovered during the scan. |
| very-high-count | String | The number of Very High severity issues discovered during the scan. |
| high-count | String | The number of High severity issues discovered during the scan. |
| medium-count | String | The number of Medium severity issues discovered during the scan. |
| low-count | String | The number of Low severity issues discovered during the scan. |

All outputs are strings. A downstream step that uses them as a gate should validate that each value is a non-negative integer before comparing it numerically, and should treat an empty value (for example, when the scan step did not run) as a failure rather than as zero.
The following is a basic usage example for this action:

```yaml
- name: Scan with Checkmarx One SAST
  uses: cloudbees-io/checkmarxone-sast-plugin@v1
  with:
    api-key: ${{ secrets.CHECKMARXONE_API_KEY }}
    url: ${{ vars.CHECKMARXONE_BASE_URL }}
    tenant: ${{ vars.CHECKMARXONE_TENANT }}
    ref: main
```

The following CloudBees platform workflow example scans a Java application with Checkmarx One SAST.
```yaml
name: checkmarxone-sast-scan
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1
on:
  push:
    branches:
      - main
permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write
jobs:
  checkmarxone-sast-scan:
    steps:
      - name: Check out Java source code
        uses: cloudbees-io/checkout@v1
      - name: Checkmarx One SAST scan on Java code
        uses: cloudbees-io/checkmarxone-sast-plugin@v1
        with:
          api-key: ${{ secrets.CHECKMARXONE_API_KEY }}
          url: ${{ vars.CHECKMARXONE_BASE_URL }}
          tenant: ${{ vars.CHECKMARXONE_TENANT }}
          ref: main
```

The following CloudBees platform workflow example scans a Python application with Checkmarx One SAST.
```yaml
name: checkmarxone-sast-scan
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1
on:
  push:
    branches:
      - main
permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write
jobs:
  checkmarxone-sast-scan:
    steps:
      - name: Check out Python source code
        uses: cloudbees-io/checkout@v1
      - name: Checkmarx One SAST scan on Python code
        uses: cloudbees-io/checkmarxone-sast-plugin@v1
        with:
          api-key: ${{ secrets.CHECKMARXONE_API_KEY }}
          url: ${{ vars.CHECKMARXONE_BASE_URL }}
          tenant: ${{ vars.CHECKMARXONE_TENANT }}
          ref: main
```

The following CloudBees platform workflow example scans a JavaScript application with Checkmarx One SAST.
```yaml
name: checkmarxone-sast-scan
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1
on:
  push:
    branches:
      - main
permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write
jobs:
  checkmarxone-sast-scan:
    steps:
      - name: Check out JavaScript source code
        uses: cloudbees-io/checkout@v1
      - name: Checkmarx One SAST scan on JavaScript code
        uses: cloudbees-io/checkmarxone-sast-plugin@v1
        with:
          api-key: ${{ secrets.CHECKMARXONE_API_KEY }}
          url: ${{ vars.CHECKMARXONE_BASE_URL }}
          tenant: ${{ vars.CHECKMARXONE_TENANT }}
          ref: main
```

The following CloudBees platform workflow example scans code and filters results to show only critical and high severity findings.
```yaml
name: checkmarxone-sast-scan-filtered
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1
on:
  push:
    branches:
      - main
permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write
jobs:
  checkmarxone-sast-scan:
    steps:
      - name: Check out source code
        uses: cloudbees-io/checkout@v1
      - name: Checkmarx One SAST scan with severity filter
        uses: cloudbees-io/checkmarxone-sast-plugin@v1
        with:
          api-key: ${{ secrets.CHECKMARXONE_API_KEY }}
          url: ${{ vars.CHECKMARXONE_BASE_URL }}
          tenant: ${{ vars.CHECKMARXONE_TENANT }}
          ref: main
          severity: critical,high
```

Access the output values in downstream steps and jobs using the outputs context.
Use the output in your workflow as follows, where `<action_step_ID>` is the action step ID and `<severity>` is an output parameter name, such as `critical-count`:

```yaml
${{ steps.<action_step_ID>.outputs.<severity> }}
```

The following example uses the action output in a downstream step of the same job:
```yaml
name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1
on:
  push:
    branches:
      - main
permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write
jobs:
  checkmarxone-sast-scan-job:
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1
      - id: checkmarxone-sast-step
        name: checkmarxone sast scan
        uses: cloudbees-io/checkmarxone-sast-plugin@v1
        with:
          api-key: ${{ secrets.CHECKMARXONE_API_KEY }}
          url: ${{ vars.CHECKMARXONE_BASE_URL }}
          tenant: ${{ vars.CHECKMARXONE_TENANT }}
          ref: main
      - name: source dir examine
        uses: docker://golang:1.20.3-alpine3.17
        shell: sh
        run: |
          ls -latR /cloudbees/workspace
      - id: print-outputs-from-checkmarxone-sast-step
        name: print outputs from upstream checkmarxone sast step
        uses: docker://alpine:latest
        run: |
          # Printing all outputs
          echo "Outputs from upstream Checkmarx One SAST step:"
          echo "Critical count: ${{ steps.checkmarxone-sast-step.outputs.critical-count }}"
          echo "Very high count: ${{ steps.checkmarxone-sast-step.outputs.very-high-count }}"
          echo "High count: ${{ steps.checkmarxone-sast-step.outputs.high-count }}"
          echo "Medium count: ${{ steps.checkmarxone-sast-step.outputs.medium-count }}"
          echo "Low count: ${{ steps.checkmarxone-sast-step.outputs.low-count }}"
```

The following example uses the action output in a downstream job:
```yaml
name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1
on:
  push:
    branches:
      - main
permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write
jobs:
  job1:
    outputs:
      checkmarxone-sast-job-output-critical: ${{ steps.checkmarxone-sast-step.outputs.critical-count }}
      checkmarxone-sast-job-output-very-high: ${{ steps.checkmarxone-sast-step.outputs.very-high-count }}
      checkmarxone-sast-job-output-high: ${{ steps.checkmarxone-sast-step.outputs.high-count }}
      checkmarxone-sast-job-output-medium: ${{ steps.checkmarxone-sast-step.outputs.medium-count }}
      checkmarxone-sast-job-output-low: ${{ steps.checkmarxone-sast-step.outputs.low-count }}
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1
        with:
          repository: my-gh-repo-org/my-repo
          ref: main
          token: ${{ secrets.GIT_PAT }}
      - id: checkmarxone-sast-step
        name: checkmarxone sast scan
        uses: cloudbees-io/checkmarxone-sast-plugin@v1
        with:
          api-key: ${{ secrets.CHECKMARXONE_API_KEY }}
          url: ${{ vars.CHECKMARXONE_BASE_URL }}
          tenant: ${{ vars.CHECKMARXONE_TENANT }}
          ref: main
  job2:
    needs: job1
    steps:
      - id: print-outputs-from-job1
        name: print outputs from upstream job1
        uses: docker://alpine:latest
        run: |
          # Printing all outputs
          echo "Outputs from upstream Checkmarx One SAST job:"
          echo "Critical count: ${{ needs.job1.outputs.checkmarxone-sast-job-output-critical }}"
          echo "Very high count: ${{ needs.job1.outputs.checkmarxone-sast-job-output-very-high }}"
          echo "High count: ${{ needs.job1.outputs.checkmarxone-sast-job-output-high }}"
          echo "Medium count: ${{ needs.job1.outputs.checkmarxone-sast-job-output-medium }}"
          echo "Low count: ${{ needs.job1.outputs.checkmarxone-sast-job-output-low }}"
```

This code is made available under the MIT license.
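The examples above only print the severity counts; the page says the outputs can also serve as a quality gate, but does not show one. The following POSIX shell script is an added example and is not part of the CloudBees action or the Checkmarx documentation. It assumes the scan step has the id `checkmarxone-sast-step`, that the script is committed to the repository as `sast_gate.sh` (both names are assumptions), and that the team's limits are zero Critical, zero Very High and at most five High findings. Because the outputs are strings, every value is checked to be a non-negative integer first, and an empty or malformed value fails the gate rather than passing as zero.

```sh
#!/bin/sh
# Added example (not CloudBees or Checkmarx code): a fail-closed quality gate over
# the Checkmarx One SAST action's severity-count outputs.
#
# Assumed use in a step that runs after the scan step (step id and limits assumed):
#
#   - name: SAST quality gate
#     uses: docker://alpine:latest
#     run: |
#       . ./sast_gate.sh
#       sast_gate "${{ steps.checkmarxone-sast-step.outputs.critical-count }}" \
#                 "${{ steps.checkmarxone-sast-step.outputs.very-high-count }}" \
#                 "${{ steps.checkmarxone-sast-step.outputs.high-count }}" \
#                 0 0 5

# is_count VALUE: succeeds only when VALUE is a non-empty string of digits.
# Rejects "", "-1", "3.0", "N/A" and anything else that cannot be compared with -gt.
is_count() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# sast_gate CRITICAL VERY_HIGH HIGH MAX_CRITICAL MAX_VERY_HIGH MAX_HIGH
# Exit status: 0 = gate passed, 1 = at least one count exceeds its limit,
# 2 = a count or limit is missing or not numeric (fail closed, never pass on bad data).
sast_gate() {
    critical=$1; very_high=$2; high=$3
    max_critical=$4; max_very_high=$5; max_high=$6

    for v in "$critical" "$very_high" "$high" "$max_critical" "$max_very_high" "$max_high"; do
        if ! is_count "$v"; then
            echo "gate: '$v' is not a non-negative integer; failing closed" >&2
            return 2
        fi
    done

    status=0
    if [ "$critical" -gt "$max_critical" ]; then
        echo "gate: $critical Critical finding(s), limit $max_critical" >&2
        status=1
    fi
    if [ "$very_high" -gt "$max_very_high" ]; then
        echo "gate: $very_high Very High finding(s), limit $max_very_high" >&2
        status=1
    fi
    if [ "$high" -gt "$max_high" ]; then
        echo "gate: $high High finding(s), limit $max_high" >&2
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "gate: passed"
    fi
    return "$status"
}

# Stand-alone demo with constructed counts (not real scan output):
# 0 Critical, 1 Very High, 3 High against limits 0/0/5 must fail on the Very High finding.
if sast_gate 0 1 3 0 0 5; then
    echo "demo: build would continue"
else
    echo "demo: build would be failed"
fi
```

The gate checks Critical, Very High and High separately because the action reports them as separate outputs; the `severity` filter list on this page has no explicit Very High value, so relying on the filter alone could leave those findings ungated. A non-zero return from `sast_gate` fails the `run` step, which stops the job without any further configuration.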
- Learn more about using actions in CloudBees workflows.
- Learn about CloudBees platform.
- Learn about Checkmarx One SAST.