1616
1717permissions : {}
1818
19- # TODO: see https://bitwarden.atlassian.net/l/cp/SLtTZJ90 for configuration tips
2019jobs :
2120 check-run :
2221 name : Check PR run
@@ -25,99 +24,17 @@ jobs:
2524 contents : read
2625
2726 sast :
28- name : SAST scan
29- runs-on : ubuntu-22.04
27+ name : Checkmarx
28+ uses : bitwarden/gh-actions/.github/workflows/_checkmarx.yml@main
3029 needs : check-run
30+ with :
31+ upload-sarif : false # Private repo
32+ secrets :
33+ AZURE_SUBSCRIPTION_ID : ${{ secrets.AZURE_SUBSCRIPTION_ID }}
34+ AZURE_TENANT_ID : ${{ secrets.AZURE_TENANT_ID }}
35+ AZURE_CLIENT_ID : ${{ secrets.AZURE_CLIENT_ID }}
3136 permissions :
3237 contents : read
3338 pull-requests : write
3439 security-events : write
3540 id-token : write
36-
37- steps :
38- - name : Check out repo
39- uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
40- with :
41- ref : ${{ github.event.pull_request.head.sha }}
42-
43- - name : Log in to Azure
44- uses : bitwarden/gh-actions/azure-login@main
45- with :
46- subscription_id : ${{ secrets.AZURE_SUBSCRIPTION_ID }}
47- tenant_id : ${{ secrets.AZURE_TENANT_ID }}
48- client_id : ${{ secrets.AZURE_CLIENT_ID }}
49-
50- - name : Get Azure Key Vault secrets
51- id : get-kv-secrets
52- uses : bitwarden/gh-actions/get-keyvault-secrets@main
53- with :
54- keyvault : gh-org-bitwarden
55- secrets : " CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
56-
57- - name : Log out from Azure
58- uses : bitwarden/gh-actions/azure-logout@main
59-
60- - name : Scan with Checkmarx
61- uses : checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # 2.3.19
62- env :
63- INCREMENTAL : " ${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
64- with :
65- project_name : ${{ github.repository }}
66- cx_tenant : ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
67- base_uri : https://ast.checkmarx.net/
68- cx_client_id : ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
69- cx_client_secret : ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
70- additional_params : |
71- --report-format sarif \
72- --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
73- --output-path . ${{ env.INCREMENTAL }}
74-
75- name : Upload Checkmarx results to GitHub
76- uses : github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
77- with :
78- sarif_file : cx_result.sarif
79- sha : ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
80- ref : ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
81-
82- quality :
83- name : Quality scan
84- runs-on : ubuntu-22.04
85- needs : check-run
86- permissions :
87- contents : read
88- pull-requests : write
89- id-token : write
90-
91- steps :
92- - name : Check out repo
93- uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
94- with :
95- fetch-depth : 0
96- ref : ${{ github.event.pull_request.head.sha }}
97-
98- - name : Log in to Azure
99- uses : bitwarden/gh-actions/azure-login@main
100- with :
101- subscription_id : ${{ secrets.AZURE_SUBSCRIPTION_ID }}
102- tenant_id : ${{ secrets.AZURE_TENANT_ID }}
103- client_id : ${{ secrets.AZURE_CLIENT_ID }}
104-
105- - name : Get Azure Key Vault secrets
106- id : get-kv-secrets
107- uses : bitwarden/gh-actions/get-keyvault-secrets@main
108- with :
109- keyvault : gh-org-bitwarden
110- secrets : " SONAR-TOKEN"
111-
112- - name : Log out from Azure
113- uses : bitwarden/gh-actions/azure-logout@main
114-
115- - name : Scan with SonarCloud
116- uses : sonarsource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # v5.1.0
117- env :
118- SONAR_TOKEN : ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
119- with :
120- args : >
121- -Dsonar.organization=${{ github.repository_owner }}
122- -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
123- -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
0 commit comments