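name: Checkmarx One Scan

# Lock down top-level permissions to only what we use. Note that the job below
# declares its own `permissions`, which replaces (does not extend) this set.
permissions:
  contents: read        # we only need to checkout code
  actions: read         # to query workflows/runs
  pull-requests: write  # to comment on or label PRs

on:
  # NOTE(review): pull_request runs from forks receive no repository secrets,
  # so the Checkmarx step cannot authenticate on fork PRs — confirm that is
  # acceptable or restrict the trigger.
  pull_request:
    branches: ['**']
  push:
    branches: ['main']

# github.head_ref is only populated for pull_request events; on push it is
# empty, so fall back to github.ref — otherwise every push run would share the
# same group and cancel the one before it.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  build:
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      # github/codeql-action/upload-sarif requires security-events: write;
      # the original job set lacked it, so the upload step was rejected.
      security-events: write
      # upload-sarif additionally needs actions: read on private repositories.
      actions: read
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install dependencies
        run: |
          python3 -m pip install --upgrade pip
          python3 -m pip install beautifulsoup4 requests

      # Informational only: prints the eu2 status-page banner and never fails
      # the job (all error paths end in a print, not a non-zero exit).
      - name: Scrape Checkmarx status
        run: |
          cat <<'EOF' > scrape_checkmarx.py
          import requests
          from bs4 import BeautifulSoup

          # URL of the status page
          url = "https://eu2-status.ast.checkmarx.net/"
          try:
              # Send a GET request to fetch the HTML content.
              # requests has no default timeout; without one a stalled
              # connection would hang the runner until the job timeout.
              response = requests.get(url, timeout=30)
              response.raise_for_status()  # Check for request errors
              # Parse the HTML content
              soup = BeautifulSoup(response.text, 'html.parser')
              # Locate the status element based on its HTML structure
              status_element = soup.find('aside', class_='operational state-bar')
              # Check if the status is operational
              if status_element and 'Operating Normally' in status_element.text:
                  print("The status is operational with status")
                  print(status_element.text)
              else:
                  print("The status is not operational.")
          except requests.exceptions.RequestException as e:
              print(f"An error occurred: {e}")
          EOF
          python3 scrape_checkmarx.py

      # NOTE(review): this probes ind-status while the scan below targets eu-2
      # (and the scrape step eu2-status) — confirm the intended region. Both
      # branches exit 0, so the step only logs; it does not gate the scan.
      - name: Check Checkmarx One server health
        run: |
          # --max-time bounds the probe so an unresponsive host cannot stall the job.
          response=$(curl -s -o /dev/null --max-time 30 -w "%{http_code}" https://ind-status.ast.checkmarx.net/)
          if [ "$response" != "200" ]; then
            echo "Checkmarx One server is down. Proceeding without breaking the build."
            exit 0  # Do not fail the build
          else
            echo "Checkmarx One server is healthy. Proceeding with scan."
          fi

      - name: Checkmarx One CLI Action
        uses: checkmarx/ast-github-action@fa338ce82069b297c4852ac77e2d168db9fb56d8 # 2.3.21
        with:
          cx_tenant: ${{ secrets.CX_TENANT }}
          base_uri: https://eu-2.ast.checkmarx.net/
          cx_client_id: ${{ secrets.CX_CLIENT_ID }}
          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET_EU }}
          # `>-` folds these onto one line without the trailing newline that
          # `>` would append to the argument string.
          # The repo token is passed as a CLI argument, so it is visible in the
          # runner's process list for the duration of the scan.
          additional_params: >-
            --report-format sarif
            --scs-repo-url https://github.com/midnightntwrk/midnight-node-docker
            --scs-repo-token ${{ secrets.MIDNIGHTCI_REPO }}

      # Drop results whose first location has an empty artifact URI (repo-level
      # findings), which the GitHub SARIF upload cannot handle. Results with no
      # locations at all evaluate to null != "" and are kept.
      - name: Filter out repo level issues that github can't handle
        run: |
          mv ./cx_result.sarif ./cx_result.sarif.orig
          jq '. | .runs[0].results |= map(select(.locations[0].physicalLocation.artifactLocation.uri != ""))' cx_result.sarif.orig > cx_result.sarif

      # Upload results to github
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@0d17ea484359c43eb02ea30721ea1c9162d09b37 # v3.29.2
        with:
          sarif_file: cx_result.sarif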