checkmarx packaged up as action (#52)

* feat: upgrade checkout action to latest version and pin to hash

* feat: use latest checkmarx action

Author: gilescope

.github/workflows/checkmarx.yaml

@@ -5,19 +5,10 @@ permissions:
   contents: read             # we only need to checkout code
   actions: read              # to query workflows/runs
   pull-requests: write       # to comment on or label PRs
-  security-events: write     # to upload the scan results
 
 on:
-  # pull_request_target allows secrets to be read from fork PRs.
-  # DO NOT build or run checked out code from this job.
-  #
-  # Please note: Due to how this job is run, any changes to this
-  # job will only take affect when merged to main.
-  #
-  # From https://michaelheap.com/access-secrets-from-forks/
-  # Also see https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
-  pull_request_target:
-    types: [opened, synchronize, reopened]
+  pull_request:
+    branches: [ '**' ]
   push:
     branches: [ 'main' ]
 concurrency:
@@ -28,94 +19,30 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
-      statuses: write
       security-events: write
 
     runs-on: ubuntu-latest
 
     steps:
-      - name: Check access
-        if: ${{ github.event.pull_request.author_association != 'COLLABORATOR' && github.event.pull_request.author_association != 'OWNER' && github.event.pull_request.author_association != 'MEMBER' }}
-        run: |
-          echo "This job needs re-running by someone with collaboration permissions."
-          exit 1
-
-      # This is dangerous without the first access check
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  #v5.0.0
-        with:
-          # Yes we do need to specify head explicitly here (read github article)
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Install dependencies
-        run: |
-          python3 -m pip install --upgrade pip
-          python3 -m pip install beautifulsoup4 requests
-
-      - name: Scrape Checkmarx status
-        run: |
-          cat <<'EOF' > scrape_checkmarx.py
-          import requests
-          from bs4 import BeautifulSoup
-
-          # URL of the status page
-          url = "https://eu2-status.ast.checkmarx.net/"
-
-          try:
-              # Send a GET request to fetch the HTML content
-              response = requests.get(url)
-              response.raise_for_status()  # Check for request errors
-
-              # Parse the HTML content
-              soup = BeautifulSoup(response.text, 'html.parser')
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
 
-              # Locate the status element based on its HTML structure
-              status_element = soup.find('aside', class_='operational state-bar')
-
-              # Check if the status is operational
-              if status_element and 'Operating Normally' in status_element.text:
-                  print("The status is operational with status")
-                  print(status_element.text)
-              else:
-                  print("The status is not operational.")
-          except requests.exceptions.RequestException as e:
-              print(f"An error occurred: {e}")
-          EOF
-          python3 scrape_checkmarx.py
-
-      - name: Check Checkmarx One server health
-        run: |
-          response=$(curl -s -o /dev/null -w "%{http_code}" https://ind-status.ast.checkmarx.net/)
-          if [ "$response" != "200" ]; then
-            echo "Checkmarx One server is down. Proceeding without breaking the build."
-            exit 0  # Do not fail the build
-          else
-            echo "Checkmarx One server is healthy. Proceeding with scan."
-          fi
-
-      - name: Checkmarx One CLI Action
-        uses: checkmarx/ast-github-action@ef313c2c19e03e90ae35e795724fb1d20830dc33 #2.3.26
+      # TODO: Remove this checkout step once upload-sarif-github-action repo is made public
+      # Currently required because GitHub Actions can't directly reference private repos
+      - name: Checkout Upload action repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
         with:
-          cx_tenant: ${{ secrets.CX_TENANT }}
-          base_uri: https://eu-2.ast.checkmarx.net/
-          cx_client_id: ${{ secrets.CX_CLIENT_ID }}
-          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET_EU }}
-          additional_params: >
-            --report-format sarif
-            --scs-repo-url https://github.com/midnightntwrk/midnight-node-docker
-            --scs-repo-token ${{ secrets.MIDNIGHTCI_REPO }}
-      - name: Filter out repo level issues that github can't handle
-        run: |
-          mv ./cx_result.sarif ./cx_result.sarif.orig
-          jq '.runs |= map(.results |= map(.locations |= map(if .physicalLocation.artifactLocation.uri == "" then .physicalLocation.artifactLocation.uri = "file:/README.md" else . end)))' cx_result.sarif.orig > cx_result.sarif
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: cx_result-sarif
-          path: cx_result.sarif
-
-      # Upload results to github
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@7273f08caa1dcf2c2837f362f1982de0ab4dc344  # v3.29.2
+          repository: midnightntwrk/upload-sarif-github-action
+          ref: 8202d2182e4c0ebec293f9d9140c3378a2afe16e
+          path: upload-sarif-github-action
+          token: ${{ secrets.MIDNIGHTCI_REPO }}
+
+      # Once public, can simplify to: uses: midnightntwrk/upload-sarif-github-action/checkmarx-scan@8202d2182e4c0ebec293f9d9140c3378a2afe16e
+      - name: Checkmarx Full Scan
+        uses: ./upload-sarif-github-action/checkmarx-scan
         with:
-          sarif_file: cx_result.sarif
+          cx-client-id: ${{ secrets.CX_CLIENT_ID }}
+          cx-client-secret: ${{ secrets.CX_CLIENT_SECRET_EU }}
+          cx-tenant: ${{ secrets.CX_TENANT }}
+          scs-repo-token: ${{ secrets.MIDNIGHTCI_REPO }}
+          upload-to-github: 'true'