21 changes: 12 additions & 9 deletions .github/workflows/checkmarx.yaml
@@ -1,10 +1,11 @@
name: Checkmarx One Scan
name: Checkmarx One Scan (Fork-Friendly)

# use only job-level permissions
permissions: {}

on:
pull_request:
pull_request_target: # Changed from pull_request to pull_request_target
types: [opened, synchronize, reopened]
branches: [ '**' ]
push:
branches: [ 'main' ]
Expand All @@ -25,25 +26,27 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
# CRITICAL: DO NOT CHECKOUT THE PR CODE
# This is what makes it safe with pull_request_target

# TODO: Remove this checkout step once upload-sarif-github-action repo is made public
# Currently required because GitHub Actions can't directly reference private repos
- name: Checkout Upload action repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
repository: midnightntwrk/upload-sarif-github-action
ref: 8202d2182e4c0ebec293f9d9140c3378a2afe16e
ref: sean/PM-19431-fork-friendly-checkmarx # Use branch until merged
path: upload-sarif-github-action
token: ${{ secrets.MIDNIGHTCI_REPO }}

# Once public, can simplify to: uses: midnightntwrk/upload-sarif-github-action/checkmarx-scan@8202d2182e4c0ebec293f9d9140c3378a2afe16e
- name: Checkmarx Full Scan
uses: ./upload-sarif-github-action/checkmarx-scan
# Once public and merged, can simplify to:
# uses: midnightntwrk/upload-sarif-github-action/checkmarx-scan-public@main
- name: Checkmarx Full Scan (Fork-Friendly)
uses: ./upload-sarif-github-action/checkmarx-scan-public
with:
project-name: midnightntwrk/midnight-node-docker
cx-client-id: ${{ secrets.CX_CLIENT_ID }}
cx-client-secret: ${{ secrets.CX_CLIENT_SECRET_EU }}
cx-tenant: ${{ secrets.CX_TENANT }}
scs-repo-token: ${{ secrets.MIDNIGHTCI_REPO }}
# repo-url and branch are auto-detected from PR context
upload-to-github: 'true'
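Review bot: The private composite action that now runs with `CX_CLIENT_ID`, `CX_CLIENT_SECRET_EU`, `CX_TENANT` and `MIDNIGHTCI_REPO` in scope is checked out at a mutable branch ref (`ref: sean/PM-19431-fork-friendly-checkmarx`), replacing the pinned commit the old line used, while every other `uses:`/`ref:` in the hunk stays SHA-pinned. Under `pull_request_target` the "do not check out the PR code" rule only protects the workflow if the code it does execute is itself immutable, so anyone who can push to that branch controls what runs with these secrets on every fork PR; the inline "until merged" comment became stale the moment this PR was merged. Pin it, e.g. `ref: <PINNED_COMMIT_SHA>  # update deliberately; never a branch under pull_request_target`, and drop the branch reference from the "Once public and merged" comment so the later simplification is also to a SHA rather than `@main`. Whether the action then re-checks out the fork ref it auto-detects from the PR context cannot be seen from here and is worth confirming in that repository. The `jobs:` block (and the job-level `permissions:` the new top-level `permissions: {}` comment relies on) begins outside this hunk.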