From b58ccf0cbc664ba6dfd17859fc52a416f389721f Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Mon, 21 Jul 2025 11:20:56 +0530 Subject: [PATCH 1/7] Create checkmarx.yml
--- .github/workflows/checkmarx.yml | 48 +++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/checkmarx.yml
diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml new file mode 100644
index 0000000000..d772d28180
--- /dev/null
+++ b/.github/workflows/checkmarx.yml
@@ -0,0 +1,48 @@
+on:
+ pull_request: {}
+ push:
+ branches:
+ - main
+ - master
+name: Checkmarx SAST Scan
+jobs:
+ checkmarx-scan:
+ name: Checkmarx SAST Scan
+ runs-on: ubuntu-latest
+ timeout-minutes: 300
+
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+
+ - name: Run Checkmarx SAST Scan
+ uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3
+ with:
+ # Connection parameters
+ checkmarx_url: https://cmxext.deltek.com
+ checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
+ checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
+ checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
+ team: "/CxServer/Security/Deltek/Replicon"
+
+ # Project configuration
+ project: Replicon-${{ github.event.repository.name }}
+ scanners: sast
+ # bug_tracker: GitHub
+ incremental: false
+ break_build: false
+
+ # Scan parameters and thresholds
+ params: >-
+ --logging.level.com.checkmarx=DEBUG
+ --namespace=${{ github.repository_owner}}
+ --checkmarx.settings-override=true
+ --repo-name=${{ github.event.repository.name}}
+ --branch=${{ github.ref_name || github.head_ref}}
+ --checkmarx.scan-timeout=1440
+ --cx-flow.filterSeverity
+ --cx-flow.thresholds.high=1
+ --cx-flow.thresholds.medium=1
+ --cx-flow.scan-resubmit=true
+ ${{ github.event.number && format('--merge-id={0}', github.event.number)}}
+
From 6356ce3ad2381219a7a214da2423b55ad0013f84 Mon Sep 17 00:00:00 2001
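Review bot: `break_build: false` together with `--cx-flow.thresholds.high=1` and `--cx-flow.thresholds.medium=1` means the thresholds are configured but can never fail the check, so findings above threshold are only visible by opening the Checkmarx results; either set `break_build: true` once the baseline is clean or state the intent above it, e.g. `# break_build stays false until the backlog is triaged; thresholds are reported, not enforced`. The third-party action `checkmarx-ts/checkmarx-cxflow-github-action@v2.3` (and `actions/checkout@v4`) is pinned to a mutable tag while it receives the Checkmarx credentials from secrets; pinning to a full commit SHA with the tag in a trailing comment limits what a moved tag can run with those secrets. `--logging.level.com.checkmarx=DEBUG` raises the CxFlow client's log level in the job log; if it was only needed for initial setup, drop it once the workflow is stable, since verbose client logs can expose more connection detail than intended.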
From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Mon, 21 Jul 2025 15:32:33 +0530 Subject: [PATCH 2/7] Update checkmarx.yml From dfabe74239c8997cfa4021e471bef46fb255e3f5 Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Tue, 25 Nov 2025 12:12:23 +0530 Subject: [PATCH 3/7] Update Checkmarx workflow with scheduled scan support --- .github/workflows/checkmarx.yml | 58 ++++++++++++++++++++++++++------- 1 file changed, 46 insertions(+), 12 deletions(-) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index d772d28180..c20cd591e5 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml @@ -4,17 +4,20 @@ on: branches: - main - master + schedule: + # Run on the 28th of every month at 2 AM UTC (safe for all months) + - cron: '0 2 28 * *' + workflow_dispatch: name: Checkmarx SAST Scan jobs: checkmarx-scan: - name: Checkmarx SAST Scan - runs-on: ubuntu-latest - timeout-minutes: 300 - - steps: + name: Checkmarx SAST Scan + runs-on: ubuntu-latest + timeout-minutes: 90 + if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' # Skip this job on scheduled runs + steps: - name: Checkout Code uses: actions/checkout@v4 - - name: Run Checkmarx SAST Scan uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 with: 
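Review bot: The new `if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'` leaves no way to run this job by hand, and the trailing comment `# Skip this job on scheduled runs` covers only half of the condition; move it above the line and make it complete, e.g. `# Only pull_request/push events run this job; schedule and workflow_dispatch run the full-scan job instead`. The cron comment `# Run on the 28th of every month at 2 AM UTC (safe for all months)` is the right habit — keep one like it whenever the schedule changes.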
@@ -24,25 +27,56 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} team: "/CxServer/Security/Deltek/Replicon" - # Project configuration project: Replicon-${{ github.event.repository.name }} scanners: sast # bug_tracker: GitHub - incremental: false + incremental: true break_build: false - # Scan parameters and thresholds params: >- - --logging.level.com.checkmarx=DEBUG --namespace=${{ github.repository_owner}} --checkmarx.settings-override=true --repo-name=${{ github.event.repository.name}} --branch=${{ github.ref_name || github.head_ref}} - --checkmarx.scan-timeout=1440 --cx-flow.filterSeverity --cx-flow.thresholds.high=1 --cx-flow.thresholds.medium=1 --cx-flow.scan-resubmit=true ${{ github.event.number && format('--merge-id={0}', github.event.number)}} - + + checkmarx-scheduled-scan: + name: Checkmarx scheduled SAST Scan + runs-on: ubuntu-latest + timeout-minutes: 360 + if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + steps: + - name: Checkout Code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.repository.default_branch }} + - name: Run Checkmarx SAST Scan + uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 + with: + # Connection parameters + checkmarx_url: https://cmxext.deltek.com + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + team: "/CxServer/Security/Deltek/Replicon" + # Project configuration + project: Replicon-${{ github.event.repository.name }} + scanners: sast + # bug_tracker: GitHub + incremental: false + break_build: false + # Scan parameters and thresholds + params: >- + --namespace=${{ github.repository_owner}} + --checkmarx.settings-override=true + --repo-name=${{ github.event.repository.name}} + --branch=${{ github.event.repository.default_branch }} + --cx-flow.filterSeverity + 
--cx-flow.thresholds.high=1 + --cx-flow.thresholds.medium=1 + --cx-flow.scan-resubmit=true From ceef95611d48e96e45b4c37072ef76de2e7604e6 Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Tue, 25 Nov 2025 13:46:03 +0530 Subject: [PATCH 4/7] Update Checkmarx workflow with scheduled scan support --- .github/workflows/checkmarx.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index c20cd591e5..d309ca35c1 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml @@ -27,6 +27,7 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} team: "/CxServer/Security/Deltek/Replicon" + preset: "ASA Premium" # Project configuration project: Replicon-${{ github.event.repository.name }} scanners: sast @@ -64,6 +65,7 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} team: "/CxServer/Security/Deltek/Replicon" + preset: "ASA Premium" # Project configuration project: Replicon-${{ github.event.repository.name }} scanners: sast From ce8d91a71fffa87a99cd7d81669cf533a8ce259d Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Thu, 27 Nov 2025 12:32:21 +0530 Subject: [PATCH 5/7] schedule a full scan and update the regular scan workflow --- .github/workflows/checkmarx.yml | 134 +++++++++++++++++--------------- 1 file changed, 70 insertions(+), 64 deletions(-) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index d309ca35c1..4870ff2f99 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml 
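Review bot: `incremental: true` on the pull_request/push job scans against the single project `Replicon-${{ github.event.repository.name }}` that is shared by every branch and by the new scheduled full scan; if Checkmarx derives the incremental delta from the project's last full scan, a branch that diverged before that scan may get a partial result, so confirm this with the Checkmarx side or record the assumption above it, e.g. `# incremental relies on the scheduled full scan of the same project; long-lived branches may get partial results`. The scheduled job's `ref: ${{ github.event.repository.default_branch }}` and `--branch=` depend on `github.event.repository` being populated for `schedule` and `workflow_dispatch` runs; worth confirming in a run log and noting in a comment which branch the full scan targets. The two jobs now carry an identical connection block (`checkmarx_url`, the three secrets, `team`) and differ only in `incremental`, `--branch` and the `--merge-id` argument, which is worth a comment so the next reader does not diff them by eye.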
@@ -1,12 +1,11 @@ on: - pull_request: {} + pull_request: push: branches: - main - master schedule: - # Run on the 28th of every month at 2 AM UTC (safe for all months) - - cron: '0 2 28 * *' + - cron: '0 13 * * 6' workflow_dispatch: name: Checkmarx SAST Scan jobs: 
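Review bot: The replaced schedule `- cron: '0 13 * * 6'` drops the explanatory comment the old `'0 2 28 * *'` line carried, and a five-field cron is not self-describing; add `# Every Saturday at 13:00 UTC` above it so the next edit to the schedule is reviewable against stated intent.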
@@ -14,71 +13,78 @@ jobs: name: Checkmarx SAST Scan runs-on: ubuntu-latest timeout-minutes: 90 - if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' # Skip this job on scheduled runs + if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' + steps: - - name: Checkout Code - uses: actions/checkout@v4 - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - # bug_tracker: GitHub - incremental: true - break_build: false - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.ref_name || github.head_ref}} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true - ${{ github.event.number && format('--merge-id={0}', github.event.number)}} - + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Run Checkmarx SAST Scan + uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 + with: + # Connection parameters + checkmarx_url: https://cmxext.deltek.com + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + team: "/CxServer/Security/Deltek/Replicon" + preset: "ASA Premium" + + # Project configuration + project: Replicon-${{ github.event.repository.name }} + scanners: sast + incremental: true + break_build: false + + # Scan parameters and 
thresholds + params: >- + --namespace=${{ github.repository_owner}} + --checkmarx.settings-override=true + --repo-name=${{ github.event.repository.name}} + --branch=${{ github.ref_name || github.head_ref}} + --cx-flow.filterSeverity + --cx-flow.thresholds.high=1 + --cx-flow.thresholds.medium=1 + --cx-flow.scan-resubmit=true + ${{ github.event.number && format('--merge-id={0}', github.event.number)}} + checkmarx-scheduled-scan: name: Checkmarx scheduled SAST Scan runs-on: ubuntu-latest timeout-minutes: 360 if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + steps: - - name: Checkout Code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.repository.default_branch }} - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - # bug_tracker: GitHub - incremental: false - break_build: false - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.event.repository.default_branch }} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true + - name: Checkout Code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.repository.default_branch }} + + - name: Run Checkmarx SAST Scan + uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 + with: + # Connection parameters + checkmarx_url: https://cmxext.deltek.com + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + 
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + team: "/CxServer/Security/Deltek/Replicon" + preset: "ASA Premium" + + # Project configuration + project: Replicon-${{ github.event.repository.name }} + scanners: sast + incremental: false + break_build: false + + # Scan parameters and thresholds + params: >- + --namespace=${{ github.repository_owner}} + --checkmarx.settings-override=true + --repo-name=${{ github.event.repository.name}} + --branch=${{ github.event.repository.default_branch }} + --cx-flow.filterSeverity + --cx-flow.thresholds.high=1 + --cx-flow.thresholds.medium=1 + --cx-flow.scan-resubmit=true + From c1b7d2cb1c7e6c9961614f5c9e469533236e20be Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Tue, 2 Dec 2025 16:13:46 +0530 Subject: [PATCH 6/7] update concurrency settings --- .github/workflows/checkmarx.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index 4870ff2f99..cffc48778c 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml @@ -12,6 +12,9 @@ jobs: checkmarx-scan: name: Checkmarx SAST Scan runs-on: ubuntu-latest + concurrency: + group: checkmarx-${{ github.head_ref || github.ref }} + cancel-in-progress: true timeout-minutes: 90 if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' @@ -51,6 +54,9 @@ jobs: checkmarx-scheduled-scan: name: Checkmarx scheduled SAST Scan runs-on: ubuntu-latest + concurrency: + group: checkmarx-scheduled-scan + cancel-in-progress: true timeout-minutes: 360 if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' From c227db44754553fdaf5c7b4935710656016c7024 Mon Sep 17 00:00:00 2001 
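Review bot: Almost every line of this hunk is a re-indentation of both jobs' `steps:` blocks from flush to indented sequences, so the substantive changes — dropping the `# bug_tracker: GitHub` lines and the `# Skip this job on scheduled runs` comment — are hard to spot; whitespace-only moves are easier to review in their own commit, and the indented-sequence style chosen here should then be kept consistent across the file. The `if:` line in the first job keeps its logic but now has no comment at all; `# Only pull_request/push events run this job` above it restores what was lost.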
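Review bot: In the `checkmarx-scheduled-scan` hunk, `group: checkmarx-scheduled-scan` with `cancel-in-progress: true` means a `workflow_dispatch` run (or a late-running schedule) cancels an in-flight full scan that may be hours into its 360-minute budget, so the full scan is lost rather than queued; `cancel-in-progress: false` for this job makes runs queue behind each other. In the `checkmarx-scan` hunk, `group: checkmarx-${{ github.head_ref || github.ref }}` keys pull requests by head branch name alone, so two open PRs with the same branch name (for example from different forks) would cancel each other's scan; `group: checkmarx-${{ github.ref }}` is unique per PR (`refs/pull/N/merge`) and per pushed branch.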
From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Thu, 4 Dec 2025 12:13:35 +0530 Subject: [PATCH 7/7] use reusable Workflows
--- .github/workflows/checkmarx.yml | 96 ++++----------------------- 1 file changed, 11 insertions(+), 85 deletions(-)
diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml
index cffc48778c..f8509089d1 100644
--- a/.github/workflows/checkmarx.yml
+++ b/.github/workflows/checkmarx.yml
@@ -5,92 +5,18 @@ on: - main - master schedule: - - cron: '0 13 * * 6' + - cron: '0 13 * * 5' workflow_dispatch: name: Checkmarx SAST Scan jobs: - checkmarx-scan: - name: Checkmarx SAST Scan - runs-on: ubuntu-latest - concurrency: - group: checkmarx-${{ github.head_ref || github.ref }} - cancel-in-progress: true - timeout-minutes: 90 - if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' + call-reusable-checkmarx: + name: Call Reusable Checkmarx Workflow + uses: Replicon/time-intelligence-web/.github/workflows/reusable-checkmarx.yml@main + with: + timeout_minutes: 90 + scheduled_timeout_minutes: 360 + secrets: + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - steps: - - name: Checkout Code - uses: actions/checkout@v4 - - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - incremental: true - break_build: false - - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.ref_name || github.head_ref}} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true - ${{ github.event.number && format('--merge-id={0}', github.event.number)}} - - checkmarx-scheduled-scan: - name: Checkmarx scheduled SAST Scan - runs-on: ubuntu-latest - concurrency: - group: 
checkmarx-scheduled-scan - cancel-in-progress: true - timeout-minutes: 360 - if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' - - steps: - - name: Checkout Code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.repository.default_branch }} - - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - incremental: false - break_build: false - - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.event.repository.default_branch }} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true -
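Review bot: `uses: Replicon/time-intelligence-web/.github/workflows/reusable-checkmarx.yml@main` references the reusable workflow by a mutable branch while handing it `CHECKMARX_USERNAME`, `CHECKMARX_PASSWORD` and `CHECKMARX_CLIENT_SECRET`, so anyone who can push to `main` of that repository changes what runs with these credentials without any change here; pin to a tag or full commit SHA (`@<commit-sha>` with the version in a trailing comment) and bump deliberately, or document in a comment why `@main` is acceptable. The schedule change from `'0 13 * * 6'` to `'0 13 * * 5'` (Saturday to Friday) is unexplained and the line still has no comment; add `# Every Friday at 13:00 UTC` above it. The `if:` split between incremental and full scan, the `preset`, `team` and thresholds now live in the other repository; a one-line comment such as `# scan configuration (preset, team, thresholds, schedule handling) is defined in the reusable workflow` saves the next reader a repository hop.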