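# Step descriptor for checkmarxExecuteScan: declares the step's inputs
# (credential references, stash resources, configuration parameters) and its
# outputs (influx measurement fields and report file patterns).
# The vulnerabilityThreshold* parameters define the audit baseline that is
# enforced on the scan findings; see longDescription for the defaults' meaning.
metadata:
  name: checkmarxExecuteScan
  description: Checkmarx is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code.
  longDescription: |-
    Checkmarx is a Static Application Security Testing (SAST) tool to analyze i.e. Java- or TypeScript, Swift, Golang, Ruby code,
    and many other programming languages for security flaws based on a set of provided rules/queries that can be customized and extended.
    This step by default enforces a specific audit baseline for findings and therefore ensures that:

    * No 'To Verify' High and Medium issues exist in your project
    * Total number of High and Medium 'Confirmed' or 'Urgent' issues is zero
    * 10% of all Low issues are 'Confirmed' or 'Not Exploitable'
    You can adapt above thresholds specifically using the provided configuration parameters and i.e. check for `absolute`
    thresholds instead of `percentage` whereas we strongly recommend you to stay with the defaults provided.
spec:
  inputs:
    secrets:
      # Credentials are referenced by Jenkins credential ID only; no secret
      # value is stored in this descriptor.
      - name: checkmarxCredentialsId
        description: Jenkins 'Username with password' credentials ID containing username and password to communicate with the Checkmarx backend.
        type: jenkins
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
    resources:
      - name: checkmarx
        type: stash
    params:
      - name: assignees
        description: Defines the assignees for the Github Issue created/updated with the results of the scan as a list of login names.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: "[]string"
        default: []
      - name: avoidDuplicateProjectScans
        type: bool
        description: Tell Checkmarx to skip the scan if no code change is detected
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
        aliases:
          # former parameter name, kept so existing configurations still resolve
          - name: notForceScan
      - name: filterPattern
        type: string
        description: The filter pattern used to zip the files relevant for scanning, patterns can be negated by setting an exclamation mark in front i.e. `!test/*.js` would avoid adding any javascript files located in the test directory
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Negated entries exclude dependency folders and Go test files from the
        # archive; whatever is excluded here is never analysed, so review any
        # additional exclusions as a reduction of scan coverage.
        default:
          "!**/node_modules/**, !**/.xmake/**, !**/*_test.go, !**/vendor/**/*.go,
          **/*.html, **/*.xml, **/*.go, **/*.py, **/*.js, **/*.scala, **/*.ts"
      - name: fullScanCycle
        type: string
        description: Indicates how often a full scan should happen between the incremental scans when activated
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # quoted: the parameter is typed string, a bare 5 is an int to YAML parsers
        default: "5"
      - name: fullScansScheduled
        type: bool
        description: Whether full scans are to be scheduled or not. Should be used in relation with `incremental` and `fullScanCycle`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: generatePdfReport
        type: bool
        description: Whether to generate a PDF report of the analysis results or not
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: githubApiUrl
        description: "Set the GitHub API URL."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        default: "https://api.github.com"
      - name: githubToken
        description: "GitHub personal access token as per
          https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        # flagged as secret so the step framework treats the value as sensitive
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      - name: incremental
        type: bool
        # Enabled by default; the description already notes the detection
        # trade-off, which is why fullScansScheduled/fullScanCycle exist.
        description: Whether incremental scans are to be applied which optimizes the scan time but might reduce detection capabilities. Therefore full scans are still required from time to time and should be scheduled via `fullScansScheduled` and `fullScanCycle`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: maxRetries
        type: int
        description: Maximum number of HTTP request retries upon intermittent connection interrupts
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 3
      - name: owner
        aliases:
          - name: githubOrg
        description: "Set the GitHub organization."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/owner
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: password
        type: string
        description: The password to authenticate
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # flagged as secret so the step framework treats the value as sensitive
        secret: true
        resourceRef:
          - name: checkmarxCredentialsId
            type: secret
            param: password
          - type: vaultSecret
            name: checkmarxVaultSecretName
            default: checkmarx
      - name: preset
        type: string
        description: The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxCredentialsId`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: projectName
        aliases:
          - name: checkmarxProject
          - name: checkMarxProjectName
            deprecated: true
        type: string
        description: The name of the Checkmarx project to scan into
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: pullRequestName
        type: string
        description: Used to supply the name for the newly created PR project branch when being used in pull request scenarios
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: repository
        aliases:
          - name: githubRepo
        description: "Set the GitHub repository."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/repository
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: serverUrl
        aliases:
          - name: checkmarxServerUrl
        type: string
        description: The URL pointing to the root of the Checkmarx server to be used
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: engineConfigurationID
        type: string
        description: The engine configuration ID to be used, if not set explicitly the project's default will be used
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        aliases:
          # presumably the former parameter name; kept so existing configurations still resolve
          - name: sourceEncoding
      - name: teamId
        aliases:
          - name: checkmarxGroupId
          - name: groupId
            deprecated: true
        type: string
        description: The group ID related to your team which can be obtained via the Pipeline Syntax plugin as described in the `Details` section
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: teamName
        type: string
        description: The full name of the team to assign newly created projects to which is preferred to teamId
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: username
        type: string
        description: The username to authenticate
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # flagged as secret so the step framework treats the value as sensitive
        secret: true
        resourceRef:
          - name: checkmarxCredentialsId
            type: secret
            param: username
          - type: vaultSecret
            name: checkmarxVaultSecretName
            default: checkmarx
      - name: verifyOnly
        type: bool
        description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      # Threshold defaults (100 / 100 / 10 with unit `percentage`) implement the
      # audit baseline stated in longDescription; disabling the thresholds or
      # lowering them weakens that baseline.
      - name: vulnerabilityThresholdEnabled
        type: bool
        description: Whether the thresholds are enabled or not. If enabled the build will be set to `vulnerabilityThresholdResult` in case a specific threshold value is exceeded
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: vulnerabilityThresholdHigh
        type: int
        description: The specific threshold for high severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 100
      - name: vulnerabilityThresholdMedium
        type: int
        description: The specific threshold for medium severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 100
      - name: vulnerabilityThresholdLow
        type: int
        description: The specific threshold for low severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 10
      - name: vulnerabilityThresholdLowPerQuery
        type: bool
        description: Flag to activate/deactivate the threshold of low severity findings per query
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: vulnerabilityThresholdLowPerQueryMax
        type: int
        description: Upper threshold of low severity findings per query (in absolute number)
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 10
      - name: vulnerabilityThresholdResult
        type: string
        description: The result of the build in case thresholds are enabled and exceeded
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: FAILURE
        possibleValues:
          - FAILURE
      - name: vulnerabilityThresholdUnit
        type: string
        # `percentage` (default) or `absolute`, as described in longDescription
        description: The unit for the threshold to apply.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: percentage
      - name: isOptimizedAndScheduled
        type: bool
        description: Whether the pipeline runs in optimized mode and the current execution is a scheduled one
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - PARAMETERS
      - name: createResultIssue
        type: bool
        description: Activate creation of a result issue in GitHub.
        longDescription: |
          Whether the step creates a GitHub issue containing the scan results in the originating repo.
          Since optimized pipelines are headless the creation is implicitly activated for scheduled runs.
        # resolved from the same CPE value as isOptimizedAndScheduled, which is
        # how scheduled optimized runs switch the issue creation on
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: convertToSarif
        type: bool
        description: "Convert the Checkmarx XML scan results to the open SARIF standard."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
  outputs:
    resources:
      - name: influx
        type: influx
        params:
          - name: step_data
            fields:
              - name: checkmarx
                type: bool
          - name: checkmarx_data
            # Finding counters per severity and audit state; fields without a
            # type carry descriptive scan metadata.
            fields:
              - name: high_issues
                type: int
              - name: high_not_false_positive
                type: int
              - name: high_not_exploitable
                type: int
              - name: high_confirmed
                type: int
              - name: high_urgent
                type: int
              - name: high_proposed_not_exploitable
                type: int
              - name: high_to_verify
                type: int
              - name: medium_issues
                type: int
              - name: medium_not_false_positive
                type: int
              - name: medium_not_exploitable
                type: int
              - name: medium_confirmed
                type: int
              - name: medium_urgent
                type: int
              - name: medium_proposed_not_exploitable
                type: int
              - name: medium_to_verify
                type: int
              - name: low_issues
                type: int
              - name: low_not_false_positive
                type: int
              - name: low_not_exploitable
                type: int
              - name: low_confirmed
                type: int
              - name: low_urgent
                type: int
              - name: low_proposed_not_exploitable
                type: int
              - name: low_to_verify
                type: int
              - name: information_issues
                type: int
              - name: information_not_false_positive
                type: int
              - name: information_not_exploitable
                type: int
              - name: information_confirmed
                type: int
              - name: information_urgent
                type: int
              - name: information_proposed_not_exploitable
                type: int
              - name: information_to_verify
                type: int
              - name: lines_of_code_scanned
                type: int
              - name: files_scanned
                type: int
              - name: initiator_name
              - name: owner
              - name: scan_id
              - name: project_id
              - name: projectName
              - name: team
              - name: team_full_path_on_report_date
              - name: scan_start
              - name: scan_time
              - name: checkmarx_version
              - name: scan_type
              - name: preset
              - name: deep_link
              - name: report_creation_time
      - name: reports
        type: reports
        params:
          - filePattern: "**/piper_checkmarx_report.html"
            type: checkmarx
          - filePattern: "**/CxSASTResults_*.xml"
            type: checkmarx
          - filePattern: "**/ScanReport.*"
            type: checkmarx
          - filePattern: "**/toolrun_checkmarx_*.json"
            type: checkmarx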