metadata: name: checkmarxExecuteScan description: Checkmarx is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code. longDescription: |- Checkmarx is a Static Application Security Testing (SAST) tool to analyze i.e. Java- or TypeScript, Swift, Golang, Ruby code, and many other programming languages for security flaws based on a set of provided rules/queries that can be customized and extended. This step by default enforces a specific audit baseline for findings and therefore ensures that: * No 'To Verify' High and Medium issues exist in your project * Total number of High and Medium 'Confirmed' or 'Urgent' issues is zero * 10% of all Low issues are 'Confirmed' or 'Not Exploitable' You can adapt above thresholds specifically using the provided configuration parameters and i.e. check for `absolute` thresholds instead of `percentage` whereas we strongly recommend you to stay with the defaults provided. spec: inputs: secrets: - name: checkmarxCredentialsId description: The technical user/password credential used to communicate with the Checkmarx backend type: jenkins params: - name: avoidDuplicateProjectScans type: bool description: Whether duplicate scans of the same project state shall be avoided or not mandatory: false scope: - PARAMETERS - STAGES - STEPS default: false - name: filterPattern type: string description: The filter pattern used to zip the files relevant for scanning, patterns can be negated by setting an exclamation mark in front i.e. `!test/*.js` would avoid adding any javascript files located in the test directory mandatory: false scope: - PARAMETERS - STAGES - STEPS default: '!**/node_modules/**, !**/.xmake/**, !**/*_test.go, !**/vendor/**/*.go, **/*.html, **/*.xml, **/*.go, **/*.py, **/*.js, **/*.scala, **/*.ts' - name: fullScanCycle type: string description: Indicates how often a full scan should happen between the incremental scans when activated mandatory: false scope: - PARAMETERS - STAGES - STEPS default: 5 - name: fullScansScheduled type: bool description: Whether full scans are to be scheduled or not. Should be used in relation with `incremental` and `fullScanCycle` mandatory: false scope: - PARAMETERS - STAGES - STEPS default: true - name: generatePdfReport type: bool description: Whether to generate a PDF report of the analysis results or not mandatory: false scope: - PARAMETERS - STAGES - STEPS default: true - name: incremental type: bool description: Whether incremental scans are to be applied which optimizes the scan time but might reduce detection capabilities. Therefore full scans are still required from time to time and should be scheduled via `fullScansScheduled` and `fullScanCycle` mandatory: false scope: - PARAMETERS - STAGES - STEPS default: true - name: password type: string description: The password to authenticate mandatory: true scope: - PARAMETERS - STAGES - STEPS secret: true - name: preset type: string description: The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxCredentialsId` mandatory: false scope: - PARAMETERS - STAGES - STEPS default: null - name: projectName aliases: - name: checkmarxProject type: string description: The name of the Checkmarx project to scan into mandatory: true scope: - PARAMETERS - STAGES - STEPS - name: pullRequestName type: string description: Used to supply the name for the newly created PR project branch when being used in pull request scenarios mandatory: false scope: - PARAMETERS - STAGES - STEPS - name: serverUrl aliases: - name: checkmarxServerUrl type: string description: The URL pointing to the root of the Checkmarx server to be used mandatory: true scope: - GENERAL - PARAMETERS - STAGES - STEPS - name: sourceEncoding type: string description: The source encoding to be used, if not set explicitly the project's default will be used mandatory: false scope: - PARAMETERS - STAGES - STEPS default: '1' - name: teamId aliases: - name: checkmarxGroupId type: string description: The group ID related to your team which can be obtained via the Pipeline Syntax plugin as described in the `Details` section mandatory: false scope: - PARAMETERS - STAGES - STEPS - name: teamName type: string description: The full name of the team to assign newly created projects to which is preferred to teamId mandatory: false scope: - PARAMETERS - STAGES - STEPS - name: username type: string description: The username to authenticate mandatory: true scope: - PARAMETERS - STAGES - STEPS secret: true - name: vulnerabilityThresholdEnabled type: bool description: Whether the thresholds are enabled or not. If enabled the build will be set to `vulnerabilityThresholdResult` in case a specific threshold value is exceeded mandatory: false scope: - PARAMETERS - STAGES - STEPS default: true - name: vulnerabilityThresholdHigh type: int description: The specific threshold for high severity findings mandatory: false scope: - PARAMETERS - STAGES - STEPS default: 100 - name: vulnerabilityThresholdLow type: int description: The specific threshold for low severity findings mandatory: false scope: - PARAMETERS - STAGES - STEPS default: 10 - name: vulnerabilityThresholdMedium type: int description: The specific threshold for medium severity findings mandatory: false scope: - PARAMETERS - STAGES - STEPS default: 100 - name: vulnerabilityThresholdResult type: string description: The result of the build in case thresholds are enabled and exceeded mandatory: false scope: - PARAMETERS - STAGES - STEPS default: FAILURE possibleValues: - FAILURE - name: vulnerabilityThresholdUnit type: string description: The unit for the threshold to apply. mandatory: false scope: - PARAMETERS - STAGES - STEPS default: percentage outputs: resources: - name: influx type: influx params: - name: checkmarx_data fields: - name: high_issues - name: high_not_false_postive - name: high_not_exploitable - name: high_confirmed - name: high_urgent - name: high_proposed_not_exploitable - name: high_to_verify - name: medium_issues - name: medium_not_false_postive - name: medium_not_exploitable - name: medium_confirmed - name: medium_urgent - name: medium_proposed_not_exploitable - name: medium_to_verify - name: low_issues - name: low_not_false_postive - name: low_not_exploitable - name: low_confirmed - name: low_urgent - name: low_proposed_not_exploitable - name: low_to_verify - name: information_issues - name: information_not_false_postive - name: information_not_exploitable - name: information_confirmed - name: information_urgent - name: information_proposed_not_exploitable - name: information_to_verify - name: initiator_name - name: owner - name: scan_id - name: project_id - name: project_name - name: team - name: team_full_path_on_report_date - name: scan_start - name: scan_time - name: lines_of_code_scanned - name: files_scanned - name: checkmarx_version - name: scan_type - name: preset - name: deep_link - name: report_creation_time