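---
# Step metadata for the checkmarxExecuteScan step.
#
# Conventions used in this file:
# - `secret: true` marks values that must never be echoed into logs or docs;
#   they are sourced from Jenkins credentials or a vault secret via resourceRef.
# - Defaults whose declared `type` is string are quoted so a YAML loader does
#   not retype them (e.g. "5" would otherwise become an int).
# - Influx field names under spec.outputs are identifiers read by downstream
#   consumers; presumably they are queried by name, so keep them byte-identical
#   (including the existing `not_false_postive` spelling).
metadata:
  name: checkmarxExecuteScan
  description: Checkmarx is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code.
  longDescription: |-
    Checkmarx is a Static Application Security Testing (SAST) tool to analyze i.e. Java- or TypeScript, Swift, Golang, Ruby code,
    and many other programming languages for security flaws based on a set of provided rules/queries that can be customized and extended.

    This step by default enforces a specific audit baseline for findings and therefore ensures that:

    * No 'To Verify' High and Medium issues exist in your project
    * Total number of High and Medium 'Confirmed' or 'Urgent' issues is zero
    * 10% of all Low issues are 'Confirmed' or 'Not Exploitable'

    You can adapt above thresholds specifically using the provided configuration parameters and i.e. check for `absolute`
    thresholds instead of `percentage` whereas we strongly recommend you to stay with the defaults provided.
spec:
  inputs:
    secrets:
      - name: checkmarxCredentialsId
        description: Jenkins 'Username with password' credentials ID containing username and password to communicate with the Checkmarx backend.
        type: jenkins
    resources:
      - name: checkmarx
        type: stash
    params:
      - name: assignees
        description: Defines the assignees for the Github Issue created/updated with the results of the scan as a list of login names.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: "[]string"
        default: []
      - name: avoidDuplicateProjectScans
        type: bool
        description: Whether duplicate scans of the same project state shall be avoided or not
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: filterPattern
        type: string
        description: >-
          The filter pattern used to zip the files relevant for scanning, patterns can be negated by setting an exclamation mark in front i.e.
          `!test/*.js` would avoid adding any javascript files located in the test directory
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Exclusions first (node_modules, .xmake, Go tests and vendored Go), then the
        # included source extensions; the value is one comma-separated string.
        default: "!**/node_modules/**, !**/.xmake/**, !**/*_test.go, !**/vendor/**/*.go, **/*.html, **/*.xml, **/*.go, **/*.py, **/*.js, **/*.scala, **/*.ts"
      - name: fullScanCycle
        type: string
        description: Indicates how often a full scan should happen between the incremental scans when activated
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Declared type is string; quoted so the loader does not turn it into an int.
        default: "5"
      - name: fullScansScheduled
        type: bool
        description: Whether full scans are to be scheduled or not. Should be used in relation with `incremental` and `fullScanCycle`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: generatePdfReport
        type: bool
        description: Whether to generate a PDF report of the analysis results or not
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: githubApiUrl
        description: "Set the GitHub API URL."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        default: "https://api.github.com"
      - name: githubToken
        description: >-
          GitHub personal access token as per
          https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      - name: incremental
        type: bool
        description: >-
          Whether incremental scans are to be applied which optimizes the scan time but might reduce detection capabilities.
          Therefore full scans are still required from time to time and should be scheduled via `fullScansScheduled` and `fullScanCycle`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: maxRetries
        type: int
        description: Maximum number of HTTP request retries upon intermittent connection interrupts
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 3
      - name: owner
        aliases:
          - name: githubOrg
        description: "Set the GitHub organization."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/owner
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: password
        type: string
        description: The password to authenticate
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: checkmarxCredentialsId
            type: secret
            param: password
          - type: vaultSecret
            name: checkmarxVaultSecretName
            default: checkmarx
      - name: preset
        type: string
        description: The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxCredentialsId`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Explicit null: "unset" is meaningful here (triggers the lookup described above).
        default: null
      - name: projectName
        aliases:
          - name: checkmarxProject
          - name: checkMarxProjectName
            deprecated: true
        type: string
        description: The name of the Checkmarx project to scan into
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: pullRequestName
        type: string
        description: Used to supply the name for the newly created PR project branch when being used in pull request scenarios
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: repository
        aliases:
          - name: githubRepo
        description: "Set the GitHub repository."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/repository
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: serverUrl
        aliases:
          - name: checkmarxServerUrl
        type: string
        description: The URL pointing to the root of the Checkmarx server to be used
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: sourceEncoding
        type: string
        description: The source encoding to be used, if not set explicitly the project's default will be used
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Quoted: an encoding id, not a number.
        default: "1"
      - name: teamId
        aliases:
          - name: checkmarxGroupId
          - name: groupId
            deprecated: true
        type: string
        description: The group ID related to your team which can be obtained via the Pipeline Syntax plugin as described in the `Details` section
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: teamName
        type: string
        description: The full name of the team to assign newly created projects to which is preferred to teamId
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: username
        type: string
        description: The username to authenticate
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: checkmarxCredentialsId
            type: secret
            param: username
          - type: vaultSecret
            name: checkmarxVaultSecretName
            default: checkmarx
      - name: verifyOnly
        type: bool
        description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: vulnerabilityThresholdEnabled
        type: bool
        description: >-
          Whether the thresholds are enabled or not.
          If enabled the build will be set to `vulnerabilityThresholdResult` in case a specific threshold value is exceeded
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      # Threshold defaults encode the audit baseline from longDescription:
      # 100% of High/Medium findings must be audited, 10% of Low findings.
      - name: vulnerabilityThresholdHigh
        type: int
        description: The specific threshold for high severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 100
      - name: vulnerabilityThresholdLow
        type: int
        description: The specific threshold for low severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 10
      - name: vulnerabilityThresholdMedium
        type: int
        description: The specific threshold for medium severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 100
      - name: vulnerabilityThresholdResult
        type: string
        description: The result of the build in case thresholds are enabled and exceeded
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: FAILURE
        possibleValues:
          - FAILURE
      - name: vulnerabilityThresholdUnit
        type: string
        description: The unit for the threshold to apply.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: percentage
        # The two units named in longDescription (`percentage` / `absolute`).
        possibleValues:
          - percentage
          - absolute
      - name: isOptimizedAndScheduled
        type: bool
        description: Whether the pipeline runs in optimized mode and the current execution is a scheduled one
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - PARAMETERS
      - name: createResultIssue
        type: bool
        description: Activate creation of a result issue in GitHub.
        longDescription: |
          Whether the step creates a GitHub issue containing the scan results in the originating repo.
          Since optimized pipelines are headless the creation is implicitly activated for scheduled runs.
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: convertToSarif
        type: bool
        description: "[BETA] Convert the Checkmarx XML (Cxxml) scan results to the open SARIF standard. Uploaded through Cumulus later on."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # No default declared; presumably the bool zero value (false) applies — confirm with the consumer.
  outputs:
    resources:
      - name: influx
        type: influx
        params:
          - name: step_data
            fields:
              - name: checkmarx
                type: bool
          - name: checkmarx_data
            # Per-severity counters. `*_not_false_postive` keeps its historical
            # spelling on purpose: it is the field name consumers already read.
            fields:
              - name: high_issues
                type: int
              - name: high_not_false_postive
                type: int
              - name: high_not_exploitable
                type: int
              - name: high_confirmed
                type: int
              - name: high_urgent
                type: int
              - name: high_proposed_not_exploitable
                type: int
              - name: high_to_verify
                type: int
              - name: medium_issues
                type: int
              - name: medium_not_false_postive
                type: int
              - name: medium_not_exploitable
                type: int
              - name: medium_confirmed
                type: int
              - name: medium_urgent
                type: int
              - name: medium_proposed_not_exploitable
                type: int
              - name: medium_to_verify
                type: int
              - name: low_issues
                type: int
              - name: low_not_false_postive
                type: int
              - name: low_not_exploitable
                type: int
              - name: low_confirmed
                type: int
              - name: low_urgent
                type: int
              - name: low_proposed_not_exploitable
                type: int
              - name: low_to_verify
                type: int
              - name: information_issues
                type: int
              - name: information_not_false_postive
                type: int
              - name: information_not_exploitable
                type: int
              - name: information_confirmed
                type: int
              - name: information_urgent
                type: int
              - name: information_proposed_not_exploitable
                type: int
              - name: information_to_verify
                type: int
              - name: lines_of_code_scanned
                type: int
              - name: files_scanned
                type: int
              # Untyped fields below carry scan metadata (no `type` given in the source).
              - name: initiator_name
              - name: owner
              - name: scan_id
              - name: project_id
              - name: projectName
              - name: team
              - name: team_full_path_on_report_date
              - name: scan_start
              - name: scan_time
              - name: checkmarx_version
              - name: scan_type
              - name: preset
              - name: deep_link
              - name: report_creation_time
      - name: reports
        type: reports
        params:
          - filePattern: "**/piper_checkmarx_report.html"
            type: checkmarx
          - filePattern: "**/CxSASTResults_*.xml"
            type: checkmarx
          - filePattern: "**/ScanReport.*"
            type: checkmarx
          - filePattern: "**/toolrun_checkmarx_*.json"
            type: checkmarx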