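# resources/metadata/checkmarxExecuteScan.yaml
#
# Step metadata for the checkmarxExecuteScan step: its inputs (secrets,
# stashed resources, parameters), and its outputs (influx fields, report
# files). Comments marked NOTE(review) flag settings that decide what gets
# scanned or how strictly findings gate the build; those are the ones worth
# checking when a pipeline overrides the defaults.
metadata:
  name: checkmarxExecuteScan
  description: Checkmarx is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code.
  longDescription: |-
    Checkmarx is a Static Application Security Testing (SAST) tool to analyze e.g. Java- or TypeScript, Swift, Golang, Ruby code,
    and many other programming languages for security flaws based on a set of provided rules/queries that can be customized and extended.

    This step by default enforces a specific audit baseline for findings and therefore ensures that:

    * No 'To Verify' High and Medium issues exist in your project
    * Total number of High and Medium 'Confirmed' or 'Urgent' issues is zero
    * 10% of all Low issues are 'Confirmed' or 'Not Exploitable'

    You can adapt the above thresholds using the provided configuration parameters, e.g. check for `absolute`
    thresholds instead of `percentage`; however, we strongly recommend that you stay with the defaults provided.
spec:
  inputs:
    # Credentials are referenced by Jenkins credentials ID only; no secret
    # value lives in this file.
    secrets:
      - name: checkmarxCredentialsId
        description: Jenkins 'Username with password' credentials ID containing username and password to communicate with the Checkmarx backend.
        type: jenkins
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
    resources:
      # The step works on the stash named `checkmarx`, not on the live
      # workspace.
      - name: checkmarx
        type: stash
    params:
      - name: assignees
        description: Defines the assignees for the GitHub issue created/updated with the results of the scan as a list of login names.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: "[]string"
        default: []
      - name: avoidDuplicateProjectScans
        type: bool
        description: Tell Checkmarx to skip the scan if no code change is detected
        # NOTE(review): a skipped scan reuses the previous result. If presets or
        # queries changed on the server since that scan, the reused result is
        # presumably stale — confirm against Checkmarx behaviour before relying
        # on it for a release gate.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
        aliases:
          - name: notForceScan
      - name: filterPattern
        type: string
        description: The filter pattern used to zip the files relevant for scanning, patterns can be negated by setting an exclamation mark in front, e.g. `!test/*.js` would avoid adding any javascript files located in the test directory
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # NOTE(review): the default include list covers only html/xml/go/py/js/
        # scala/ts. Java, Swift, Ruby and the other languages named in the step
        # description are NOT zipped unless this pattern is extended. The
        # negated entries (node_modules, .xmake, *_test.go, vendored Go) are
        # excluded from the scan entirely, so findings in vendored code are
        # out of scope by default.
        default:
          "!**/node_modules/**, !**/.xmake/**, !**/*_test.go, !**/vendor/**/*.go,
          **/*.html, **/*.xml, **/*.go, **/*.py, **/*.js, **/*.scala, **/*.ts"
      - name: fullScanCycle
        type: string
        description: Indicates how often a full scan should happen between the incremental scans when activated
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Quoted so the default matches the declared `string` type; a bare 5
        # parses as an int.
        default: "5"
      - name: fullScansScheduled
        type: bool
        description: Whether full scans are to be scheduled or not. Should be used in relation with `incremental` and `fullScanCycle`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: generatePdfReport
        type: bool
        description: Whether to generate a PDF report of the analysis results or not
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: githubApiUrl
        description: "Set the GitHub API URL."
        # NOTE(review): GENERAL scope means this can be set from the pipeline
        # config. Presumably `githubToken` is sent to whatever host is
        # configured here (GitHub Enterprise is a legitimate reason to change
        # it), so the value must point to a trusted endpoint — confirm in the
        # step implementation.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        default: "https://api.github.com"
      - name: githubToken
        description: "GitHub personal access token as per
          https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        # `secret: true` marks the value as sensitive for the framework
        # (presumably log masking); keep it on any alias as well.
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          # Vault fallback; `default` is the Vault secret name looked up when
          # `githubVaultSecretName` is not set.
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      - name: incremental
        type: bool
        description: Whether incremental scans are to be applied which optimizes the scan time but might reduce detection capabilities. Therefore full scans are still required from time to time and should be scheduled via `fullScansScheduled` and `fullScanCycle`
        # NOTE(review): enabled by default, i.e. the default trades detection
        # capability for speed (see description); only `fullScansScheduled`
        # with `fullScanCycle` brings full scans back in.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: maxRetries
        type: int
        description: Maximum number of HTTP request retries upon intermittent connection interrupts
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 3
      - name: owner
        aliases:
          - name: githubOrg
        description: "Set the GitHub organization."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/owner
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: password
        type: string
        description: The password to authenticate
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          # Taken from the `password` half of the Jenkins credentials, or from
          # Vault (secret name `checkmarx` unless overridden).
          - name: checkmarxCredentialsId
            type: secret
            param: password
          - type: vaultSecret
            name: checkmarxVaultSecretName
            default: checkmarx
      - name: preset
        type: string
        description: The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxCredentialsId`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: projectName
        aliases:
          - name: checkmarxProject
          - name: checkMarxProjectName
            deprecated: true
        type: string
        description: The name of the Checkmarx project to scan into
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: pullRequestName
        type: string
        description: Used to supply the name for the newly created PR project branch when being used in pull request scenarios
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: repository
        aliases:
          - name: githubRepo
        description: "Set the GitHub repository."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/repository
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: serverUrl
        aliases:
          - name: checkmarxServerUrl
        type: string
        description: The URL pointing to the root of the Checkmarx server to be used
        # NOTE(review): `username`/`password` are sent to this host; it is
        # GENERAL-scoped like `githubApiUrl`, so the same trust consideration
        # applies to pipeline-level overrides.
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: engineConfigurationID
        type: string
        description: The engine configuration ID to be used, if not set explicitly the project's default will be used
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        aliases:
          - name: sourceEncoding
      - name: teamId
        aliases:
          - name: checkmarxGroupId
          - name: groupId
            deprecated: true
        type: string
        description: The group ID related to your team which can be obtained via the Pipeline Syntax plugin as described in the `Details` section
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: teamName
        type: string
        description: The full name of the team to assign newly created projects to which is preferred to teamId
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: username
        type: string
        description: The username to authenticate
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: checkmarxCredentialsId
            type: secret
            param: username
          - type: vaultSecret
            name: checkmarxVaultSecretName
            default: checkmarx
      - name: verifyOnly
        type: bool
        description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle
        # When true, no new scan is triggered; only the threshold verification
        # runs against existing results (per description).
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      # Threshold gate. With the defaults below (enabled, unit `percentage`,
      # high 100, medium 100, low 10) the build result is set to
      # `vulnerabilityThresholdResult` once a threshold is exceeded.
      # NOTE(review): every threshold parameter is overridable at
      # PARAMETERS/STAGES/STEPS scope, so a pipeline can weaken the gate by
      # disabling it or lowering the numbers without any change in this file;
      # review such overrides like any other policy exception.
      - name: vulnerabilityThresholdEnabled
        type: bool
        description: Whether the thresholds are enabled or not. If enabled the build will be set to `vulnerabilityThresholdResult` in case a specific threshold value is exceeded
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: vulnerabilityThresholdHigh
        type: int
        description: The specific threshold for high severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 100
      - name: vulnerabilityThresholdMedium
        type: int
        description: The specific threshold for medium severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 100
      - name: vulnerabilityThresholdLow
        type: int
        description: The specific threshold for low severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 10
      - name: vulnerabilityThresholdLowPerQuery
        type: bool
        description: Flag to activate/deactivate the threshold of low severity findings per query
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: vulnerabilityThresholdLowPerQueryMax
        type: int
        description: Upper threshold of low severity findings per query (in absolute number)
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 10
      - name: vulnerabilityThresholdResult
        type: string
        description: The result of the build in case thresholds are enabled and exceeded
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: FAILURE
        # Only FAILURE is accepted, so an exceeded threshold cannot be
        # downgraded to e.g. UNSTABLE through this parameter.
        possibleValues:
          - FAILURE
      - name: vulnerabilityThresholdUnit
        type: string
        description: The unit for the threshold to apply.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: percentage
      - name: isOptimizedAndScheduled
        type: bool
        description: Whether the pipeline runs in optimized mode and the current execution is a scheduled one
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - PARAMETERS
      - name: createResultIssue
        type: bool
        description: Activate creation of a result issue in GitHub.
        longDescription: |
          Whether the step creates a GitHub issue containing the scan results in the originating repo.
          Since optimized pipelines are headless the creation is implicitly activated for scheduled runs.
        # Reads the same CPE value as `isOptimizedAndScheduled`; that is how
        # scheduled runs implicitly enable issue creation (see longDescription).
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: convertToSarif
        type: bool
        description: "Convert the Checkmarx XML scan results to the open SARIF standard."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
  outputs:
    resources:
      - name: influx
        type: influx
        params:
          - name: step_data
            fields:
              - name: checkmarx
                type: bool
          # Per-severity counters, one per Checkmarx audit state
          # (not_false_positive, not_exploitable, confirmed, urgent,
          # proposed_not_exploitable, to_verify), followed by scan metadata.
          - name: checkmarx_data
            fields:
              - name: high_issues
                type: int
              - name: high_not_false_positive
                type: int
              - name: high_not_exploitable
                type: int
              - name: high_confirmed
                type: int
              - name: high_urgent
                type: int
              - name: high_proposed_not_exploitable
                type: int
              - name: high_to_verify
                type: int
              - name: medium_issues
                type: int
              - name: medium_not_false_positive
                type: int
              - name: medium_not_exploitable
                type: int
              - name: medium_confirmed
                type: int
              - name: medium_urgent
                type: int
              - name: medium_proposed_not_exploitable
                type: int
              - name: medium_to_verify
                type: int
              - name: low_issues
                type: int
              - name: low_not_false_positive
                type: int
              - name: low_not_exploitable
                type: int
              - name: low_confirmed
                type: int
              - name: low_urgent
                type: int
              - name: low_proposed_not_exploitable
                type: int
              - name: low_to_verify
                type: int
              - name: information_issues
                type: int
              - name: information_not_false_positive
                type: int
              - name: information_not_exploitable
                type: int
              - name: information_confirmed
                type: int
              - name: information_urgent
                type: int
              - name: information_proposed_not_exploitable
                type: int
              - name: information_to_verify
                type: int
              - name: lines_of_code_scanned
                type: int
              - name: files_scanned
                type: int
              - name: initiator_name
              - name: owner
              - name: scan_id
              - name: project_id
              - name: projectName
              - name: team
              - name: team_full_path_on_report_date
              - name: scan_start
              - name: scan_time
              - name: checkmarx_version
              - name: scan_type
              - name: preset
              - name: deep_link
              - name: report_creation_time
      # Report artifacts picked up from the workspace after the step ran.
      - name: reports
        type: reports
        params:
          - filePattern: "**/piper_checkmarx_report.html"
            type: checkmarx
          - filePattern: "**/CxSASTResults_*.xml"
            type: checkmarx
          - filePattern: "**/ScanReport.*"
            type: checkmarx
          - filePattern: "**/toolrun_checkmarx_*.json"
            type: checkmarx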