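---
# Step metadata for checkmarxOneExecuteScan.
#
# Review notes on this revision:
#   * Every string-typed parameter now carries a string-scalar default
#     (fullScanCycle was `default: 5`, which a YAML parser reads as an int).
#   * Parameters that carry credentials are marked `secret: true` and are
#     resolved through `resourceRef` (Jenkins credential or Vault secret),
#     so no secret value lives in this file.
#   * Influx field names are kept byte-for-byte (including the existing
#     "postive" spelling) because they are the output schema consumers read.
metadata:
  name: checkmarxOneExecuteScan
  description: checkmarxOne is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code.
  longDescription: |-
    checkmarxOne is a Static Application Security Testing (SAST) platform to analyze i.e. Java or TypeScript, Swift, Golang, Ruby code,
    and many other programming languages for security flaws based on a set of provided rules/queries that can be customized and extended.

    This step by default enforces a specific audit baseline for findings and therefore ensures that:

    * No 'To Verify' High and Medium issues exist in your project
    * Total number of High and Medium 'Confirmed' or 'Urgent' issues is zero
    * 10% of all Low issues are 'Confirmed' or 'Not Exploitable'

    You can adapt above thresholds specifically using the provided configuration parameters and i.e. check for `absolute`
    thresholds instead of `percentage` whereas we strongly recommend you to stay with the defaults provided.
spec:
  inputs:
    # Jenkins credential IDs only; the credential material itself is looked up at runtime.
    secrets:
      - name: checkmarxOneCredentialsId
        description: Jenkins 'Username with password' credentials ID containing ClientID and ClientSecret to communicate with the checkmarxOne backend.
        type: jenkins
      - name: checkmarxOneAPIKey
        description: Jenkins 'Secret Text' containing the APIKey to communicate with the checkmarxOne backend.
        type: jenkins
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
    resources:
      - name: checkmarxOne
        type: stash
    params:
      - name: assignees
        description: Defines the assignees for the Github Issue created/updated with the results of the scan as a list of login names. [Not yet supported]
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: "[]string"
        default: []
      - name: avoidDuplicateProjectScans
        type: bool
        description: Whether duplicate scans of the same project state shall be avoided or not [Not yet supported]
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: filterPattern
        type: string
        description: The filter pattern used to zip the files relevant for scanning, patterns can be negated by setting an exclamation mark in front i.e. `!test/*.js` would avoid adding any javascript files located in the test directory
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Quoted: a leading `!` would otherwise be read as a YAML tag indicator.
        default: "!**/node_modules/**, !**/.xmake/**, !**/*_test.go, !**/vendor/**/*.go, **/*.html, **/*.xml, **/*.go, **/*.py, **/*.js, **/*.scala, **/*.ts"
      - name: fullScanCycle
        type: string
        description: Indicates how often a full scan should happen between the incremental scans when activated
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Quoted so the default matches the declared `type: string` (unquoted 5 parses as an int).
        default: "5"
      - name: fullScansScheduled
        type: bool
        description: Whether full scans are to be scheduled or not. Should be used in relation with `incremental` and `fullScanCycle`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: generatePdfReport
        type: bool
        description: Whether to generate a PDF report of the analysis results or not
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: githubApiUrl
        description: "Set the GitHub API URL."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        default: "https://api.github.com"
      - name: githubToken
        description: "GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        # Sensitive value; resolved from the Jenkins credential or the Vault secret below, never set inline.
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      - name: incremental
        type: bool
        description: Whether incremental scans are to be applied which optimizes the scan time but might reduce detection capabilities. Therefore full scans are still required from time to time and should be scheduled via `fullScansScheduled` and `fullScanCycle`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: owner
        aliases:
          - name: githubOrg
        description: "Set the GitHub organization."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/owner
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: clientSecret
        type: string
        description: The clientSecret to authenticate using a service account
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Sensitive value; taken from the `clientSecret` part of checkmarxOneCredentialsId or from Vault.
        secret: true
        resourceRef:
          - name: checkmarxOneCredentialsId
            type: secret
            param: clientSecret
          - type: vaultSecret
            name: checkmarxOneVaultSecretName
            default: checkmarxOne
      - name: APIKey
        type: string
        description: The APIKey to authenticate
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Sensitive value; taken from the checkmarxOneAPIKey secret text or from Vault.
        secret: true
        resourceRef:
          - name: checkmarxOneAPIKey
            type: secret
            param: APIKey
          - type: vaultSecret
            name: checkmarxOneVaultSecretName
            default: checkmarxOne
      - name: preset
        type: string
        description: The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxOneCredentialsId`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: languageMode
        type: string
        description: Specifies whether the scan should be run for a 'single' language or 'multi' language, default 'multi'
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "multi"
      - name: projectCriticality
        type: string
        description: The criticality of the checkmarxOne project, used during project creation
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Quoted: string-typed, must not become an int.
        default: "3"
      - name: projectName
        type: string
        description: The name of the checkmarxOne project to scan into
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: branch
        type: string
        description: Used to supply the branch scanned in the repository, or a friendly-name set by the user
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        mandatory: true
      - name: pullRequestName
        type: string
        description: Used to supply the name for the newly created PR project branch when being used in pull request scenarios. This is supplied by the orchestrator.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: repository
        aliases:
          - name: githubRepo
        description: "Set the GitHub repository."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/repository
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: serverUrl
        type: string
        description: The URL pointing to the root of the checkmarxOne server to be used
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: iamUrl
        type: string
        description: The URL pointing to the access control root of the checkmarxOne IAM server to be used
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: tenant
        type: string
        description: The name of the checkmarxOne tenant to be used
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: sourceEncoding
        type: string
        description: The source encoding to be used, if not set explicitly the project's default will be used [Not yet supported]
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Quoted: string-typed, must not become an int.
        default: "1"
      - name: groupName
        type: string
        description: The full name of the group to which the newly created projects will be assigned
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: applicationName
        type: string
        description: The full name of the Checkmarx One application to which the newly created projects will be assigned
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: clientId
        type: string
        description: The username to authenticate
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Marked secret like its counterpart clientSecret; taken from the `clientId` part of checkmarxOneCredentialsId or from Vault.
        secret: true
        resourceRef:
          - name: checkmarxOneCredentialsId
            type: secret
            param: clientId
          - type: vaultSecret
            name: checkmarxOneVaultSecretName
            default: checkmarxOne
      - name: verifyOnly
        type: bool
        description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      # Threshold block. With the default unit `percentage`, the High/Medium/Low
      # defaults below appear to encode the audit baseline described in
      # longDescription; lowering them weakens the gate for every consumer of the step.
      - name: vulnerabilityThresholdEnabled
        type: bool
        description: Whether the thresholds are enabled or not. If enabled the build will be set to `vulnerabilityThresholdResult` in case a specific threshold value is exceeded
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: vulnerabilityThresholdHigh
        type: int
        description: The specific threshold for high severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 100
      - name: vulnerabilityThresholdMedium
        type: int
        description: The specific threshold for medium severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 100
      - name: vulnerabilityThresholdLow
        type: int
        description: The specific threshold for low severity findings
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 10
      - name: vulnerabilityThresholdLowPerQuery
        type: bool
        description: Flag to activate/deactivate the threshold of low severity findings per query
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: vulnerabilityThresholdLowPerQueryMax
        type: int
        description: Upper threshold of low severity findings per query (in absolute number)
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 10
      - name: vulnerabilityThresholdResult
        type: string
        description: The result of the build in case thresholds are enabled and exceeded
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: FAILURE
        # Only FAILURE is accepted, i.e. an exceeded threshold cannot be downgraded to a warning here.
        possibleValues:
          - FAILURE
      - name: vulnerabilityThresholdUnit
        type: string
        description: The unit for the threshold to apply.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: percentage
      - name: isOptimizedAndScheduled
        type: bool
        description: Whether the pipeline runs in optimized mode and the current execution is a scheduled one
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - PARAMETERS
      - name: createResultIssue
        type: bool
        description: Activate creation of a result issue in GitHub.
        longDescription: |
          Whether the step creates a GitHub issue containing the scan results in the originating repo.
          Since optimized pipelines are headless the creation is implicitly activated for scheduled runs.
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: convertToSarif
        type: bool
        description: "Convert the checkmarxOne XML scan results to the open SARIF standard."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
  outputs:
    resources:
      - name: influx
        type: influx
        params:
          - name: step_data
            fields:
              - name: checkmarxOne
                type: bool
          - name: checkmarxOne_data
            # Field names are the published influx schema; the "postive" spelling is kept
            # on purpose because renaming would silently break existing dashboards/queries.
            fields:
              - name: high_issues
                type: int
              - name: high_not_false_postive
                type: int
              - name: high_not_exploitable
                type: int
              - name: high_confirmed
                type: int
              - name: high_urgent
                type: int
              - name: high_proposed_not_exploitable
                type: int
              - name: high_to_verify
                type: int
              - name: medium_issues
                type: int
              - name: medium_not_false_postive
                type: int
              - name: medium_not_exploitable
                type: int
              - name: medium_confirmed
                type: int
              - name: medium_urgent
                type: int
              - name: medium_proposed_not_exploitable
                type: int
              - name: medium_to_verify
                type: int
              - name: low_issues
                type: int
              - name: low_not_false_postive
                type: int
              - name: low_not_exploitable
                type: int
              - name: low_confirmed
                type: int
              - name: low_urgent
                type: int
              - name: low_proposed_not_exploitable
                type: int
              - name: low_to_verify
                type: int
              - name: information_issues
                type: int
              - name: information_not_false_postive
                type: int
              - name: information_not_exploitable
                type: int
              - name: information_confirmed
                type: int
              - name: information_urgent
                type: int
              - name: information_proposed_not_exploitable
                type: int
              - name: information_to_verify
                type: int
              - name: lines_of_code_scanned
                type: int
              - name: files_scanned
                type: int
              # Untyped fields below are kept as in the original definition.
              - name: initiator_name
              - name: owner
              - name: scan_id
              - name: project_id
              - name: projectName
              - name: group
              - name: group_full_path_on_report_date
              - name: scan_start
              - name: scan_time
              - name: tool_version
              - name: scan_type
              - name: preset
              - name: deep_link
              - name: report_creation_time
      - name: reports
        type: reports
        params:
          # Patterns are quoted because a leading `*` is the YAML alias indicator.
          - filePattern: "**/piper_checkmarxone_report.html"
            type: checkmarxone
          - filePattern: "**/Cx1_SASTResults_*.xml"
            type: checkmarxone
          - filePattern: "**/ScanReport.*"
            type: checkmarxone
          - filePattern: "**/toolrun_checkmarxone_*.json"
            type: checkmarxone
          - filePattern: "**/piper_checkmarxone_report.json"
            type: checkmarxone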