signavio · Matwog · Mar 27, 2024 · Mar 27, 2024
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -2,13 +2,6 @@ version: 2.1
 
 orbs:
   blackduck: signavio/blackduck@1.16.4
-  fortify: signavio/fortify@2.0.0
-
-executors:
-  fortify:
-    machine:
-      image: &ubuntu "ubuntu-2204:current"
-    resource_class: 2xlarge
 
 references:
   workspace_root: &workspace_root /home/circleci/repo
@@ -77,41 +70,6 @@ jobs:
           blackduck-project-name: i18n
           blackduck-project-path: *workspace_root
 
-  fortify-translate-and-scan:
-    executor: fortify
-    working_directory: *workspace_root
-    steps:
-      - checkout
-      - fortify/setup
-      - run:
-          name: Translate i18n
-          command: |
-            set -x
-            sourceanalyzer \
-              -b i18n \
-              -verbose \
-              ./src
-      - run:
-          name: Analyze i18n
-          command: |
-            sourceanalyzer \
-              -b i18n \
-              -verbose \
-              -scan \
-              -f i18n.fpr
-      - store_artifacts:
-          path: i18n.fpr
-      - run:
-          name: 'Fortify: upload'
-          command: |
-            fortifyclient \
-               -url "$FORTIFY_SSC" \
-               -authtoken "$SSC_API_TOKEN" \
-               uploadFPR \
-               -file i18n.fpr \
-               -project signavio-i18n \
-               -version master
-
   test:
     <<: *container_config
 
@@ -194,15 +152,3 @@ workflows:
     jobs:
       - black-duck-scan:
           context: BlackDuck
-
-  fortify-workflow:
-    triggers:
-      - schedule:
-          cron: '0 0 * * 0'
-          filters:
-            branches:
-              only: master
-    jobs:
-      - fortify-translate-and-scan:
-          context:
-            - fortify
diff --git a/.github/workflows/checkmarx-one.yml b/.github/workflows/checkmarx-one.yml
@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow.
+# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository
+# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling
+# scan customization using the full functionality and flexibility of the CLI tool.
+
+# This is a basic workflow to help you get started with Using Checkmarx One Action,
+# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html
+
+name: Checkmarx Scan
+
+# Controls when the workflow will run
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+    branches: [ "master" ]
+
+permissions:
+  contents: read
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif
+
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      # This step creates the Checkmarx One scan
+      - name: Checkmarx One scan
+        uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc
+        with:
+          base_uri: https://ast.checkmarx.net  # This should be replaced by your base uri for Checkmarx One
+          cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
+          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
+          cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
+          additional_params: --report-format sarif --output-path .
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: cx_result.sarif