SIGSPM-10844-integrate-checkmarx-scan (#207)

* ci: migrate fortify to checkmarx one * ci: test commit to run checkmarx scan * ci: adjust project name * ci: adjust name of workflow * ci: adjust checkmarx scan params * ci: setup weekly workflow and scan on master branch --------- Co-authored-by: Leonard Heilos <leonard.heilos@sap.com>
signavio · Apr 9, 2024 · da51d4b · da51d4b
1 parent 3042465
commit da51d4b
Showing 1 changed file with 31 additions and 41 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -2,13 +2,6 @@ version: 2.1
 
 orbs:
   blackduck: signavio/blackduck@1.16.4
-  fortify: signavio/fortify@2.0.0
-
-executors:
-  fortify:
-    machine:
-      image: &ubuntu "ubuntu-2204:current"
-    resource_class: 2xlarge
 
 references:
   workspace_root: &workspace_root /home/circleci/repo
@@ -77,40 +70,26 @@ jobs:
           blackduck-project-name: i18n
           blackduck-project-path: *workspace_root
 
-  fortify-translate-and-scan:
-    executor: fortify
-    working_directory: *workspace_root
+  checkmarx-one-scan:
+    docker:
+      - image: checkmarx/ast-cli
     steps:
       - checkout
-      - fortify/setup
-      - run:
-          name: Translate i18n
-          command: |
-            set -x
-            sourceanalyzer \
-              -b i18n \
-              -verbose \
-              ./src
-      - run:
-          name: Analyze i18n
-          command: |
-            sourceanalyzer \
-              -b i18n \
-              -verbose \
-              -scan \
-              -f i18n.fpr
-      - store_artifacts:
-          path: i18n.fpr
       - run:
-          name: 'Fortify: upload'
+          name: 'Run Scan'
           command: |
-            fortifyclient \
-               -url "$FORTIFY_SSC" \
-               -authtoken "$SSC_API_TOKEN" \
-               uploadFPR \
-               -file i18n.fpr \
-               -project signavio-i18n \
-               -version master
+            /app/bin/cx \
+            scan create \
+            -s . \
+            --agent CircleCI \
+            --project-name signavio-i18n \
+            --application-name SIGNAVIO_I18N \
+            --branch master \
+            --base-uri $CX_BASE_URI \
+            --base-auth-uri $CX_BASE_AUTH_URI \
+            --tenant $CX_TENANT \
+            --client-id $CX_CLIENT_ID \
+            --client-secret $CX_CLIENT_SECRET \
 
   test:
     <<: *container_config
@@ -195,14 +174,25 @@ workflows:
       - black-duck-scan:
           context: BlackDuck
 
-  fortify-workflow:
+  checkmarx:
+    jobs:
+      - checkmarx-one-scan:
+          filters:
+            branches:
+              only:
+                - master
+          context:
+            - checkmarx-one
+
+  checkmarx-weekly:
     triggers:
       - schedule:
           cron: '0 0 * * 0'
           filters:
             branches:
-              only: master
+              only:
+                - master
     jobs:
-      - fortify-translate-and-scan:
+      - checkmarx-one-scan:
           context:
-            - fortify
+            - checkmarx-one