
Add GitHub Actions Support to Checkmarx 2MS Tool #39

Open
bryantschuck opened this issue Apr 12, 2023 · 10 comments

Comments

@bryantschuck

Description:
The Checkmarx 2MS tool is a powerful secret leakage detection tool that helps developers identify sensitive data and other secrets that may have been unintentionally leaked within their code repositories. To integrate this tool effectively into the development workflow, we need to add support for GitHub Actions to Checkmarx 2MS.

Technical Details:
To add GitHub Actions support to Checkmarx 2MS, we will create a custom action that can be used within GitHub workflows. This action will leverage the Checkmarx 2MS tool to scan a specified code repository for potential secret leakage issues and provide detailed results to the user. The action should be configurable, allowing users to specify the repository to scan, the API key to use for authentication, and any other relevant options.

Once the custom action is created, we can add it to the GitHub Marketplace, making it easily accessible for users. Additionally, we will provide documentation on how to integrate this action into existing workflows and best practices for using the Checkmarx 2MS tool for secret leakage detection within the GitHub ecosystem.

@baruchiro
Contributor

Depends on #30

@kaplanlior
Contributor

Can we integrate into https://github.com/Checkmarx/ast-github-action/ instead of maintaining yet another GH?

CC @pedrompflopes

@baruchiro
Contributor

@kaplanlior I see people using this tool freely in their indie projects, without being Checkmarx customers.

Having said that, we can guide them on how to use ast-github-action for only 2ms.

@baruchiro
Contributor

I'm suggesting waiting for #66

@baruchiro baruchiro self-assigned this Jun 12, 2023
@jossef
Member

jossef commented Jun 12, 2023

I suggest we do both:

  1. creating a GitHub action for 2ms
  2. contributing a PR for ast-github-action with the additions

This will be flexible for all users.

@kaplanlior
Contributor

I talked with Pedro and he also thinks we should have our own GitHub action for the open source project.

@baruchiro
Contributor

Two examples of implementing a GitHub Action based on Docker:

  1. ast-github-action
  2. kics-github-action

They both contain an entrypoint.sh file with a lot of code to handle action inputs, and I want to avoid that (but I'm not sure if I can).
One option is to download 2ms from the release as an executable, instead of running it as a Docker container, but I'm not sure if that is the better way.

@baruchiro
Contributor

Regarding ast-github-action, talk with Pedro.
Follow the kics-github-action flow.

@baruchiro
Contributor

Check the possibility of uploading a report to mark the secret on the code, like in KICS.

See why gitleaks is not using GitHub Code Scanning.

But we can do annotations like in KICS.
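An added sketch, not code from the 2ms project, of the two pieces discussed in this thread: a small entrypoint that maps action inputs to scanner arguments instead of a large input-handling script, and KICS-style annotations that mark a finding at its file and line. The scanner flag names, the input names and the findings format are assumptions; GitHub does expose each declared input to a Docker action as an INPUT_<NAME> environment variable, and `::warning file=...,line=...::` is the documented workflow-command syntax for annotations.

```shell
#!/bin/sh
# Added example (not code from the 2ms project): a compact Docker-action
# entrypoint. GitHub passes each input declared in action.yml to the
# container as an environment variable named INPUT_<NAME> (upper-cased).
# The scanner flag names below are hypothetical placeholders.
set -u

# Translate declared action inputs into a scanner argument string;
# unset or empty inputs are simply not passed through.
build_args() {
  args="git ${INPUT_PATH:-.}"
  if [ -n "${INPUT_CONFIG:-}" ]; then
    args="$args --config ${INPUT_CONFIG}"
  fi
  if [ -n "${INPUT_REPORT_PATH:-}" ]; then
    args="$args --report-path ${INPUT_REPORT_PATH}"
  fi
  printf '%s' "$args"
}

# Emit one GitHub workflow-command annotation for a finding. Only the
# location and rule name are printed; the matched secret value itself
# must never be echoed into the job log.
annotate_finding() {
  printf '::warning file=%s,line=%s::Possible secret (%s)\n' "$1" "$2" "$3"
}

# Read tab-separated findings (file, line, rule, value) from stdin and
# annotate each one, dropping the value column.
annotate_all() {
  tab=$(printf '\t')
  while IFS="$tab" read -r file line rule _value; do
    [ -n "$file" ] && annotate_finding "$file" "$line" "$rule"
  done
}

# Constructed sample findings in that shape (not the real 2ms report
# format); the values are fake.
SAMPLE_FINDINGS=$(printf 'src/config.py\t12\taws-access-key\tAKIAFAKEKEY\nci/deploy.sh\t3\tgeneric-api-key\tabc123\n')

echo "scanner args: $(build_args)"
printf '%s\n' "$SAMPLE_FINDINGS" | annotate_all
```

In a real action the argument string would be passed to the scanner binary and the report it writes would be parsed into the findings shape above.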

@baruchiro
Contributor

Should be assigned to @ShimonMizrahi
