diff --git a/.github/workflows/cxflow.yml b/.github/workflows/cxflow.yml index 2376e9d..cb22006 100644 --- a/.github/workflows/cxflow.yml +++ b/.github/workflows/cxflow.yml @@ -1,54 +1,17 @@ name: CxFlow-GitHub-Pull-Request -# Controls when the action will run. Triggers the workflow on push or pull request events but only for the master branch on: pull_request: types: [ready_for_review] -# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action jobs: - # This workflow contains a single job called "build" build: - # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action runs-on: self-runner-node steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 - - name: Checkmarx CxFlow Action - id: checkmarx - uses: checkmarx-ts/checkmarx-cxflow-github-action@v1.4 - with: - project: ${{ github.repository }}-PR - team: ${{ secrets.CHECKMARX_TEAMS }} - checkmarx_url: ${{ secrets.CHECKMARX_URL }} # To be stored in GitHub Secrets. - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} # To be stored in GitHub Secrets. - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} # To be stored in GitHub Secrets. - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} # To be stored in GitHub Secrets. - scan-preset: Checkmarx Default - incremental: true - break_build: false - scanners: sast - params: --namespace=${{ github.repository_owner }} --cx-flow.filterStatus=New --repo-name=${{ github.event.repository.name }} --branch=${{ github.head_ref }} --cx-flow.filterSeverity --cx-flow.filterCategory --cx-flow.zip-exclude="\.git\/.*,\.github\/.*,tests\/.*,__tests__\/.*,__mocks__\/.*,\.*\/.*,test\/.*,doc\/.*,_unit\/.*" - - name: The job has failed - if: ${{ failure() }} + - name: Trigger to Scanner Lambda run: | python -c ' import json,sys,requests; - github_result = {"repository": "'${{ github.repository }}'", "server_url": "'${{ github.server_url }}'", "run_id": "'${{ github.run_id }}'"}; - request = {"checkmarx_result": "empty", "github": github_result}; - requests.post("'$LambdaWebHook'", json=request);' - env: - LambdaWebHook: ${{ secrets.CHECKMARX_LAMBDA_WEBHOOK }} - - name: Checkmarx Response Send to Lambda - id: slack-notification - if: ${{ success() }} - run: | - python -c ' - import json,sys,requests; - output=open("./cx.sarif"); - json_result=json.loads(output.read()); - response=""; - json_result = json_result.get("runs", [{}])[0].get("tool", {}).get("driver", {}).get("rules", []); - github_result = {"repository": "'${{ github.repository }}'", "server_url": "'${{ github.server_url }}'", "run_id": "'${{ github.run_id }}'"}; - request = {"checkmarx_result": json_result, "github": github_result}; - requests.post("'$LambdaWebHook'", json=request);' + github = {"repository": "'${{ github.event.repository.name }}'", "ref": "'${{ github.head_ref }}'"}; + github_request = {"checkmarx_gitaction": github}; + requests.post("'$LambdaWebHook'", json=github_request);' env: LambdaWebHook: ${{ secrets.CHECKMARX_LAMBDA_WEBHOOK }} \ No newline at end of file