Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
check-square

GitHub Action

Checkmarx DAST Github Action

v1.0.1-beta

Checkmarx DAST Github Action

check-square

Checkmarx DAST Github Action

Integrate Checkmarx DAST into your GitHub Actions CI/CD pipelines

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Checkmarx DAST Github Action

uses: Checkmarx/[email protected]

Learn more about this action in Checkmarx/dast-github-action

Choose a version

Checkmarx DAST GitHub Action

License: GPL-3.0

Integrate Checkmarx DAST into your GitHub workflows

You can integrate DAST into your GitHub Actions CI/CD pipelines. This provides you the ability to run DAST scans in your GitHub repositories.

Authentication

Checkmarx DAST CLI Authentication is made through Checkmarx One API Key To Generate an API Key follow these steps:

  1. Go to Identity and Access Management

    iam
  2. Go to API Keys

    apik
  3. Create a new API Key

    iam
  4. Copy the Generated Key

    iam
  5. Create a GitHub action runner secret from the key generated in point 4

    iam
  6. Set the enviornment variable CX_APIKEY to you newly created secret

steps:
    - name: Checkmarx DAST Github Action
      uses: Checkmarx/[email protected]
      env:
        CX_APIKEY: ${{ secrets.CX_ONE_API_KEY }}

Inputs

Variable Example Value Description Required
command web The type of scan to preform (web, api) true
config ./zap_config.yaml The path to the ZAP configuration file true
base_url localhost.cxast.net The baseURL for the Checkmarx One application true
environment_id c608a51a-ec4e-4eef-81c4-a0241737efd7 The environment ID retrieved from DAST in CxOne true
openapi ./swagger.yaml The path to the openapi specification file true (only for api scan)
project_id fd093dde-b64a-466f-b2cd-8bf141b4db94 The project ID retrieved from project tab in Checkmarx One false (only for api scan)
output ./output The path to generate the output files (zap log and original results) false
timeout 10000 The zap engine timeout in seconds (default: 300) false
update_interval 10 The interval in which to log the progress of the scan in seconds (default: 10) false
jvm_properties -Xmx512m The jvm properties used in the ZAP engine (default: -Xmx3G) false
log_level info The level on what DAST will log (default: info) false
verbose true Set to true in order to print the logs to the stdout (default: false) false
fail_on high The minimum severity in which the action should fail false
retry 3 Retry requests to AST on connection failure (default: 3) false
retry_delay 20 Time between retries in seconds, use with retry (default: 20) false

Simple Usage Example

Web Scan

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
    - uses: actions/checkout@v3
    # Scan Iac with kics
    - name: Checkmarx DAST Github Action
      uses: Checkmarx/[email protected]
      env:
        CX_APIKEY: ${{ secrets.CX_ONE_API_KEY }}
      with:
        command: "web"
        config: 'zap_config.yaml'
        base_url: "localhost.cxast.net"
        environment_id: "c608a51a-ec4e-4eef-81c4-a0241737efd7"
        fail_on: "HIGH"
        verbose: true

API Scan

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
    - uses: actions/checkout@v3
    # Scan Iac with kics
    - name: Checkmarx DAST Github Action
      uses: Checkmarx/[email protected]
      env:
        CX_APIKEY: ${{ secrets.CX_ONE_API_KEY }}
      with:
        command: "api"
        config: 'zap_api_config.yaml'
        base_url: "localhost.cxast.net"
        environment_id: "c608a51a-ec4e-4eef-81c4-a0241737efd7"
        openapi: "swagger.yaml"
        project_id: "fd093dde-b64a-466f-b2cd-8bf141b4db94"
        fail_on: "HIGH"
        verbose: true