ci(secu): deploy checkmarx (#5588)

sc979 · web-flow · commit c674f133d6af · 2025-05-19T11:54:54.000+02:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,26 +1,27 @@
-*                                  @centreon/owners-connectors
+*                                   @centreon/owners-connectors
 
-*.md                               @centreon/owners-doc
-*.mdx                              @centreon/owners-doc
+*.md                                @centreon/owners-doc
+*.mdx                               @centreon/owners-doc
 
-*.cmake                            @centreon/owners-cpp
-CMakeLists.txt                     @centreon/owners-cpp
-Makefile                           @centreon/owners-cpp
+*.cmake                             @centreon/owners-cpp
+CMakeLists.txt                      @centreon/owners-cpp
+Makefile                            @centreon/owners-cpp
 
-*.pm                               @centreon/owners-perl
-*.pl                               @centreon/owners-perl
-*.t                                @centreon/owners-perl
+*.pm                                @centreon/owners-perl
+*.pl                                @centreon/owners-perl
+*.t                                 @centreon/owners-perl
 
-*.py                               @centreon/owners-python
+*.py                                @centreon/owners-python
 
-*.sh                               @centreon/owners-bash
+*.sh                                @centreon/owners-bash
 
-tests/**                           @centreon/owners-robot-e2e
+tests/**                            @centreon/owners-robot-e2e
 
-.github/**                         @centreon/owners-pipelines
-packaging/**                       @centreon/owners-perl
-selinux/**                         @centreon/owners-pipelines
-.github/scripts/pod_spell_check.t  @centreon/owners-perl
+.github/**                          @centreon/owners-pipelines
+packaging/**                        @centreon/owners-perl
+selinux/**                          @centreon/owners-pipelines
+.github/scripts/pod_spell_check.t   @centreon/owners-perl
 
-.gitleaks.toml                     @centreon/owners-security
-.gitleaksignore                    @centreon/owners-security
+.gitleaks.toml                      @centreon/owners-security
+.gitleaksignore                     @centreon/owners-security
+**/checkmarx-analysis.yml           @centreon/owners-security
diff --git a/.github/workflows/checkmarx-analysis.yml b/.github/workflows/checkmarx-analysis.yml
@@ -0,0 +1,68 @@
+name: Checkmarx scans
+
+on:
+  workflow_call:
+    inputs:
+      module_name:
+        required: true
+        type: string
+      module_directory:
+        required: false
+        type: string
+
+    secrets:
+      base_uri:
+        required: true
+      cx_tenant:
+        required: true
+      cx_client_id:
+        required: true
+      cx_client_secret:
+        required: true
+
+jobs:
+  build:
+    name: Binary preparation
+    runs-on: ubuntu-24.04
+    outputs:
+      enable_analysis: ${{ steps.routing.outputs.enable_analysis }}
+
+    steps:
+      - name: routing
+        id: routing
+        run: |
+          # Quality gate settings
+          ENABLE_QG="true"
+          if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" != "true" ]]; then
+            # disabling all QG in case of incident with the service
+            ENABLE_QG="false"
+            echo "Skipping analysis. Caused by QG override"
+          elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.user.id }}" == "49699333" ]]; then
+            # disabling the QG in case of pull request opened by dependabot bot
+            # As dependabot will ne be able to access GH secrets
+            ENABLE_QG="false"
+            echo "Skipping analysis. Caused by dependabot PR"
+          fi
+          echo "enable_analysis=$ENABLE_QG" >> $GITHUB_OUTPUT
+          cat $GITHUB_OUTPUT
+
+  pipeline-scan:
+    needs: [build]
+    name: Run a pipeline scan
+    runs-on: ubuntu-24.04
+    if: needs.build.outputs.enable_analysis == 'true'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Checkmarx One CLI Action
+        uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # v.2.3.19
+        with:
+          project_name: ${{ inputs.module_name }}
+          base_uri: ${{ secrets.base_uri }}
+          cx_tenant: ${{ secrets.cx_tenant }}
+          cx_client_id: ${{ secrets.cx_client_id }}
+          cx_client_secret: ${{ secrets.cx_client_secret }}
+          source_dir: "./"
+          additional_params: --file-filter "!**/.githooks/**" --scan-types "sast,sca,api-security"
diff --git a/.github/workflows/plugins-analysis.yml b/.github/workflows/plugins-analysis.yml
@@ -0,0 +1,41 @@
+name: plugins-analysis
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '30 0 * * 1-5'
+  pull_request:
+    branches:
+      - develop
+      - master
+  push:
+    branches:
+      - develop
+      - master
+
+jobs:
+  get-environment:
+    uses: ./.github/workflows/get-environment.yml
+
+  checkmarx-analysis:
+    needs: [get-environment]
+    if: |
+      needs.get-environment.outputs.skip_workflow == 'false' &&
+      github.event.pull_request.draft != 'true'
+    uses: ./.github/workflows/checkmarx-analysis.yml
+    with:
+      module_name: centreon-plugins
+    secrets:
+      base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
+      cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
+      cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
+      cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
+
+  set-skip-label:
+    needs: [get-environment, checkmarx-analysis]
+    if: needs.get-environment.outputs.skip_workflow == 'false'
+    uses: ./.github/workflows/set-pull-request-skip-label.yml
