You can integrate Checkmarx DAST into your GitHub Actions CI/CD pipelines, so that DAST scans run from your GitHub repositories as part of the workflow.
The Checkmarx DAST CLI authenticates with a Checkmarx One API key. The key is a credential: keep it in a GitHub secret and never paste it into the workflow file. To generate a key and make it available to the action, follow these steps:
- Go to Identity and Access Management
- Go to API Keys
- Create a new API key
- Copy the generated key
- Create a GitHub Actions repository (or organization) secret from the key copied in the previous step
- Set the environment variable `CX_APIKEY` to your newly created secret
```yaml
steps:
  - name: Checkmarx DAST Github Action
    uses: Checkmarx/[email protected]
    env:
      CX_APIKEY: ${{ secrets.CX_ONE_API_KEY }}
```
| Variable | Example Value | Description | Required |
|---|---|---|---|
| command | web | The type of scan to perform (`web` or `api`) | true |
| config | ./zap_config.yaml | The path to the ZAP configuration file | true |
| base_url | localhost.cxast.net | The base URL of the Checkmarx One application | true |
| environment_id | c608a51a-ec4e-4eef-81c4-a0241737efd7 | The environment ID retrieved from DAST in Checkmarx One | true |
| openapi | ./swagger.yaml | The path to the OpenAPI file (cannot be combined with `postman`) | true (api scan only) |
| postman | ./postman_collection.json | The path to the Postman collection file (cannot be combined with `openapi`) | true (api scan only) |
| project_id | fd093dde-b64a-466f-b2cd-8bf141b4db94 | The project ID retrieved from the Projects tab in Checkmarx One | false (api scan only) |
| output | ./output | The path where the output files (ZAP log and original results) are written | false |
| timeout | 10000 | The ZAP engine timeout in seconds (default: 300) | false |
| update_interval | 10 | The interval, in seconds, at which scan progress is logged (default: 10) | false |
| jvm_properties | -Xmx512m | The JVM properties passed to the ZAP engine (default: -Xmx3G) | false |
| log_level | info | The DAST log level (default: info) | false |
| verbose | true | Set to true to print the logs to stdout (default: false) | false |
| fail_on | high | The minimum finding severity at which the action fails the job | false |
| retry | 3 | Number of times to retry requests to Checkmarx One (AST) on connection failure (default: 3) | false |
| retry_delay | 20 | Time between retries in seconds; use together with `retry` (default: 20) | false |
| proxy-url | http://myproxy.com | Override the proxy used by the ZAP engine | false |
| proxy-port | 8088 | The port number for the proxy | false |
| poll-timeout | 600 | Poll timeout in seconds when uploading results (default: 600) | false |
| poll-ticker | 30 | Time interval between poll requests, in seconds (default: 30) | false |
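The rules in the inputs table (which inputs are required, that `openapi` and `postman` are mutually exclusive, which fields are integers or IDs) and the authentication requirement above (`CX_APIKEY` must come from a GitHub secret) can be checked before a workflow is pushed. The following pre-flight lint is an added example written for this page; it is not code from the Checkmarx project or the action itself. It takes a step as a plain Python dict (the `env:` and `with:` maps), so no YAML library is needed, and the sample steps at the bottom are constructed for illustration. The accepted `fail_on` severities are an assumption, since the table only shows `high`.

```python
"""Pre-flight lint for Checkmarx DAST GitHub Action step inputs.

Added example, not code from the Checkmarx project. It encodes the rules in
the inputs table (required inputs, openapi/postman exclusivity, integer
fields, UUID identifiers) plus one check a reviewer always wants: CX_APIKEY
must be a ${{ secrets.* }} reference, never a literal key in the workflow.
ASSUMED_SEVERITIES is an assumption; the table only shows "high".
"""
import re
import uuid

REQUIRED_ALWAYS = ("command", "config", "base_url", "environment_id")
INTEGER_INPUTS = ("timeout", "update_interval", "retry", "retry_delay",
                  "proxy-port", "poll-timeout", "poll-ticker")
ASSUMED_SEVERITIES = {"low", "medium", "high", "critical"}  # assumption
# A GitHub Actions expression that reads from the secrets context, e.g.
# ${{ secrets.CX_ONE_API_KEY }}. Anything else is a hardcoded credential.
SECRET_EXPR = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")


def validate_step(step: dict) -> list[str]:
    """Return the list of problems found in one workflow step (empty if clean)."""
    errors = []
    inputs = step.get("with", {}) or {}
    env = step.get("env", {}) or {}

    # Authentication: the API key must come from a secret, not a literal.
    api_key = str(env.get("CX_APIKEY", ""))
    if not api_key:
        errors.append("env.CX_APIKEY is not set")
    elif not SECRET_EXPR.match(api_key):
        errors.append("env.CX_APIKEY must reference ${{ secrets.* }}, not a literal")

    # Inputs the table marks as required for every scan type.
    for key in REQUIRED_ALWAYS:
        if not str(inputs.get(key, "")).strip():
            errors.append(f"missing required input: {key}")

    command = str(inputs.get("command", "")).lower()
    if command not in ("web", "api"):
        errors.append(f"command must be 'web' or 'api', got {command!r}")

    # API scans need exactly one API definition; web scans take none.
    has_openapi = "openapi" in inputs
    has_postman = "postman" in inputs
    if command == "api" and has_openapi == has_postman:
        errors.append("api scan requires exactly one of openapi or postman")
    if command == "web" and (has_openapi or has_postman):
        errors.append("openapi/postman only apply to api scans")

    # Checkmarx One identifiers are UUIDs (see the example values).
    for key in ("environment_id", "project_id"):
        if key in inputs:
            try:
                uuid.UUID(str(inputs[key]))
            except ValueError:
                errors.append(f"{key} is not a UUID")

    # Timeouts, intervals, counts and ports are whole numbers of seconds/units.
    for key in INTEGER_INPUTS:
        if key in inputs and not re.fullmatch(r"\d+", str(inputs[key])):
            errors.append(f"{key} must be a non-negative integer")

    if "proxy-port" in inputs and "proxy-url" not in inputs:
        errors.append("proxy-port given without proxy-url")

    fail_on = inputs.get("fail_on")
    if fail_on is not None and str(fail_on).lower() not in ASSUMED_SEVERITIES:
        errors.append(f"fail_on {fail_on!r} is not a known severity")

    return errors


# Constructed sample steps: one mirroring the web example on this page, and
# one deliberately broken API step.
WEB_STEP = {
    "env": {"CX_APIKEY": "${{ secrets.CX_ONE_API_KEY }}"},
    "with": {
        "command": "web",
        "config": "zap_config.yaml",
        "base_url": "localhost.cxast.net",
        "environment_id": "c608a51a-ec4e-4eef-81c4-a0241737efd7",
        "fail_on": "HIGH",
        "verbose": True,
    },
}

BAD_API_STEP = {
    "env": {"CX_APIKEY": "cx1_live_abc123"},  # hardcoded key (constructed value)
    "with": {
        "command": "api",
        "config": "zap_api_config.yaml",
        "base_url": "localhost.cxast.net",
        "environment_id": "not-a-uuid",
        "openapi": "swagger.yaml",
        "postman": "postman_collection.json",  # both given: not allowed
        "timeout": "10s",                      # not an integer
    },
}

if __name__ == "__main__":
    for name, step in (("web", WEB_STEP), ("bad-api", BAD_API_STEP)):
        problems = validate_step(step)
        print(f"{name}: {len(problems)} problem(s)")
        for problem in problems:
            print(f"  - {problem}")
```

Running the file reports no problems for `WEB_STEP` and four for `BAD_API_STEP` (hardcoded key, both API definitions given, non-UUID environment ID, non-integer timeout). In a real pipeline you would load the step map from the workflow YAML and run this as a pre-commit or pull-request check, so a leaked literal `CX_APIKEY` never reaches the default branch.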
Example workflow steps for a web scan:

```yaml
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
  # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
  - uses: actions/checkout@v3
  # Run a Checkmarx DAST web scan against the configured environment
  - name: Checkmarx DAST Github Action
    uses: Checkmarx/[email protected]
    env:
      CX_APIKEY: ${{ secrets.CX_ONE_API_KEY }}
    with:
      command: "web"
      config: 'zap_config.yaml'
      base_url: "localhost.cxast.net"
      environment_id: "c608a51a-ec4e-4eef-81c4-a0241737efd7"
      fail_on: "HIGH"
      verbose: true
```
Example workflow steps for an API scan driven by an OpenAPI definition (use `postman` instead of `openapi` for a Postman collection; the two cannot be combined):

```yaml
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
  # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
  - uses: actions/checkout@v3
  # Run a Checkmarx DAST API scan using the OpenAPI file from the repository
  - name: Checkmarx DAST Github Action
    uses: Checkmarx/[email protected]
    env:
      CX_APIKEY: ${{ secrets.CX_ONE_API_KEY }}
    with:
      command: "api"
      config: 'zap_api_config.yaml'
      base_url: "localhost.cxast.net"
      environment_id: "c608a51a-ec4e-4eef-81c4-a0241737efd7"
      openapi: "swagger.yaml"
      project_id: "fd093dde-b64a-466f-b2cd-8bf141b4db94"
      fail_on: "HIGH"
      verbose: true
```