From 5a2d23953671775acc35408388264fd53e6bb48c Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Tue, 18 Nov 2025 12:25:48 +0530 Subject: [PATCH 1/7] set scan-resubmit to true --- .github/workflows/checkmarx.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index d84a2fa..3e32a8c 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml @@ -41,5 +41,6 @@ jobs: --cx-flow.filterSeverity --cx-flow.thresholds.high=1 --cx-flow.thresholds.medium=1 + --cx-flow.scan-resubmit=true ${{ github.event.number && format('--merge-id={0}', github.event.number)}} From 7bee5cdf44b0b26b5c1f32ebaacfb6781a61a6f2 Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Tue, 25 Nov 2025 11:46:40 +0530 Subject: [PATCH 2/7] Update Checkmarx workflow with scheduled scan support --- .github/workflows/checkmarx.yml | 48 ++++++++++++++++++++++++++++----- 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index 3e32a8c..c20cd59 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml @@ -4,17 +4,20 @@ on: branches: - main - master + schedule: + # Run on the 28th of every month at 2 AM UTC (safe for all months) + - cron: '0 2 28 * *' + workflow_dispatch: name: Checkmarx SAST Scan jobs: checkmarx-scan: name: Checkmarx SAST Scan runs-on: ubuntu-latest - timeout-minutes: 30 - + timeout-minutes: 90 + if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' # Skip this job on scheduled runs steps: - name: Checkout Code uses: actions/checkout@v4 - - name: Run Checkmarx SAST Scan uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 with: 
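Review bot: `--cx-flow.scan-resubmit=true` is added with no comment, and its effect is not obvious from the name: as I read the CxFlow docs it makes CxFlow cancel a scan already running for the target project and submit a fresh one. Because `project:` is fixed to `Replicon-<repo>` for every branch (the `params` block this hunk sits in starts outside the hunk), a push on one branch can abort an in-flight scan of another branch, or of the default branch, rather than queue behind it — worth confirming on the Checkmarx side that this is intended. Suggest `# cancel any in-flight scan of this (shared, per-repo) Cx project and resubmit` above the flag.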
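Review bot: The comment on the new `if:` line says `# Skip this job on scheduled runs`, but the condition also excludes `workflow_dispatch`, so a manual run from the Actions UI never executes this job; the comment should say so, e.g. `# schedule and workflow_dispatch run the full scan in checkmarx-scheduled-scan instead`. The `timeout-minutes` increase to 90 and the `schedule:` trigger look fine; note that GitHub treats cron triggers as best-effort and may delay or skip them under load, which makes the `workflow_dispatch` fallback the right addition. The `checkmarx-scan` job continues past the end of this hunk.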
@@ -24,14 +27,12 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} team: "/CxServer/Security/Deltek/Replicon" - # Project configuration project: Replicon-${{ github.event.repository.name }} scanners: sast # bug_tracker: GitHub - incremental: false + incremental: true break_build: false - # Scan parameters and thresholds params: >- --namespace=${{ github.repository_owner}} @@ -44,3 +45,38 @@ jobs: --cx-flow.scan-resubmit=true ${{ github.event.number && format('--merge-id={0}', github.event.number)}} + checkmarx-scheduled-scan: + name: Checkmarx scheduled SAST Scan + runs-on: ubuntu-latest + timeout-minutes: 360 + if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + steps: + - name: Checkout Code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.repository.default_branch }} + - name: Run Checkmarx SAST Scan + uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 + with: + # Connection parameters + checkmarx_url: https://cmxext.deltek.com + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + team: "/CxServer/Security/Deltek/Replicon" + # Project configuration + project: Replicon-${{ github.event.repository.name }} + scanners: sast + # bug_tracker: GitHub + incremental: false + break_build: false + # Scan parameters and thresholds + params: >- + --namespace=${{ github.repository_owner}} + --checkmarx.settings-override=true + --repo-name=${{ github.event.repository.name}} + --branch=${{ github.event.repository.default_branch }} + --cx-flow.filterSeverity + --cx-flow.thresholds.high=1 + --cx-flow.thresholds.medium=1 + --cx-flow.scan-resubmit=true From 777d179324d6c23758ad8cf8b16eb93726791493 Mon Sep 17 00:00:00 2001 
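Review bot: `incremental: true` is switched on for the PR/push job without recording the trade-off it introduces: an incremental Checkmarx scan, as I understand it, rescans only changed files and can miss data-flow findings that pass through unchanged files, which is presumably why this same patch adds a separate full scan. Put that reasoning next to the setting so the next maintainer does not flip it back: `# incremental: fast PR feedback; cross-file flows may be missed — checkmarx-scheduled-scan runs the full scan`. The `params` block this hunk touches continues past its end.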
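Review bot: The checkout `ref:` and `--branch=` of the new `checkmarx-scheduled-scan` job both read `github.event.repository.default_branch`, which ignores the ref a user selects when triggering `workflow_dispatch` (a dispatch from a feature branch still scans `main`) and, for `schedule` events, relies on a payload field GitHub does not document the event as carrying. `github.ref_name` is the default branch on scheduled runs and the chosen ref on manual runs, so `ref: ${{ github.ref_name }}` together with `--branch=${{ github.ref_name }}` matches both triggers; if the intent really is to always scan the default branch, say so in a comment beside `ref:` and verify on one scheduled run that the expression is non-empty, because an empty `--branch=` is passed straight to CxFlow here with no check. Also note that `--cx-flow.scan-resubmit=true` is copied into this job, so a PR scan arriving mid full-scan may cancel it if both share the `Replicon-<repo>` project — the 360-minute budget suggests that is not wanted.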
From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Tue, 25 Nov 2025 12:12:04 +0530 Subject: [PATCH 3/7] Update Checkmarx workflow with scheduled scan support From ab94c327bb391fcbfaa7cc7809abf4215bd17595 Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Tue, 25 Nov 2025 13:45:44 +0530 Subject: [PATCH 4/7] Update Checkmarx workflow with scheduled scan support --- .github/workflows/checkmarx.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index c20cd59..d309ca3 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml @@ -27,6 +27,7 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} team: "/CxServer/Security/Deltek/Replicon" + preset: "ASA Premium" # Project configuration project: Replicon-${{ github.event.repository.name }} scanners: sast @@ -64,6 +65,7 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} team: "/CxServer/Security/Deltek/Replicon" + preset: "ASA Premium" # Project configuration project: Replicon-${{ github.event.repository.name }} scanners: sast From e3a8fbbcae20687c0e03462d00a452376185a050 Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Thu, 27 Nov 2025 12:40:16 +0530 Subject: [PATCH 5/7] schedule a full scan and update the regular scan workflow --- .github/workflows/checkmarx.yml | 134 +++++++++++++++++--------------- 1 file changed, 70 insertions(+), 64 deletions(-) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index d309ca3..4884e5b 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml 
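Review bot: `preset: "ASA Premium"` is now combined with the pre-existing `--checkmarx.settings-override=true`, which as I read CxFlow pushes the preset from this file onto the server-side project on every run; the project's scan preset is therefore governed by whoever can edit this workflow, and for same-repository `pull_request` runs that is the PR author, since the workflow file from the PR head is what executes. Either drop `settings-override` and manage the preset in Checkmarx, or protect `.github/workflows/` with CODEOWNERS and required review, and in any case add `# pushed to the Cx project each run via --checkmarx.settings-override=true` so the coupling is visible. The same string is duplicated in both jobs; a single workflow-level `env:` value would keep them from drifting.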
@@ -1,12 +1,11 @@
 on:
-  pull_request: {}
+  pull_request:
   push:
     branches:
       - main
       - master
   schedule:
-    # Run on the 28th of every month at 2 AM UTC (safe for all months)
-    - cron: '0 2 28 * *'
+    - cron: '0 19 * * 1'
   workflow_dispatch:
 name: Checkmarx SAST Scan
 jobs:
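Review bot: The schedule moves from monthly to weekly (`'0 19 * * 1'`, Mondays 19:00 UTC) but the explanatory comment is deleted rather than updated, leaving a bare cron string; keep one line such as `# Weekly full SAST scan: Mondays 19:00 UTC (best-effort — GitHub may delay scheduled runs)`. `pull_request: {}` → `pull_request:` is equivalent (both select the default activity types), so there is no behaviour change there.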
@@ -14,71 +13,78 @@ jobs: name: Checkmarx SAST Scan runs-on: ubuntu-latest timeout-minutes: 90 - if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' # Skip this job on scheduled runs + if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' + steps: - - name: Checkout Code - uses: actions/checkout@v4 - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - # bug_tracker: GitHub - incremental: true - break_build: false - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.ref_name || github.head_ref}} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true - ${{ github.event.number && format('--merge-id={0}', github.event.number)}} - + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Run Checkmarx SAST Scan + uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 + with: + # Connection parameters + checkmarx_url: https://cmxext.deltek.com + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + team: "/CxServer/Security/Deltek/Replicon" + preset: "ASA Premium" + + # Project configuration + project: Replicon-${{ github.event.repository.name }} + scanners: sast + incremental: true + break_build: false + + # Scan parameters and 
thresholds + params: >- + --namespace=${{ github.repository_owner}} + --checkmarx.settings-override=true + --repo-name=${{ github.event.repository.name}} + --branch=${{ github.ref_name || github.head_ref}} + --cx-flow.filterSeverity + --cx-flow.thresholds.high=1 + --cx-flow.thresholds.medium=1 + --cx-flow.scan-resubmit=true + ${{ github.event.number && format('--merge-id={0}', github.event.number)}} + checkmarx-scheduled-scan: name: Checkmarx scheduled SAST Scan runs-on: ubuntu-latest timeout-minutes: 360 if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + steps: - - name: Checkout Code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.repository.default_branch }} - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - # bug_tracker: GitHub - incremental: false - break_build: false - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.event.repository.default_branch }} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true + - name: Checkout Code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.repository.default_branch }} + + - name: Run Checkmarx SAST Scan + uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 + with: + # Connection parameters + checkmarx_url: https://cmxext.deltek.com + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + 
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + team: "/CxServer/Security/Deltek/Replicon" + preset: "ASA Premium" + + # Project configuration + project: Replicon-${{ github.event.repository.name }} + scanners: sast + incremental: false + break_build: false + + # Scan parameters and thresholds + params: >- + --namespace=${{ github.repository_owner}} + --checkmarx.settings-override=true + --repo-name=${{ github.event.repository.name}} + --branch=${{ github.event.repository.default_branch }} + --cx-flow.filterSeverity + --cx-flow.thresholds.high=1 + --cx-flow.thresholds.medium=1 + --cx-flow.scan-resubmit=true + From 4799bdb86aae9d53c5398e9e87c2114b1e7a27a6 Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Tue, 2 Dec 2025 16:22:38 +0530 Subject: [PATCH 6/7] update concurrency settings --- .github/workflows/checkmarx.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index 4884e5b..9d3af3b 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml @@ -12,6 +12,9 @@ jobs: checkmarx-scan: name: Checkmarx SAST Scan runs-on: ubuntu-latest + concurrency: + group: checkmarx-${{ github.head_ref || github.ref }} + cancel-in-progress: true timeout-minutes: 90 if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' @@ -51,6 +54,9 @@ jobs: checkmarx-scheduled-scan: name: Checkmarx scheduled SAST Scan runs-on: ubuntu-latest + concurrency: + group: checkmarx-scheduled-scan + cancel-in-progress: true timeout-minutes: 360 if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' From e6ad734c4902df4fbaf2b978bc6b2ccf3d107317 Mon Sep 17 00:00:00 2001 
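Review bot: `cancel-in-progress: true` on the `checkmarx-scheduled-scan` group means a `workflow_dispatch` run (or an overlapping cron tick) kills a weekly full scan that this job budgets up to 360 minutes for, and cancelling the GitHub job does not cancel the scan already submitted to the Checkmarx server — only the result handling is lost. For that group `cancel-in-progress: false` queues the new run behind the old one, which is the usual choice for a long full scan; cancelling is reasonable for the per-branch PR group. A one-line comment on each group stating what it serialises, e.g. `# one scan per branch/PR; a newer push supersedes the older run`, would make the intent explicit.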
From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Thu, 4 Dec 2025 12:20:54 +0530 Subject: [PATCH 7/7] use reusable Workflows --- .github/workflows/checkmarx.yml | 94 ++++----------------------------- 1 file changed, 10 insertions(+), 84 deletions(-) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index 9d3af3b..65b827c 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml 
@@ -9,88 +9,14 @@ on: workflow_dispatch: name: Checkmarx SAST Scan jobs: - checkmarx-scan: - name: Checkmarx SAST Scan - runs-on: ubuntu-latest - concurrency: - group: checkmarx-${{ github.head_ref || github.ref }} - cancel-in-progress: true - timeout-minutes: 90 - if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' + call-reusable-checkmarx: + name: Call Reusable Checkmarx Workflow + uses: Replicon/time-intelligence-web/.github/workflows/reusable-checkmarx.yml@main + with: + timeout_minutes: 90 + scheduled_timeout_minutes: 360 + secrets: + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - steps: - - name: Checkout Code - uses: actions/checkout@v4 - - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - incremental: true - break_build: false - - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.ref_name || github.head_ref}} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true - ${{ github.event.number && format('--merge-id={0}', github.event.number)}} - - checkmarx-scheduled-scan: - name: Checkmarx scheduled SAST Scan - runs-on: ubuntu-latest - concurrency: - group: checkmarx-scheduled-scan - cancel-in-progress: true - timeout-minutes: 360 - if: 
github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' - - steps: - - name: Checkout Code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.repository.default_branch }} - - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - incremental: false - break_build: false - - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.event.repository.default_branch }} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true -
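Review bot: `uses: Replicon/time-intelligence-web/.github/workflows/reusable-checkmarx.yml@main` pins the reusable workflow to a mutable branch, so any commit to `main` in that repository immediately changes what runs with this repository's `CHECKMARX_*` secrets, with no review here; pin to a tag or full commit SHA (`@<sha>  # vX.Y`) and bump it deliberately, or at least point at a protected branch. Passing an explicit `secrets:` list rather than `secrets: inherit` is the right choice. The caller no longer carries `concurrency:` or the `if:` split between PR and scheduled runs, so confirm the reusable workflow reproduces both — it can, since it sees the caller's `github.event_name`, but nothing in this hunk shows it — otherwise overlapping PR pushes will race again. The hunk's removed lines are the old inline jobs; nothing else of the file is visible here.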