From eb26a0f8c13668fa2d0a9a49b9c1b8ed207c708e Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Tue, 25 Nov 2025 12:36:06 +0530 Subject: [PATCH 1/6] Update Checkmarx workflow with scheduled scan support --- .github/workflows/checkmarx.yml | 49 +++++++++++++++++++++++++++++---- 1 file changed, 43 insertions(+), 6 deletions(-) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index d84a2fa43..c20cd591e 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml @@ -4,17 +4,20 @@ on: branches: - main - master + schedule: + # Run on the 28th of every month at 2 AM UTC (safe for all months) + - cron: '0 2 28 * *' + workflow_dispatch: name: Checkmarx SAST Scan jobs: checkmarx-scan: name: Checkmarx SAST Scan runs-on: ubuntu-latest - timeout-minutes: 30 - + timeout-minutes: 90 + if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' # Skip this job on scheduled runs steps: - name: Checkout Code uses: actions/checkout@v4 - - name: Run Checkmarx SAST Scan uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 with: @@ -24,14 +27,12 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} team: "/CxServer/Security/Deltek/Replicon" - # Project configuration project: Replicon-${{ github.event.repository.name }} scanners: sast # bug_tracker: GitHub - incremental: false + incremental: true break_build: false - # Scan parameters and thresholds params: >- --namespace=${{ github.repository_owner}} 
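Review bot: `incremental: true` on the push/PR job changes what this scan can find, and the trade-off is not recorded where the value is set: as far as I know an incremental Checkmarx scan re-analyses only the files changed since the last full scan, so a finding whose data flow crosses into unchanged code can stay hidden until the monthly full scan that this same commit adds. I would document that dependency next to the flag, e.g. `incremental: true  # changed files only; full coverage comes from checkmarx-scheduled-scan`, so nobody later disables the scheduled job believing the PR scan is complete. The `--namespace` line is the last one visible in this hunk; the rest of `params` lies outside it.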
@@ -41,5 +42,41 @@ jobs: --cx-flow.filterSeverity --cx-flow.thresholds.high=1 --cx-flow.thresholds.medium=1 + --cx-flow.scan-resubmit=true ${{ github.event.number && format('--merge-id={0}', github.event.number)}} + checkmarx-scheduled-scan: + name: Checkmarx scheduled SAST Scan + runs-on: ubuntu-latest + timeout-minutes: 360 + if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + steps: + - name: Checkout Code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.repository.default_branch }} + - name: Run Checkmarx SAST Scan + uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 + with: + # Connection parameters + checkmarx_url: https://cmxext.deltek.com + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + team: "/CxServer/Security/Deltek/Replicon" + # Project configuration + project: Replicon-${{ github.event.repository.name }} + scanners: sast + # bug_tracker: GitHub + incremental: false + break_build: false + # Scan parameters and thresholds + params: >- + --namespace=${{ github.repository_owner}} + --checkmarx.settings-override=true + --repo-name=${{ github.event.repository.name}} + --branch=${{ github.event.repository.default_branch }} + --cx-flow.filterSeverity + --cx-flow.thresholds.high=1 + --cx-flow.thresholds.medium=1 + --cx-flow.scan-resubmit=true From f0f4ce31b07b03a9c8b85ab8a4066d93fd30c5c2 Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Tue, 25 Nov 2025 14:14:39 +0530 Subject: [PATCH 2/6] Update Checkmarx workflow with scheduled scan support --- .github/workflows/checkmarx.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index c20cd591e..d309ca35c 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml 
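Review bot: The new `checkmarx-scheduled-scan` job repeats the entire `with:` block of `checkmarx-scan` (URL, credentials, team, project, thresholds); the only intended differences are `incremental: false`, the checkout `ref` and the `--branch` parameter, so every future tweak must be made twice and the two copies will drift (the next commit in this series already has to add `preset` in both places). Until the shared part is factored out, I would mark the divergence points, e.g. `incremental: false  # full scan: the only intended difference from checkmarx-scan`. Also, because this job's `if:` claims every `workflow_dispatch` run, a manual trigger always costs the 360-minute full scan; a boolean `inputs.full_scan` on `workflow_dispatch` would let an operator choose the quick path instead.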
@@ -27,6 +27,7 @@ jobs:
 checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
 checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
 team: "/CxServer/Security/Deltek/Replicon"
+ preset: "ASA Premium"
 # Project configuration
 project: Replicon-${{ github.event.repository.name }}
 scanners: sast
@@ -64,6 +65,7 @@ jobs:
 checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
 checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
 team: "/CxServer/Security/Deltek/Replicon"
+ preset: "ASA Premium"
 # Project configuration
 project: Replicon-${{ github.event.repository.name }}
 scanners: sast
From 506428b0dfd04b1c14e9829ab5e01c2b1818c097 Mon Sep 17 00:00:00 2001
From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com>
Date: Thu, 27 Nov 2025 12:37:15 +0530
Subject: [PATCH 3/6] schedule a full scan and update the regular scan workflow
---
 .github/workflows/checkmarx.yml | 134 +++++++++++++++++---------------
 1 file changed, 70 insertions(+), 64 deletions(-)
diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml
index d309ca35c..5af0418c5 100644
--- a/.github/workflows/checkmarx.yml
+++ b/.github/workflows/checkmarx.yml
@@ -1,12 +1,11 @@
 on:
- pull_request: {}
+ pull_request:
 push:
 branches:
 - main
 - master
 schedule:
- # Run on the 28th of every month at 2 AM UTC (safe for all months)
- - cron: '0 2 28 * *'
+ - cron: '0 17 * * 2'
 workflow_dispatch:
 name: Checkmarx SAST Scan
 jobs:
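Review bot: The cron change in the `@@ -1,12 +1,11 @@` hunk drops the only comment that explained the schedule, and `'0 17 * * 2'` is far less self-describing than the line it replaces: a reader has to decode the fifth field to learn that the full scan now runs weekly on Tuesdays at 17:00 UTC. I would restore a comment on the new line, e.g. `- cron: '0 17 * * 2'  # weekly full (non-incremental) scan, Tuesdays 17:00 UTC`, especially as the value is changed again later in this series (to `'0 17 * * 1'`) with no note either. The `pull_request: {}` to `pull_request:` change is behaviour-neutral for GitHub Actions, but it leaves a bare null value that yamllint's `empty-values` rule flags when enabled; the explicit `{}` was the clearer form.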
@@ -14,71 +13,78 @@ jobs: name: Checkmarx SAST Scan runs-on: ubuntu-latest timeout-minutes: 90 - if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' # Skip this job on scheduled runs + if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' + steps: - - name: Checkout Code - uses: actions/checkout@v4 - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - # bug_tracker: GitHub - incremental: true - break_build: false - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.ref_name || github.head_ref}} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true - ${{ github.event.number && format('--merge-id={0}', github.event.number)}} - + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Run Checkmarx SAST Scan + uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 + with: + # Connection parameters + checkmarx_url: https://cmxext.deltek.com + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + team: "/CxServer/Security/Deltek/Replicon" + preset: "ASA Premium" + + # Project configuration + project: Replicon-${{ github.event.repository.name }} + scanners: sast + incremental: true + break_build: false + + # Scan parameters and 
thresholds + params: >- + --namespace=${{ github.repository_owner}} + --checkmarx.settings-override=true + --repo-name=${{ github.event.repository.name}} + --branch=${{ github.ref_name || github.head_ref}} + --cx-flow.filterSeverity + --cx-flow.thresholds.high=1 + --cx-flow.thresholds.medium=1 + --cx-flow.scan-resubmit=true + ${{ github.event.number && format('--merge-id={0}', github.event.number)}} + checkmarx-scheduled-scan: name: Checkmarx scheduled SAST Scan runs-on: ubuntu-latest timeout-minutes: 360 if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + steps: - - name: Checkout Code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.repository.default_branch }} - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - # bug_tracker: GitHub - incremental: false - break_build: false - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.event.repository.default_branch }} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true + - name: Checkout Code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.repository.default_branch }} + + - name: Run Checkmarx SAST Scan + uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 + with: + # Connection parameters + checkmarx_url: https://cmxext.deltek.com + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + 
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + team: "/CxServer/Security/Deltek/Replicon" + preset: "ASA Premium" + + # Project configuration + project: Replicon-${{ github.event.repository.name }} + scanners: sast + incremental: false + break_build: false + + # Scan parameters and thresholds + params: >- + --namespace=${{ github.repository_owner}} + --checkmarx.settings-override=true + --repo-name=${{ github.event.repository.name}} + --branch=${{ github.event.repository.default_branch }} + --cx-flow.filterSeverity + --cx-flow.thresholds.high=1 + --cx-flow.thresholds.medium=1 + --cx-flow.scan-resubmit=true + From 6e3aed86bcca38315ec8d583ac61c920cbf765c4 Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Tue, 2 Dec 2025 16:19:17 +0530 Subject: [PATCH 4/6] update concurrency settings --- .github/workflows/checkmarx.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index 5af0418c5..00b0fe520 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml @@ -12,6 +12,9 @@ jobs: checkmarx-scan: name: Checkmarx SAST Scan runs-on: ubuntu-latest + concurrency: + group: checkmarx-${{ github.head_ref || github.ref }} + cancel-in-progress: true timeout-minutes: 90 if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' @@ -51,6 +54,9 @@ jobs: checkmarx-scheduled-scan: name: Checkmarx scheduled SAST Scan runs-on: ubuntu-latest + concurrency: + group: checkmarx-scheduled-scan + cancel-in-progress: true timeout-minutes: 360 if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' From fe5f92d5cab6229fb5824785380bd6e9630bdef5 Mon Sep 17 00:00:00 2001 
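Review bot: In the re-indented `params` of `checkmarx-scan`, `--branch=${{ github.ref_name || github.head_ref}}` never falls through to `head_ref` on pull requests, because for `pull_request` events `github.ref_name` is the non-empty merge ref (`<number>/merge`); Checkmarx is therefore told a branch name such as `123/merge` rather than the PR's source branch. The precedence should be `--branch=${{ github.head_ref || github.ref_name }}`, which is the order the concurrency group added in the next commit already uses for `head_ref || ref`. The line is only re-indented here, so the defect predates the commit, but this hunk rewrites it and is the place to fix it. The hunk starts at the job's `name:` line; the `checkmarx-scan:` key itself precedes the hunk.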
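Review bot: `cancel-in-progress: true` on the `checkmarx-scheduled-scan` concurrency group cancels a running weekly full scan whenever someone triggers `workflow_dispatch`, or the next schedule fires while a multi-hour run is still going, and that is the one scan that is meant to complete, since the PR job is incremental; `cancel-in-progress: false` on that group would queue the manual run behind the full scan instead. Cancelling the job also only stops the runner side, so a scan already submitted to the Checkmarx server may keep running there, which is presumably what `--cx-flow.scan-resubmit=true` is meant to cope with; that deserves a comment on the group. For `checkmarx-scan` the `checkmarx-${{ github.head_ref || github.ref }}` key with cancellation is appropriate, as only the latest commit of a branch needs scanning.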
From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com>
Date: Thu, 4 Dec 2025 12:17:39 +0530
Subject: [PATCH 5/6] use reusable Workflows
---
 .github/workflows/checkmarx.yml | 96 ++++-----------------------------
 1 file changed, 11 insertions(+), 85 deletions(-)
diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml
index 00b0fe520..be37db4d5 100644
--- a/.github/workflows/checkmarx.yml
+++ b/.github/workflows/checkmarx.yml
@@ -5,92 +5,18 @@ on: - main - master schedule: - - cron: '0 17 * * 2' + - cron: '0 17 * * 1' workflow_dispatch: name: Checkmarx SAST Scan jobs: - checkmarx-scan: - name: Checkmarx SAST Scan - runs-on: ubuntu-latest - concurrency: - group: checkmarx-${{ github.head_ref || github.ref }} - cancel-in-progress: true - timeout-minutes: 90 - if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' + call-reusable-checkmarx: + name: Call Reusable Checkmarx Workflow + uses: Replicon/time-intelligence-web/.github/workflows/reusable-checkmarx.yml@main + with: + timeout_minutes: 90 + scheduled_timeout_minutes: 360 + secrets: + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - steps: - - name: Checkout Code - uses: actions/checkout@v4 - - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - incremental: true - break_build: false - - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.ref_name || github.head_ref}} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true - ${{ github.event.number && format('--merge-id={0}', github.event.number)}} - - checkmarx-scheduled-scan: - name: Checkmarx scheduled SAST Scan - runs-on: ubuntu-latest - concurrency: - group: 
checkmarx-scheduled-scan - cancel-in-progress: true - timeout-minutes: 360 - if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' - - steps: - - name: Checkout Code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.repository.default_branch }} - - - name: Run Checkmarx SAST Scan - uses: checkmarx-ts/checkmarx-cxflow-github-action@v2.3 - with: - # Connection parameters - checkmarx_url: https://cmxext.deltek.com - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - team: "/CxServer/Security/Deltek/Replicon" - preset: "ASA Premium" - - # Project configuration - project: Replicon-${{ github.event.repository.name }} - scanners: sast - incremental: false - break_build: false - - # Scan parameters and thresholds - params: >- - --namespace=${{ github.repository_owner}} - --checkmarx.settings-override=true - --repo-name=${{ github.event.repository.name}} - --branch=${{ github.event.repository.default_branch }} - --cx-flow.filterSeverity - --cx-flow.thresholds.high=1 - --cx-flow.thresholds.medium=1 - --cx-flow.scan-resubmit=true - From 64fcd6e2fb5cc582665dbeea3aa213e3a4443f0a Mon Sep 17 00:00:00 2001 From: repl-neha-belwal <91696048+repl-neha-belwal@users.noreply.github.com> Date: Wed, 17 Dec 2025 16:26:31 +0530 Subject: [PATCH 6/6] Update Checkmarx workflow to use shared-workflow reusable workflow --- .github/workflows/checkmarx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index be37db4d5..9a8c4419a 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml 
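Review bot: `uses: Replicon/time-intelligence-web/.github/workflows/reusable-checkmarx.yml@main` hands three Checkmarx secrets to whatever the `main` branch of another repository contains at run time, and after this change none of the scan parameters (preset, thresholds, `break_build`, the branch reported to Checkmarx) is visible or reviewable in this repo any more. The final commit in the series moves the reference to `Replicon/shared-workflow/...@v1`, which is still a movable tag, so the same point applies to that hunk: pin the reusable workflow to a full commit SHA with the tag in a trailing comment, e.g. `uses: Replicon/shared-workflow/.github/workflows/reusable-checkmarx.yml@<commit-sha>  # v1`, and bump it deliberately. A short comment at the call site naming what the called workflow decides on this repo's behalf (event-name split between PR and scheduled jobs, thresholds) would also help the next reader. The cron also moves from `'0 17 * * 2'` to `'0 17 * * 1'` in this hunk without any note.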
@@ -11,7 +11,7 @@ name: Checkmarx SAST Scan
 jobs:
 call-reusable-checkmarx:
 name: Call Reusable Checkmarx Workflow
- uses: Replicon/time-intelligence-web/.github/workflows/reusable-checkmarx.yml@main
+ uses: Replicon/shared-workflow/.github/workflows/reusable-checkmarx.yml@v1
 with:
 timeout_minutes: 90
 scheduled_timeout_minutes: 360