
Add GitHub Actions Support to Checkmarx 2MS Tool

Open bryantschuck opened this issue 2 years ago • 10 comments

Description: The Checkmarx 2MS tool is a powerful secret leakage detection tool that helps developers identify sensitive data and other secrets that may have been unintentionally leaked within their code repositories. To integrate this tool effectively into the development workflow, we need to add support for GitHub Actions to Checkmarx 2MS.

Technical Details: To add GitHub Actions support to Checkmarx 2MS, we will create a custom action that can be used within GitHub workflows. This action will leverage the Checkmarx 2MS tool to scan a specified code repository for potential secret leakage issues and provide detailed results to the user. The action should be configurable, allowing users to specify the repository to scan, the API key to use for authentication, and any other relevant options.

Once the custom action is created, we can add it to the GitHub Marketplace, making it easily accessible for users. Additionally, we will provide documentation on how to integrate this action into existing workflows and best practices for using the Checkmarx 2MS tool for secret leakage detection within the GitHub ecosystem.

bryantschuck avatar Apr 12 '23 17:04 bryantschuck

Depends on #30

baruchiro avatar Apr 16 '23 11:04 baruchiro

Can we integrate into https://github.com/Checkmarx/ast-github-action/ instead of maintaining yet another GH?

CC @pedrompflopes

kaplanlior avatar May 02 '23 00:05 kaplanlior

@kaplanlior I see people using this tool freely in their indie projects, without being Checkmarx customers.

Having said that, we can guide them on how to use ast-github-action for only 2ms.

baruchiro avatar May 02 '23 09:05 baruchiro

I'm suggesting waiting for #66

baruchiro avatar Jun 05 '23 11:06 baruchiro

I suggest we do both:

  1. creating a GitHub action for 2ms
  2. contributing a PR for ast-github-action with the additions

This will be flexible for all users.

jossef avatar Jun 12 '23 09:06 jossef

I talked with Pedro and he also thinks we should have our own GitHub Action for the open source project.

kaplanlior avatar Jun 12 '23 09:06 kaplanlior

Two examples of implementing a GitHub Action based on Docker:

  1. ast-github-action
  2. kics-github-action

They both contain an entrypoint.sh file with a lot of code to handle action inputs, and I want to avoid that (but I'm not sure if I can). One option is to download the 2ms executable from the release instead of running it as a Docker container, but I'm not sure if that is the better way.

baruchiro avatar Jun 12 '23 11:06 baruchiro

Regarding ast-github-action, talk with Pedro. Follow the kics-github-action flow.

baruchiro avatar Jun 15 '23 10:06 baruchiro

Check the possibility of uploading a report to mark the secret on the code, like in Kics.

See why gitleaks is not using GitHub Code Scanning.

But we can do annotations like in Kics.

baruchiro avatar Jul 03 '23 12:07 baruchiro
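As an added illustration of the two points raised above (the entrypoint.sh input handling that a Docker-based action needs, and marking findings on the code with annotations as kics-github-action does), here is a minimal entrypoint script. It is example code written for this thread, not the 2ms project's entrypoint; the flag names it produces and the `path:line:rule` findings format it consumes are assumptions standing in for whatever the real scanner accepts and emits, and the sample findings are constructed.

```shell
#!/usr/bin/env bash
# Example entrypoint.sh for a Docker-based GitHub Action wrapping a secret scanner.
# Not the 2ms project's code: the scanner flags and the findings format are placeholders.
set -eu

# GitHub passes every `with:` input to the container as INPUT_<NAME> (name upper-cased).
# Turn INPUT_IGNORE_RULE=foo into "--ignore-rule foo". Empty inputs are skipped so that
# optional inputs left blank in the workflow do not turn into empty flags.
# Limitation: the result is a single string, so values containing spaces would be split
# when passed to the scanner; a production entrypoint should build an array instead.
build_args_from_inputs() {
  sep=""
  env | { grep '^INPUT_' || true; } | sort | while IFS='=' read -r name value; do
    [ -n "$value" ] || continue
    flag=$(printf '%s' "${name#INPUT_}" | tr 'A-Z_' 'a-z-')
    printf '%s--%s %s' "$sep" "$flag" "$value"
    sep=" "
  done
}

# Emit a GitHub workflow command so the finding shows up as an inline annotation on the
# file in the pull request (the "annotations like in Kics" approach). Only the location
# and the rule id are printed; the matched value itself must never reach the job log.
annotate_finding() {
  printf '::warning file=%s,line=%s,title=Possible secret::rule %s matched; rotate the credential and purge it from history\n' "$1" "$2" "$3"
}

# Read findings from stdin, one "path:line:rule" record per line (assumed format), and
# print one annotation per finding. Blank lines are ignored.
report_findings() {
  while IFS=: read -r path line rule; do
    [ -n "$path" ] || continue
    annotate_finding "$path" "$line" "$rule"
  done
}

# Count findings so the job can be failed when any secret was reported.
finding_count() {
  grep -c . || true
}

# Constructed sample output standing in for what the scanner would produce.
SAMPLE_FINDINGS='src/app.py:12:aws-access-key
config/.env:3:generic-api-key'

# In the real container this would be:  scanner_binary $(build_args_from_inputs) | report_findings
# Here the constructed sample is used instead so the script runs without the scanner.
printf '%s\n' "$SAMPLE_FINDINGS" | report_findings
echo "findings: $(printf '%s\n' "$SAMPLE_FINDINGS" | finding_count)"
```

In a workflow the action's `with:` block becomes the INPUT_* variables, the annotations appear on the changed files in the pull request view, and the count is what the entrypoint would turn into a non-zero exit status to fail the job.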

Should be assigned to @ShimonMizrahi

baruchiro avatar Jul 24 '23 09:07 baruchiro