This repository contains tools for assisting deployment of supply chain vulnerability scanning with Checkmarx products. A complete user manual and downloadable components can be found in the releases area to the right side of this page.
If you are using Checkmarx SCA or Checkmarx One with SCA and need to execute SCA Resolver in a build pipeline or on demand from an SCM webhook event, the toolkit is for you.
The toolkit is used by these GitHub actions published by Checkmarx Professional Services:
- For SCA standalone and optionally CxSAST: CxFlow++ GitHub Action
- For Checkmarx One: CxOne++ GitHub Action
- Download the latest release of the build-environment.
- Expand the build-environment zip in a temporary directory.
- Use the `download_resolver.sh` script to install the SCA Resolver executable appropriate for your execution platform.
- Invoke SCA Resolver directly as part of orchestrating scans or via the Checkmarx One CLI.
If your build is performed by executing build tools defined in an existing container, the toolkit will allow you to create a new container that extends that existing container with SCA Resolver. The image can be pre-built and cached in your container registry, or it can be built dynamically using the `autobuild.sh` script.
Dynamically building an extended container and invoking the SCA Resolver can be done with the following steps:
- Download the latest release of the build-environment.
- Expand the build-environment zip in a temporary directory.
- Use the `autobuild.sh` script to build the extended container.
- Invoke SCA Resolver in the container by:
  a. Mapping the code to scan to the documented paths in the container.
  b. Passing arguments to the container on the command line that are passed through to the SCA Resolver.
Please see the manual for more information about mapping volumes to the container. Note that the Checkmarx One CLI is also installed as part of the container extension and will invoke the container's SCA Resolver if given the appropriate parameters.
This topic is complex and does not have a quick method of implementation. Please contact Checkmarx Professional Services for implementation consulting.