Today, Checkmarx announced a new GitHub Action to bring seamless and automated security scans within GitHub repositories. Our new Action for GitHub integrates Checkmarx SAST (CxSAST) and Checkmarx SCA (CxSCA) directly into the GitHub platform, providing our comprehensive static and open source security testing to developers within the development environment they work in. Now, SAST and SCA security scans can be automatically triggered in the event of pull requests and the results are embedded directly into the GitHub CI/CD pipeline, streamlining developer workflows and empowering them to release code quickly without compromising on security.
We sat down with Ken McDonald, Principal Integrations Engineer at Checkmarx, to learn more about how Checkmarx’s new GitHub Action works and how it helps developers secure code.
Q: Tell me about the new Checkmarx GitHub Action.
Ken: The new integration developed by Checkmarx for GitHub Actions can be easily leveraged to work seamlessly within the GitHub ecosystem by triggering source code and dependency scanning with our Checkmarx SAST and SCA solution. Results of the scan are then published as findings to the repository’s Security Alerts, or alternatively, any number of developer feedback channels that Checkmarx supports. These results can be narrowed down according to an established and configurable policy to ensure developers focus on what matters.
Q: How does this Action help developers secure code?
Ken: This solution helps developers write secure code by simplifying the workflow and allowing the developers to work within their desired code development ecosystem. This includes from pull request code reviews, as well as having the ability to break builds based on policy criteria violations during early stages of development activities. Developers simply do not have to go out of their way to scan and manage code vulnerability findings, as results are optionally managed through GitHub Security Alerts or Issues (if desired).
Q: How does the solution work?
Ken: The Checkmarx GitHub Action was developed using the Docker/Container approach to building and publishing a GitHub Action. This allowed Checkmarx to easily build our integration on top of our existing technologies, which are aimed at scan orchestration and continuous developer feedback through many channels. The output for the GitHub Action is the OASIS SARIF format, which is published to the GitHub code scanning UI. The Checkmarx scanning solutions have no requirement for compiling code in order to complete SAST results. This allows the integration to run smoothly and without compilation challenges. Code is simply sent to Checkmarx and we make sense of it. For more information regarding Checkmarx’s source code management (SCM) integration technology, which is available on GitHub, visit here: https://github.com/checkmarx-ltd/cx-flow.
Q: Does Checkmarx have any other capabilities with GitHub worth mentioning?
Ken: Checkmarx’s integration technologies, which the Checkmarx GitHub Action is built on, provides many capabilities for GitHub. These include full support of Webhooks for push and pull requests coming from GitHub repositories and tight integration into pull request feedback (including blocking/failing ability to merge), as well as GitHub Issues. GitHub Issues is core to our developer-first commitment. This allows for developer feedback directly where issue management is desired. Support for Jira and other backlog management tools is also supported in a closed-loop nature where issues will automatically open and close with no manual intervention.
Thank you to Ken and the Checkmarx team for releasing this new GitHub Action. To learn more about how to secure code in GitHub with Checkmarx, contact us today to speak with one of our experts.
Webinar with Ken: Simplifying the Automation of Application Security Testing