From 659cb3f548489d1368ef327bd2c25edb6dac6786 Mon Sep 17 00:00:00 2001
From: cx-anurag-dalke <120229307+cx-anurag-dalke@users.noreply.github.com>
Date: Wed, 4 Mar 2026 21:15:21 +0530
Subject: [PATCH 1/5] added cxone scna notification
---
 .github/workflows/checkmarx-one-scan.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml
index 204eb8495..7ff2f886c 100644
--- a/.github/workflows/checkmarx-one-scan.yml
+++ b/.github/workflows/checkmarx-one-scan.yml
@@ -23,3 +23,17 @@ jobs:
 cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
 cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
 additional_params: --tags sypher --threshold "sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1"
+ notify:
+ needs: cx-scan
+ uses: Checkmarx/plugins-release-workflow/.github/workflows/cxone-scan-teams-notify.yml@38cf7ab29e5021bb817ac38bdae3ac0fb210608c
+ if: always()
+ with:
+ cx_result: ${{ needs.cx-scan.result }}
+ repository: ${{ github.repository }}
+ ref_name: ${{ github.ref_name }}
+ actor: ${{ github.actor }}
+ event_name: ${{ github.event_name }}
+ run_id: ${{ github.run_id }}
+ server_url: ${{ github.server_url }}
+ secrets:
+ teams_webhook_url: ${{ secrets.CXONE_SCAN_WEBHOOK_URL }}
\ No newline at end of file
From 61e3b4f3ac54b4a18bce0b396caae3ee6b036bbf Mon Sep 17 00:00:00 2001
From: cx-anurag-dalke <120229307+cx-anurag-dalke@users.noreply.github.com>
Date: Thu, 5 Mar 2026 07:37:37 +0530
Subject: [PATCH 2/5] Added a new workflow to scan the docker image using Trivy.
---
 .github/workflows/ci-tests.yml | 41 +------------
 .github/workflows/scan_docker-image-trivy.yml | 58 +++++++++++++++++++
 2 files changed, 61 insertions(+), 38 deletions(-)
 create mode 100644 .github/workflows/scan_docker-image-trivy.yml
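Review bot: The `uses:` line pins the reusable workflow to a bare commit SHA with no trailing comment naming the tag it was resolved from, unlike the `#v2`-style comments on the action pins in this repository's `ci-tests.yml`, so the pin cannot be reviewed or bumped without resolving the SHA by hand; add `# <tag-placeholder>` after the SHA. The new job also ends without a trailing newline (`\ No newline at end of file`). The `ref_name` and `actor` inputs are forwarded from the `github` context, and `github.ref_name` is branch-name data that anyone able to push a branch controls, so it is worth confirming that the called workflow reads those inputs through `env:` rather than expanding them inside a `run:` script. This workflow's `on:` block is outside the hunk, so whether `CXONE_SCAN_WEBHOOK_URL` is available on every event that reaches `notify` cannot be checked here.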
diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml
index 9ee25c073..70faea97a 100644
--- a/.github/workflows/ci-tests.yml
+++ b/.github/workflows/ci-tests.yml
@@ -2,6 +2,9 @@ name: Continuous Integration Tests
 on:
 pull_request:
+ push:
+ branches:
+ - other/scan-notification
 jobs:
 unit-tests:
@@ -145,41 +148,3 @@ jobs:
 with:
 go-version-file: go.mod
 go-package: ./...
-
- checkDockerImage:
- runs-on: ubuntu-latest
- name: scan Docker Image with Trivy
- steps:
- - name: Checkout code
- uses: actions/checkout@722adc63f1aa60a57ec37892e133b1d319cae598 #2.0.0
-
-
- - name: Set up Docker
- uses: docker/setup-buildx-action@cf09c5c41b299b55c366aff30022701412eb6ab0 #v1.0.0
-
- - name: Log in to Docker Hub
- uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b #v2
- with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
- - name: Build the project
- run: go build -o ./cx ./cmd
- - name: Build Docker image
- run: docker build -t ast-cli:${{ github.sha }} .
- - name: Run Trivy scanner without downloading DBs
- uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 #v0.28.0
- with:
- scan-type: 'image'
- image-ref: ast-cli:${{ github.sha }}
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- vuln-type: 'os,library'
- output: './trivy-image-results.txt'
- env:
- TRIVY_SKIP_JAVA_DB_UPDATE: true
-
- - name: Inspect action report
- if: always()
- shell: bash
- run: cat ./trivy-image-results.txt
diff --git a/.github/workflows/scan_docker-image-trivy.yml b/.github/workflows/scan_docker-image-trivy.yml
new file mode 100644
index 000000000..30f8667a9
--- /dev/null
+++ b/.github/workflows/scan_docker-image-trivy.yml
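Review bot: The added `push:` trigger on `other/scan-notification` is a branch-specific test scaffold in a shared CI workflow, and the later commit in this series titled "removed pull request condition for testing" suggests that branch was used for iteration; drop it before merge so `ci-tests.yml` keeps its single `pull_request` trigger. The second hunk of this file deletes the `checkDockerImage` job that failed pull requests on Trivy findings (`exit-code: '1'`), and after this series the replacement workflow runs only on pushes to that one branch, so the PR-time image-scan gate is lost unless the new file's triggers are restored. `on:` and `jobs:` both continue outside the first hunk.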
@@ -0,0 +1,58 @@
+name: Docker Image Security Scan
+
+on:
+ pull_request:
+ push:
+ branches:
+ - other/scan-notification
+# workflow_run:
+# workflows: ["Continuous Integration Tests"]
+# types:
+# - completed
+
+jobs:
+ checkDockerImage:
+ name: Scan Docker Image with Trivy
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@722adc63f1aa60a57ec37892e133b1d319cae598
+
+ - name: Set up Go
+ uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
+ with:
+ go-version-file: go.mod
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@cf09c5c41b299b55c366aff30022701412eb6ab0
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Build the project
+ run: go build -o ./cx ./cmd
+
+ - name: Build Docker image
+ run: docker build -t ast-cli:${{ github.event.workflow_run.head_sha }} .
+
+ - name: Run Trivy scan
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
+ with:
+ scan-type: image
+ image-ref: ast-cli:${{ github.event.workflow_run.head_sha }}
+ format: table
+ exit-code: 1
+ ignore-unfixed: true
+ vuln-type: os,library
+ output: trivy-image-results.txt
+ env:
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
+
+ - name: Show scan results
+ if: always()
+ run: cat trivy-image-results.txt
\ No newline at end of file
From 3fba8b6972255ca708238a688e6366c32d458805 Mon Sep 17 00:00:00 2001
From: cx-anurag-dalke <120229307+cx-anurag-dalke@users.noreply.github.com>
Date: Thu, 5 Mar 2026 07:47:20 +0530
Subject: [PATCH 3/5] updated trigger condition
---
 .github/workflows/scan_docker-image-trivy.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/scan_docker-image-trivy.yml b/.github/workflows/scan_docker-image-trivy.yml
index 30f8667a9..fff67aa7e 100644
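Review bot: Both `ast-cli:${{ github.event.workflow_run.head_sha }}` tags expand to `ast-cli:` under the `pull_request` and `push` triggers this file declares, because `github.event.workflow_run` is only populated for a `workflow_run` event and that trigger is commented out, so `docker build -t` fails on an invalid tag and no image is ever scanned; the job-level `if:` on `workflow_run.conclusion` is false for the same reason, which the last commit in this series works around by commenting it out while leaving both `head_sha` references in place. Use `github.sha`, as the deleted `ci-tests.yml` job did, for both the build tag and `image-ref`. The workflow also has no `permissions:` block, so the job runs with whatever default `GITHUB_TOKEN` scope the repository grants; it only builds and scans a local image, so a top-level `permissions: contents: read` is sufficient. The `docker/login-action` step is presumably there for Docker Hub pull-rate limits rather than a push, since nothing is pushed; if it is not needed it can go, noting that `DOCKER_USERNAME`/`DOCKER_PASSWORD` are not available to pull requests from forks and the step would fail there. The action pins carry no version comments, unlike the `#v2`-style annotations on the job this replaces, and the file lacks a trailing newline.
```yaml
name: Docker Image Security Scan

permissions:
  contents: read

# … unchanged: on: triggers …

jobs:
  checkDockerImage:
    name: Scan Docker Image with Trivy
    runs-on: ubuntu-latest
    steps:
      # … unchanged: checkout, setup-go, buildx, login, go build …
      - name: Build Docker image
        run: docker build -t ast-cli:${{ github.sha }} .

      - name: Run Trivy scan
        # … unchanged: uses: pin …
        with:
          scan-type: image
          image-ref: ast-cli:${{ github.sha }}
          # … unchanged: format, exit-code, ignore-unfixed, vuln-type, output, env …
      # … unchanged: Show scan results …
```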
--- a/.github/workflows/scan_docker-image-trivy.yml
+++ b/.github/workflows/scan_docker-image-trivy.yml
@@ -5,10 +5,6 @@ on:
 push:
 branches:
 - other/scan-notification
-# workflow_run:
-# workflows: ["Continuous Integration Tests"]
-# types:
-# - completed
 jobs:
 checkDockerImage:
From 258edd03ed0143e970c0234b1538b120c1ad9864 Mon Sep 17 00:00:00 2001
From: cx-anurag-dalke <120229307+cx-anurag-dalke@users.noreply.github.com>
Date: Thu, 5 Mar 2026 07:49:00 +0530
Subject: [PATCH 4/5] removed pull request condition for testing
---
 .github/workflows/scan_docker-image-trivy.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/scan_docker-image-trivy.yml b/.github/workflows/scan_docker-image-trivy.yml
index fff67aa7e..1519054b3 100644
--- a/.github/workflows/scan_docker-image-trivy.yml
+++ b/.github/workflows/scan_docker-image-trivy.yml
@@ -1,7 +1,6 @@
 name: Docker Image Security Scan
 on:
- pull_request:
 push:
 branches:
 - other/scan-notification
From 1d316f69fa2d84e57b86fb063a5c24e38bc7e870 Mon Sep 17 00:00:00 2001
From: cx-anurag-dalke <120229307+cx-anurag-dalke@users.noreply.github.com>
Date: Thu, 5 Mar 2026 10:16:52 +0530
Subject: [PATCH 5/5] updated conditiong
---
 .github/workflows/scan_docker-image-trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan_docker-image-trivy.yml b/.github/workflows/scan_docker-image-trivy.yml
index 1519054b3..827798963 100644
--- a/.github/workflows/scan_docker-image-trivy.yml
+++ b/.github/workflows/scan_docker-image-trivy.yml
@@ -8,7 +8,7 @@ on:
 jobs:
 checkDockerImage:
 name: Scan Docker Image with Trivy
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ # if: ${{ github.event.workflow_run.conclusion == 'success' }}
 runs-on: ubuntu-latest
 steps:
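Review bot: Removing `pull_request:` leaves the Trivy scan running only on pushes to `other/scan-notification`, so the image scan no longer gates pull requests at all, whereas the `checkDockerImage` job it replaced in `ci-tests.yml` ran on every pull request and failed on findings; the subject line says this is for testing, so `pull_request:` should be restored and the branch-specific `push:` trigger removed before the series merges. If the intent is to scan only after CI passes, a `workflow_run` trigger on "Continuous Integration Tests" gives that ordering without dropping PR coverage, with the caveat that `workflow_run` executes the workflow file from the default branch. The remainder of the `on:` block is inside the hunk; `jobs:` begins outside it.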
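Review bot: Commenting out the `if:` instead of deleting it leaves dead configuration in the job header; the reason it had to go is that `github.event.workflow_run` is empty under the `push` trigger the file now uses, so the condition was always false and the job never ran. Either delete the line outright or reinstate the `workflow_run` trigger it was written for, rather than keeping `# if: ${{ github.event.workflow_run.conclusion == 'success' }}` as a comment. The same empty context is still read by two other lines of this file outside the hunk, which this commit does not touch. The `checkDockerImage` job continues past the end of the hunk.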