
test: Enable fork-friendly Checkmarx scanning with pull_request_target#55

Merged: gilescope merged 1 commit into main from sean/test-fork-friendly-checkmarx (Sep 23, 2025)

Conversation

@cosmir17 (Contributor)

Summary

Testing the fork-friendly Checkmarx solution from PM-19431. This updates our workflow to allow fork PRs to run security scans without requiring access to secrets.

Problem

Fork PRs currently fail Checkmarx scans because they cannot access repository secrets (GitHub security feature). This blocks external contributions.

Solution

Using the new checkmarx-scan-public action with pull_request_target:

  • Changed from pull_request to pull_request_target event
  • Removed main code checkout (critical for security)
  • Checkmarx fetches code directly from repo URL

Changes

  • Modified .github/workflows/checkmarx.yaml:
    • Event: pull_request → pull_request_target
    • Removed main code checkout step
    • Uses new checkmarx-scan-public action

Security

  • pull_request_target runs with base branch context (has secrets)
  • No code checkout means no risk of running untrusted code
  • Safe for fork PRs

Dependencies

⚠️ Requires: midnightntwrk/upload-sarif-github-action#25 to be merged first

Testing

Once both PRs are merged:

  1. Create a fork of midnight-node-docker
  2. Submit a test PR from the fork
  3. Verify Checkmarx scan runs successfully

References

  • PM-19431: Fork-friendly Checkmarx solution
  • PM-19178: Original issue about fork PRs failing

cc @gilescope

Testing PM-19431 solution for fork PR scanning:
- Changed pull_request to pull_request_target
- Removed main code checkout (critical for security)
- Uses new checkmarx-scan-public action from sean/PM-19431-fork-friendly-checkmarx branch
- This will allow fork PRs to run Checkmarx scans

Note: Depends on midnightntwrk/upload-sarif-github-action#25
@cosmir17 cosmir17 requested a review from gilescope September 22, 2025 22:52
@cosmir17 cosmir17 self-assigned this Sep 22, 2025
@cosmir17 cosmir17 requested review from a team as code owners September 22, 2025 22:52
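The shape of workflow the description above argues for, as an added example written for this page. It is not the repository's own `.github/workflows/checkmarx.yaml`: the `midnightntwrk/checkmarx-scan-public` action path, its inputs and the `CX_*` secret names are assumptions, and the SARIF step uses the public `github/codeql-action/upload-sarif` action in place of the `upload-sarif-github-action` the PR depends on. Everything in the `github.event.pull_request.*` context is standard GitHub Actions behaviour.

```yaml
name: Checkmarx (fork-friendly)

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege: read the repo, write code-scanning alerts, nothing else.
permissions:
  contents: read
  security-events: write

jobs:
  checkmarx:
    runs-on: ubuntu-latest
    steps:
      # Deliberately NO checkout of the PR head. Under pull_request_target the
      # job runs with base-branch secrets, so checking out
      # github.event.pull_request.head.sha and then executing anything from it
      # (npm ci, make, a linter that loads plugins, ...) would hand those
      # secrets to fork-controlled code. The pattern to avoid looks like:
      #
      #   - uses: actions/checkout@v4
      #     with:
      #       ref: ${{ github.event.pull_request.head.sha }}
      #   - run: npm ci && npm run build   # runs untrusted code with secrets
      #
      - name: Resolve what to scan
        id: target
        # Under pull_request_target, github.sha and github.ref point at the BASE
        # branch. Hand Checkmarx the PR head explicitly, and take the clone URL
        # from the head repo (the fork), otherwise it scans main and the fork
        # PR is never really checked. Untrusted event fields go through env,
        # not ${{ }} interpolation inside the script, to avoid shell injection
        # via crafted branch or repo names.
        env:
          HEAD_REPO_URL: ${{ github.event.pull_request.head.repo.clone_url }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          echo "repo_url=${HEAD_REPO_URL}" >> "$GITHUB_OUTPUT"
          echo "sha=${HEAD_SHA}" >> "$GITHUB_OUTPUT"

      - name: Checkmarx scan (source fetched by URL, nothing executed on the runner)
        # Action path, version and input names are assumptions for this example.
        uses: midnightntwrk/checkmarx-scan-public@v1
        with:
          repo_url: ${{ steps.target.outputs.repo_url }}
          commit_sha: ${{ steps.target.outputs.sha }}
          # Default the project name from the repository instead of leaving it unset.
          project_name: ${{ github.event.repository.name }}
          cx_client_id: ${{ secrets.CX_CLIENT_ID }}       # assumed secret name
          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # assumed secret name

      - name: Upload SARIF against the PR head, not the base branch
        # Substituted for the upload-sarif-github-action used by the project.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          ref: refs/pull/${{ github.event.pull_request.number }}/head
          sha: ${{ github.event.pull_request.head.sha }}
```

Two points worth checking in the real workflow. First, `pull_request_target` takes the workflow file itself from the base branch, so a fork cannot edit the workflow to add a checkout step; the protection only holds as long as no later step checks out or executes PR content. Second, because `github.sha` is the base commit in this event, both the scan target and the SARIF `ref`/`sha` must be pinned to the PR head or the results are filed against the wrong commit and never surface on the pull request.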
@gilescope (Collaborator) left a comment


We ought to default the project name correctly.

@gilescope gilescope enabled auto-merge (squash) September 23, 2025 08:12
@gilescope gilescope merged commit 53b8fa0 into main Sep 23, 2025
9 checks passed
@gilescope gilescope deleted the sean/test-fork-friendly-checkmarx branch September 23, 2025 08:14
