Mobb User Docs
GitHub Actions
Last updated 1 month ago
Mobb can be integrated into any CI/CD platform of your choice. In this guide, the process of integration with GitHub Actions will be demonstrated.

After logging into Mobb, select the last option in the menu: “Connect Mobb to Your Workflow”.

To run Mobb within GitHub Actions, select “GitHub Actions”.

You will be presented with a sample GitHub Actions YAML workflow that you can use as-is. This particular example uses Checkmarx as the SAST scanner; if you use a different SAST tool, modify the scan step accordingly and point the report-file input at the report that tool produces.

Scenario 1 - Run Checkmarx CLI + Mobb

# This example utilizes Mobb with Checkmarx via GitHub Actions

on: [pull_request]

jobs:
  Checkmarx-Mobb-example:
    runs-on: ubuntu-latest
    name: Fix Checkmarx findings with Mobb

    steps:
      - name: Checkout repo to get code
        uses: actions/checkout@v3

      - name: Setup Node on this machine
        uses: actions/setup-node@v3.6.0
        with:
          node-version: 18

      - name: Download and configure Checkmarx CLI
        run: |
          wget https://github.com/Checkmarx/ast-cli/releases/download/2.0.54/ast-cli_2.0.54_linux_x64.tar.gz -O checkmarx.tar.gz
          tar -xf checkmarx.tar.gz
          ./cx configure set --prop-name cx_apikey --prop-value ${{ secrets.CX_API_KEY }}
        shell: bash -l {0}

      - name: Run Checkmarx SAST scan
        # The threshold makes this step fail the build when at least one high-severity SAST finding exists
        run: ./cx scan create --project-name my-test-project -s ./ --report-format json --scan-types sast --branch nobranch --threshold "sast-high=1"
        shell: bash -l {0}

      - name: Run Mobb on the findings and get fixes
        # always() runs this step even when the scan step failed its threshold, so fixes are still generated
        if: always()
        uses: mobb-dev/action@v1.1
        with:
          report-file: "cx_result.json"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

For a demonstration of how this integration works, you can visit the following YouTube video:

Scenario 2 - Run Snyk Code CLI + Mobb with Auto-Commit

In this scenario, we are configuring Mobb to automatically commit fixes directly to the PR based on the approved fixes as defined in our project Fix Policy. This is achieved by setting the following parameters in our mobb-dev/action:

...
auto-pr: true
commit-directly: true

Full YAML:

# Mobb/Snyk Fixer on pull requests
# This workflow defines the needed steps to run Snyk Code on every pull request and pass the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# SNYK_API_TOKEN - your Snyk user credentials (find how to get it here: https://docs.snyk.io/getting-started/how-to-obtain-and-authenticate-with-your-snyk-api-token)
# MOBB_API_TOKEN - your Mobb user credentials (automatically set if you forked this repo via the Mobb app)
# GITHUB_TOKEN - automatically set by GitHub

name: "Snyk/Mobb with Auto-PR"

on: [pull_request]

jobs:
  scan-and-fix:
    name: Scan with Snyk and fix with Mobb Auto-PR
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      pull-requests: write
      statuses: write
      contents: read
      actions: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}

      - name: Run Snyk SAST scan
        run: |
          npx snyk auth ${{ secrets.SNYK_API_TOKEN }} && npx snyk code test --sarif-file-output=/home/runner/report.json ./
        shell: bash -l {0}

      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/action@v1.1
        with:
          report-file: "/home/runner/report.json"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          mobb-project-name: "auto-pr-demo"
          auto-pr: true
          commit-directly: true
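A pre-flight check for the report hand-off used in both scenarios above, added here as an example (it is not part of the Mobb docs or of the mobb-dev/action): because the Mobb step runs with "if: always()", it will also run when the scanner step failed before writing a report, so a small bash guard placed just before it can fail fast with a clear message and report how many SARIF results the file holds. The script name check_report.sh and the sample findings are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the Mobb docs): pre-flight check to run before the
# mobb-dev/action step. That step uses "if: always()", so it also runs when the
# scanner step failed; this guard reports a missing, empty or non-JSON report
# and counts the SARIF results that will be handed to Mobb.
set -u

# Return 0 when the report exists, is non-empty and starts with a JSON object/array.
report_is_usable() {
  local f="$1"
  [ -s "$f" ] || { echo "report '$f' is missing or empty" >&2; return 1; }
  case "$(head -c 1 "$f")" in
    '{'|'[') return 0 ;;
    *) echo "report '$f' does not look like JSON" >&2; return 1 ;;
  esac
}

# Count SARIF results: each entry of a "results" array carries a "ruleId" key,
# while rule definitions under tool.driver.rules use "id", so counting "ruleId"
# occurrences approximates the number of findings without needing jq on the runner.
sarif_result_count() {
  local f="$1"
  report_is_usable "$f" || return 1
  grep -o '"ruleId"' "$f" | wc -l | tr -d ' '
}

# Constructed sample SARIF report (hypothetical findings, not real scanner output).
write_sample_sarif() {
  cat > "$1" <<'EOF'
{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"example-sast","rules":[{"id":"js/sqli"},{"id":"js/xss"}]}},
"results":[{"ruleId":"js/sqli","level":"error","message":{"text":"SQL injection"}},
{"ruleId":"js/xss","level":"warning","message":{"text":"Reflected XSS"}}]}]}
EOF
}

# Usage in a workflow step, with the same path the Mobb step reads:
#   bash check_report.sh /home/runner/report.json
if [ "${1:-}" ]; then
  n=$(sarif_result_count "$1") || exit 1
  echo "SARIF report OK: $n result(s)"
fi
```

A non-zero exit from this step stops the job before the Mobb step, so a broken scanner run surfaces as a report error rather than as a silent no-fix result.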