GitHub Fixer for CxOne


Last updated 9 months ago


Introduction

This guide provides quick and easy steps to integrate Mobb with your Checkmarx One environment. The GitHub Action referenced in this integration can be found on GitHub Marketplace under cx-mobb-fixer-action.

This guide is also recorded in an easy-to-follow video format that can be found here:

Prerequisites

Before starting this integration, you will need to have the following components:

  1. A Checkmarx One (CxOne) account

  2. A GitHub repository which will be monitored by CxOne

Step 1 - Set Up Checkmarx monitoring for your GitHub repository

By the end of this step, Checkmarx should be fully configured to run on every pull request. If issues are found, Checkmarx will automatically populate the comments section of the PR with a scan summary.

Here is an example of this scan summary appearing in a GitHub PR comments section:

Step 2 - Set Up Mobb GitHub Fixer to monitor for Checkmarx results

You will need to generate two tokens and store them in your GitHub repository's Actions secrets and variables:

Once you have both tokens generated, simply store them in your GitHub repository under the "Settings" tab -> Secrets and variables -> Actions -> New repository secret.

Step 3 - Create the workflow yaml in your GitHub Repository

The next step involves creating the workflow file in your GitHub repository. To do so, click on Actions -> New workflow.

Select "set up a workflow yourself".

In the code editor page, simply copy and paste the following workflow.

# Mobb/Checkmarx Fixer on pull requests
# This workflow defines the needed steps to run Checkmarx on every pull request and pass the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# CX_API_TOKEN - Your Checkmarx credentials (find how to get it here: https://checkmarx.com/resource/documents/en/34965-68775-generating-a-refresh-token--api-key-.html)
# MOBB_API_TOKEN - Your mobb API Token (find out how to get it here: https://docs.mobb.ai/mobb-user-docs/administration/access-tokens)
# GITHUB_TOKEN - Automatically set by GitHub

name: "Mobb/Checkmarx"

on:
  issue_comment:
    types: [created]

jobs:
  report-and-fix:
    name: Get Report and Fix
    if: ${{ github.event.issue.pull_request && contains(github.event.comment.body,'Checkmarx One – Scan Summary & Details') }} # This makes sure that the comment originates from a PR and not an issue comment
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      pull-requests: write
      statuses: write
      contents: read
    steps:
      - name: Run Mobb GH Fixer monitor for CxOne Comments
        if: always()
        uses: mobb-dev/cx-mobb-fixer-action@v1.5
        with:
          cx-api-token: ${{ secrets.CX_API_TOKEN }}
          mobb-api-token: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          cx-timeout: 20000

Then click on "Commit Changes". Note that this workflow file must be stored under the default branch for this integration to work.

The integration is now complete. On every PR, Checkmarx will be triggered to run a SAST scan. Afterward, the Mobb autofixer will consume the report from Checkmarx and produce fix results directly in your Pull Request.
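The `if:` condition in the workflow above is what decides whether the job starts for a given comment. As an added example (not code from the Mobb docs or the cx-mobb-fixer-action project), the following Python reproduces that gate and checks it against constructed issue_comment payloads; the `allowed_authors` filter and the `cx-scanner-app[bot]` login are assumptions, not values from this page.

```python
"""Reproduce the workflow's trigger gate and check it against sample payloads.

Added example; not code from the Mobb docs or cx-mobb-fixer-action. It mirrors
the job's `if:` expression (issue.pull_request && contains(comment.body, MARKER)).
`allowed_authors` is an assumed hardening not described on the page: limit the
trigger to the account that posts the summary, so an arbitrary PR comment
containing the marker text cannot start a job that holds the API secrets.
"""
from typing import Optional

MARKER = "Checkmarx One – Scan Summary & Details"  # text matched by the workflow


def should_run(event: dict, allowed_authors: Optional[set] = None) -> bool:
    """Return True if this issue_comment event would start the report-and-fix job."""
    issue = event.get("issue", {})
    comment = event.get("comment", {})
    # github.event.issue.pull_request only exists when the "issue" is a pull request
    if not issue.get("pull_request"):
        return False
    # contains() on strings in GitHub expressions is a case-insensitive substring test
    if MARKER.lower() not in comment.get("body", "").lower():
        return False
    # Assumed hardening: only accept the summary from a known poster
    if allowed_authors is not None and comment.get("user", {}).get("login") not in allowed_authors:
        return False
    return True


# Constructed webhook payloads, trimmed to the fields the gate reads.
# "cx-scanner-app[bot]" is a placeholder login, not the real Checkmarx app account.
SAMPLES = {
    "pr_with_summary": {
        "issue": {"number": 7, "pull_request": {"url": "https://api.github.com/repos/o/r/pulls/7"}},
        "comment": {"body": "## Checkmarx One – Scan Summary & Details\n3 findings",
                    "user": {"login": "cx-scanner-app[bot]"}},
    },
    "issue_with_summary": {  # same text on a plain issue: must not trigger
        "issue": {"number": 8},
        "comment": {"body": "Checkmarx One – Scan Summary & Details", "user": {"login": "cx-scanner-app[bot]"}},
    },
    "pr_other_comment": {  # PR comment without the marker: must not trigger
        "issue": {"number": 7, "pull_request": {"url": "https://api.github.com/repos/o/r/pulls/7"}},
        "comment": {"body": "LGTM", "user": {"login": "dev-reviewer"}},
    },
}
```

Run `should_run(SAMPLES["pr_with_summary"])` to see the gate fire, and pass an `allowed_authors` set to see the stricter variant reject comments from other accounts.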

If you have already configured Checkmarx One to monitor your GitHub repository, you can skip Step 1 and go straight to Step 2.

Otherwise, follow the Checkmarx One guide on setting up monitoring for your GitHub repository for Pull Request events.

cx-api-token - This is the Checkmarx API Token. You can generate this token by following the Checkmarx guide (https://checkmarx.com/resource/documents/en/34965-68775-generating-a-refresh-token--api-key-.html).

mobb-api-token - This is the Mobb API Token. You can generate this token by following the Mobb Access Tokens guide (https://docs.mobb.ai/mobb-user-docs/administration/access-tokens).