GitHub Fixer for CxOne

Introduction

This guide walks through integrating Mobb with your Checkmarx One environment. The GitHub Action used in this integration is published on the GitHub Marketplace as cx-mobb-fixer-action.

This guide is also recorded in an easy-to-follow video format that can be found here:

Prerequisites

Before starting this integration, you will need to have the following components:

  1. A Checkmarx One (CxOne) account

  2. A GitHub repository which will be monitored by CxOne

Step 1 - Set Up Checkmarx monitoring for your GitHub repository

If you have already configured Checkmarx One to monitor your GitHub repository, skip to Step 2 below.

Follow the Checkmarx One guide on setting up monitoring for your GitHub repository for Pull Request events.

By the end of this step, Checkmarx One should run a scan on every Pull Request. If the scan finds issues, Checkmarx automatically posts a scan summary as a comment on the PR.

Here is an example of this scan summary appearing in a GitHub PR comments section:

Step 2 - Set Up Mobb GitHub Fixer to monitor for Checkmarx results

You will need to generate two tokens and store them as repository secrets for GitHub Actions. The secret names below match the ones the workflow in Step 3 references:

  1. CX_API_TOKEN - the Checkmarx One API token, passed to the action's cx-api-token input. You can generate this token by following the guide at https://checkmarx.com/resource/documents/en/34965-68775-generating-a-refresh-token--api-key-.html.

  2. MOBB_API_TOKEN - the Mobb API token, passed to the action's mobb-api-token input. You can generate this token by following the guide at https://docs.mobb.ai/mobb-user-docs/administration/access-tokens.

Once both tokens are generated, store each one in your GitHub repository under the "Settings" tab -> Secrets and variables -> Actions -> New repository secret, using the exact names above so the workflow can read them as secrets.CX_API_TOKEN and secrets.MOBB_API_TOKEN. Store them as secrets, not as variables: variables are not masked in logs.

Step 3 - Create the workflow yaml in your GitHub Repository

The next step involves creating the workflow file in your GitHub repository. To do so, click on Actions -> New workflow.

Select "set up a workflow yourself".

In the code editor page, simply copy and paste the following workflow.

# Mobb/Checkmarx Fixer on pull requests
# This workflow defines the steps needed to run Checkmarx on every pull request and pass the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# CX_API_TOKEN - Your Checkmarx credentials (find how to get it here: https://checkmarx.com/resource/documents/en/34965-68775-generating-a-refresh-token--api-key-.html)
# MOBB_API_TOKEN - Your mobb API Token (find out how to get it here: https://docs.mobb.ai/mobb-user-docs/administration/access-tokens)
# GITHUB_TOKEN - Automatically set by GitHub

name: "Mobb/Checkmarx"

on:
  issue_comment:
    types: [created]

jobs:
  report-and-fix:
    name: Get Report and Fix
    if: ${{ github.event.issue.pull_request && contains(github.event.comment.body,'Checkmarx One – Scan Summary & Details') }} # This makes sure that the comment originates from a PR and not an issue comment
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      pull-requests: write
      statuses: write
      contents: read
    steps:
      - name: Run Mobb GH Fixer monitor for CxOne Comments
        if: always()
        uses: mobb-dev/cx-mobb-fixer-action@v1.5
        with:
          cx-api-token: ${{ secrets.CX_API_TOKEN  }}
          mobb-api-token: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          cx-timeout: 20000

Then click on "Commit changes". Note that this workflow file must be committed to the default branch for the integration to work: GitHub always runs issue_comment-triggered workflows from the default branch, and the job receives the repository secrets. Because the job is started by a PR comment that contains the Checkmarx summary marker rather than by Checkmarx directly, anyone who can comment on the PR can post a comment with that text and start the job; on repositories that accept comments from untrusted users, consider tightening the if: condition to also check github.event.comment.user.login against the account Checkmarx One uses to post its scan summaries. As a supply-chain precaution, you may also pin the action to a full commit SHA instead of the v1.5 tag.
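To make the trigger condition concrete, the following is an added example (not code from Mobb, Checkmarx, or this guide) that re-implements the workflow's if: predicate in Python and runs it over constructed issue_comment payloads. It shows which comments start the job under the page's condition, and how an optional author check narrows that; the "checkmarx-bot" login and the trusted_logins parameter are assumptions for illustration, not names used by Checkmarx One.

```python
"""Simulate the Mobb/Checkmarx workflow's trigger condition.

Added example, not part of the Mobb or Checkmarx code. It mirrors
  github.event.issue.pull_request && contains(comment.body, MARKER)
and adds an optional author allow-list that the page's workflow does
not include (an assumed hardening). All payloads below are constructed
sample data; "checkmarx-bot" is a placeholder login.
"""
from typing import Dict, Iterable, Optional

# Marker text copied from the workflow's `if:` expression.
SCAN_SUMMARY_MARKER = "Checkmarx One – Scan Summary & Details"


def should_trigger(event: dict, trusted_logins: Optional[Iterable[str]] = None) -> bool:
    """Return True when the `report-and-fix` job would run for this event.

    trusted_logins is an assumed extra check: when given, the comment
    author must be one of these logins for the job to run.
    """
    issue = event.get("issue", {})
    comment = event.get("comment", {})
    # Comments on plain issues have no `issue.pull_request` object.
    if not issue.get("pull_request"):
        return False
    if SCAN_SUMMARY_MARKER not in comment.get("body", ""):
        return False
    if trusted_logins is not None:
        login = comment.get("user", {}).get("login", "")
        return login in set(trusted_logins)
    return True


def make_event(body: str, login: str, is_pr: bool = True) -> dict:
    """Build a minimal constructed issue_comment payload."""
    issue: dict = {"number": 42}
    if is_pr:
        # GitHub includes this sub-object only for PR comments.
        issue["pull_request"] = {"url": "https://api.github.com/repos/o/r/pulls/42"}
    return {
        "action": "created",
        "issue": issue,
        "comment": {"body": body, "user": {"login": login}},
    }


# Constructed sample events (not real Checkmarx output).
SAMPLE_EVENTS: Dict[str, dict] = {
    "scan_summary_on_pr": make_event(
        "## Checkmarx One – Scan Summary & Details\nHigh: 2, Medium: 5", "checkmarx-bot"),
    "scan_summary_on_issue": make_event(
        "Checkmarx One – Scan Summary & Details", "checkmarx-bot", is_pr=False),
    "plain_review_comment": make_event("LGTM, please rebase", "alice"),
    "spoofed_by_contributor": make_event(
        "Checkmarx One – Scan Summary & Details", "random-forker"),
}


def evaluate(trusted_logins: Optional[Iterable[str]] = None) -> Dict[str, bool]:
    """Run the predicate over every sample event and return name -> runs?"""
    return {name: should_trigger(ev, trusted_logins) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    print("Page's condition (PR comment + marker text):")
    for name, fired in evaluate().items():
        print(f"  {name:24} -> {'runs' if fired else 'skipped'}")
    print("With an assumed author allow-list:")
    for name, fired in evaluate({"checkmarx-bot"}).items():
        print(f"  {name:24} -> {'runs' if fired else 'skipped'}")
```

Under the page's condition, the spoofed_by_contributor event runs the job just like the real summary does, while the same text on a non-PR issue does not; adding the author check is what separates the two PR comments.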

The integration is now complete. On every PR, Checkmarx One is triggered to run a SAST scan. Once its scan summary is posted, the Mobb autofixer consumes the Checkmarx report and produces fix results directly in your Pull Request.
