- Automated project creation / update
- Scan Execution
https://github.com/binqsoft/CxRestPy.git
https://s3.amazonaws.com/checkmarx-public/cx-sast-lambda.yml
Note: Ensure you are in AWS Region : US East (N. Virginia) us-east-1
https://s3.amazonaws.com/checkmarx-public/cx-lambda-1.0.zip
AWS UI:
- Go to AWS Systems Manager
- Application Management -> Parameter Store
- Create Parameter:
- Name: /Checkmarx/checkmarxUser
- Description: Checkmarx Username
- Tier: Standard
- Type: SecureString
- KMS KeySource: My Current Account
- KMS Key ID: alias/aws/ssm
- Value: [email protected]
- Do the same for Checkmarx URL (String) and Password (SecureString)
AWS CLI:
aws ssm put-parameter --name /Checkmarx/checkmarxURL --type String --value "https://cx.xxxxx.com"
aws ssm put-parameter --name /Checkmarx/checkmarxUser --type SecureString --value "xxxxxx"
aws ssm put-parameter --name /Checkmarx/checkmarxPassword --type SecureString --value "xxxxxx"
AWS UI:
- Go to CloudFormation
- Create Stack -> With new resources (standard) :
- Prerequisite - Prepare Template : Template is ready
- Specify template:
- Amazon S3 URL
- https://s3.amazonaws.com/checkmarx-public/cx-sast-lambda.yml
- Next
- Stack Name : CxStack
- Parameters :
- CxPassword : /Checkmarx/checkmarxPassword - it will link to SSM Stored Parameter
- CxPreset : Checkmarx Default
- CxTeam : \CxServer\SP\Checkmarx\Automation - it should exists in Checkmarx Server
- CxUrl : /Checkmarx/checkmarxURL - it will link to SSM Stored Parameter
- CxUser : /Checkmarx/checkmarxUser - it will link to SSM Stored Paramete
- KMSKeyAlias : aws/ssm
- SSM : true
- SSMParamPath : Checkmarx
- Next
- Next
- Check the Checkbox : I acknowledge that AWS CloudFormation might create IAM resources.
- Create Stack
- Wait until Stack Status is : CREATE_COMPLETE
AWS CLI:
aws cloudformation create-stack --stack-name cx-lambda --template-url https://s3.amazonaws.com/checkmarx-public/cx-sast-lambda.yml \
--capabilities CAPABILITY_IAM \
--parameters ParameterKey=CxUrl,ParameterValue="/Checkmarx/checkmarxURL" \
ParameterKey=CxUser,ParameterValue="/Checkmarx/checkmarxUser" \
ParameterKey=CxPassword,ParameterValue="/Checkmarx/checkmarxPassword"
- Ensure the project parameters include a project at minimum:
{"project" : "CxLambda"}
- Ensure the Role used by CodePipeline has Lambda Access in its permissions
AWS UI:
- Go to CodePipeline
- Create Pipeline:
- Pipeline Settings:
- Pipeline Name : CxPipeline
- Service Role : New Service Role
- Role Name: AWSCodePipelineServiceRole-us-east-1-CxPipeline
- Check Checkbox : Allow AWS CodePipeline to create a service role so it can be used with this new pipeline
- Next
- Source:
- Source Provider: Github (for example)
- Connect to Github
- Repository : user/reponame
- Branch : master
- Change detection options : AWS CodePipeline (for example)
- Next
- Build:
- Skip build stage -> Skip
- Next
- Deploy (for example):
- AWS S3
- Bucket Name: example_bucket
- Object Key: example key
- Next
- Create pipeline
- Edit
- + Add Stage :
- Stage Name : Checkmarx
- + Add action group:
- Action Name : CxScan
- Action provider : AWS Lambda
- Region : US East - (N. Virginia)
- Input Artifacts : SourceArtifact
- Function name: cxScan
- User parameters:
{"project" : "CxLambda"}
- Done
- Done
- Save
- Save
- Pipeline Settings:
- Go to IAM:
- Roles:
- Search for the role you set for CodePipeline: AWSCodePipelineServiceRole-us-east-1-CxPipeline
- Expand Existing Policy : AWSCodePipelineServiceRole-us-east-1-CxPipeline
- Click Lambda:
- Edit Policy:
- Lambda:
- Actions:
- Access Level:
- Write (InvokeFunction)
- Review Policy
- Access Level:
- Save Changes
- Actions:
- Lambda:
- Edit Policy:
- Roles:
- Go to CodePipeline:
- CxPipeline
- Release Changes -> Release
- Checkmarx Scan Succeeded
- CxPipeline