Create main.yml

.github/workflows/main.yml

@@ -0,0 +1,40 @@
+name: Checkmarx Scan
+
+# Controls when the workflow will run
+on: workflow_dispatch
+permissions:
+  contents: read
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif
+
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      # This step creates the Checkmarx One scan
+      - name: Checkmarx One scan
+        uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc
+        with:
+          project_name: devops
+          branch: ${{ github.event.repository.name }}
+          base_uri: ${{ secrets.CXURI }}  
+          cx_client_id: ${{ secrets.CXCLIENTID }} 
+          cx_client_secret: ${{ secrets.CXSECRET }} 
+          cx_tenant: ${{ secrets.CXTENANT }} 
+          additional_params: --scan-types sast  --sast-preset-name "OWASP TOP 10 - 2021" --sast-incremental  --report-format sarif --output-path .
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: cx_result.sarif