Scan

[PM-23410] Feature: Allow loading auth tokens from external namespace #148

Workflow file for this run

	name: Scan

	on:
	workflow_dispatch:
	push:
	branches:
	- "main"
	pull_request_target:
	types: [opened, synchronize]
	branches:
	- "main"

	# TODO: see https://bitwarden.atlassian.net/l/cp/SLtTZJ90 for configuration tips
	jobs:
	check-run:
	name: Check PR run
	uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
	permissions:
	contents: read

	sast:
	name: SAST scan
	runs-on: ubuntu-22.04
	needs: check-run
	permissions:
	contents: read
	pull-requests: write
	security-events: write
	id-token: write

	steps:
	- name: Check out repo
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	ref: ${{ github.event.pull_request.head.sha }}

	- name: Log in to Azure
	uses: bitwarden/gh-actions/azure-login@main
	with:
	subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	tenant_id: ${{ secrets.AZURE_TENANT_ID }}
	client_id: ${{ secrets.AZURE_CLIENT_ID }}

	- name: Get Azure Key Vault secrets
	id: get-kv-secrets
	uses: bitwarden/gh-actions/get-keyvault-secrets@main
	with:
	keyvault: gh-org-bitwarden
	secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"

	- name: Log out from Azure
	uses: bitwarden/gh-actions/azure-logout@main

	- name: Scan with Checkmarx
	uses: checkmarx/ast-github-action@9fda4ab4c1b67c35de380552a972a82997d97731 # 2.0.42
	env:
	INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' \|\| '' }}"
	with:
	project_name: ${{ github.repository }}
	cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
	base_uri: https://ast.checkmarx.net/
	cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
	cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
	additional_params: \|
	--report-format sarif \
	--filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
	--output-path . ${{ env.INCREMENTAL }}

	- name: Upload Checkmarx results to GitHub
	uses: github/codeql-action/upload-sarif@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6
	with:
	sarif_file: cx_result.sarif
	sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha \|\| github.sha }}
	ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) \|\| github.ref }}

	quality:
	name: Quality scan
	runs-on: ubuntu-22.04
	needs: check-run
	permissions:
	contents: read
	pull-requests: write
	id-token: write

	steps:
	- name: Check out repo
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 0
	ref: ${{ github.event.pull_request.head.sha }}

	- name: Log in to Azure
	uses: bitwarden/gh-actions/azure-login@main
	with:
	subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	tenant_id: ${{ secrets.AZURE_TENANT_ID }}
	client_id: ${{ secrets.AZURE_CLIENT_ID }}

	- name: Get Azure Key Vault secrets
	id: get-kv-secrets
	uses: bitwarden/gh-actions/get-keyvault-secrets@main
	with:
	keyvault: gh-org-bitwarden
	secrets: "SONAR-TOKEN"

	- name: Log out from Azure
	uses: bitwarden/gh-actions/azure-logout@main

	- name: Scan with SonarCloud
	uses: sonarsource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # v5.1.0
	env:
	SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
	with:
	args: >
	-Dsonar.organization=${{ github.repository_owner }}
	-Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
	-Dsonar.pullrequest.key=${{ github.event.pull_request.number }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[PM-23410] Feature: Allow loading auth tokens from external namespace #148

Workflow file

[PM-23410] Feature: Allow loading auth tokens from external namespace #148

Uh oh!

Jobs

Run details

Workflow file for this run