From 730c7e5f53f21fec967c296ffc24002586fec200 Mon Sep 17 00:00:00 2001 From: Aniket Shinde Date: Wed, 15 Apr 2026 12:01:43 +0530 Subject: [PATCH 1/5] docs AST-146800: Add Cloud.md standardization file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the Cloud.md documentation file covering all essential sections: Project Overview, Architecture, Repository Structure, Technology Stack, Development Setup, Coding Standards, Project Rules, Testing Strategy, Known Issues — plus recommended sections: External Integrations, Deployment, Security & Access, Logging, and Debugging Steps. Co-Authored-By: Claude Sonnet 4.6 (1M context) --- Cloud.md | 346 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 346 insertions(+) create mode 100644 Cloud.md diff --git a/Cloud.md b/Cloud.md new file mode 100644 index 0000000..459c1fa --- /dev/null +++ b/Cloud.md 
@@ -0,0 +1,346 @@ +# Cloud.md — Checkmarx One Eclipse Plugin + +> Standardized Cloud MD file for [ast-eclipse-plugin](https://github.com/Checkmarx/ast-eclipse-plugin) +> Following the Cloud MD standardization template defined in epic AST-146793. + +--- + +## Project Overview + +The **Checkmarx One Eclipse Plugin** integrates the full Checkmarx One security platform directly into the Eclipse IDE. It enables developers to discover and remediate vulnerabilities without leaving their editor — embodying the shift-left AppSec philosophy. + +**Key capabilities:** +- Import scan results (SAST, SCA, IaC Security) from Checkmarx One directly into Eclipse +- Run new scans from the IDE before committing code +- Navigate from a vulnerability directly to the affected source line +- Triage results (adjust severity, state, add comments) without leaving the IDE +- Filter and group results by severity, state, or query name +- View vulnerability descriptions, attack vectors, and Codebashing remediation links +- Best Fix Location (BFL) highlighting for SAST findings + +**Supported Eclipse versions:** 2019-03 (4.11) and above +**Supported platforms:** Windows, macOS, Linux/GTK + +--- + +## Architecture + +The plugin follows a standard Eclipse **ViewPart** architecture backed by an **OSGi** bundle lifecycle. 
+ +``` +┌─────────────────────────────────────────────────────┐ +│ Eclipse IDE │ +│ ┌──────────────────────────────────────────────┐ │ +│ │ CheckmarxView (ViewPart) │ │ +│ │ ┌──────────┐ ┌──────────┐ ┌────────────┐ │ │ +│ │ │ Project │ │ Branch │ │ Scan ID │ │ │ +│ │ │ Combo │ │ Combo │ │ Combo │ │ │ +│ │ └──────────┘ └──────────┘ └────────────┘ │ │ +│ │ ┌────────────────────────────────────────┐ │ │ +│ │ │ Results Tree (SWT TreeViewer) │ │ │ +│ │ │ Grouped by: Severity / Query / State │ │ │ +│ │ └────────────────────────────────────────┘ │ │ +│ │ ┌───────────────┐ ┌──────────────────────┐ │ │ +│ │ │ Description │ │ Attack Vector / │ │ │ +│ │ │ & Triage │ │ Package Data / │ │ │ +│ │ │ Panel │ │ BFL Panel │ │ │ +│ │ └───────────────┘ └──────────────────────┘ │ │ +│ └──────────────────────────────────────────────┘ │ +└─────────────────────────────────────────────────────┘ + │ EventBus (Guava) + ▼ +┌─────────────────────┐ ┌──────────────────────┐ +│ DataProvider │◄──────►│ ast-cli-java-wrapper │ +│ (Singleton) │ │ (Checkmarx One API) │ +└─────────────────────┘ └──────────────────────┘ +``` + +**Key architectural decisions:** +- **Event-driven UI:** Google Guava `EventBus` decouples UI actions (filter changes, scan loads) from the view rendering. Events: `FILTER_CHANGED`, `GET_RESULTS`, `CLEAN_AND_REFRESH`, `LOAD_RESULTS_FOR_SCAN`. +- **CLI wrapper:** All communication with the Checkmarx One platform is delegated to `ast-cli-java-wrapper`, which wraps the Checkmarx CLI binary. No direct REST calls from the plugin. +- **Singleton DataProvider:** Holds all loaded scan results, filter state, and project/branch/scan metadata for the current session. +- **Static FilterState:** Severity and state filter flags are stored as static fields persisted to Eclipse preferences via `GlobalSettings`. 
+ +--- + +## Repository Structure + +``` +ast-eclipse-plugin/ +├── checkmarx-ast-eclipse-plugin/ # Main OSGi plugin bundle +│ ├── src/com/checkmarx/eclipse/ +│ │ ├── Activator.java # OSGi bundle lifecycle +│ │ ├── enums/ # Severity, State, ActionName enums +│ │ ├── properties/ # Eclipse preferences page & fields +│ │ ├── runner/ # Authentication runner +│ │ ├── utils/ # CxLogger, PluginUtils, PluginConstants +│ │ └── views/ +│ │ ├── CheckmarxView.java # Main ViewPart (~2600 lines) +│ │ ├── DataProvider.java # Singleton data/state manager +│ │ ├── DisplayModel.java # Tree node model +│ │ ├── GlobalSettings.java # Eclipse preference store wrapper +│ │ ├── actions/ # Toolbar actions (filters, scan, triage) +│ │ ├── filters/ # FilterState, ActionFilters +│ │ └── provider/ # TreeContentProvider, ColumnProvider +│ ├── META-INF/MANIFEST.MF # OSGi bundle descriptor +│ ├── plugin.xml # Eclipse extension points +│ ├── icons/ # Severity and UI icons +│ └── lib/ # Bundled JAR dependencies +├── checkmarx-ast-eclipse-plugin-tests/ # Test bundle +│ └── src/test/java/.../tests/ +│ ├── integration/ # Integration tests (auth) +│ ├── ui/ # SWTBot UI tests +│ └── unit/ # Unit tests +├── com.checkmarx.eclipse.feature/ # Eclipse feature descriptor +├── com.checkmarx.eclipse.site/ # Eclipse p2 update site +├── pom.xml # Root Maven/Tycho POM +├── ast-cli-java-wrapper.version # Pinned wrapper version +└── .github/workflows/ # CI/CD pipelines +``` + +--- + +## Technology Stack + +| Layer | Technology | Version | +|-------|-----------|---------| +| Language | Java | 17 (Temurin) | +| IDE Framework | Eclipse OSGi / RCP | 4.11+ | +| UI Toolkit | SWT / JFace | Bundled with Eclipse | +| Build System | Maven + Eclipse Tycho | Tycho 4.0.11 | +| Platform API | ast-cli-java-wrapper | 2.4.23 | +| Event Bus | Google Guava | Bundled with Eclipse | +| Git Integration | JGit | Bundled with Eclipse | +| JSON | Jackson | 2.21.1 | +| Utilities | Apache Commons Lang3 | 3.18.0 | +| Logging | SLF4J + Eclipse 
ILog (CxLogger) | 2.0.17 | + +--- + +## Development Setup + +### Prerequisites + +1. **Java 17** (Temurin recommended) +2. **Eclipse IDE for RCP and RAP Developers** (2019-03 or later) — includes PDE (Plugin Development Environment) +3. **Maven 3.x** with Tycho support +4. **Checkmarx One account** with an API key (`ast-scanner` + `default-roles` IAM roles) + +### Clone and Import + +```bash +git clone https://github.com/Checkmarx/ast-eclipse-plugin.git +cd ast-eclipse-plugin +``` + +Import into Eclipse: +- `File → Import → Maven → Existing Maven Projects` +- Select the repo root — all four modules will be detected + +### Build from CLI + +```bash +# Full build (plugin + feature + site + tests) +mvn clean verify + +# Build plugin only (skip tests) +mvn clean package -pl checkmarx-ast-eclipse-plugin -am -DskipTests +``` + +### Run in Development + +1. Open `checkmarx-ast-eclipse-plugin/plugin.xml` in Eclipse +2. Click **Launch an Eclipse Application** (creates a new Eclipse instance with the plugin loaded) +3. Configure credentials: `Window → Preferences → Checkmarx` + +### Run Tests + +```bash +# UI tests (requires Xvfb on Linux) +Xvfb -ac :99 -screen 0 1920x1080x16 & +mvn verify -Dtest.includes="**/ui/*.java" \ + -DCX_BASE_URI= -DCX_TENANT= \ + -DCX_APIKEY= -DCX_TEST_SCAN= + +# Unit tests only +mvn test -pl checkmarx-ast-eclipse-plugin-tests +``` + +--- + +## Coding Standards + +- **Java 17** language level — use modern constructs (streams, lambdas, records where appropriate) +- **Logging:** Always use `CxLogger` (Eclipse ILog wrapper), never raw `System.out` or SLF4J directly in plugin code. SLF4J is available only for passing to the CLI wrapper internals. +- **UI thread safety:** All SWT widget updates must happen on the UI thread. Use `UISynchronizeImpl.asyncExec()` for background-to-UI transitions. +- **EventBus events:** Post events via `pluginEventBus.post(new PluginListenerDefinition(...))`. Subscribe with `@Subscribe`. 
Never call UI update methods directly from non-UI threads. +- **Constants:** Add all string literals used in UI or logic to `PluginConstants.java`. Never hardcode strings inline. +- **SWT layout:** Use `GridData`/`GridLayout` for all composites. Avoid fixed `widthHint` on combos that may contain variable-length content — use `SWT.FILL` with `grabExcessHorizontalSpace = true` instead. +- **Null safety:** Check `selectedItem.getResult()` and `selectedItem.getSeverity()` before accessing them — tree nodes may be group-level nodes with no attached result. + +--- + +## Project Rules + +- **All PRs target `main`** (or an integration branch when batching multiple bug fixes). +- **Branch naming:** + - Bug fixes: `bug/AST-XXXXX` + - Features: `feature/AST-XXXXX` + - Documentation: `docs/AST-XXXXX` + - Other: `other/AST-XXXXX` +- **Commit messages** must reference the Jira ticket: `Fix AST-XXXXX: ` +- **Never commit secrets.** Checkmarx credentials are injected via environment variables or Eclipse preferences at runtime — never hardcoded. +- **Wrapper version** is pinned in `ast-cli-java-wrapper.version`. Update this file and the JAR in `lib/` when upgrading the CLI wrapper. +- **Icons** must be placed in `checkmarx-ast-eclipse-plugin/icons/` and registered in `plugin.xml` if used as action images. +- **PR size:** Keep PRs focused on a single ticket. Use an integration branch to batch multiple related fixes before merging to main. 
+ +--- + +## Testing Strategy + +### Test Types + +| Type | Location | Runner | Purpose | +|------|----------|--------|---------| +| Unit | `unit/` | JUnit | Test logic in isolation (DataProvider, FilterState, PluginUtils) | +| UI (SWTBot) | `ui/` | SWTBot + JUnit | Test full plugin behavior inside a headless Eclipse instance | +| Integration | `integration/` | JUnit | Test authentication and API connectivity against a real Checkmarx One tenant | + +### CI Triggers + +- All tests run on **every PR to `main`** via GitHub Actions (`.github/workflows/ci.yml`) +- UI tests run on **Ubuntu** with **Xvfb** (virtual display) +- Integration tests require secrets: `CX_BASE_URI`, `CX_TENANT`, `CX_APIKEY`, `CX_TEST_SCAN` + +### Coverage + +- JaCoCo coverage reports generated per run +- Reports uploaded as GitHub Actions artifacts +- Coverage badge auto-generated via `cicirello/jacoco-badge-generator` + +--- + +## External Integrations + +| Integration | Purpose | How | +|-------------|---------|-----| +| **Checkmarx One Platform** | Fetch projects, branches, scans, results; submit triage | Via `ast-cli-java-wrapper` (wraps the Checkmarx CLI binary) | +| **JGit** | Detect current git branch to auto-select in branch combo | `RefsChangedListener` on local repo | +| **Eclipse Marketplace** | Plugin distribution and install | p2 update site published on release | +| **Codebashing** | Remediation lesson links per vulnerability | REST call to Checkmarx Codebashing API | + +--- + +## Deployment + +### Release Process + +Releases are created via `.github/workflows/release.yml` (triggered manually or via `workflow_call`): + +1. Input: `tag` (semver), `jira_ticket`, optional `rbranch` for dev releases +2. Tycho builds the p2 update site into `com.checkmarx.eclipse.site/target/` +3. Site artifact is published as a GitHub Release +4. 
Dev releases are cleaned up automatically before publishing a stable release + +### Distribution + +- **Eclipse Marketplace:** [checkmarx-ast-plugin](https://marketplace.eclipse.org/content/checkmarx-ast-plugin) +- **p2 Update Site:** published as a GitHub Release asset + +### Install (End Users) + +``` +Help → Install New Software → Add repository URL (GitHub Release asset) +``` + +--- + +## Security & Access + +- **API Key authentication:** Users configure a Checkmarx One API key in `Window → Preferences → Checkmarx`. The key is stored in the Eclipse secure preferences store. +- **Required roles:** `ast-scanner` (composite role) + `default-roles` IAM role on the Checkmarx One tenant. +- **No credentials in code:** All secrets are injected at runtime via preferences or environment variables (CI). Never commit API keys or tokens. +- **TLS:** All communication with Checkmarx One is HTTPS, enforced by the CLI wrapper. +- **Triage permissions:** Triage actions (severity/state changes) require the user's API key to have write permissions on the project. + +--- + +## Logging + +The plugin uses two logging mechanisms — use the right one for the right context: + +| Logger | Class | Output | When to use | +|--------|-------|--------|-------------| +| `CxLogger` | `com.checkmarx.eclipse.utils.CxLogger` | Eclipse Error Log view + `.metadata/.log` | All plugin-level log messages | +| SLF4J | `org.slf4j.Logger` | No-op inside OSGi (dropped) | Only for passing to `CxWrapper` internals | + +**Usage:** +```java +CxLogger.info("Loading results for scan: " + scanId); +CxLogger.error("Failed to fetch projects: " + e.getMessage(), e); +CxLogger.warning("Could not fetch platform states: " + e.getMessage()); +``` + +**Viewing logs:** +- Eclipse IDE: `Window → Show View → Error Log` +- File: `/.metadata/.log` + +--- + +## Debugging Steps + +### Plugin not loading + +1. Check `Window → Show View → Error Log` for bundle activation errors +2. 
Verify Java 17 is set as the JRE: `Window → Preferences → Java → Installed JREs` +3. Confirm the plugin is enabled: `Help → About Eclipse → Installation Details` + +### Authentication failures + +1. Verify API key in `Window → Preferences → Checkmarx` — click **Authenticate** +2. Check Error Log for `CxLogger` messages containing `authentication` or `CxException` +3. Confirm the API key has `ast-scanner` + `default-roles` roles on the tenant + +### No results / empty tree + +1. Confirm project, branch, and scan ID are selected in the top combos +2. Check filter state — all severity filters may be disabled (toolbar toggle buttons) +3. Check Error Log for errors from `DataProvider.getResultsForScanId()` + +### UI not updating after filter change + +1. Confirm you are on a build that includes the AST-136035 fix +2. If the tree collapses entirely, check that `FILTER_CHANGED` calls `updateResultsTree(..., true)` + +### Custom state dropdown overflow + +1. Fixed in AST-137779 — ensure you are on a build that includes the `truncate()` fix in `ActionFilterStatePreference` + +### Running UI tests locally (Linux) + +```bash +Xvfb -ac :99 -screen 0 1920x1080x16 & +export DISPLAY=:99.0 +mvn verify -Dtest.includes="**/ui/*.java" \ + -DCX_BASE_URI=$CX_BASE_URI \ + -DCX_TENANT=$CX_TENANT \ + -DCX_APIKEY=$CX_APIKEY \ + -DCX_TEST_SCAN=$CX_TEST_SCAN +``` + +--- + +## Known Issues + +| Issue | Ticket | Status | +|-------|--------|--------| +| Severity filter clears description/attack vector panels | AST-136035 | Fixed | +| Severity filter collapses entire results tree | AST-136035 | Fixed | +| Authentication logs not routed to Eclipse Error Log | AST-136023 | Fixed | +| Custom State dropdown occupies entire screen | AST-137779 | Fixed | +| Scan ID combo overflows window on small screens | AST-136035 | Fixed | +| New scan ID not marked as latest in scan list after notification | AST-137779 | Open | + +--- + +*Generated for AST-146800 · Checkmarx Integrations Team* 
From 992bf4156a01c9b58c6eadc8432c3d7d807516aa Mon Sep 17 00:00:00 2001 From: Noam Brendel <139764378+cx-noam-brendel@users.noreply.github.com> Date: Mon, 27 Apr 2026 12:18:25 +0300 Subject: [PATCH 2/5] CISO-920: remove broken Teams notify job (secret CXONE_SCAN_WEBHOOK_URL not set) (#250) The notify job references secrets.CXONE_SCAN_WEBHOOK_URL which does not exist in this repo or at org level, causing the step to fail silently. Ref: https://checkmarx.atlassian.net/browse/CISO-920 Ref: https://checkmarx.atlassian.net/browse/CISO-815 --- .github/workflows/ast-scan.yml | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/.github/workflows/ast-scan.yml b/.github/workflows/ast-scan.yml index 7baed0d..8efc927 100644 --- a/.github/workflows/ast-scan.yml +++ b/.github/workflows/ast-scan.yml 
@@ -21,20 +21,4 @@ jobs: cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }} cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }} cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }} - additional_params: --tags phoenix --file-filter !checkmarx-ast-eclipse-plugin-tests/ --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1" - - - notify: - needs: cx-scan - uses: Checkmarx/plugins-release-workflow/.github/workflows/cxone-scan-teams-notify.yml@38cf7ab29e5021bb817ac38bdae3ac0fb210608c - if: always() - with: - cx_result: ${{ needs.cx-scan.result }} - repository: ${{ github.repository }} - ref_name: ${{ github.ref_name }} - actor: ${{ github.actor }} - event_name: ${{ github.event_name }} - run_id: ${{ github.run_id }} - server_url: ${{ github.server_url }} - secrets: - teams_webhook_url: ${{ secrets.CXONE_SCAN_WEBHOOK_URL }} + additional_params: --tags phoenix --file-filter !checkmarx-ast-eclipse-plugin-tests/ --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1" From 885d96aa61499dbb687a02472da67618d8c6b42b Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Fri, 22 May 2026 12:41:11 -0400 Subject: [PATCH 3/5] [StepSecurity] Apply security best practices (#251) 
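Review bot: The single `+` line, `additional_params: --tags phoenix ...`, is byte-identical to the `-` line it replaces, so this hunk presumably only changes trailing whitespace or the end-of-file newline; stating that in the commit message would stop a reader from looking for a threshold change that is not there. With the `notify` job gone, a `--threshold` failure from this scan now surfaces only in the Actions run itself, so the file should say who watches it, e.g. `# No chat notification: threshold failures are visible only in the Actions run`. As a point of style, this value is a 250-character plain scalar that mixes `!` and embedded double quotes; a folded block `additional_params: >-` with one flag per line would be easier to read and to diff.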
Signed-off-by: StepSecurity Bot Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com> --- .github/workflows/ast-scan.yml | 2 +- .github/workflows/auto-merge.yml | 2 +- .github/workflows/ci.yml | 30 +++++++++++------------ .github/workflows/delete-dev-releases.yml | 2 +- .github/workflows/manual-tag.yml | 9 +++++-- .github/workflows/nightly.yml | 2 +- .github/workflows/pr-label.yml | 2 +- .github/workflows/release.yml | 6 ++--- .github/workflows/update-cli.yml | 7 ++++-- 9 files changed, 35 insertions(+), 27 deletions(-) diff --git a/.github/workflows/ast-scan.yml b/.github/workflows/ast-scan.yml index 8efc927..22bd5da 100644 --- a/.github/workflows/ast-scan.yml +++ b/.github/workflows/ast-scan.yml @@ -10,7 +10,7 @@ on: jobs: cx-scan: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 365aa5c..2d6b01e 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -6,7 +6,7 @@ permissions: jobs: dependabot-merge: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 if: contains(github.head_ref, 'other/update_java_wrapper') steps: - name: Enable auto-merge for Dependabot PRs diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ed289f2..164d587 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
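Review bot: `runs-on: cx-public-ubuntu-x64` replaces the GitHub-hosted `ubuntu-latest` in ast-scan.yml and auto-merge.yml here, and the same swap recurs in ci.yml, delete-dev-releases.yml, nightly.yml, pr-label.yml, release.yml and update-cli.yml in this commit. That label is not a GitHub-hosted image, so every job now queues indefinitely if the label is not registered for this repository, and each job's isolation depends on that runner pool rather than on a fresh VM. At least auto-merge.yml runs on `pull_request` (its `on: [pull_request]` is visible in the deleted file in the last patch), so the pool should be ephemeral, single-use runners; otherwise checked-out PR code shares a machine with later jobs. A comment above the first occurrence would record that decision, e.g. `runs-on: cx-public-ubuntu-x64  # Checkmarx-managed ephemeral runner pool, see <RUNNER_DOC_PLACEHOLDER>`.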
@@ -7,18 +7,18 @@ on: jobs: ui-tests: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: lfs: true - name: Checkout LFS objects run: git lfs checkout - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: temurin java-version: 17 - - uses: actions/cache@v3 + - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} @@ -34,7 +34,7 @@ jobs: Xvfb -ac :99 -screen 0 1920x1080x16 & mvn verify -Dtest.includes="**/ui/*.java" - name: Upload Coverage Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: jacoco-coverage-report-ui path: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate @@ -44,18 +44,18 @@ jobs: jacoco-csv-file: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate/jacoco.csv generate-summary: true integration-tests: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: lfs: true - name: Checkout LFS objects run: git lfs checkout - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: temurin java-version: 17 - - uses: actions/cache@v3 + - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 
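Review bot: The SHA pins in this hunk (and in the `-44` and `-81` hunks of ci.yml and the `-75` hunk of release.yml) freeze `actions/checkout` at v3.5.2 and `actions/cache` at v3.5.0, while ast-scan.yml already uses checkout v4.1.1 and update-cli.yml is pinned to v4.1.7 in this same commit. Pinning is right, but pinning the old major keeps checkout on its Node 16 runtime, so the deprecation warnings continue and the pin will have to be redone; bumping to the v4 SHA the repo already uses, `- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`, keeps all workflows on one version. The `actions/cache` v3.5.0 pin is likely in the same position, though I cannot confirm its runtime from the page. The trailing `# vX.Y.Z` comments are what pin-bumping tooling reads, so they must match the commit the SHA actually resolves to.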
@@ -71,7 +71,7 @@ jobs: Xvfb -ac :99 -screen 0 1920x1080x16 & mvn verify -Dtest.includes="**/integration/*Test.java" - name: Upload Coverage Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: jacoco-coverage-report-integration path: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate @@ -81,18 +81,18 @@ jobs: jacoco-csv-file: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate/jacoco.csv generate-summary: true unit-tests: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: lfs: true - name: Checkout LFS objects run: git lfs checkout - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: temurin java-version: 17 - - uses: actions/cache@v3 + - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} @@ -108,7 +108,7 @@ jobs: Xvfb -ac :99 -screen 0 1920x1080x16 & mvn clean verify -Dtest.includes="**/unit/**/*Test.java" - name: Upload Coverage Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: jacoco-coverage-report-unit path: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate diff --git a/.github/workflows/delete-dev-releases.yml b/.github/workflows/delete-dev-releases.yml index 77d64f7..d64be7a 100644 --- a/.github/workflows/delete-dev-releases.yml +++ b/.github/workflows/delete-dev-releases.yml @@ -20,7 +20,7 @@ permissions: jobs: delete: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - name: Delete releases and tags diff --git a/.github/workflows/manual-tag.yml b/.github/workflows/manual-tag.yml index cd27756..fb08413 100644 
--- a/.github/workflows/manual-tag.yml +++ b/.github/workflows/manual-tag.yml @@ -7,12 +7,17 @@ on: description: 'Next release tag' required: true +permissions: + contents: read + jobs: tag-creation: - runs-on: ubuntu-latest + permissions: + contents: write # for Git to git push + runs-on: cx-public-ubuntu-x64 steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} - name: Tag diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 4335898..78956ca 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -7,7 +7,7 @@ on: jobs: set_tag: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 outputs: tag_name: ${{ steps.tagname.outputs.tag_name }} steps: diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml index 188fa9c..6c09bd3 100644 --- a/.github/workflows/pr-label.yml +++ b/.github/workflows/pr-label.yml @@ -10,7 +10,7 @@ jobs: pr-labeler: permissions: pull-requests: write # for TimonVS/pr-labeler-action to add labels in PR - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - uses: TimonVS/pr-labeler-action@8b99f404a073744885d8021d1de4e40c6eaf38e2 # v4 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 07a13d3..c97bd1b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,7 +38,7 @@ jobs: secrets: inherit if: inputs.rbranch release: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 outputs: TAG_NAME: ${{ steps.generate_tag_name.outputs.TAG_NAME }} CLI_VERSION: ${{ steps.set_outputs.outputs.CLI_VERSION }} 
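Review bot: The job-level `contents: write # for Git to git push` grant is probably redundant in manual-tag.yml: the checkout step on the next lines passes `token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}`, and actions/checkout persists that token in the clone's git config unless `persist-credentials: false` is set, so the later push in the `Tag` step (whose body lies outside the hunk) authenticates with the PAT, not with `GITHUB_TOKEN`. Either drop the override so the new top-level `contents: read` applies and the PAT remains the only writer, or — preferably — drop the PAT and let `GITHUB_TOKEN` push with `contents: write`, keeping in mind that a tag pushed with `GITHUB_TOKEN` does not trigger other workflows, which may be why the PAT is there. Whichever is kept, the comment should name the actual credential, e.g. `contents: write # tag push uses GITHUB_TOKEN; PERSONAL_ACCESS_TOKEN no longer needed`.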
@@ -75,13 +75,13 @@ jobs: echo "TAG_NAME=$GH_RELEASE_TAG_NAME" >> $GITHUB_OUTPUT - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: temurin java-version: 17 - name: Cache local Maven repository - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml index 15bf280..367fc93 100644 --- a/.github/workflows/update-cli.yml +++ b/.github/workflows/update-cli.yml @@ -4,11 +4,14 @@ on: repository_dispatch: types: [java-wrapper-version-update] +permissions: + contents: read + jobs: update-checkmarx-cli: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: lfs: true From 2f1d99899f2d5781acc5ea06e87c7866a4bc80a9 Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Fri, 29 May 2026 21:12:18 -0400 Subject: [PATCH 4/5] [StepSecurity] Apply security best practices (#252) Signed-off-by: StepSecurity Bot Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com> --- .github/workflows/auto-merge.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/update-cli.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 2d6b01e..9347843 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml 
@@ -15,6 +15,6 @@ jobs: GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }} run: gh pr merge --auto --squash "$PR_URL" - name: Auto approve dependabot PRs - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 #v4 + uses: step-security/auto-approve-action@0c28339628c8e79ab2f6813291e7e6cd584b4d30 # v4.0.0 with: github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c97bd1b..3056146 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -106,7 +106,7 @@ jobs: echo "::set-output name=CLI_VERSION::${{ env.CLI_VERSION }}" - name: Release - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 + uses: step-security/action-gh-release@277bfa82abcfdb73e5bbb19e213fd76532ee2be5 # v3.0.0 with: tag_name: ${{ env.GH_RELEASE_TAG_NAME }} generate_release_notes: true diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml index 367fc93..0bc3247 100644 --- a/.github/workflows/update-cli.yml +++ b/.github/workflows/update-cli.yml @@ -76,7 +76,7 @@ jobs: - name: Create Pull Request if: steps.ast-cli-java-wrapper.outputs.current_tag != steps.ast-cli-java-wrapper.outputs.release_tag - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c #v6.1.0 + uses: step-security/create-pull-request@50c103da2b9ca12cd5bc013fc6931051a5aa872b # v8.1.1 with: token: ${{ secrets.AUTOMATION_TOKEN }} commit-message: Update ast-cli-java-wrapper to ${{ steps.ast-cli-java-wrapper.outputs.release_tag }} From 33b6352227b25a50a44ddb0ba90f882875f3b663 Mon Sep 17 00:00:00 2001 From: Alon Rosenhek <80337069+cx-alon-rosenhek@users.noreply.github.com> Date: Tue, 16 Jun 2026 20:30:13 +0300 Subject: [PATCH 5/5] remove dependabot (#254) --- .github/workflows/auto-merge.yml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 .github/workflows/auto-merge.yml 
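Review bot: These three hunks swap `hmarr/auto-approve-action`, `softprops/action-gh-release` and `peter-evans/create-pull-request` for `step-security/*` forks, and each of those steps runs with a long-lived credential (`PERSONAL_ACCESS_TOKEN`, the release job's publishing credentials, `AUTOMATION_TOKEN`), so the maintainer trusted to approve PRs, publish releases and open PRs changes in one commit. The description says only "apply security best practices"; it should name the policy this follows and confirm that each pinned SHA resolves to the tag in its trailing comment (`# v4.0.0`, `# v3.0.0`, `# v8.1.1`), since the comment is all a later reader has. Two of the swaps are also major bumps (action-gh-release from a v1 pin to v3.0.0, create-pull-request from v6.1.0 to v8.1.1), so inputs such as `generate_release_notes: true` and `commit-message` should be checked against the forks' changelogs rather than assumed compatible.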
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml deleted file mode 100644 index 9347843..0000000 --- a/.github/workflows/auto-merge.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: Post-Check Actions -on: [pull_request] - -permissions: - contents: write - -jobs: - dependabot-merge: - runs-on: cx-public-ubuntu-x64 - if: contains(github.head_ref, 'other/update_java_wrapper') - steps: - - name: Enable auto-merge for Dependabot PRs - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }} - run: gh pr merge --auto --squash "$PR_URL" - - name: Auto approve dependabot PRs - uses: step-security/auto-approve-action@0c28339628c8e79ab2f6813291e7e6cd584b4d30 # v4.0.0 - with: - github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}