
Configuration of Checkmarx (BYOR).

To enable sending scan results from SAFE to Checkmarx, add "checkmarx" to the list of outputs in config.json.

Enabling Checkmarx.

config.json
{
  "output": ["stdio", "checkmarx"],
  "version": "1.0",
  "project": {
    "type": "erlang",
    "name": "erlang_project",
    "appbases": [
      "_build/default/lib"
    ],
    "excludes": [
      "/test/"
    ],
    "includes": [
      "apps/services/include",
      "apps/custom_cmd/include",
      "apps/config/include",
      "apps/alarms/include"
    ],
    "extra_paths": [
      "apps/plugin/priv"
    ]
  }
}

Define the environment variables for the Checkmarx API

In your CI/CD pipeline, define a job specifically for the security audit tool (e.g., security-check), as shown in the GitHub Actions example below, and add the following environment variables to it.

These are the environment variables required for results to be sent to Checkmarx.

        env:
          SAFE_LICENSE: ${{ secrets.SAFE_LICENSE }}
          CHECKMARX_API_KEY: ${{ secrets.CHECKMARX_API_KEY }}
          CHECKMARX_PROJECT_ID: ${{ secrets.CHECKMARX_PROJECT_ID }}
          CHECKMARX_TENANT_ACCOUNT_NAME: ${{ secrets.CHECKMARX_TENANT_ACCOUNT_NAME }}
          CHECKMARX_REGION: ${{ secrets.CHECKMARX_REGION }}

GitHub Actions

config.yml
name: Erlang CI

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

# Least privilege: the workflow only needs to read the repository.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - uses: erlef/setup-beam@v1
        with:
          otp-version: '24'
          rebar3-version: '3.20.0'
      - name: Compile
        run: rebar3 compile

      # v4 of the artifact actions is used here; v3 has been deprecated by GitHub.
      - name: Upload _build directory
        uses: actions/upload-artifact@v4
        with:
          name: build-artifact
          path: _build

  security-check:
    runs-on: ubuntu-latest
    needs: build
    container:
      image: erlangsolutions/safe:1.0.1-otp-24
    steps:
      # Check out before downloading the artifact: actions/checkout cleans the
      # workspace when it runs, which would discard an already downloaded _build.
      - uses: actions/checkout@v4

      - name: Download _build directory
        uses: actions/download-artifact@v4
        with:
          name: build-artifact
          path: _build

      - run: safe start
        env:
          SAFE_LICENSE: ${{ secrets.SAFE_LICENSE }}
          CHECKMARX_API_KEY: ${{ secrets.CHECKMARX_API_KEY }}
          CHECKMARX_PROJECT_ID: ${{ secrets.CHECKMARX_PROJECT_ID }}
          CHECKMARX_TENANT_ACCOUNT_NAME: ${{ secrets.CHECKMARX_TENANT_ACCOUNT_NAME }}
          CHECKMARX_REGION: ${{ secrets.CHECKMARX_REGION }}

      - name: Persist results
        uses: actions/upload-artifact@v4
        with:
          name: project-safe-results
          path: _results/<<Project_Name>>.safe

Info

The value of CHECKMARX_REGION must be one of: us, us2, eu, eu2, deu, anz, ind, sng, uae

Info

The CHECKMARX_TENANT_ACCOUNT_NAME can be found in the Account Settings screen in the web portal.

The CHECKMARX_PROJECT_ID can be found on the project page.
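As an added example that is not part of SAFE or of the workflow above, the following POSIX sh script (hypothetical file name preflight.sh) can run in the security-check job right before safe start. It checks that "checkmarx" is listed in the output array of config.json, that the five variables above are set, and that CHECKMARX_REGION is one of the documented region codes. It prints only the names of missing variables, never their values, so nothing secret reaches the job log. The config file path and the script name are assumptions for the example.

```shell
#!/bin/sh
# preflight.sh (added example, not part of SAFE): fail the security-check job
# early, before `safe start`, when the Checkmarx output is not wired up.
# Only the names of missing variables are printed, never their values.

# Region codes documented for CHECKMARX_REGION.
VALID_REGIONS="us us2 eu eu2 deu anz ind sng uae"

# Variables SAFE needs in order to send results to Checkmarx.
REQUIRED_ENV="SAFE_LICENSE CHECKMARX_API_KEY CHECKMARX_PROJECT_ID \
CHECKMARX_TENANT_ACCOUNT_NAME CHECKMARX_REGION"

# Succeeds when "checkmarx" is listed in the "output" array of the config file
# given as $1. Whitespace is stripped first so the check does not depend on
# how the JSON is formatted (a heuristic, not a full JSON parse).
config_has_checkmarx_output() {
    tr -d ' \t\n\r' < "$1" 2>/dev/null | grep -q '"output":\[[^]]*"checkmarx"'
}

# Succeeds when $1 is one of the documented region codes.
region_is_valid() {
    for r in $VALID_REGIONS; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# Prints one line per required variable that is unset or empty (names only).
missing_env() {
    for name in $REQUIRED_ENV; do
        eval "val=\${$name:-}"
        [ -z "$val" ] && echo "$name"
    done
    return 0
}

# Runs every check against the config file given as $1; returns 1 on any problem.
preflight() {
    rc=0
    if ! config_has_checkmarx_output "$1"; then
        echo "preflight: \"checkmarx\" is not in the \"output\" list of $1" >&2
        rc=1
    fi
    for name in $(missing_env); do
        echo "preflight: $name is not set" >&2
        rc=1
    done
    if [ -n "${CHECKMARX_REGION:-}" ] && ! region_is_valid "$CHECKMARX_REGION"; then
        echo "preflight: CHECKMARX_REGION must be one of: $VALID_REGIONS" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone use from the workflow, before `safe start`:
#     sh preflight.sh config.json
if [ $# -gt 0 ]; then
    preflight "$1" || exit 1
fi
```

In the workflow this becomes one extra run step placed before the safe start step, with the same env block attached, so a missing secret or a typo in the region code fails the job with a clear message instead of a failed upload at the end of the scan.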

Screenshot: Project ID on the project page

After the CI run, the results are sent to Checkmarx and appear on the Risk Management page.

Screenshot: Results in Risk Management

The details of each vulnerability are also shown.

Screenshot: Vulnerability details