checkmarx-ts / checkmarx-github-action

Checkmarx Scan Github Action


Can't use Kubernetes secrets instead of GitHub secrets

donohoel opened this issue · comments

Hello,

I have created a workflow using the Checkmarx Full Scan GHA. Since our runners are self-hosted in Kubernetes, I wanted to add the cxUsername and cxPassword variables as secrets in Kubernetes so it's accessible from all repositories rather than having to add them as GitHub secrets to our many repositories. The relevant parts of the workflow are here:

env:
  GITHUB_REPOSITORY: ***
  CX_USER: $CHECKMARX_USERNAME
  CX_PASSWORD: $CHECKMARX_PASSWORD

jobs:
  run-full-checkmarx:
    runs-on: self-hosted
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Checkmarx Full Scan
        uses: checkmarx-ts/checkmarx-github-action@v1.0.3
        with:
          cxServer: ***
          cxUsername: ${{ env.CX_USER }}
          cxPassword: ${{ env.CX_PASSWORD }}
          cxTeam: ***
          cxReportPDF: '***.pdf'
          cxProject: ${{ env.GITHUB_REPOSITORY }}

As with the cxProject variable where I have referred to a global variable and it has been accepted by the action, the login portion does not work. I have tried adding the variables as both global (above) and step envs but neither allows me to log into Checkmarx.

Any help/advice/corrections would be much appreciated 😊

@donohoel what is the error that you get in the CLI?

[2021-03-09 17:17:23,376 ERROR] Fail to login with credentials: User authentication failed
[2021-03-09 17:17:23,379 INFO ] Attempt #1 - Error occurred during Login
[2021-03-09 17:17:23,379 INFO ] Logging into Checkmarx server.
[2021-03-09 17:17:23,528 ERROR] Fail to login with credentials: User authentication failed
[2021-03-09 17:17:23,529 INFO ] Attempt #2 - Error occurred during Login
[2021-03-09 17:17:23,529 INFO ] Logging into Checkmarx server.
[2021-03-09 17:17:23,678 ERROR] Fail to login with credentials: User authentication failed
[2021-03-09 17:17:23,678 INFO ] Attempt #3 - Error occurred during Login
[2021-03-09 17:17:23,678 INFO ] Logging into Checkmarx server.
[2021-03-09 17:17:23,828 ERROR] Fail to login with credentials: User authentication failed
[2021-03-09 17:17:23,829 ERROR] Error executing SAST scan command: com.checkmarx.cxconsole.commands.job.exceptions.CLIJobException: Unsuccessful login.
[2021-03-09 17:17:23,829 INFO ] CxConsole session finished
[2021-03-09 17:17:23,829 ERROR] Failure - Login Failed - error code 4
Error: Failed to execute command : The process '**/cxcli/runCxConsole.sh' failed with exit code 4

@donohoel what CLI version and Checkmarx version are you using? Can your runner reach the Checkmarx server?

The runner can reach the server. When I use the username and password stored in GitHub secrets, it works just fine and the scan completes successfully. See the logs:

[2021-03-09 17:17:22,794 INFO ] Trying to reach Checkmarx server, response code: 200
[2021-03-09 17:17:22,795 INFO ] Server connectivity test succeeded to: ***

cxVersion: 8.9
CxConsole version 8.90.2

I'm not sure how to find the CLI version but I'm using the checkmarx-ts/checkmarx-github-action@v1.0.3 action.

@donohoel according to this issue https://github.community/t/how-to-use-env-context/16975 it seems to be an issue with the GitHub Actions yml convention.
You need to pass the environment variables into the step before using them, for example:

env:
  GITHUB_REPOSITORY: ***
  CX_USER: $CHECKMARX_USERNAME
  CX_PASSWORD: $CHECKMARX_PASSWORD

jobs:
  run-full-checkmarx:
    runs-on: self-hosted
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Checkmarx Full Scan
        uses: checkmarx-ts/checkmarx-github-action@v1.0.5
        env:
          GITHUB_REPOSITORY: ${{ env.GITHUB_REPOSITORY }}
          CX_USER: ${{ env.CX_USER }}
          CX_PASSWORD: ${{ env.CX_PASSWORD }}
        with:
          cxServer: ***
          cxUsername: $CX_USER
          cxPassword: $CX_PASSWORD
          cxTeam: ***
          cxReportPDF: '***.pdf'
          cxProject: $GITHUB_REPOSITORY

Please also update the version from v1.0.3 to v1.0.5 or master

@miguelfreitas93 I've updated the action and tried your suggestion but am now getting the following error:

[2021-03-10T10:11:03,461 INFO ] Initializing Cx client [2021.1.133]
[2021-03-10T10:11:04,354 INFO ] Checkmarx server version [9.2.0.41015]. Hotfix [8].
[2021-03-10T10:11:04,355 INFO ] Logging into the Checkmarx service.
[2021-03-10T10:11:04,932 ERROR] com.cx.restclient.exception.CxClientException: Failed to generate access token, failure error was: Status code: 400, message: 'Failed to authenticate', response body: "error":"invalid_grant","error_description":"invalid_username_or_password"

I have double checked that the username and password in Kubernetes are correct, so I'm not sure why there's a different error now. I'm unsure if the GitHub yaml convention is the issue, as the problem is only with the $CX_USER and $CX_PASSWORD envs and not with $GITHUB_REPOSITORY.

@donohoel that is related to the version of the CLI you're using; by default the 2021.1.1 version is used, which is not compatible with 8.X Checkmarx versions.
To solve that you need to specify "cxVersion: 8.9" in your action:

env:
  GITHUB_REPOSITORY: ***
  CX_USER: $CHECKMARX_USERNAME
  CX_PASSWORD: $CHECKMARX_PASSWORD

jobs:
  run-full-checkmarx:
    runs-on: self-hosted
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Checkmarx Full Scan
        uses: checkmarx-ts/checkmarx-github-action@v1.0.5
        env:
          GITHUB_REPOSITORY: ${{ env.GITHUB_REPOSITORY }}
          CX_USER: ${{ env.CX_USER }}
          CX_PASSWORD: ${{ env.CX_PASSWORD }}
        with:
          cxServer: ***
          cxUsername: $CX_USER
          cxPassword: $CX_PASSWORD
          cxTeam: ***
          cxReportPDF: '***.pdf'
          cxProject: $GITHUB_REPOSITORY
          cxVersion: 8.9

@miguelfreitas93 I managed to get it working but I had to add an extra step to save the variables like so:

- name: Set env
  run: |
    echo "CX_USER=$CHECKMARX_USERNAME" >> $GITHUB_ENV
    echo "CX_PASSWORD=$CHECKMARX_PASSWORD" >> $GITHUB_ENV

Thank you so much for your help 😊
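The working fix above copies runner-side secrets into $GITHUB_ENV with a plain echo. The helper below is an added example, not code from this issue or from the checkmarx-github-action project; it assumes the Kubernetes-injected variable names CHECKMARX_USERNAME and CHECKMARX_PASSWORD from the thread, fails the step immediately on an empty value (instead of surfacing later as "User authentication failed"), and writes values containing a newline in the heredoc delimiter form so a multi-line secret cannot be parsed by the runner as extra variable assignments.

```shell
#!/bin/sh
# Added example (not from the issue or the checkmarx-github-action project).
# Exports runner-side environment variables (e.g. Kubernetes secrets injected
# into a self-hosted runner pod) into $GITHUB_ENV so that later steps can read
# them as ${{ env.NAME }} or $NAME.
set -eu

# Write NAME=VALUE into the file named by $GITHUB_ENV.
# - empty values are rejected so a missing/unmounted secret fails the job here;
# - values containing a newline use the "NAME<<DELIM ... DELIM" form, because
#   "echo NAME=$VALUE >> $GITHUB_ENV" would let the extra lines be read as
#   further, unintended variable assignments.
export_to_github_env() {
  name="$1"
  value="$2"
  target="${GITHUB_ENV:?GITHUB_ENV is not set; run this inside a job step}"
  nl='
'
  if [ -z "$value" ]; then
    # Workflow command: shows up as an error annotation in the job log.
    echo "::error::$name is empty; check the secret mounted into the runner"
    return 1
  fi
  case "$value" in
    *"$nl"*)
      # Delimiter that will not occur in a credential value.
      delim="EOF_$(date +%s)_$$"
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$target"
      ;;
    *)
      printf '%s=%s\n' "$name" "$value" >> "$target"
      ;;
  esac
}

# Map the assumed runner-side names (CHECKMARX_USERNAME / CHECKMARX_PASSWORD,
# as in the issue) to the names the workflow expects (CX_USER / CX_PASSWORD).
export_checkmarx_credentials() {
  export_to_github_env CX_USER "${CHECKMARX_USERNAME:-}"
  export_to_github_env CX_PASSWORD "${CHECKMARX_PASSWORD:-}"
}
```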