From a79aa5b9e588868b6435bca98f7f548da8a161b6 Mon Sep 17 00:00:00 2001
From: PauloNova8 <151679174+PauloNova8@users.noreply.github.com>
Date: Tue, 23 Apr 2024 17:51:41 -0300
Subject: [PATCH] Add new yaml file
---
.github/workflows/mobb-checkmarx.yaml | 54 +++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 .github/workflows/mobb-checkmarx.yaml
diff --git a/.github/workflows/mobb-checkmarx.yaml b/.github/workflows/mobb-checkmarx.yaml
new file mode 100644
index 00000000..a5e16232
--- /dev/null
+++ b/.github/workflows/mobb-checkmarx.yaml
@@ -0,0 +1,54 @@
+# Mobb/Checkamrx Fixer on pull requests
+# This workflow defines the needed steps to run Checkmarx on every pull request and pass the results to Mobb Fixer.
+#
+# Secrets in use (add your missing ones):
+# CX_TENANT - your Checkmarx tenant name (found in your Checkmarx settings)
+# CX_API_TOKEN - your Checkmarx credentials (find how to get it here: https://checkmarx.com/resource/documents/en/34965-68775-generating-a-refresh-token--api-key-.html)
+# CX_BASE_URI - your Checkmarx app url, e.g. "https://ast.checkmarx.net/"
+# CX_BASE_AUTH_URI - your Checkmarx auth url, e.g. "https://iam.checkmarx.net/"
+# MOBB_API_TOKEN - your mobb user credentials (autumatially set if you used the Mobb app to configure the integration)
+# GITHUB_TOKEN - automatically set by GitHub
+
+name: "Mobb/Checkmarx"
+
+on:
+ pull_request:
+ branches: ["*"]
+
+jobs:
+ scan-and-fix:
+ name: Scan with Checkmarx and fix with Mobb
+ runs-on: 'ubuntu-latest'
+ timeout-minutes: 360
+ permissions:
+ pull-requests: write
+ statuses: write
+ contents: read
+ actions: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Download and configure Checkmarx CLI
+ run: |
+ wget https://github.com/Checkmarx/ast-cli/releases/download/2.0.54/ast-cli_2.0.54_linux_x64.tar.gz -O checkmarx.tar.gz
+ tar -xf checkmarx.tar.gz
+ ./cx configure set --prop-name cx_apikey --prop-value ${{ secrets.CX_API_TOKEN }}
+ ./cx configure set --prop-name cx_base_auth_uri --prop-value ${{ secrets.CX_BASE_AUTH_URI }}
+ ./cx configure set --prop-name cx_base_uri --prop-value ${{ secrets.CX_BASE_URI }}
+ ./cx configure set --prop-name cx_tenant --prop-value ${{ secrets.CX_TENANT }}
+ shell: bash -l {0}
+
+ - name: Run Checkmarx SAST scan
+ run: ./cx scan create --project-name ${{ github.repository }} -s ./ --report-format json --scan-types sast --branch nobranch --threshold "sast-high=1; sast-medium=1; sast-low=1"
+ shell: bash -l {0}
+
+ - name: Run Mobb on the findings and get fixes
+ if: always()
+ uses: mobb-dev/action/review@v1.1
+ with:
+ report-file: cx_result.json
+ api-key: ${{ secrets.MOBB_API_TOKEN }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ scanner: checkmarx
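Review bot: The four `./cx configure set` lines in the "Download and configure Checkmarx CLI" step expand `${{ secrets.* }}` directly into the shell script, so each credential is passed as a process argument that is readable from the runner's process table and can be echoed by `bash -l` if a login profile enables command tracing, neither of which GitHub's log masking covers. Supply the secrets through an `env:` block on the step and reference them as quoted shell variables instead, as in the excerpt below. The same step fetches the `ast-cli` tarball with `wget` and runs `tar -xf` on it with no integrity check, so a `sha256sum -c` against the checksum published for release 2.0.54 should sit between the download and the extraction; likewise `actions/checkout@v3` and `mobb-dev/action/review@v1.1` are mutable tags that would be safer pinned to a full commit SHA. Two smaller points: the header comment misspells "Checkmarx" as "Checkamrx" and "automatically" as "autumatially", and `if: always()` on the Mobb step also runs when the job is cancelled, where `if: ${{ !cancelled() }}` keeps the intended run-on-scan-failure behaviour without that.
```yaml
      - name: Download and configure Checkmarx CLI
        env:
          CX_API_TOKEN: ${{ secrets.CX_API_TOKEN }}
          CX_BASE_AUTH_URI: ${{ secrets.CX_BASE_AUTH_URI }}
          CX_BASE_URI: ${{ secrets.CX_BASE_URI }}
          CX_TENANT: ${{ secrets.CX_TENANT }}
        run: |
          wget https://github.com/Checkmarx/ast-cli/releases/download/2.0.54/ast-cli_2.0.54_linux_x64.tar.gz -O checkmarx.tar.gz
          # <EXPECTED_SHA256> is a placeholder: take it from the release's published checksum file
          echo "<EXPECTED_SHA256>  checkmarx.tar.gz" | sha256sum -c -
          tar -xf checkmarx.tar.gz
          ./cx configure set --prop-name cx_apikey --prop-value "$CX_API_TOKEN"
          ./cx configure set --prop-name cx_base_auth_uri --prop-value "$CX_BASE_AUTH_URI"
          ./cx configure set --prop-name cx_base_uri --prop-value "$CX_BASE_URI"
          ./cx configure set --prop-name cx_tenant --prop-value "$CX_TENANT"
        shell: bash -l {0}
      # … unchanged: scan step and Mobb step …
```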