Configuring a Scan Task in Bamboo

The Atlassian Bamboo workflow uses the concept of a 'plan' with 'jobs' and 'tasks' to configure and order the actions in the workflow. A task is generally a small unit in a workflow, such as a source code checkout, running a script or parsing test results.

In our case, a task is a Checkmarx scan and a Checkmarx scan is configured from within Atlassian Bamboo.

The user who is running the Bamboo plugin scan must have both 'Scanner' and 'Reviewer' role permissions.

To access the Atlassian Bamboo account: 

  • Enter the Base Bamboo URL. The Build Dashboard window is displayed.

 

To create a plan:

 1. Click Log in and provide your user name and password. The Create menu becomes available.

 

 2. Refer to Creating a plan in the Bamboo documentation for further information.

To add a Checkmarx scan task to an existing plan:

If you want to use pre-configured defaults for your scan, select Use Global Setting. The global settings must be set up as described in Configuring the Checkmarx Bamboo Plugin Global Settings before you can start configuring this task.

 1. In the line of the respective project, click Edit.

    The plan's content (list of jobs) appears.

 2. Select the job to which you want to add the task, for example Test 4. You are asked to add a task.

 

 3. Click <Add Task>. The Task Types window is displayed.

 

 4. Select the Checkmarx task. The Checkmarx Task Configuration dialog is displayed.

 

 5. In the Checkmarx Task Configuration dialog, define the Checkmarx Configuration parameters listed in the table below.

Parameter / Description

Task Description

Enter a description for the task.

Disable this Task

Check to disable this task when the plan is next built.

Add Condition to Task

Check to add a condition to this task.


Checkmarx Server

Use Global Setting

Select Use Global Setting to use the default server credentials. Refer to Configuring the Checkmarx Bamboo Plugin Global Settings for further information.

Use Specific Setting

Select Use Specific Setting and then enter the server URL and credentials that override the default settings as outlined below.

Server URL

Enter the Checkmarx Server URL or IP address, with or without port, for example http://<server-name> or https://<ip address>:port.

Available only if Use Specific Setting is selected.

Username

Enter a login username.

Available only if Use Specific Setting is selected.

Password

Enter a login password.

Available only if Use Specific Setting is selected.

Enable Proxy

Check to enable a project scan via a proxy server.

<Connect to Server>

Click <Connect to Server> and wait until the credentials are validated and the Success status is indicated.

Available only if Use Specific Setting is selected.

Checkmarx Project Name

Enter the relevant project name. The project name is used in the CxSAST Server. In order to use an existing project, make sure the name is identical to the one in CxSAST and the project exists under the same team that you define.

Preset

Select a scan preset for the project. If the preset is not specified, the default preset will be used.

If the Preset list is not updated or empty, click <Connect to Server> to refresh the list.

Team

Enter the relevant team name for the project.



Checkmarx Scan CxSAST

Use Global Setting

Select Use Global Setting to use the default server credentials. Refer to Configuring the Checkmarx Bamboo Plugin Global Settings for further information.

Use Specific Setting

Select Use Specific Setting and then enter the server URL and credentials that override the default settings as outlined below.

Folder Exclusion

Define a comma separated list of folders to exclude from the scan. Entries in this list are automatically converted to exclude wildcard patterns and appended to the full pattern list provided in the Include/Exclude Wildcard Patterns section.

Available only if Use Specific Setting is selected.

Include / Exclude Wildcard Patterns

Define the include/exclude wildcard patterns as explained in the instructions under the field.

Available only if Use Specific Setting is selected.

Scan Timeout In Minutes

Define the scan timeout threshold.

Available only if Use Specific Setting is selected.

Comment

Enter an optional remark for the Checkmarx CxSAST scan. You may use Bamboo variables, e.g. ${bamboo.buildNumber} or ${bamboo.buildPlanName}, as part of the comment.

Available only if Use Specific Setting is selected.

Enable Incremental Scan

Check to enable incremental scan. This scans only new and modified files relative to the project's previous scan.

Schedule Interval-based Full Scans

Check to enable the scheduling of interval based full scans and define the required time range. When performing incremental scans, this option enables periodic full scans according to the defined time range. For example, this could be used to make sure that daily runs are incremental scans and nightly builds are full scans, without having to define separate jobs.

Available only if Enable Incremental Scan is selected.

Generate CxSAST PDF Report

Check to generate a CxSAST scan result report in PDF format. A link to the report becomes available in the scan results.

Available only if Enable Synchronous Mode is selected.



Dependency Scan

Enable Dependency Scan

Check to scan packages from various dependency managers, such as NPM, NuGet, Python and others.

NPM, NuGet and/or Python must be installed on every Bamboo slave and/or master running the job in order to use this option.

Override Global Dependency Scan Settings

Check to use specific settings for this task. These settings override the global settings.

Available only if Enable Dependency Scan is checked.

Include/Exclude Wildcard Patterns

Define the include/exclude wildcard patterns as explained in the instructions under the field.

Available only if Enable Dependency Scan and Override Global Dependency Scan Settings are checked.

Folder Exclusion

Define a comma separated list of folders to exclude from the scan. Entries in this list are automatically converted to exclude wildcard patterns and appended to the full pattern list provided in the Include/Exclude Wildcard Patterns section.

Available only if Enable Dependency Scan and Override Global Dependency Scan Settings are checked.

Use CxOSA Dependency Scanner

Select Use CxOSA Dependency Scanner to enable and configure CxOSA scans.

Use CxSCA Dependency Scanner

Select Use CxSCA Dependency Scanner to enable and configure CxSCA scans.


Checkmarx Scan CxOSA

These parameters are displayed only if Use CxOSA Dependency Scanner has been selected.

OSA Archive Include Wildcard Patterns

Define the included wildcard patterns as explained in the instructions under the field.

Execute Dependency Managers 'Install Packages' Command before Scan

Check to run the dependency managers' install command before the scan, so that packages from NPM, NuGet, Go and others are resolved and scanned as part of the CxOSA scan.

NPM, NuGet and/or Python must be installed on every Bamboo slave and/or master running the job in order to use this option.



Checkmarx Scan CxSCA

These parameters are displayed only if Use CxSCA Dependency Scanner has been selected.

CxSCA Web API URL

Enter the name of the server that interacts with CxSCA using API calls, for example https://api-sca.company.com.

Access Control Server URL

Enter the server that hosts the Access Control portal used to access CxSCA, for example https://platform.company.com.

CxSCA Web App URL

Enter the URL of the web based application that serves as the CxSCA user interface, for example https://sca.company.com.

Entering this URL generates a link to a page with CxSCA scan results. If this option is not entered, no such link is generated.

Account

Enter the CxSCA customer account.

CxSCA User

Enter the CxSCA user name.

CxSCA Password

Enter the CxSCA password.

<Connect to Server>

Click to connect to the CxSCA server.


Control Checkmarx Scan

Use Global Setting

Select Use Global Setting to use the default server credentials. Refer to Configuring the Checkmarx Bamboo Plugin Global Settings for further information.

Use Specific Setting

Select Use Specific Setting and then enter the server URL and credentials that override the default settings as outlined below.

Enable Synchronous Mode

  • If checked, the Checkmarx build step waits for the running Checkmarx scan to complete, then retrieves the scan results and optionally checks vulnerability thresholds.
  • If cleared, the build step completes after submitting the scan job to the Checkmarx server.
  • By default, Synchronous Mode is enabled.
  • Can only be disabled if Use Specific Setting is selected.

Enable Projects Policy Enforcement

If checked, the build is marked as failed or unstable if the project's policy is violated.

Policies are assigned to a project from within CxSAST.

Enable CxSAST Vulnerability Thresholds

If checked, you may define thresholds for low, medium and high severity vulnerabilities above which the build is considered as failed. If cleared, no thresholds are defined.

Available only if Use Specific Setting is selected.

CxSAST High

Set the threshold for high severity vulnerabilities.

Available only if Enable CxSAST Vulnerability Thresholds is checked.

CxSAST Medium

Set the threshold for medium severity vulnerabilities.

Available only if Enable CxSAST Vulnerability Thresholds is checked.

CxSAST Low

Set the threshold for low severity vulnerabilities.

Available only if Enable CxSAST Vulnerability Thresholds is checked.

Enable Dependency Scan Vulnerability Thresholds

If checked, you may define thresholds for low, medium and high severity vulnerabilities found by the dependency scan. Exceeding a defined threshold causes the build to be considered as failed. If cleared, no thresholds are defined.

Dependency scan high severity vulnerabilities threshold

Set the threshold for high severity vulnerabilities.

Available only if Enable Synchronous Mode and Enable Dependency Scan Vulnerability Thresholds are checked.

Dependency scan medium severity vulnerabilities threshold

Set the threshold for medium severity vulnerabilities.

Available only if Enable Synchronous Mode and Enable Dependency Scan Vulnerability Thresholds are checked.

Dependency scan low severity vulnerabilities threshold

Set the threshold for low severity vulnerabilities.

Available only if Enable Synchronous Mode and Enable Dependency Scan Vulnerability Thresholds are checked.

Deny new Checkmarx Projects Creation

This parameter applies to the global settings only and is unavailable for specific settings.

Hide Results

This parameter applies to the global settings only and is unavailable for specific settings.

 6. To save the changes, click <Save>. The Checkmarx Scan Task is displayed in the Plan Configuration screen.

If you need to edit the scan task configuration parameters, click the Checkmarx scan task and make the changes.

You can now run your plan according to your current development procedure. Refer to Running a Plan in the Atlassian Bamboo Documentation.
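The Folder Exclusion and Include/Exclude Wildcard Patterns parameters (in both the CxSAST and the Dependency Scan sections) interact: folder entries become exclude patterns that are appended to the wildcard list, and an exclude always wins over an include. The following Python script is an added illustration of that selection logic, not code from the Checkmarx plugin; the exact pattern form it generates for an excluded folder (`!**/<folder>/**`), the `!` prefix for excludes and the `**` / `*` / `?` glob semantics are assumptions, and the workspace listing is constructed.

```python
import re
from typing import Iterable, List, Tuple


def folder_exclusions_to_patterns(folder_exclusion: str) -> List[str]:
    """Turn 'node_modules, build' into ['!**/node_modules/**', '!**/build/**'].

    Assumption: an excluded folder is converted to the exclude pattern
    !**/<folder>/** (the page only says folders become exclude patterns).
    """
    folders = [f.strip().strip("/") for f in folder_exclusion.split(",")]
    return [f"!**/{f}/**" for f in folders if f]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a wildcard pattern into a regex over '/'-separated paths.

    Assumed semantics: '**/' matches zero or more directory segments,
    '**' elsewhere matches anything, '*' matches within one path segment,
    '?' matches one character; everything else is literal.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out += "(?:.*/)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def split_patterns(wildcard_patterns: str, folder_exclusion: str = "") -> Tuple[List[str], List[str]]:
    """Return (include patterns, exclude patterns); a leading '!' marks an exclude.

    Folder exclusions are appended to the list, exactly as the parameter
    description says they are.
    """
    raw = [p.strip() for p in wildcard_patterns.split(",") if p.strip()]
    raw += folder_exclusions_to_patterns(folder_exclusion)
    includes = [p for p in raw if not p.startswith("!")]
    excludes = [p[1:] for p in raw if p.startswith("!")]
    return includes, excludes


def select_files(paths: Iterable[str], wildcard_patterns: str, folder_exclusion: str = "") -> List[str]:
    """Keep files that match at least one include (or every file when no
    include is given) and match no exclude. Excludes win, so a folder
    exclusion removes files an include pattern would otherwise pull in."""
    includes, excludes = split_patterns(wildcard_patterns, folder_exclusion)
    inc_re = [glob_to_regex(p) for p in includes]
    exc_re = [glob_to_regex(p) for p in excludes]
    selected = []
    for raw in paths:
        path = raw.replace("\\", "/")       # normalise Windows agents' separators
        if path.startswith("./"):
            path = path[2:]
        included = not inc_re or any(r.match(path) for r in inc_re)
        excluded = any(r.match(path) for r in exc_re)
        if included and not excluded:
            selected.append(raw)
    return selected


# Constructed sample workspace listing (not taken from a real build).
SAMPLE_PATHS = [
    "src/app/main.py",
    "src/app/test/test_main.py",
    "node_modules/lodash/index.js",
    "build/out.js",
    "docs/readme.md",
]

if __name__ == "__main__":
    print(select_files(SAMPLE_PATHS, "**/*.py, **/*.js, !**/test/**", "node_modules, build"))
```

Running it shows why the two fields should be reviewed together: `**/*.js` would include everything under `node_modules/`, and only the Folder Exclusion entry keeps those third-party files out of the CxSAST scan.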
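The Control Checkmarx Scan parameters decide the build outcome: in Synchronous Mode the step retrieves the results and compares the per-severity counts against the CxSAST and dependency scan thresholds (and the project policy), while in asynchronous mode it only submits the scan and nothing can be checked. The Python below is an added worked example of that decision, written for this page and not the plugin's own code; it assumes that "above the threshold" means strictly greater than the configured value and that a policy violation marks the build as failed (the page allows failed or unstable).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SeverityCounts:
    """Vulnerabilities reported by one scan, grouped by severity."""
    high: int = 0
    medium: int = 0
    low: int = 0


@dataclass(frozen=True)
class Thresholds:
    """Maximum tolerated count per severity; None means no threshold is defined."""
    high: Optional[int] = None
    medium: Optional[int] = None
    low: Optional[int] = None


def threshold_violations(label: str, counts: SeverityCounts, thresholds: Thresholds) -> List[str]:
    """One message per severity whose count is above its threshold.

    Assumption: 'above' means count > threshold, so a threshold of 0 still
    tolerates zero findings of that severity.
    """
    found = []
    for severity in ("high", "medium", "low"):
        limit = getattr(thresholds, severity)
        count = getattr(counts, severity)
        if limit is not None and count > limit:
            found.append(f"{label}: {count} {severity} severity vulnerabilities, threshold {limit}")
    return found


def evaluate_build(
    synchronous_mode: bool,
    sast_counts: SeverityCounts,
    sast_thresholds: Optional[Thresholds] = None,
    dependency_counts: Optional[SeverityCounts] = None,
    dependency_thresholds: Optional[Thresholds] = None,
    policy_violated: bool = False,
) -> Tuple[str, List[str]]:
    """Return (build status, reasons).

    With Synchronous Mode cleared the step finishes as soon as the scan is
    submitted: no results are retrieved, so no threshold or policy check runs.
    """
    if not synchronous_mode:
        return "SUBMITTED", []
    reasons: List[str] = []
    if policy_violated:                       # Enable Projects Policy Enforcement
        reasons.append("project policy violated")
    if sast_thresholds is not None:           # Enable CxSAST Vulnerability Thresholds
        reasons += threshold_violations("CxSAST", sast_counts, sast_thresholds)
    if dependency_thresholds is not None and dependency_counts is not None:
        reasons += threshold_violations("dependency scan", dependency_counts, dependency_thresholds)
    return ("FAILED" if reasons else "SUCCESS"), reasons


if __name__ == "__main__":
    # Constructed result: no highs, three mediums, many lows; only high and medium are capped.
    print(evaluate_build(True, SeverityCounts(0, 3, 12), Thresholds(high=0, medium=2)))
```

The `SUBMITTED` branch is the point to notice when reviewing a plan: a task with Synchronous Mode cleared never fails a build on findings, however strict the thresholds look in the configuration.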
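Enable Incremental Scan together with Schedule Interval-based Full Scans lets one job run incremental scans by day and full scans at night. The Python below is an added example of that scheduling decision, written for this page rather than taken from the plugin; it assumes the "time range" is a daily time-of-day window (which may cross midnight) and that a project with no previous scan gets a full scan, since an incremental scan is defined relative to the previous one.

```python
from datetime import datetime, time
from typing import Optional, Tuple


def is_in_window(now: datetime, start: time, end: time) -> bool:
    """True when now's time of day lies in [start, end).

    A window whose end is earlier than its start wraps past midnight,
    e.g. 22:00 to 04:00 covers late evening and early morning.
    """
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def choose_scan_type(
    now: datetime,
    incremental_enabled: bool,
    full_scan_window: Optional[Tuple[time, time]] = None,
    has_previous_scan: bool = True,
) -> str:
    """Return 'full' or 'incremental' for a build starting at `now`.

    Assumption: full_scan_window models the 'required time range' of
    Schedule Interval-based Full Scans as a daily window.
    """
    if not incremental_enabled:
        return "full"
    if not has_previous_scan:         # nothing to diff against (assumed behaviour)
        return "full"
    if full_scan_window is not None:
        start, end = full_scan_window
        if is_in_window(now, start, end):
            return "full"
    return "incremental"


if __name__ == "__main__":
    nightly = (time(22, 0), time(4, 0))   # constructed window crossing midnight
    for hour in (14, 23, 3):
        when = datetime(2024, 1, 1, hour, 0)
        print(when.strftime("%H:%M"), choose_scan_type(when, True, nightly))
```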