Skip to content

Feature/oauth check v2#1515

Closed
cx-aniket-shinde wants to merge 18 commits into
other/release-integrationfrom
feature/oauth-check-v2
Closed

Feature/oauth check v2#1515
cx-aniket-shinde wants to merge 18 commits into
other/release-integrationfrom
feature/oauth-check-v2

Conversation

@cx-aniket-shinde

Copy link
Copy Markdown
Contributor

By submitting this pull request, you agree to the terms within the Checkmarx Code of Conduct. Please review the contributing guidelines for guidance on creating high-quality pull requests.

Description

Please provide a summary of the changes and the related issue. Include relevant motivation and context.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Related Issues

Link any related issues or tickets.

Checklist

  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in downstream modules
  • I have updated the CLI help for new/changed functionality in this PR (if applicable)
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used

Screenshots (if applicable)

Add screenshots to help explain your changes.

Additional Notes

Add any other relevant information.

cx-kedar-bhujade and others added 18 commits July 2, 2026 16:24
- Introduced `ignore-vulnerability` command to manage the realtime ignore file for various scan types (OSS, secrets, containers, IaC, ASCA).
- Implemented functionality to add, remove, and validate ignored findings.
- Added tests for the command and ignore file operations to ensure correct behavior.
- Created supporting structures and methods for handling ignore entries and file operations.
- Updated relevant files to integrate the new command into the CLI structure.
- Removed unnecessary dependency on guardrails in asca.go.
- Updated ScanFileEdit function to return findings without appending the deny message directly.
- Enhanced findingsSummary function to include file name, line number, rule ID, severity, and remediation details for better context.
- Improved permissionDecisionReason and additionalContext functions to provide clearer instructions on handling findings and false positives.
Introduces a new sca/ package that gates package-manager installs
(Bash hook) and manifest edits (Write/Edit/MultiEdit hook) against
the Checkmarx OSS realtime scanner:

- ParseInstall recognises npm/yarn/pnpm/pip/go/dotnet/maven install
  commands and normalises partial semver (e.g. "4.10" → "4.10.0")
- CheckBashInstall scans packages before the shell command runs
- CheckManifestEdit diffs before/after manifest content and scans
  only newly-added packages; reconstructs full file content for Edit
  ops so the manifest parser receives a valid document
- Both return (finding, remediation) separately so the denial reason
  and MCP remediation instructions land in distinct hook fields
  (permissionDecisionReason and additionalContext)
- Remediation note instructs the agent to use mcp__Checkmarx__packageRemediation
  exclusively, and to ask the user to install/enable the MCP server
  if the tool is unavailable

Wires the scanner into RegisterGuardrails alongside the existing ASCA
file-edit scan; adds /cx to .gitignore.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ASCA additionalContext now generates pre-filled cx ignore-vulnerability
  commands with actual FileName/Line/RuleID per finding instead of a generic
  placeholder; uses full executable path so the agent can run it regardless
  of PATH
- SCA DenyVulnerable remediation now includes per-package ignore commands
  when no safe version is found, replacing the Dev Assist fallback
- SCA scanner passes the realtime ignore file path to RunOssRealtimeScan so
  suppressed packages are filtered out on subsequent scans
- ASCA permissionDecisionReason shows only findings to the user; agent
  instructions moved entirely to additionalContext

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Added `auth login` command for browser-based OAuth authentication to Checkmarx One, supporting session modes: local, global, and yaml.
- Introduced `auth logout` command to revoke the current refresh token and clear stored credentials across all session types.
- Integrated session management functionality to handle active mode persistence and cleanup.
- Updated command structure to include new authentication commands in the CLI.
- Added tests for session management and command functionality to ensure reliability.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Introduced a new `cx mcp bridge` command that acts as a transparent stdio<->HTTP proxy to the Checkmarx Security MCP.
- Implemented functionality to derive the realm-scoped Security MCP URL from the JWT issuer claim or through environment variables and command-line flags.
- Added tests for URL derivation and bridge command functionality to ensure reliability.
- Updated the existing MCP command structure to include the new bridge command while maintaining backward compatibility.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Expanded the `cx mcp bridge` command to support a resilient connection lifecycle, allowing the bridge to operate in a degraded state until valid credentials are available.
- Implemented a new `bridgeSession` structure to manage connection states and ensure thread-safe operations.
- Added comprehensive tests for deriving the MCP URL from various sources, including JWT claims and environment variables, ensuring robust functionality.
- Updated the command structure to maintain backward compatibility while integrating new features.
* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

* Fix SCA bypass on CRLF/LF line-ending mismatch (#7)

* Fix SCA guardrail bypass on CRLF/LF line-ending mismatch

fullAfterContent now tries an exact replacement first, then falls back to
a line-ending-normalized replacement (CRLF→LF) when the exact match fails.
If the edited region still cannot be located, it logs a warning and scans
the proposed snippet rather than silently returning the unchanged file,
ensuring newly added dependencies are always given a chance to be detected.

Co-Authored-By: Kedar Bhujade <kedar.bhujade@checkmarx.com>

* Instruct agent to invoke skill or install MCP when tool is unavailable in ASCA and SCA hooks

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* copilot-changes (#8)

* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

---------

Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>

* Bump ast-cx-hooks to v1.0.3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Resolve realtime ignore file from hook event WorkDir, not process CWD (#9)

The realtime ignore-file (.checkmarx/checkmarxIgnoredTempList.json) was
resolved as a CWD-relative path against the hook subprocess's own working
directory. Claude Code launches the hook from the workspace root, so it
found the file; Copilot CLI launches it from a different directory, so the
lookup missed the file the ignore command wrote under the workspace and the
finding kept getting blocked.

Anchor the lookup to the workspace the hook event reports via ev.WorkDir:
- Add ignore.PathFor(workDir) (falls back to DefaultPath when empty).
- SCA: thread workDir through Scanner.CheckManifestEdit/CheckBashInstall into
  existingIgnoreFilePath; pass ev.WorkDir from cxBeforeFileEdit.
- ASCA: resolve existingIgnoreFilePath(ev.WorkDir) in ScanFileEdit.
- Pin the emitted `cx ignore-vulnerability` remediation to an explicit
  --ignored-file-path under ev.WorkDir so the write and later read use the
  same absolute file regardless of either process's CWD.

Add tests for PathFor anchoring/fallback, workDir-anchored ignore lookup,
and the remediation flag.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* added-telemetry

* checked-telemetry-payload

* checked-telemetry-payload1

---------

Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>
- Improve OAuth PKCE flow with session management and token caching
- Enhance HTTP client with retry logic and better error handling
- Add comprehensive unit tests for auth login (186 lines)
- Update MCP bridge with improved error handling and testing
- Fix build tag consistency across agenthooks test files
- Sanitize sensitive data in logger utils

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

---------

Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…#9)

The realtime ignore-file (.checkmarx/checkmarxIgnoredTempList.json) was
resolved as a CWD-relative path against the hook subprocess's own working
directory. Claude Code launches the hook from the workspace root, so it
found the file; Copilot CLI launches it from a different directory, so the
lookup missed the file the ignore command wrote under the workspace and the
finding kept getting blocked.

Anchor the lookup to the workspace the hook event reports via ev.WorkDir:
- Add ignore.PathFor(workDir) (falls back to DefaultPath when empty).
- SCA: thread workDir through Scanner.CheckManifestEdit/CheckBashInstall into
  existingIgnoreFilePath; pass ev.WorkDir from cxBeforeFileEdit.
- ASCA: resolve existingIgnoreFilePath(ev.WorkDir) in ScanFileEdit.
- Pin the emitted `cx ignore-vulnerability` remediation to an explicit
  --ignored-file-path under ev.WorkDir so the write and later read use the
  same absolute file regardless of either process's CWD.

Add tests for PathFor anchoring/fallback, workDir-anchored ignore lookup,
and the remediation flag.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* Enhance auth login command and improve security measures

- Introduced a new constant for config file permissions to restrict access to owner only, ensuring better security for stored refresh tokens.
- Updated the auth login flow to preserve existing credentials during authentication failures, enhancing user experience.
- Improved the nuke phase to revoke prior refresh tokens only after a new credential is established, ensuring a clean state.
- Added HTML escaping for error messages in the OAuth PKCE callback to prevent potential XSS vulnerabilities.
- Standardized build tags across multiple test files to ensure consistent test execution.

This commit enhances the security and reliability of the authentication process while improving code maintainability.

* Introduce telemetry for the ignore command

Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>

* removed-telemetry-error-msg

* Add proxy support to newBridgeClient and enhance tests

- Implemented the newBridgeClient function to configure an HTTP client that respects proxy settings from the environment or configuration.
- Added unit tests to verify the behavior of the newBridgeClient, ensuring it correctly handles both default and proxy-aware transports.
- Updated the runBridge function to utilize the newBridgeClient for improved proxy handling.

This commit enhances the MCP bridge functionality by ensuring proper proxy configuration and testing.

---------

Co-authored-by: Hitesh Madgulkar <212497904+cx-hitesh-madgulkar@users.noreply.github.com>
Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>
* chore: remove Dependabot configuration

* Add KICS IaC guardrail to agent file-edit hook

Wire a KICS-based guardrail into cxBeforeFileEdit that blocks AI-introduced
IaC misconfigurations before they are written to disk, using delta detection
on edits (new findings only) and any-vuln on new files. Honors user
suppressions from the realtime ignore file.

Unlike ASCA, the agent is not given discretion to treat KICS findings as
false positives: KICS is a deterministic IaC rule engine whose findings are
not caused by missing cross-file context, and forcing a fix on an IaC finding
produces benign additive hardening rather than contorted code. The remediation
prompt instructs the agent to fix every finding and to add any externally
required resources rather than skipping.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(actions): declare secrets used by reusable workflows (#6)

Adds explicit on.workflow_call.secrets declarations for all secrets
referenced in the workflow body, replacing implicit reliance on
callers using secrets: inherit.

* chore: remove Dependabot configuration

---------

Co-authored-by: Ohad Israeli <243351248+cx-ohad-israeli@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Jonathan Hartman <208858388+cx-jonathan-hartman@users.noreply.github.com>
Co-authored-by: Nisan Ben Abu <nisan.ben-abu@checkmarx.com>
Co-authored-by: Hitesh Madgulkar <212497904+cx-hitesh-madgulkar@users.noreply.github.com>
@stepsecurity-app

Copy link
Copy Markdown
Contributor

Security Policy Alert: Secret Policy Violation

This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch.

Secret references detected:

  • secrets.CX_BASE_URI at line 58
  • secrets.CX_CLIENT_ID at line 59
  • secrets.CX_CLIENT_SECRET at line 60
  • secrets.CX_BASE_AUTH_URI at line 61
  • secrets.CX_AST_USERNAME at line 62
  • secrets.CX_AST_PASSWORD at line 63
  • secrets.CX_APIKEY at line 64
  • secrets.CX_TENANT at line 65
  • secrets.CX_SCAN_SSH_KEY at line 66
  • secrets.PERSONAL_ACCESS_TOKEN at line 68
  • secrets.PROXY_USER at line 71
  • secrets.PROXY_PASSWORD at line 72
  • secrets.PR_GITLAB_TOKEN at line 77
  • secrets.PR_GITLAB_NAMESPACE at line 78
  • secrets.PR_GITLAB_REPO_NAME at line 79
  • secrets.PR_GITLAB_PROJECT_ID at line 80
  • secrets.PR_GITLAB_IID at line 81
  • secrets.AZURE_ORG at line 82
  • secrets.AZURE_PROJECT at line 83
  • secrets.AZURE_REPOS at line 84
  • secrets.AZURE_TOKEN at line 85
  • secrets.BITBUCKET_WORKSPACE at line 87
  • secrets.BITBUCKET_REPOS at line 88
  • secrets.BITBUCKET_USERNAME at line 89
  • secrets.BITBUCKET_PASSWORD at line 90
  • secrets.GITLAB_TOKEN at line 91
  • secrets.PR_BITBUCKET_TOKEN at line 93
  • secrets.DOCKER_USERNAME at line 173
  • secrets.DOCKER_PASSWORD at line 174

To approve this workflow, please add the workflows-approved label to this PR.

Note: The label must be added by someone other than the PR author (cx-aniket-shinde) or automation bots to ensure proper security review.

After the label is added, you can re-run the blocked workflow to proceed.

This workflow will be automatically approved once merged into the default branch.

For more information, see StepSecurity's Secret Exfiltration Policy documentation.

@stepsecurity-app

Copy link
Copy Markdown
Contributor

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy.

Disallowed Actions:

  • aidar-freeed/ai-codereviewer@a9a064dfa1db8c83f40ef63f6e247fa09c935ed6

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants