Ingest Checkmarx KICS scan into your catalog
The following example shows you how to create a checkmarxScan blueprint that ingests all scan results from your Checkmarx KICS results file using Port's GitHub file ingesting feature.
To ingest the scan results into Port, a port-app-config.yml file in the relevant repository or organisation is used.
Prerequisites
This guide assumes:
- You have a Port account
- You have installed Port's GitHub app in your organisation or in repositories you are interested in.
GitHub configuration
To ingest GitHub objects, use one of the following methods:
- Using Port's UI
- Using GitHub
To manage your GitHub integration configuration using Port:
- Go to the data sources page of your portal.
- Under Exporters, click on your desired GitHub organization.
- A window will open containing the default YAML configuration of your GitHub integration.
- Here you can modify the configuration to suit your needs, by adding/removing entries.
- When finished, click Resync to apply any changes.
Using this method applies the configuration to all repositories that the GitHub app has permissions to.
When configuring the integration using Port, the YAML configuration is global, allowing you to specify mappings for multiple Port blueprints.
To manage your GitHub integration configuration using a config file in GitHub:
- Go to the data sources page of your portal.
- Under Exporters, click on your desired GitHub organization.
- A window will open containing the default YAML configuration of your GitHub integration.
- Scroll all the way down, and turn on the "Manage this integration using the port-app-config.yml file" toggle.
This will clear the configuration in Port's UI.
When configuring the integration using GitHub, you can choose either a global or granular configuration:
- Global configuration: create a .github-private repository in your organization and add the port-app-config.yml file to the repository.
  - Using this method applies the configuration to all repositories that the GitHub app has permissions to (unless it is overridden by a granular port-app-config.yml in a repository).
- Granular configuration: add the port-app-config.yml file to the .github directory of your desired repository.
  - Using this method applies the configuration only to the repository where the port-app-config.yml file exists.
When using global configuration using GitHub, the configuration specified in the port-app-config.yml file will only be applied if the file is in the default branch of the repository (usually main).
When using Port's UI, the specified configuration will override any port-app-config.yml file in your GitHub repository/ies.
Setting up the blueprint and mapping configuration
Create the following blueprint and mapping configuration:
Checkmarx KICS blueprint:

```json
{
  "identifier": "checkmarxScan",
  "description": "This blueprint represents a Checkmarx KICS scan in our software catalog",
  "title": "Checkmarx Scans",
  "icon": "checkmarx",
  "schema": {
    "properties": {
      "severity": {
        "title": "Severity",
        "type": "string",
        "enum": ["LOW", "MEDIUM", "HIGH", "INFO"],
        "enumColors": {
          "LOW": "green",
          "MEDIUM": "yellow",
          "HIGH": "red",
          "INFO": "yellow"
        }
      },
      "url": {
        "type": "string",
        "title": "Scan URL",
        "format": "url"
      },
      "platform": {
        "title": "Platform",
        "type": "string"
      },
      "files": {
        "items": {
          "type": "object"
        },
        "title": "Files",
        "type": "array"
      },
      "cloud_provider": {
        "title": "Cloud Provider",
        "type": "string"
      },
      "description": {
        "title": "Description",
        "type": "string"
      },
      "category": {
        "title": "Category",
        "type": "string"
      }
    },
    "required": []
  },
  "mirrorProperties": {},
  "calculationProperties": {},
  "relations": {}
}
```
Checkmarx KICS mapping configuration. The mapping targets the checkmarxScan blueprint defined above: each entry of the top-level `queries` array in the KICS results.json becomes one entity, and each blueprint property is filled from the matching KICS query field:

```yaml
resources:
  - kind: file
    selector:
      query: 'true'
      files:
        - path: '**/results.json'
    port:
      # One entity per KICS query result
      itemsToParse: .file.content.queries
      entity:
        mappings:
          identifier: .item.query_id
          title: .item.query_name
          blueprint: '"checkmarxScan"'
          properties:
            severity: .item.severity
            url: .item.query_url
            platform: .item.platform
            files: .item.files
            cloud_provider: .item.cloud_provider
            description: .item.description
            category: .item.category
```
Then click on Resync and wait for the entities to be ingested into your Port environment.
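To check what the mapping above will produce before committing the port-app-config.yml, the following added example (not Port's or Checkmarx's own code) applies the same itemsToParse and property mappings to a KICS results.json offline. The sample results document, its query ids and its URLs are constructed placeholders in the shape KICS writes. The example also shows the one validation pitfall a practitioner runs into with this blueprint: KICS can emit severities that are not in the blueprint's enum (the sample includes a CRITICAL finding), and such entities are reported separately instead of being silently dropped.

```python
"""Apply the checkmarxScan mapping to a KICS results.json offline.

Added example, not part of Port's or KICS's code. It mirrors the YAML
mapping: itemsToParse = .file.content.queries, identifier = .item.query_id,
title = .item.query_name, and the property map below.
"""
import json

# checkmarxScan blueprint property -> KICS queries[] field (as in the mapping)
PROPERTY_MAP = {
    "severity": "severity",
    "url": "query_url",
    "platform": "platform",
    "files": "files",
    "cloud_provider": "cloud_provider",
    "description": "description",
    "category": "category",
}

# Values the blueprint's severity enum accepts
SEVERITY_ENUM = {"LOW", "MEDIUM", "HIGH", "INFO"}

# Constructed sample in the shape KICS writes to results.json.
# Query ids and URLs are placeholders, not real KICS identifiers.
SAMPLE_RESULTS_JSON = json.dumps({
    "files_scanned": 2,
    "queries": [
        {
            "query_name": "S3 Bucket Without Versioning",
            "query_id": "placeholder-query-0001",
            "query_url": "https://example.com/kics/queries/0001",
            "severity": "MEDIUM",
            "platform": "Terraform",
            "cloud_provider": "AWS",
            "category": "Backup",
            "description": "S3 bucket should have versioning enabled",
            "files": [{"file_name": "main.tf", "line": 12,
                       "issue_type": "MissingAttribute"}],
        },
        {
            "query_name": "Container Running As Root",
            "query_id": "placeholder-query-0002",
            "query_url": "https://example.com/kics/queries/0002",
            "severity": "CRITICAL",  # deliberately outside the blueprint enum
            "platform": "Kubernetes",
            "cloud_provider": "",
            "category": "Best Practices",
            "description": "Containers should not run as root",
            "files": [{"file_name": "deploy.yaml", "line": 31,
                       "issue_type": "IncorrectValue"}],
        },
    ],
})


def map_query(item: dict) -> dict:
    """Equivalent of the entity.mappings section for one parsed item."""
    return {
        "identifier": item["query_id"],   # .item.query_id
        "title": item["query_name"],      # .item.query_name
        "blueprint": "checkmarxScan",     # '"checkmarxScan"'
        "properties": {prop: item.get(src) for prop, src in PROPERTY_MAP.items()},
    }


def ingest_results(text: str) -> dict:
    """Parse results.json and build one entity per KICS query.

    Entities whose severity is not in the blueprint enum are returned under
    "rejected" rather than "entities": they would fail the blueprint's enum
    validation, so surfacing them here avoids a silent gap in the catalog.
    """
    content = json.loads(text)
    items = content.get("queries") or []  # itemsToParse: .file.content.queries
    entities, rejected = [], []
    for item in items:
        entity = map_query(item)
        severity = entity["properties"]["severity"]
        if severity in SEVERITY_ENUM:
            entities.append(entity)
        else:
            rejected.append({
                "identifier": entity["identifier"],
                "reason": f"severity {severity!r} not in enum",
            })
    return {"entities": entities, "rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(ingest_results(SAMPLE_RESULTS_JSON), indent=2))
```

Run it against a real results.json by replacing SAMPLE_RESULTS_JSON with the file contents; anything listed under "rejected" means either the blueprint's severity enum needs the extra value or the mapping needs to normalise it before the entity reaches Port.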