feat: Add fork-friendly Checkmarx action for public repos (PM-19431)

[cosmir17]

Summary

This PR introduces a new Checkmarx action variant that enables fork PRs to run security scans on public repositories without requiring access to secrets.

Problem (PM-19178)

• Fork PRs cannot access repository secrets (GitHub security feature)
• Checkmarx requires authentication credentials to run
• External contributors get failing CI, defeating the purpose of open source

Solution (PM-19431)

Created checkmarx-scan-public action that:

• Does NOT checkout code (critical for security)
• Uses Checkmarx CLI to scan repositories directly via URL
• Works with pull_request_target to access secrets safely
• Allows fork PRs to get green CI

Technical Approach

Instead of:

1. Checkout code locally
2. Scan local files

We do:

1. Pass repo URL to Checkmarx CLI
2. CLI fetches code using: cx scan create -s <repo-url> --branch <branch>
3. Scan happens in Checkmarx environment

Security Model

• pull_request_target provides secret access (runs with base branch context)
• No code checkout = no risk of running untrusted code with elevated permissions
• Checkmarx fetches and scans the code in their isolated environment

Changes

• Added checkmarx-scan-public/action.yml - New composite action for fork-friendly scanning
• Added checkmarx-scan-public/README.md - Documentation and usage examples

Testing Plan

1. Merge this PR to main
2. Update midnight-node-docker workflow to use pull_request_target with new action
3. Create a fork PR to validate it works
4. Roll out to other public repos

Usage Example

on:
  pull_request_target:  # Important: not pull_request
    types: [opened, synchronize, reopened]

jobs:
  checkmarx:
    steps:
      # NO checkout step - critical for security

      - uses: midnightntwrk/upload-sarif-github-action/checkmarx-scan-public@main
        with:
          cx-client-id: ${{ secrets.CX_CLIENT_ID }}
          cx-client-secret: ${{ secrets.CX_CLIENT_SECRET_EU }}
          cx-tenant: ${{ secrets.CX_TENANT }}

Notes

• Only needed for public repos (private repos don't have fork issues)
• Requires merging to main before we can fully test with real fork PRs
• midnight-node-docker will be our first test case (per @gilescope)

[github-actions]

Checkmarx One – Scan Summary & Details – b433ac69-5111-4b9a-b279-f1641a30fa22

Great job! No new security vulnerabilities introduced in this pull request

[gilescope]

additional params default to '' so no need for the if:

Suggested change

	if [ -n "${{ inputs.additional-params }}" ]; then
	SCAN_CMD="$SCAN_CMD ${{ inputs.additional-params }}"
	fi
	SCAN_CMD="$SCAN_CMD ${{ inputs.additional-params }}"

[cosmir17]

Added fix for scan types issue mentioned in standup.

The CLI was using different defaults than the GitHub Action, resulting in fewer vulnerabilities being detected. Fixed by explicitly specifying --scan-types sast,sca,kics to ensure:

• SAST (Static Application Security Testing)
• SCA (Software Composition Analysis)
• KICS (Infrastructure as Code Security)

This matches the original action's security coverage.

Note: Scorecard/SCS is still not included as it requires additional tokens that fork PRs wouldn't have access to. Per @gilescope's suggestion, we can add actionlint as an alternative validation tool in a follow-up PR.

@gilescope @MB-IOHK - This push has made your approvals stale. Could you please re-review? The only change is adding the scan types parameter to fix the issue Giles identified in standup.

[cosmir17]

Thanks for the approval @MB-IOHK!

@gilescope identified an issue with SCS/Scorecard for fork PRs:

1. SCS fails because MIDNIGHTCI_REPO token doesn't have permissions for fork repositories
2. It appears to check the fork's main branch instead of the PR branch (bug)

Giles suggested we try using GITHUB_TOKEN instead of MIDNIGHTCI_REPO for the SCS token before making it conditional.

Plan to fix in this PR:

1. Add SCS parameters to checkmarx-scan-public action
2. Try using --scs-repo-token ${{ github.token }} for public repos
3. If that doesn't work, make SCS conditional (only for non-fork PRs)

I'll push these changes to complete PM-19431 properly. The core Checkmarx scanning works for forks, just need to fix the SCS component.

[cosmir17]

@MB-IOHK @gilescope, Thanks for your feedback about using github.token for SCS. You were right - it works for public fork PRs!

✅ Tested and Working

I've successfully tested this implementation with a real fork PR: midnightntwrk/midnight-node-docker#58

What's been fixed:

1. Added SCS support with github.token fallback (commit 3afeaae)

   • Falls back to github.token when no explicit token provided
   • Enables SCS for fork PRs without permission errors

2. Fixed SCS repo URL (commit baecb78)

   • Now correctly scans the fork repository instead of base repository
   • Uses ${{ inputs.repo-url }} which points to the actual fork

Test Results:

✅ Checkmarx scan: Completed successfully
✅ SCS enabled: "Using GitHub token for SCS..."
✅ Scanning correct fork: https://github.com/cosmir17/midnight-node-docker
✅ No permission errors

The SCS results show dashes, which is expected for midnight-node-docker (minimal dependencies, just Docker compose files).

Summary:

This PR now successfully implements fork-friendly Checkmarx scanning with SCS/Scorecard support, addressing the issue where MIDNIGHTCI_REPO token couldn't access fork repositories.