Skip to content

Combining all changes for cli (AST-161391)#1516

Merged
cx-alon-rosenhek merged 2 commits into
mainfrom
other/integration-main
Jul 2, 2026
Merged

Combining all changes for cli (AST-161391)#1516
cx-alon-rosenhek merged 2 commits into
mainfrom
other/integration-main

Conversation

@cx-atish-jadhav

Copy link
Copy Markdown
Contributor

By submitting this pull request, you agree to the terms within the Checkmarx Code of Conduct. Please review the contributing guidelines for guidance on creating high-quality pull requests.

Description

Please provide a summary of the changes and the related issue. Include relevant motivation and context.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Related Issues

Link any related issues or tickets.

Checklist

  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in downstream modules
  • I have updated the CLI help for new/changed functionality in this PR (if applicable)
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used

Screenshots (if applicable)

Add screenshots to help explain your changes.

Additional Notes

Add any other relevant information.

@cx-atish-jadhav cx-atish-jadhav changed the title combining all changes Combining all changes for cli (AST-161391) Jul 2, 2026

@cx-anurag-dalke cx-anurag-dalke left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

@cx-alon-rosenhek cx-alon-rosenhek merged commit 527c123 into main Jul 2, 2026
6 of 8 checks passed
cx-atish-jadhav added a commit that referenced this pull request Jul 3, 2026
commit 527c123
Author: Atish Jadhav <atish.jadhav@checkmarx.com>
Date:   Thu Jul 2 21:10:31 2026 +0530

    Combining all changes for cli (AST-161391) (#1516)

    * combining all changes

    * fixing lint issue
cx-alon-rosenhek pushed a commit that referenced this pull request Jul 6, 2026
* Fix KICS container shutdown race condition and add OneAssist license support

- Create kicsshutdown package with thread-safe container name management
- Update signal handler to read container name from kicsshutdown instead of viper
- Prevents race conditions during SIGTERM cleanup
- Add support for OneAssist license in addition to Developer Assist
- Update GetUniqueID() to check both license types

* Integrate file updates: SARIF enhancements, filters expansion, and project/application management improvements

- Add CodeFlow and ThreadFlow support to SARIF result structures with new types
- Extend BaseIncludeFilters with 41 additional file type patterns
- Enhance applications.go with project association polling and duplicate prevention
- Update result.go with CodeFlow handling in SARIF serialization
- Add IsInSource and CommitURL fields to SarifResultProperties
- Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
- Change IaCS and KICS filter flags from String to StringSlice in scan.go

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix SCA vulnerabilities: update dependencies to patched versions

- Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
- Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
- Upgrade anchore/stereoscope to v0.2.0
- Upgrade google.golang.org/grpc to v1.80.0
- Upgrade gonum to v0.17.0
- Upgrade containerd/v2 to v2.3.1
- Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
- Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
- Upgrade Go version to 1.26.3

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix additional SCA vulnerabilities: containerd, golang.org/x/image, and opencontainers/runc

- Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
- Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
- Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
- Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix k8s.io/kubectl version mismatch after SCA dependency upgrades

Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
during SCA vulnerability remediation.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* create CLAUDE.md file for ast-cli repo

* Updated filters.go

* fix failing unit test case

* trivy and  integration check fixes

* CVE-2026-33813: fixing cxone scan vulnerability

* Fix CVE vulnerabilities and lint issues

- Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
- Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
- Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
- Extract repeated string to constant in result_test.go (goconst lint fix)

* Override transitive golang.org/x/image and update config

- Add explicit requirement for golang.org/x/image v0.39.0 to override
  gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
- Update result_test.go constant alignment
- Add cx_config_file_path to integration config

* Fix KICS container shutdown race condition and add OneAssist license support

- Create kicsshutdown package with thread-safe container name management
- Update signal handler to read container name from kicsshutdown instead of viper
- Prevents race conditions during SIGTERM cleanup
- Add support for OneAssist license in addition to Developer Assist
- Update GetUniqueID() to check both license types

* Integrate file updates: SARIF enhancements, filters expansion, and project/application management improvements

- Add CodeFlow and ThreadFlow support to SARIF result structures with new types
- Extend BaseIncludeFilters with 41 additional file type patterns
- Enhance applications.go with project association polling and duplicate prevention
- Update result.go with CodeFlow handling in SARIF serialization
- Add IsInSource and CommitURL fields to SarifResultProperties
- Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
- Change IaCS and KICS filter flags from String to StringSlice in scan.go

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix SCA vulnerabilities: update dependencies to patched versions

- Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
- Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
- Upgrade anchore/stereoscope to v0.2.0
- Upgrade google.golang.org/grpc to v1.80.0
- Upgrade gonum to v0.17.0
- Upgrade containerd/v2 to v2.3.1
- Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
- Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
- Upgrade Go version to 1.26.3

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix additional SCA vulnerabilities: containerd, golang.org/x/image, and opencontainers/runc

- Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
- Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
- Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
- Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix k8s.io/kubectl version mismatch after SCA dependency upgrades

Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
during SCA vulnerability remediation.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* create CLAUDE.md file for ast-cli repo

* Updated filters.go

* fix failing unit test case

* trivy and  integration check fixes

* CVE-2026-33813: fixing cxone scan vulnerability

* Fix CVE vulnerabilities and lint issues

- Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
- Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
- Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
- Extract repeated string to constant in result_test.go (goconst lint fix)

* Override transitive golang.org/x/image and update config

- Add explicit requirement for golang.org/x/image v0.39.0 to override
  gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
- Update result_test.go constant alignment
- Add cx_config_file_path to integration config

* Vulnerability fixes and ci changes

* Fix transitive CVE vulnerabilities without go mod tidy

- Add explicit golang.org/x/image v0.41.0 override (CVE-2026-33813, CVE-2026-46599)
  pulled transitively through gonum.org/v1/gonum v0.17.0
- Add explicit github.com/opencontainers/runc v1.3.4 (CVE-2025-52881)
  pulled transitively through github.com/Microsoft/hcsshim v0.15.0-rc.1
- Add explicit github.com/go-jose/go-jose/v3 v3.0.5 (CVE-2026-34986)
  pulled transitively through github.com/containerd/containerd v1.7.32
- Add explicit github.com/cilium/ebpf v0.17.3 (transitive upgrade)

Note: do not run go mod tidy on this module — it strips these security
overrides because the packages are indirect and not directly imported.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Added harden runner

* release workflow - comment out notify step

* Commenting the signing logic from dev-release

* Add ignore vulnerability command and related functionality

- Introduced `ignore-vulnerability` command to manage the realtime ignore file for various scan types (OSS, secrets, containers, IaC, ASCA).
- Implemented functionality to add, remove, and validate ignored findings.
- Added tests for the command and ignore file operations to ensure correct behavior.
- Created supporting structures and methods for handling ignore entries and file operations.
- Updated relevant files to integrate the new command into the CLI structure.

* Cx-One scan fixes for crypto

* Revert golang.org/x/crypto upgrade (v0.51.0 also vulnerable)

Reverted golang.org/x/crypto from v0.51.0 back to v0.50.0 as v0.51.0
also flagged as vulnerable by Checkmarx SCA.

CVE-2026-46595 & CVE-2026-39829 in golang.org/x/crypto v0.50.0 are
marked as Not Exploitable (NE) because:

1. CLI does NOT perform authorization logic (CVE-2026-46595)
   - Authorization decisions are delegated to Git layer

2. CLI does NOT verify cryptographic signatures (CVE-2026-39829)
   - No signature verification code in CLI
   - SSH keys only used for Git authentication

3. Vulnerable code paths in x/crypto are not exercised by CLI
   - Direct crypto imports (sha256, tls, etc) are from stdlib
   - Indirect x/crypto usage limited to SSH authentication

Acceptable Risk: YES

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Hooks related changes (#3)

* Refactor ASCA scan file handling and improve messaging

- Removed unnecessary dependency on guardrails in asca.go.
- Updated ScanFileEdit function to return findings without appending the deny message directly.
- Enhanced findingsSummary function to include file name, line number, rule ID, severity, and remediation details for better context.
- Improved permissionDecisionReason and additionalContext functions to provide clearer instructions on handling findings and false positives.

* Add SCA hooks guardrail alongside ASCA

Introduces a new sca/ package that gates package-manager installs
(Bash hook) and manifest edits (Write/Edit/MultiEdit hook) against
the Checkmarx OSS realtime scanner:

- ParseInstall recognises npm/yarn/pnpm/pip/go/dotnet/maven install
  commands and normalises partial semver (e.g. "4.10" → "4.10.0")
- CheckBashInstall scans packages before the shell command runs
- CheckManifestEdit diffs before/after manifest content and scans
  only newly-added packages; reconstructs full file content for Edit
  ops so the manifest parser receives a valid document
- Both return (finding, remediation) separately so the denial reason
  and MCP remediation instructions land in distinct hook fields
  (permissionDecisionReason and additionalContext)
- Remediation note instructs the agent to use mcp__Checkmarx__packageRemediation
  exclusively, and to ask the user to install/enable the MCP server
  if the tool is unavailable

Wires the scanner into RegisterGuardrails alongside the existing ASCA
file-edit scan; adds /cx to .gitignore.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Integrate ignore-vulnerability command into ASCA and SCA hooks

- ASCA additionalContext now generates pre-filled cx ignore-vulnerability
  commands with actual FileName/Line/RuleID per finding instead of a generic
  placeholder; uses full executable path so the agent can run it regardless
  of PATH
- SCA DenyVulnerable remediation now includes per-package ignore commands
  when no safe version is found, replacing the Dev Assist fallback
- SCA scanner passes the realtime ignore file path to RunOssRealtimeScan so
  suppressed packages are filtered out on subsequent scans
- ASCA permissionDecisionReason shows only findings to the user; agent
  instructions moved entirely to additionalContext

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Squashed commit of the following:

commit 372c01c
Author: Ohad Israeli <243351248+cx-ohad-israeli@users.noreply.github.com>
Date:   Wed Jun 10 17:39:16 2026 +0300

    chore: remove Dependabot configuration

commit fcc941d
Author: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com>
Date:   Tue Jun 9 17:30:06 2026 +0100

    Comment out Docker image signature verification step in release workflow (#1500)

commit 7200c50
Author: Atish Jadhav <141334503+cx-atish-jadhav@users.noreply.github.com>
Date:   Tue Jun 9 14:57:11 2026 +0530

    Bugs remediation and Salesforce tickets resolution(AST-146432) (#1499)

    * Fix KICS container shutdown race condition and add OneAssist license support

    - Create kicsshutdown package with thread-safe container name management
    - Update signal handler to read container name from kicsshutdown instead of viper
    - Prevents race conditions during SIGTERM cleanup
    - Add support for OneAssist license in addition to Developer Assist
    - Update GetUniqueID() to check both license types

    * Integrate file updates: SARIF enhancements, filters expansion, and project/application management improvements

    - Add CodeFlow and ThreadFlow support to SARIF result structures with new types
    - Extend BaseIncludeFilters with 41 additional file type patterns
    - Enhance applications.go with project association polling and duplicate prevention
    - Update result.go with CodeFlow handling in SARIF serialization
    - Add IsInSource and CommitURL fields to SarifResultProperties
    - Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
    - Change IaCS and KICS filter flags from String to StringSlice in scan.go

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix SCA vulnerabilities: update dependencies to patched versions

    - Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
    - Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
    - Upgrade anchore/stereoscope to v0.2.0
    - Upgrade google.golang.org/grpc to v1.80.0
    - Upgrade gonum to v0.17.0
    - Upgrade containerd/v2 to v2.3.1
    - Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
    - Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
    - Upgrade Go version to 1.26.3

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix additional SCA vulnerabilities: containerd, golang.org/x/image, and opencontainers/runc

    - Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
    - Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
    - Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
    - Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix k8s.io/kubectl version mismatch after SCA dependency upgrades

    Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
    k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
    during SCA vulnerability remediation.

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * create CLAUDE.md file for ast-cli repo

    * Updated filters.go

    * fix failing unit test case

    * trivy and  integration check fixes

    * CVE-2026-33813: fixing cxone scan vulnerability

    * Fix CVE vulnerabilities and lint issues

    - Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
    - Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
    - Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
    - Extract repeated string to constant in result_test.go (goconst lint fix)

    * Override transitive golang.org/x/image and update config

    - Add explicit requirement for golang.org/x/image v0.39.0 to override
      gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
    - Update result_test.go constant alignment
    - Add cx_config_file_path to integration config

    * Fix KICS container shutdown race condition and add OneAssist license support

    - Create kicsshutdown package with thread-safe container name management
    - Update signal handler to read container name from kicsshutdown instead of viper
    - Prevents race conditions during SIGTERM cleanup
    - Add support for OneAssist license in addition to Developer Assist
    - Update GetUniqueID() to check both license types

    * Integrate file updates: SARIF enhancements, filters expansion, and project/application management improvements

    - Add CodeFlow and ThreadFlow support to SARIF result structures with new types
    - Extend BaseIncludeFilters with 41 additional file type patterns
    - Enhance applications.go with project association polling and duplicate prevention
    - Update result.go with CodeFlow handling in SARIF serialization
    - Add IsInSource and CommitURL fields to SarifResultProperties
    - Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
    - Change IaCS and KICS filter flags from String to StringSlice in scan.go

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix SCA vulnerabilities: update dependencies to patched versions

    - Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
    - Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
    - Upgrade anchore/stereoscope to v0.2.0
    - Upgrade google.golang.org/grpc to v1.80.0
    - Upgrade gonum to v0.17.0
    - Upgrade containerd/v2 to v2.3.1
    - Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
    - Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
    - Upgrade Go version to 1.26.3

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix additional SCA vulnerabilities: containerd, golang.org/x/image, and opencontainers/runc

    - Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
    - Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
    - Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
    - Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix k8s.io/kubectl version mismatch after SCA dependency upgrades

    Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
    k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
    during SCA vulnerability remediation.

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * create CLAUDE.md file for ast-cli repo

    * Updated filters.go

    * fix failing unit test case

    * trivy and  integration check fixes

    * CVE-2026-33813: fixing cxone scan vulnerability

    * Fix CVE vulnerabilities and lint issues

    - Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
    - Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
    - Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
    - Extract repeated string to constant in result_test.go (goconst lint fix)

    * Override transitive golang.org/x/image and update config

    - Add explicit requirement for golang.org/x/image v0.39.0 to override
      gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
    - Update result_test.go constant alignment
    - Add cx_config_file_path to integration config

    * Vulnerability fixes and ci changes

    * Fix transitive CVE vulnerabilities without go mod tidy

    - Add explicit golang.org/x/image v0.41.0 override (CVE-2026-33813, CVE-2026-46599)
      pulled transitively through gonum.org/v1/gonum v0.17.0
    - Add explicit github.com/opencontainers/runc v1.3.4 (CVE-2025-52881)
      pulled transitively through github.com/Microsoft/hcsshim v0.15.0-rc.1
    - Add explicit github.com/go-jose/go-jose/v3 v3.0.5 (CVE-2026-34986)
      pulled transitively through github.com/containerd/containerd v1.7.32
    - Add explicit github.com/cilium/ebpf v0.17.3 (transitive upgrade)

    Note: do not run go mod tidy on this module — it strips these security
    overrides because the packages are indirect and not directly imported.

    Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

    * Added harden runner

    * release workflow - comment out notify step

    * Commenting the signing logic from dev-release

    * Cx-One scan fixes for crypto

    * Revert golang.org/x/crypto upgrade (v0.51.0 also vulnerable)

    Reverted golang.org/x/crypto from v0.51.0 back to v0.50.0 as v0.51.0
    also flagged as vulnerable by Checkmarx SCA.

    CVE-2026-46595 & CVE-2026-39829 in golang.org/x/crypto v0.50.0 are
    marked as Not Exploitable (NE) because:

    1. CLI does NOT perform authorization logic (CVE-2026-46595)
       - Authorization decisions are delegated to Git layer

    2. CLI does NOT verify cryptographic signatures (CVE-2026-39829)
       - No signature verification code in CLI
       - SSH keys only used for Git authentication

    3. Vulnerable code paths in x/crypto are not exercised by CLI
       - Direct crypto imports (sha256, tls, etc) are from stdlib
       - Indirect x/crypto usage limited to SSH authentication

    Acceptable Risk: YES

    Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

    ---------

    Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
    Co-authored-by: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com>

* Size reduction changes

* Implement OAuth login and logout commands with session management

- Added `auth login` command for browser-based OAuth authentication to Checkmarx One, supporting session modes: local, global, and yaml.
- Introduced `auth logout` command to revoke the current refresh token and clear stored credentials across all session types.
- Integrated session management functionality to handle active mode persistence and cleanup.
- Updated command structure to include new authentication commands in the CLI.
- Added tests for session management and command functionality to ensure reliability.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix SCA bypass on CRLF/LF line-ending mismatch (#7)

* Fix SCA guardrail bypass on CRLF/LF line-ending mismatch

fullAfterContent now tries an exact replacement first, then falls back to
a line-ending-normalized replacement (CRLF→LF) when the exact match fails.
If the edited region still cannot be located, it logs a warning and scans
the proposed snippet rather than silently returning the unchanged file,
ensuring newly added dependencies are always given a chance to be detected.

Co-Authored-By: Kedar Bhujade <kedar.bhujade@checkmarx.com>

* Instruct agent to invoke skill or install MCP when tool is unavailable in ASCA and SCA hooks

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* copilot-changes (#8)

* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

---------

Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>

* Bump ast-cx-hooks to v1.0.3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Resolve realtime ignore file from hook event WorkDir, not process CWD (#9)

The realtime ignore-file (.checkmarx/checkmarxIgnoredTempList.json) was
resolved as a CWD-relative path against the hook subprocess's own working
directory. Claude Code launches the hook from the workspace root, so it
found the file; Copilot CLI launches it from a different directory, so the
lookup missed the file the ignore command wrote under the workspace and the
finding kept getting blocked.

Anchor the lookup to the workspace the hook event reports via ev.WorkDir:
- Add ignore.PathFor(workDir) (falls back to DefaultPath when empty).
- SCA: thread workDir through Scanner.CheckManifestEdit/CheckBashInstall into
  existingIgnoreFilePath; pass ev.WorkDir from cxBeforeFileEdit.
- ASCA: resolve existingIgnoreFilePath(ev.WorkDir) in ScanFileEdit.
- Pin the emitted `cx ignore-vulnerability` remediation to an explicit
  --ignored-file-path under ev.WorkDir so the write and later read use the
  same absolute file regardless of either process's CWD.

Add tests for PathFor anchoring/fallback, workDir-anchored ignore lookup,
and the remediation flag.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* config

* Add MCP bridge command for proxying stdio to Checkmarx Security MCP

- Introduced a new `cx mcp bridge` command that acts as a transparent stdio<->HTTP proxy to the Checkmarx Security MCP.
- Implemented functionality to derive the realm-scoped Security MCP URL from the JWT issuer claim or through environment variables and command-line flags.
- Added tests for URL derivation and bridge command functionality to ensure reliability.
- Updated the existing MCP command structure to include the new bridge command while maintaining backward compatibility.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Enhance MCP bridge functionality and testing

- Expanded the `cx mcp bridge` command to support a resilient connection lifecycle, allowing the bridge to operate in a degraded state until valid credentials are available.
- Implemented a new `bridgeSession` structure to manage connection states and ensure thread-safe operations.
- Added comprehensive tests for deriving the MCP URL from various sources, including JWT claims and environment variables, ensuring robust functionality.
- Updated the command structure to maintain backward compatibility while integrating new features.

* Feature/telemetry (#12)

* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

* Fix SCA bypass on CRLF/LF line-ending mismatch (#7)

* Fix SCA guardrail bypass on CRLF/LF line-ending mismatch

fullAfterContent now tries an exact replacement first, then falls back to
a line-ending-normalized replacement (CRLF→LF) when the exact match fails.
If the edited region still cannot be located, it logs a warning and scans
the proposed snippet rather than silently returning the unchanged file,
ensuring newly added dependencies are always given a chance to be detected.

Co-Authored-By: Kedar Bhujade <kedar.bhujade@checkmarx.com>

* Instruct agent to invoke skill or install MCP when tool is unavailable in ASCA and SCA hooks

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* copilot-changes (#8)

* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

---------

Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>

* Bump ast-cx-hooks to v1.0.3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Resolve realtime ignore file from hook event WorkDir, not process CWD (#9)

The realtime ignore-file (.checkmarx/checkmarxIgnoredTempList.json) was
resolved as a CWD-relative path against the hook subprocess's own working
directory. Claude Code launches the hook from the workspace root, so it
found the file; Copilot CLI launches it from a different directory, so the
lookup missed the file the ignore command wrote under the workspace and the
finding kept getting blocked.

Anchor the lookup to the workspace the hook event reports via ev.WorkDir:
- Add ignore.PathFor(workDir) (falls back to DefaultPath when empty).
- SCA: thread workDir through Scanner.CheckManifestEdit/CheckBashInstall into
  existingIgnoreFilePath; pass ev.WorkDir from cxBeforeFileEdit.
- ASCA: resolve existingIgnoreFilePath(ev.WorkDir) in ScanFileEdit.
- Pin the emitted `cx ignore-vulnerability` remediation to an explicit
  --ignored-file-path under ev.WorkDir so the write and later read use the
  same absolute file regardless of either process's CWD.

Add tests for PathFor anchoring/fallback, workDir-anchored ignore lookup,
and the remediation flag.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* added-telemetry

* checked-telemetry-payload

* checked-telemetry-payload1

---------

Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>

* Add OAuth PKCE improvements, HTTP client enhancements, and test coverage

- Improve OAuth PKCE flow with session management and token caching
- Enhance HTTP client with retry logic and better error handling
- Add comprehensive unit tests for auth login (186 lines)
- Update MCP bridge with improved error handling and testing
- Fix build tag consistency across agenthooks test files
- Sanitize sensitive data in logger utils

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Update pre_commit_test.go

* Reverted Logging changes

* Enhance auth login command and improve security measures (#16)

* Enhance auth login command and improve security measures

- Introduced a new constant for config file permissions to restrict access to owner only, ensuring better security for stored refresh tokens.
- Updated the auth login flow to preserve existing credentials during authentication failures, enhancing user experience.
- Improved the nuke phase to revoke prior refresh tokens only after a new credential is established, ensuring a clean state.
- Added HTML escaping for error messages in the OAuth PKCE callback to prevent potential XSS vulnerabilities.
- Standardized build tags across multiple test files to ensure consistent test execution.

This commit enhances the security and reliability of the authentication process while improving code maintainability.

* Introduce telemetry for the ignore command

Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>

* removed-telemetry-error-msg

* Add proxy support to newBridgeClient and enhance tests

- Implemented the newBridgeClient function to configure an HTTP client that respects proxy settings from the environment or configuration.
- Added unit tests to verify the behavior of the newBridgeClient, ensuring it correctly handles both default and proxy-aware transports.
- Updated the runBridge function to utilize the newBridgeClient for improved proxy handling.

This commit enhances the MCP bridge functionality by ensuring proper proxy configuration and testing.

---------

Co-authored-by: Hitesh Madgulkar <212497904+cx-hitesh-madgulkar@users.noreply.github.com>
Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>

* Update release.yml

* AST-158636 - Add KICS IaC guardrail to agent hooks (#11)

* chore: remove Dependabot configuration

* Add KICS IaC guardrail to agent file-edit hook

Wire a KICS-based guardrail into cxBeforeFileEdit that blocks AI-introduced
IaC misconfigurations before they are written to disk, using delta detection
on edits (new findings only) and any-vuln on new files. Honors user
suppressions from the realtime ignore file.

Unlike ASCA, the agent is not given discretion to treat KICS findings as
false positives: KICS is a deterministic IaC rule engine whose findings are
not caused by missing cross-file context, and forcing a fix on an IaC finding
produces benign additive hardening rather than contorted code. The remediation
prompt instructs the agent to fix every finding and to add any externally
required resources rather than skipping.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(actions): declare secrets used by reusable workflows (#6)

Adds explicit on.workflow_call.secrets declarations for all secrets
referenced in the workflow body, replacing implicit reliance on
callers using secrets: inherit.

* chore: remove Dependabot configuration

---------

Co-authored-by: Ohad Israeli <243351248+cx-ohad-israeli@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Jonathan Hartman <208858388+cx-jonathan-hartman@users.noreply.github.com>
Co-authored-by: Nisan Ben Abu <nisan.ben-abu@checkmarx.com>
Co-authored-by: Hitesh Madgulkar <212497904+cx-hitesh-madgulkar@users.noreply.github.com>

* Hooks related changes (#3)

* Add ignore vulnerability command and related functionality

- Introduced `ignore-vulnerability` command to manage the realtime ignore file for various scan types (OSS, secrets, containers, IaC, ASCA).
- Implemented functionality to add, remove, and validate ignored findings.
- Added tests for the command and ignore file operations to ensure correct behavior.
- Created supporting structures and methods for handling ignore entries and file operations.
- Updated relevant files to integrate the new command into the CLI structure.

* Refactor ASCA scan file handling and improve messaging

- Removed unnecessary dependency on guardrails in asca.go.
- Updated ScanFileEdit function to return findings without appending the deny message directly.
- Enhanced findingsSummary function to include file name, line number, rule ID, severity, and remediation details for better context.
- Improved permissionDecisionReason and additionalContext functions to provide clearer instructions on handling findings and false positives.

* Add SCA hooks guardrail alongside ASCA

Introduces a new sca/ package that gates package-manager installs
(Bash hook) and manifest edits (Write/Edit/MultiEdit hook) against
the Checkmarx OSS realtime scanner:

- ParseInstall recognises npm/yarn/pnpm/pip/go/dotnet/maven install
  commands and normalises partial semver (e.g. "4.10" → "4.10.0")
- CheckBashInstall scans packages before the shell command runs
- CheckManifestEdit diffs before/after manifest content and scans
  only newly-added packages; reconstructs full file content for Edit
  ops so the manifest parser receives a valid document
- Both return (finding, remediation) separately so the denial reason
  and MCP remediation instructions land in distinct hook fields
  (permissionDecisionReason and additionalContext)
- Remediation note instructs the agent to use mcp__Checkmarx__packageRemediation
  exclusively, and to ask the user to install/enable the MCP server
  if the tool is unavailable

Wires the scanner into RegisterGuardrails alongside the existing ASCA
file-edit scan; adds /cx to .gitignore.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Integrate ignore-vulnerability command into ASCA and SCA hooks

- ASCA additionalContext now generates pre-filled cx ignore-vulnerability
  commands with actual FileName/Line/RuleID per finding instead of a generic
  placeholder; uses full executable path so the agent can run it regardless
  of PATH
- SCA DenyVulnerable remediation now includes per-package ignore commands
  when no safe version is found, replacing the Dev Assist fallback
- SCA scanner passes the realtime ignore file path to RunOssRealtimeScan so
  suppressed packages are filtered out on subsequent scans
- ASCA permissionDecisionReason shows only findings to the user; agent
  instructions moved entirely to additionalContext

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Implement OAuth login and logout commands with session management

- Added `auth login` command for browser-based OAuth authentication to Checkmarx One, supporting session modes: local, global, and yaml.
- Introduced `auth logout` command to revoke the current refresh token and clear stored credentials across all session types.
- Integrated session management functionality to handle active mode persistence and cleanup.
- Updated command structure to include new authentication commands in the CLI.
- Added tests for session management and command functionality to ensure reliability.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* config

* Add MCP bridge command for proxying stdio to Checkmarx Security MCP

- Introduced a new `cx mcp bridge` command that acts as a transparent stdio<->HTTP proxy to the Checkmarx Security MCP.
- Implemented functionality to derive the realm-scoped Security MCP URL from the JWT issuer claim or through environment variables and command-line flags.
- Added tests for URL derivation and bridge command functionality to ensure reliability.
- Updated the existing MCP command structure to include the new bridge command while maintaining backward compatibility.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Enhance MCP bridge functionality and testing

- Expanded the `cx mcp bridge` command to support a resilient connection lifecycle, allowing the bridge to operate in a degraded state until valid credentials are available.
- Implemented a new `bridgeSession` structure to manage connection states and ensure thread-safe operations.
- Added comprehensive tests for deriving the MCP URL from various sources, including JWT claims and environment variables, ensuring robust functionality.
- Updated the command structure to maintain backward compatibility while integrating new features.

* Feature/telemetry (#12)

* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

* Fix SCA bypass on CRLF/LF line-ending mismatch (#7)

* Fix SCA guardrail bypass on CRLF/LF line-ending mismatch

fullAfterContent now tries an exact replacement first, then falls back to
a line-ending-normalized replacement (CRLF→LF) when the exact match fails.
If the edited region still cannot be located, it logs a warning and scans
the proposed snippet rather than silently returning the unchanged file,
ensuring newly added dependencies are always given a chance to be detected.

Co-Authored-By: Kedar Bhujade <kedar.bhujade@checkmarx.com>

* Instruct agent to invoke skill or install MCP when tool is unavailable in ASCA and SCA hooks

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* copilot-changes (#8)

* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

---------

Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>

* Bump ast-cx-hooks to v1.0.3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Resolve realtime ignore file from hook event WorkDir, not process CWD (#9)

The realtime ignore-file (.checkmarx/checkmarxIgnoredTempList.json) was
resolved as a CWD-relative path against the hook subprocess's own working
directory. Claude Code launches the hook from the workspace root, so it
found the file; Copilot CLI launches it from a different directory, so the
lookup missed the file the ignore command wrote under the workspace and the
finding kept getting blocked.

Anchor the lookup to the workspace the hook event reports via ev.WorkDir:
- Add ignore.PathFor(workDir) (falls back to DefaultPath when empty).
- SCA: thread workDir through Scanner.CheckManifestEdit/CheckBashInstall into
  existingIgnoreFilePath; pass ev.WorkDir from cxBeforeFileEdit.
- ASCA: resolve existingIgnoreFilePath(ev.WorkDir) in ScanFileEdit.
- Pin the emitted `cx ignore-vulnerability` remediation to an explicit
  --ignored-file-path under ev.WorkDir so the write and later read use the
  same absolute file regardless of either process's CWD.

Add tests for PathFor anchoring/fallback, workDir-anchored ignore lookup,
and the remediation flag.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* added-telemetry

* checked-telemetry-payload

* checked-telemetry-payload1

---------

Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>

* Add OAuth PKCE improvements, HTTP client enhancements, and test coverage

- Improve OAuth PKCE flow with session management and token caching
- Enhance HTTP client with retry logic and better error handling
- Add comprehensive unit tests for auth login (186 lines)
- Update MCP bridge with improved error handling and testing
- Fix build tag consistency across agenthooks test files
- Sanitize sensitive data in logger utils

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* copilot-changes (#8)

* copilot=chnages

* removed-temp-dependency

* removed-temp-dependency1

---------

Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>

* Bump ast-cx-hooks to v1.0.3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Resolve realtime ignore file from hook event WorkDir, not process CWD (#9)

The realtime ignore-file (.checkmarx/checkmarxIgnoredTempList.json) was
resolved as a CWD-relative path against the hook subprocess's own working
directory. Claude Code launches the hook from the workspace root, so it
found the file; Copilot CLI launches it from a different directory, so the
lookup missed the file the ignore command wrote under the workspace and the
finding kept getting blocked.

Anchor the lookup to the workspace the hook event reports via ev.WorkDir:
- Add ignore.PathFor(workDir) (falls back to DefaultPath when empty).
- SCA: thread workDir through Scanner.CheckManifestEdit/CheckBashInstall into
  existingIgnoreFilePath; pass ev.WorkDir from cxBeforeFileEdit.
- ASCA: resolve existingIgnoreFilePath(ev.WorkDir) in ScanFileEdit.
- Pin the emitted `cx ignore-vulnerability` remediation to an explicit
  --ignored-file-path under ev.WorkDir so the write and later read use the
  same absolute file regardless of either process's CWD.

Add tests for PathFor anchoring/fallback, workDir-anchored ignore lookup,
and the remediation flag.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Reverted Logging changes

* Enhance auth login command and improve security measures (#16)

* Enhance auth login command and improve security measures

- Introduced a new constant for config file permissions to restrict access to owner only, ensuring better security for stored refresh tokens.
- Updated the auth login flow to preserve existing credentials during authentication failures, enhancing user experience.
- Improved the nuke phase to revoke prior refresh tokens only after a new credential is established, ensuring a clean state.
- Added HTML escaping for error messages in the OAuth PKCE callback to prevent potential XSS vulnerabilities.
- Standardized build tags across multiple test files to ensure consistent test execution.

This commit enhances the security and reliability of the authentication process while improving code maintainability.

* Introduce telemetry for the ignore command

Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>

* removed-telemetry-error-msg

* Add proxy support to newBridgeClient and enhance tests

- Implemented the newBridgeClient function to configure an HTTP client that respects proxy settings from the environment or configuration.
- Added unit tests to verify the behavior of the newBridgeClient, ensuring it correctly handles both default and proxy-aware transports.
- Updated the runBridge function to utilize the newBridgeClient for improved proxy handling.

This commit enhances the MCP bridge functionality by ensuring proper proxy configuration and testing.

---------

Co-authored-by: Hitesh Madgulkar <212497904+cx-hitesh-madgulkar@users.noreply.github.com>
Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>

* Update release.yml

* AST-158636 - Add KICS IaC guardrail to agent hooks (#11)

* chore: remove Dependabot configuration

* Add KICS IaC guardrail to agent file-edit hook

Wire a KICS-based guardrail into cxBeforeFileEdit that blocks AI-introduced
IaC misconfigurations before they are written to disk, using delta detection
on edits (new findings only) and any-vuln on new files. Honors user
suppressions from the realtime ignore file.

Unlike ASCA, the agent is not given discretion to treat KICS findings as
false positives: KICS is a deterministic IaC rule engine whose findings are
not caused by missing cross-file context, and forcing a fix on an IaC finding
produces benign additive hardening rather than contorted code. The remediation
prompt instructs the agent to fix every finding and to add any externally
required resources rather than skipping.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(actions): declare secrets used by reusable workflows (#6)

Adds explicit on.workflow_call.secrets declarations for all secrets
referenced in the workflow body, replacing implicit reliance on
callers using secrets: inherit.

* chore: remove Dependabot configuration

---------

Co-authored-by: Ohad Israeli <243351248+cx-ohad-israeli@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Jonathan Hartman <208858388+cx-jonathan-hartman@users.noreply.github.com>
Co-authored-by: Nisan Ben Abu <nisan.ben-abu@checkmarx.com>
Co-authored-by: Hitesh Madgulkar <212497904+cx-hitesh-madgulkar@users.noreply.github.com>

* combining all changes

* Fixing the go build issue

* Squashed commit of the following:

commit 527c123
Author: Atish Jadhav <atish.jadhav@checkmarx.com>
Date:   Thu Jul 2 21:10:31 2026 +0530

    Combining all changes for cli (AST-161391) (#1516)

    * combining all changes

    * fixing lint issue

* bug fix

* Adding unit testcases for the change

---------

Co-authored-by: Atish Jadhav <141334503+cx-atish-jadhav@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Co-authored-by: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com>
Co-authored-by: Amol Mane <22643905+cx-amol-mane@users.noreply.github.com>
Co-authored-by: Kedar Bhujade <206036177+cx-kedar-bhujade@users.noreply.github.com>
Co-authored-by: Mor Levy <mor.levy@checkmarx.com>
Co-authored-by: Hitesh Madgulkar <212497904+cx-hitesh-madgulkar@users.noreply.github.com>
Co-authored-by: Avi Sabzerou <53776974+cx-avi-sabzerou@users.noreply.github.com>
Co-authored-by: Ohad Israeli <243351248+cx-ohad-israeli@users.noreply.github.com>
Co-authored-by: Jonathan Hartman <208858388+cx-jonathan-hartman@users.noreply.github.com>
Co-authored-by: Nisan Ben Abu <nisan.ben-abu@checkmarx.com>
Co-authored-by: atishj99 <atish.jadhav@checkmarx.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants