Checkmarx · cx-ricardo-jesus · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026
@@ -0,0 +1,31 @@
+from pymarshal.json import type_assert, type_assert_iter
+
+
+class ScanFile:
+    def __init__(self, file_name, similarity_id, line,
+                 resource_type, resource_name, issue_type,
+                 search_key, search_line, search_value,
+                 expected_value, actual_value):
+        self.file_name = type_assert(file_name, str)
+        self.similarity_id = type_assert(similarity_id, str)
+        self.line = type_assert(line, int)
+        self.resource_type = type_assert(resource_type, str)
+        self.resource_name = type_assert(resource_name, str)
+        self.issue_type = type_assert(issue_type, str)
+        self.search_key = type_assert(search_key, str)
+        self.search_line = type_assert(search_line, int)
+        self.search_value = type_assert(search_value, str)
+        self.expected_value = type_assert(expected_value, str)
+        self.actual_value = type_assert(actual_value, str)
+
+
+class Query:
+    def __init__(self, query_name="", query_id="", files=None):
+        self.query_name = type_assert(query_name, str)
+        self.query_id = type_assert(query_id, str)
+        self.files = type_assert_iter(files, ScanFile)
+
+
+class ScanResults:
+    def __init__(self, queries=None):
+        self.queries = type_assert_iter(queries, Query)
@@ -0,0 +1,160 @@
+#!/usr/bin/env python3
+
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+from pymarshal.json import unmarshal_json
+from results_models import ScanResults
+
+REPO_ROOT = Path(__file__).resolve().parents[3]
+
+def get_changed_queries():
+    """Parse CHANGED_QUERIES env var (JSON array from dorny/paths-filter) to get query directories."""
+    raw = os.getenv("CHANGED_QUERIES", "")
+    if not raw:
+        print("::error::CHANGED_QUERIES environment variable is empty or not set")
+        sys.exit(1)
+
+    try:
+        files = json.loads(raw)
+    except json.JSONDecodeError:
+        print(f"::error::CHANGED_QUERIES is not valid JSON: {raw}")
+        sys.exit(1)
+
+    dirs = []
+    for f in files:
+        if f.endswith("/query.rego"):
+            dirs.append(REPO_ROOT / Path(f).parent)
+    return dirs
+
+
+def has_search_line_defined(query_dir):
+    """Check if query.rego defines searchLine in its result object."""
+    rego_file = query_dir / "query.rego"
+    if not rego_file.exists():
+        return False
+    return "searchLine" in rego_file.read_text()
+
+
+def run_kics_scan(query_dir):
+    """Run KICS scan for a single query and return True if it completed successfully."""
+    query_id = json.loads((query_dir / "metadata.json").read_text())["id"]
+
+    results_dir = query_dir / "results"
+    results_dir.mkdir(exist_ok=True)
+
+    payloads_dir = query_dir / "payloads"
+    payloads_dir.mkdir(exist_ok=True)
+
+    cmd = [
+        "go", "run", str(REPO_ROOT / "cmd" / "console" / "main.go"),
+        "scan",
+        "-p", str(query_dir / "test"),
+        "-o", str(results_dir),
+        "--output-name", "all_results.json",
+        "-i", query_id,
+        "-d", str(payloads_dir / "all_payloads.json"),
+        "-v",
+        "--experimental-queries",
+        "--bom",
+        "--enable-openapi-refs",
+        "--ignore-on-exit", "results",
+        "--kics_compute_new_simid"
+    ]
+
+    print(f"  Running scan with query ID: {query_id}")
+
+    proc = subprocess.run(cmd, capture_output=True, text=True, cwd=str(REPO_ROOT))
+
+    if proc.returncode not in {0, 60, 50, 40, 30, 20}:
+        print(f"  ::error::Scan failed (exit code {proc.returncode})")
+        if proc.stdout:
+            print(f"  stdout (last 500 chars): ...{proc.stdout[-500:]}")
+        if proc.stderr:
+            print(f"  stderr (last 500 chars): ...{proc.stderr[-500:]}")
+        return False
+
+    return True
+
+def validate_scan_results(query_dir):
+    """
+    Validate scan results:
+    - Fail if any search_line != line
+    - Fail if any search_line == -1
+    """
+    results_file = query_dir / "results" / "all_results.json"
+    rel_dir = query_dir.relative_to(REPO_ROOT)
+
+    if not results_file.exists():
+        print(f"  ::error file={rel_dir}::Results file not generated by scan")
+        return False
+
+    data = json.loads(results_file.read_text())
+    scan_results = unmarshal_json(data, ScanResults)
+
+    # Flatten results from all queries
+    all_results = []
+    for query in scan_results.queries:
+        all_results.extend(query.files)
+
+    if not all_results:
+        print("  [OK] No results to validate")
+        return True
+    # Validate each result
+    valid = True
+    for idx, f in enumerate(all_results):
+        sl = int(f.search_line)
+        ln = int(f.line)
+        fn = f.file_name
+
+        if sl == -1:
+            print(f"  ::error::Result [{idx}] {fn}: search_line is -1")
+            valid = False
+        elif sl != ln:
+            print(f"  ::error::Result [{idx}] {fn}: search_line ({sl}) != line ({ln})")
+            valid = False
+        else:
+            print(f"  [OK] Result [{idx}] {fn}: search_line={sl} == line={ln}")
+
+    return valid
+
+
+def validate_query(query_dir):
+    """Validate a single query directory."""
+
+    if not has_search_line_defined(query_dir):
+        print("  [SKIP] searchLine not defined in query.rego - PASS")
+        return True
+
+    print("  searchLine is defined in query.rego - running scan...")
+
+    if not run_kics_scan(query_dir):
+        return False
+
+    return validate_scan_results(query_dir)
+
+
+def main():
+    query_dirs = get_changed_queries()
+
+    if not query_dirs:
+        print("No query.rego were changed - nothing to validate")
+        sys.exit(0)
+
+    all_valid = True
+    for qd in query_dirs:
+        if not validate_query(qd):
+            all_valid = False
+
+    if all_valid:
+        print("All searchLine validations passed!")
+        sys.exit(0)
+    else:
+        print("::error::Some searchLine validations failed. See errors above.")
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()
@@ -90,6 +90,40 @@ jobs:
         with:
           name: unit-test-${{ runner.os }}-${{ github.event.pull_request.head.sha }}.log
           path: unit-test.log
+  validate-search-line:
+    name: validate-search-line
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+      - name: Detect changed query.rego files
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          list-files: json
+          filters: |
+            queries:
+              - 'assets/queries/**/query.rego'
+      - name: Set up Python
+        if: steps.filter.outputs.queries == 'true'
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.13'
+      - name: Install Python dependencies
+        if: steps.filter.outputs.queries == 'true'
+        run: pip install pymarshal
+      - name: Validate searchLine in modified queries
+        if: steps.filter.outputs.queries == 'true'
+        env:
+          CHANGED_QUERIES: ${{ steps.filter.outputs.queries_files }}
+          KICS_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          KICS_PR_NUMBER: ${{ github.event.number }}
+        working-directory: .github/scripts/validate-search-line/
+        run: python3 validate_search_line.py
+
   security-scan:
     name: security-scan
     runs-on: ubuntu-latest

@@ -51,7 +51,7 @@ CxPolicy[result] {
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "'deploy.resources' should be defined",
 		"keyActualValue":  "'deploy.resources' is not defined",
-		"searchLine": common_lib.build_search_line(["services", name, "deploy"], []),
+		"searchLine": common_lib.build_search_line(["shdfosdhfoisdhf"], []),
 	}
 }
 

@@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.7-alpine AS build_env
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.8-alpine AS build_env
 
 # Install build dependencies
 RUN apk add --no-cache git
@@ -51,7 +51,7 @@
 USER checkmarx

 # Add kics to PATH
 ENV PATH $PATH:/app/bin

 # Healthcheck the container (consistent with Debian variant)
 HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt

@@ -3,7 +3,7 @@
 # it does not define an ENTRYPOINT as this is a requirement described here:
 # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#linux-based-containers
 #
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.7-bookworm as build_env
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.8-bookworm as build_env
 # Create a group and user
 RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx
 USER checkmarx
@@ -45,7 +45,7 @@

 RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx

 ENV PATH /app/bin:/usr/bin/git:$PATH

 RUN apt-get update -yq \
  && apt-get install git wget unzip zip jq -y \
@@ -60,7 +60,7 @@

 WORKDIR /app/bin

 ENV PATH $PATH:/app/bin
 # Healthcheck the container

 HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
@@ -4,10 +4,10 @@
 
 ENV PATH=$PATH:/usr/local/go/bin
 
-ADD https://golang.org/dl/go1.25.7.linux-amd64.tar.gz .
+ADD https://golang.org/dl/go1.25.8.linux-amd64.tar.gz .
 RUN yum install git gcc -y \
-  && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.25.7.linux-amd64.tar.gz \
-  && rm -f go1.25.7.linux-amd64.tar.gz
+  && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.25.8.linux-amd64.tar.gz \
+  && rm -f go1.25.8.linux-amd64.tar.gz
 
 ENV GOPRIVATE=github.com/Checkmarx/*
 ARG VERSION="development"
@@ -36,7 +36,7 @@

 FROM registry.access.redhat.com/ubi8:latest

 ENV RELEASE=$RELEASE \
  VERSION=$VERSION

 LABEL name="KICS" \
@@ -75,7 +75,7 @@
 COPY --chown=${KUSER}:${KGROUP} --from=build_env /build/bin/kics /app/bin/kics
 COPY --chown=${KUSER}:${KGROUP} --from=build_env /build/assets/ /app/bin/assets/

 ENV PATH $PATH:/app/bin

 # Command to run the executable
 ENTRYPOINT ["/app/bin/kics"]