Skip to main content
Version: Release 24.3

Checkmarx Plugin

With the Digital.ai Release Checkmarx plugin, you can trigger scans in Checkmarx for your application, verify scan results, and check compliance directly from the Digital.ai Release user interface.

Features

  • Create a Checkmarx: CxOSA - Check Compliance task
  • Create a Checkmarx: CxSCA - Check Compliance task
  • Create a Checkmarx: CxSAST - Check Compliance task
  • Create a Checkmarx: CxSAST Scan - Git task
  • Create a Checkmarx: CxSAST Scan - Svn task
  • Create a CheckmarxOne: CxOneSCA - Check Compliance task
  • Create a CheckmarxOne: CxOneSAST - Check Compliance task
  • Create a CheckmarxOne: Git Trigger - Git task
  • Configure a CxOSA Scan Summary tile
  • Configure a CxSAST Scan Summary tile
  • Configure a CheckmarxOne SAST and SCA Scan Summary tile

Requirements

The Digital.ai Release Checkmarx plugin requires the following:

  • Checkmarx CxSAST versions 9.0.0 or 9.2.0
  • Checkmarx CxSCA Release August 26, 2021 and above
  • For older Checkmarx CxSAST versions such as 8.8.0 8.9.0 use version 9.8.0 of the Release Checkmarx plugin.

Set up a Checkmarx server

There are two locations where you can define a Checkmarx: Server configuration:

  • On a global level in Connections under the Configuration group
  • On a folder level in Overview > Folders of the navigation pane, under the Configuration tab of the desired folder

To set up a connection to a Checkmarx server:

  1. In Release, go to one of the two specified locations.
  2. Click Add button next to the Checkmarx: Server.
  3. In the Title field, specify a name for your Checkmarx server.
  4. In the URL field, specify the URL where to connect to the Checkmarx server.
  5. In the Username and Password fields, specify the login user name and password of the user on the server.
  6. If you are using a proxy connection, specify the host, port, username, password, and Domain in the Proxy section.

Note: Domain is used for the NTLM proxy authentication

  1. To test the server connection, click Test.
  2. Click Save.

Add Checkmarx Server

Set up a Checkmarx SCA server

There are two locations where you can define a Checkmarx: Server configuration:

  • On a global level in Connections under the Configuration group of the navigation pane
  • On a folder level in Overview > Folders of the navigation pane, under the Configuration tab of the desired folder

To set up a connection to a Checkmarx SCA server:

  1. In Release, go to one of the two specified locations.
  2. Click Add button next to the Checkmarx SCA: Server.
  3. In the Title field, specify a name for your Checkmarx SCA server.
  4. In the Account field, specify a name for the Checkmarx SCA tenant account.
  5. In the Server Environment field, select the checkmarx SCA server environment.
  6. In the Username and Password fields, specify the login user name and password of the user on the server.
  7. If you are using a proxy connection, specify the host, port, username, password, and Domain in the Proxy section.

Note: Domain is used for the NTLM proxy authentication

  1. To test the server connection, click Test.
  2. Click Save.

Add Checkmarx SCA Server

Set up a CheckmarxOne server

There are two locations where you can define a CheckmarxOne: Server configuration:

  • On a global level in Connections under the Configuration group of the navigation pane
  • On a folder level in Overview > Folders of the navigation pane, under the Configuration tab of the desired folder

To set up a connection to a CheckmarxOne server:

  1. In Release, go to one of the two specified locations.

  2. Click Add button next to the CheckmarxOne: Server.

  3. In the Title field, specify a name for your CheckmarxOne server.

  4. In the Account field, specify a name for the CheckmarxOne tenant account.

  5. In the Url field, specify the server api URL.

  6. In the User Token field, specify the user token of the user on the server.

  7. If you are using a proxy connection, specify the host, port, username, password, and Domain in the Proxy section.

  8. To test the server connection, click Test.

  9. Click Save.

Add CheckmarxOne Server

Create a Checkmarx: CxSAST - Check Compliance task

The Checkmarx: CxSAST - Check Compliance task type verifies the level of the severity threshold for your project on the Checkmarx server. If the issues count is higher than the configured threshold for a task, the task fails. The task also automatically saves audit reporting information including risk values by severity and their thresholds as well as Checkmarx server and user information. This information can be accessed through Release audit reporting functionality.

To add a Checkmarx: CxSAST - Check Compliance task:

  1. In the release flow view of a release or a template, add a task of the type Checkmarx > CxSAST - Check Compliance.
  2. Open the added task and in the Server field, select the Checkmarx server connection.
  3. In the Project Name field, enter the name of your project from the Checkmarx server.
  4. In the Team field, enter the name of the team from the Checkmarx server.
  5. In the Scan ID field, enter the ID of the project scan for which you want to retrieve the results. If you do not specify the Scan ID, it will retrieve data for latest finished scan.
  6. In the High, Medium, and Low fields, add a maximum value for each severity threshold level.

Create a Checkmarx: CxOSA - Check Compliance task

The Checkmarx: CxOSA - Check Compliance task type verifies the risk levels of the security and license thresholds for your project open source libraries. If the issues count is higher than the configured threshold for a task, the task fails. The task also automatically saves audit reporting information including risk values by severity and their thresholds as well as Checkmarx server and user information. This information can be accessed through Release audit reporting functionality.

To add a Checkmarx: CxOSA - Check Compliance task:

  1. In the release flow view of a release or a template, add a task of the type Checkmarx > CxOSA - Check Compliance.
  2. Open the added task and in the Server field, select the Checkmarx server connection.
  3. In the Project Name field, enter the name of your project from the Checkmarx server.
  4. In the Team field, enter the name of the team from the Checkmarx server.
  5. In the Scan ID field, enter the ID of the project scan for which you want to retrieve the results. If you do not specify the Scan ID, it will retrieve data for latest finished scan.
  6. In the High, Medium, and Low fields for the Security Risk Threshold, add a maximum value for each security risk threshold level.
  7. In the High, Medium, and Unknown fields for the License Risk Threshold, add a maximum value for each license risk threshold level. If the server cannot find the license for a library, it returns Unknown license type.

Add CxOSA Compliance task

Create a Checkmarx: CxSCA - Check Compliance task

The Checkmarx: CxSCA - Check Compliance task type verifies the risk levels of the security and license thresholds for your project source code. If the issues count is higher than the configured threshold for a task, the task fails. The task also automatically saves audit reporting information including risk values by severity and their thresholds as well as Checkmarx SCA server and user information. This information can be accessed through Release audit reporting functionality.

To add a Checkmarx: CxSCA - Check Compliance task:

  1. In the release flow view of a release or a template, add a task of the type Checkmarx > CxSCA - Check Compliance.
  2. Open the added task and in the Server field, select the Checkmarx SCA server connection.
  3. In the Project Name field, enter the name of your project from the Checkmarx server.
  4. In the High Security Risk, Medium Security Risk, and Low Security Risk fields for the Security Risk Threshold, add a maximum value for each security risk threshold level.
  5. In the High License Risk, Medium License Risk, and Low License Risk fields for the License Risk Threshold, add a maximum value for each license risk threshold level.

Add CxSCA Compliance task

Create a Checkmarx: CxSAST Scan - Git task

The Checkmarx: CxSAST Scan - Git task type triggers a scan on the Checkmarx server for your project from a specified Git repository.

To add a Checkmarx: CxSAST Scan - Git task:

  1. In the release flow view of a release or a template, add a task of the type Checkmarx > CxSAST Scan - Git.
  2. Open the added task and in the Server field, select the Checkmarx server connection.
  3. In the Project Name field, enter the name of your project from the Checkmarx server.
  4. In the Team field, enter the name of the team from the Checkmarx server.
  5. In the Preset field, specify the preset value to use for the scan from the Checkmarx server.
  6. In the Configuration field, specify the configuration value to use for the scan from the Checkmarx server.
  7. In the URL field, enter the URL of your Git repository.
  8. In the Branch field, enter the Git branch for you project.
  9. In the Username and Password fields, specify the login user name and password to connect to Git.
  10. In the Token field, enter the personal token to connect to Git. Note: If you used the username and password credentials, the token is not required.
  11. In the Timeout field, set the number of minutes for the scan timeout threshold. If the scan task execution time is higher than the threshold, the task fails.

The output property of this task is the Scan ID from the Checkmarx server. You can use this Scan ID to check the compliance of you project.

Add CxSAST Scan task

Create a CheckmarxOne: Git Trigger - Git task

The CheckmarxOne: Git Trigger - Git task type triggers a scan on the CheckmarxOne server for your project from a specified Git repository.

To add a CheckmarxOne: Git Trigger - Git task:

  1. Open the added task and in the Server field, select the CheckmarxOne server connection.
  2. In the Preset field, enter the preset value (eg) ASA Premium .
  3. In the URL field, enter the URL of your Git repository.
  4. In the Branch field, enter the Git branch for you project.
  5. In the Username and Password fields, specify the login user name and password to connect to Git.
  6. In the Token fields, specify the Personal Access Token(PAT) to connect to Git.
  7. In the SAST Scan SCA Scan Toggle Switch, choose one or both to retrieve the results.
  8. In the Skip Submodule Toggle Switch, Indicates whether to skip the Git submodules
  9. In the Timeout field, enter the Scan timeout in minutes.
  10. In the Scan Tags field, enter the list of the key-vaule tags associated with the scan.
  11. In the Project Tags field, enter the list of the key-vaule tags, will overwrite the tags in current project.

Add Git Trigger task Add Git Trigger task

Create a Checkmarx: CxSAST Scan - SVN task

The Checkmarx: CxSAST Scan - SVN task type triggers a scan on the Checkmarx server for your project from a specified Git repository.

To add a Checkmarx: CxSAST Scan - SVN task:

  1. In the release flow view of a release or a template, add a task of the type Checkmarx > CxSAST Scan - SVN.
  2. Open the added task and in the Server field, select the Checkmarx server connection.
  3. In the Project Name field, enter the name of your project from the Checkmarx server.
  4. In the Team field, enter the name of the team from the Checkmarx server.
  5. In the Preset field, specify the preset value to use for the scan from the Checkmarx server.
  6. In the Configuration field, specify the configuration value to use for the scan from the Checkmarx server.
  7. In the URL field, enter the URL of your SVN repository.
  8. In the Port field, enter the port to connect to SVN.
  9. In the Branch field, enter the SVN branch for you project.
  10. In the Username and Password fields, specify the login user name and password to connect to SVN.
  11. In the Timeout field, set the number of minutes for the scan timeout threshold. If the scan task execution time is higher than the threshold, the task fails.

The output property of this task is the Scan ID from the Checkmarx server. You can use this Scan ID to check the compliance of you project.

Create a CheckmarxOne: SAST - Check Compliance

The CheckmarxOne: SAST - Check Compliance task type verifies the level of the severity threshold for your project on the CheckmarxOne server. If the issues count is higher than the configured threshold for a task, the task fails. The task also automatically saves audit reporting information including risk values by severity and their thresholds as well as CheckmarxOne server and user information. This information can be accessed through Release audit reporting functionality.

To add a CheckmarxOne: SAST - Check Compliance task:

  1. In the release flow view of a release or a template, add a task of the type CheckmarxOne > SAST - Check Compliance.
  2. Open the added task and in the Server field, select the CheckmarxOne server connection.
  3. In the Project Name field, enter the name of your project from the CheckmarxOne server.
  4. In the Scan ID field, enter the ID of the project scan for which you want to retrieve the results. If you do not specify the Scan ID, it will retrieve data for latest finished scan.
  5. In the High, Medium, and Low fields, add a maximum value for each severity threshold level.

Add CxOneSAST Configuration Add CxOneSAST Compliance task

Create a CheckmarxOne: SCA - Check Compliance task

The CheckmarxOne: SCA - Check Compliance task type verifies the level of the severity threshold for your project on the CheckmarxOne server. If the issues count is higher than the configured threshold for a task, the task fails. The task also automatically saves audit reporting information including risk values by severity and their thresholds as well as CheckmarxOne server and user information. This information can be accessed through Release audit reporting functionality.

To add a CheckmarxOne: SCA - Check Compliance task:

  1. In the release flow view of a release or a template, add a task of the type CheckmarxOne > SCA - Check Compliance.
  2. Open the added task and in the Server field, select the CheckmarxOne server connection.
  3. In the Project Name field, enter the name of your project from the CheckmarxOne server.
  4. In the Scan ID field, enter the ID of the project scan for which you want to retrieve the results. If you do not specify the Scan ID, it will retrieve data for latest finished scan.
  5. In the High, Medium, and Low fields, add a maximum value for each severity threshold level.

Add CxOneSCA Configuration Add CxOneSCA Compliance task

Create a CheckmarxOne Scan Summary tile

The CheckmarxOne Scan Summary tile type creates a dashboard tile that displays the metrics of your selected project, configured for a CxOneSAST scan from the CheckmarxOne server.

To configure a CxOne Scan Summary tile:

  1. Go to the release dashboard view of a release or to a custom dashboard from the Dashboards menu.
  2. Click Configure > Add tile > CheckmarxOne Scan Summary.
  3. Open the added task and in the Server field, select the CheckmarxOne server connection.
  4. In the Project Name field, enter the name of your project from the CheckmarxOne server.
  5. In the Scan ID field, enter the ID of the project scan for which you want to retrieve the results. If you do not specify the Scan ID, it will retrieve data for latest finished scan.
  6. In the SAST Summary SCA Summary checkbox, click any one or both to retrieve the results.

CxOne tile Configuration CxOne Summary tile

Create a CxSAST Scan Summary tile

The CxSAST Scan Summary tile type creates a dashboard tile that displays the metrics of your selected project, configured for a CxSAST scan from the Checkmarx server.

To configure a CxSAST Scan Summary tile:

  1. Go to the release dashboard view of a release or to a custom dashboard from the Dashboards menu.
  2. Click Configure > Add tile > CxSAST Scan Summary.
  3. Click the gear icon to configure the added tile.
  4. In the Server field, select an existing Checkmarx server configuration.
  5. In the Project Name field, enter the name of your project from the Checkmarx server.
  6. In the Team field, enter the name of the project team to retrieve the metrics from the Checkmarx server.
  7. In the Scan ID field, enter the ID of the project scan for which you want to retrieve the metrics. If you do not specify the Scan ID, it will retrieve data for latest finished scan.
  8. Click Save.

The tile displays the metrics of your project configured for a CxSAST scan from the Checkmarx server or an error message if an error occurs.

Create a CxOSA Scan Summary tile

The CxOSA Scan Summary tile type creates a dashboard tile that displays the metrics of your selected project configured for a CxOSA scan from the Checkmarx server.

To configure a CxOSA Scan Summary tile:

  1. Go to the release dashboard view of a release or to a custom dashboard from the Dashboards menu.
  2. Click Configure > Add tile > CxOSA Scan Summary.
  3. Click the gear icon to configure the added tile.
  4. In the Server field, select an existing Checkmarx server configuration.
  5. In the Project Name field, enter the name of your project from the Checkmarx server.
  6. In the Team field, enter the name of the project team to retrieve the metrics from the Checkmarx server.
  7. In the Scan ID field, enter the ID of the project scan for which you want to retrieve the metrics. If you do not specify the Scan ID, it will retrieve data for latest finished scan.
  8. In the Risk Type field, select the type of risk for which you want to display metrics.
  9. Click Save.

The tile displays the metrics of your project configured for a CxOSA scan from the Checkmarx server or an error message if an error occurs.

CxOSA Summary tile

Create a Checkmarx: CxSAST - Get Compliance task

This task gets the compliance data in JSON format.