Integrating protection results of the Checkmarx inside GitLab


The automation and integration of utility safety Testing (AST) is crucial for constructing out a real DevSecOps program. Automation is the simple half. Invoke a safety scanners’ REST API or a command line interface inside a pipeline and you will get automated scans. The important thing and extra tough half, is integration. What I imply by that’s being able to combine the safety scanners’ outcomes inside their CI/CD tooling to make a safety evaluation with out having to depart the CI/CD ecosystem is desired.

Introduced immediately, we’re thrilled to share that CxSAST, CxSCA, and CxCodebashing all now combine seamlessly inside GitLab’s ecosystem through CxFlow: Checkmarx’s scan and consequence orchestration utility.

Beneath is a high-level overview on integrating Checkmarx safety into GitLab’s consumer interface.

GitLab’s customers, whether or not they’re Software program Builders, DevOps, or AppSec engineers, wish to devour as a lot of the appliance safety scanner’s outcomes as attainable inside GitLab. GitLab is already an entire DevOps platform from managing -> to planning -> to creating -> to releasing, so it’s simply widespread sense GitLab customers would wish to have safety immediately inside GitLab. GitLab customers can devour Checkmarx security-related vulnerability outcomes at three completely different integration factors:

  • Merge Request Overviews
  • GitLab Points
  • Safety Dashboard (for GitLab Gold/Final tier or public initiatives)

Each group, even groups throughout the group, will wish to run safety scanners at completely different factors of the SDLC, however by finest apply from Checkmarx, it’s prompt to scan on the Merge Request stage. With safety scanning accomplished on the Merge Request stage, an evaluation could be carried out with the scan outcomes and the merge could be blocked, or GitLab Points could be created. However, what sort of consequence information needs to be consumed?

Checkmarx gives:

  • Excessive degree abstract of CxSAST & CxSCA findings
  • Information circulation from supply to sink throughout the supply code
  • Brief abstract of the precise vulnerability that was recognized
  • Hyperlinks to just-in-time coaching (CxCodebashing) and on-line sources for remediation
  • Hyperlinks into Checkmarx platform for much more complete outcomes

Checkmarx maintains a spring boot utility known as CxFlow, which acts as a scan and outcomes orchestration instrument to automate safety scans and combine the outcomes into CI/CD instruments corresponding to GitLab. Some key options and capabilities embrace:

  • Scan Initiation – CLI or Webhook Occasions
    • CxFlow could be configured in two alternative ways: utilizing CxFlow from a command line interface or have CxFlow work as a server and pay attention for Webhook occasions. As soon as an occasion is triggered or acquired, the initiation of a Checkmarx scan will happen mechanically.
    • Merge requests, and even commits of the supply, will set off an present pipeline inside GitLab’s CI/CD and provoke a scan through CxFlow; the present pipeline simply wants an edit to incorporate a stage that can invoke CxFlow.
    • The scan initiation will both create a brand new venture if it doesn’t exist or replace a present one.
  • Outcomes Administration
    • So far as consuming outcomes, the scan outcomes are file based mostly (csv, json, or xml) making it straightforward to import into defect monitoring techniques or dashboards.
    • CxFlow additionally drives a consequence suggestions loop eliminating having to do handbook intervention (opening and even closing defects).
    • You’ll be able to at all times filter the outcomes created based mostly on any filtering standards.
    • The outcomes are straightforward to devour, in a method builders wish to devour and most significantly, actionable.
  • Defect Monitoring
    • Consolidates problems with the identical vulnerability sort in the identical file – as a substitute of a number of points, it is only one.
    • As soon as all references to the vulnerability sort of that problem are fastened, the ticket will mechanically shut.
    • You’ll be able to base it on coverage – severity / CWE / vulnerability sort or state (pressing / confirmed).
    • Defect monitoring can also be supported for each CxSAST and CxSCA outcomes.
  • Suggestions Channels
    • Not solely does it help GitLab Safety Dashboard and GitLab Points, but additionally Jira, E mail, Service Now and Rally.
  • Ease of Consuming the AST Service
    • Easy possibility for the event groups to shortly scan initiatives.
    • There is no such thing as a overhead when configuring and managing builds.
  • Mass Easy Scan Configuration
    • You’ll be able to shortly automate the scan of a number of repositories.
    • Once more, there isn’t a overhead when configuring and managing builds of many repos.
  • Automation with Builders’ Widespread Toolsets
    • On this case, GitLab.
    • You wish to get the small print of points to those that should deal with them – the builders.
    • Drive safety testing based mostly on GitLab exercise.
    • Publish points to present backlogs.
    • Preserve builders inside GitLab.
  • Remove Pointless Handbook Duties with Checkmarx Automation Capabilities
    • Liberate time to give attention to issues that matter.
    • Shift as far left as attainable.
    • Consistently scanning the newest code.
    • Replaces must scan within the IDE.

Beneath is a visible image of the Checkmarx workflow with GitLab’s CI/CD.

Now let’s describe this circulation in additional element:

  1. Setting Variables

Variables are wanted to carry out Checkmarx authentication and to outline Checkmarx scan settings learn by CxFlow. This may be arrange per venture or by “teams”. GitLab has an superior characteristic the place you may have a file as a Variable. We leverage this characteristic and have CxFlow’s yaml configuration file as a Variable.

  1. Defining a Stage

Per GitLab finest apply, utility safety testing needs to be carried out throughout the “check” stage of the pipeline. Throughout the check stage of the pipeline, GitLab will pull the Checkmarx docker container the place CxFlow CLI is saved. CxFlow CLI ought to then be invoked to provoke the scan based mostly on the settings outlined within the config file Variable.

  1. CxFlow CLI Initiates the Scan

CxFlow receives the request with the Checkmarx venture settings and the GitLab repository particulars. CxFlow performs the authentication into the Checkmarx server after which initiates a scan. It’s going to look ahead to the scan to complete.

  1. Checkmarx Performs SAST & SCA Scans
  2. CxFlow Parses Outcomes and Updates GitLab

CxFlow waits till the scan is completed, parses the outcomes and can replace the Safety Dashboard, GitLab Points, the Merge Request Dialogue, or all three. If the problem has been fastened, it’ll mechanically shut it.

For full integration steps, please go to us at

checkmarx sast pricing,checkmarx gitlab integration,checkmarx perpetual license,how to fix checkmarx issues,checkmarx vs sonarqube,fortify pricing,checkmarx sca,checkmarx supports the compare feature,checkmarx supports sans 25,checkmarx npm,what is checkmarx,static application security testing,checkmarx rasp,checkmarx sample report

You May Also Like