Checkmarx One

Checkmarx One is an application security platform used for scanning, prioritizing, and addressing security vulnerabilities in your organization's applications, projects, or source code. You can bring code, project, and application data from Checkmarx One into Brinqa to manage your application security and construct a unified view of your attack surface, thus strengthening your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Checkmarx One and how to obtain that information from Checkmarx. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Checkmarx One from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Checkmarx One with Brinqa:

  • API URL: The Checkmarx One API URL. The default URL is https://ast.checkmarx.net/.

  • Client ID and Client secret: The client ID and client secret associated with the Checkmarx One account, which must have permissions to log in to the API server and return data.

  • Login URL: The Checkmarx One login URL. The default URL is https://iam.checkmarx.net/.

  • Client Realm: The Checkmarx One client realm. The client realm is the tenant-specific area of the Checkmarx One identity service in which users, roles, and permissions are managed, and it determines which login realm the connector authenticates against.

Generate a Checkmarx One client secret

For the Checkmarx One connector to use the Checkmarx One API, you must provide a client secret. Checkmarx One does not allow retrieving the client secret of an existing user, so you must generate a new client secret instead. To do so, follow these steps:

  1. Log in to your Checkmarx One portal.

  2. On the left-hand side of the page, click Settings, and then click Identity and Access Management.

  3. Click OAuth Clients, and then click Create Client.

  4. Provide a Client ID and click Create client.

    The page reloads and your new client ID displays.

  5. Click Regenerate.

    A window appears with your new client secret. You cannot view it again. Copy the client secret and save it in a secure location.

  6. Click Ok.

  7. Scroll down to Role mapping, locate the ast-viewer role, and click Add.

    This role grants read access to Checkmarx One projects, scans, and results, which is all the connector needs.

  8. Click Save Client.

Note: If you do not have the permissions to create a client secret, contact your Checkmarx One administrator. For additional information, see the Checkmarx One documentation.

Obtain your Checkmarx One client realm

There are two ways to obtain your client realm. The first is to read it from the Identity and Access Management URL:

  1. Log in to your Checkmarx One portal.

  2. On the left-hand side of the page, click Identity and Access Management.

  3. Once you are on the Identity and Access Management page, locate the {client-realm} value in the URL of the page.

    The Client Realm is an alphanumeric value, and the URL resembles https://iam.checkmarx.net/auth/admin/{client-realm}/console/#/realms/{client-realm}, where {client-realm} is the actual Client Realm value that you must use when authenticating Checkmarx One with Brinqa.

You can also obtain your Checkmarx One client realm by following these steps:

  1. Log in to your Checkmarx One portal.

  2. Click Account Settings, represented by a gear icon.

    The Client Realm displays under the License tab.
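As an added example (not Brinqa's connector code), the following Python reads the client realm out of the console URL described above, refuses a URL whose two realm segments disagree, and then uses the Login URL, Client ID and Client secret from the required connection settings to obtain a bearer token for the API URL. The token endpoint path is an assumption based on the standard Keycloak layout that the console URL implies; the page itself does not state it.

```python
"""Checkmarx One connector settings: derive the client realm from the IAM console URL
and request an API token with the client ID/secret. Added example, not Brinqa's code."""
import json
import re
import urllib.parse
import urllib.request

# URL shape given on the page: https://iam.checkmarx.net/auth/admin/{client-realm}/console/#/realms/{client-realm}
_CONSOLE_URL = re.compile(
    r"^https://[^/]+/auth/admin/([A-Za-z0-9_-]+)/console/#/realms/([A-Za-z0-9_-]+)(?:/|$)"
)


def realm_from_console_url(url: str) -> str:
    """Return the client realm, and refuse URLs where the two realm segments disagree."""
    m = _CONSOLE_URL.match(url.strip())
    if m is None:
        raise ValueError("not a Checkmarx One IAM console URL")
    if m.group(1) != m.group(2):
        raise ValueError(f"realm mismatch in URL: {m.group(1)!r} vs {m.group(2)!r}")
    return m.group(1)


def token_endpoint(login_url: str, realm: str) -> str:
    """Client-credentials token endpoint below the Login URL.
    Assumption: Checkmarx One IAM follows the standard Keycloak path layout."""
    return (login_url.rstrip("/")
            + f"/auth/realms/{urllib.parse.quote(realm, safe='')}/protocol/openid-connect/token")


def fetch_access_token(login_url: str, realm: str, client_id: str, client_secret: str) -> str:
    """Exchange the OAuth client credentials for a bearer token (performs a network call)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        token_endpoint(login_url, realm), data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def get_json(api_url: str, token: str, path: str) -> dict:
    """GET {API URL}{path} with the bearer token, e.g. path='/api/projects' from the APIs table."""
    req = urllib.request.Request(api_url.rstrip("/") + path,
                                 headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Keep the client secret out of source control and logs; the connector only needs it at token-exchange time.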

Additional settings

The Checkmarx One connector contains additional options for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 100. Values above 100 are not recommended.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 2.

Types of data to retrieve

The Checkmarx One connector can retrieve the following types of data from the Checkmarx One API:

Table 1: Data retrieved from Checkmarx One

Connector Object | Required | Maps to Data Model
-----------------|----------|-------------------
Application | Yes | Application
Infrastructure Code As Finding | Yes | Static Code Finding
Open Source Code Finding | Yes | Open Source Code Finding
Open Source Code Finding Definition | Yes | Open Source Code Finding Definition
Package | Yes | Package
Project | Yes | Code Project
Scan | Yes | Assessment
Static Code Finding | Yes | Static Code Finding
Static Code Finding Definition | Yes | Static Code Finding Definition

Info: For detailed steps on how to view the data retrieved from Checkmarx One in the Brinqa Platform, see How to view your data.

Attribute mappings

The sections below list the mappings between the source fields and the Brinqa data model attributes.

Application

Table 2: Application attribute mappings

Source Field Name | Maps to Attribute
------------------|------------------
category | categories
createdAt | firstSeen
criticality | criticality
description | description
id | uid
name | name
tags | tags
updatedAt | sourceLastModified

Infrastructure Code As Finding

Table 3: Infrastructure Code As Finding attribute mappings

Source Field Name | Maps to Attribute
------------------|------------------
ID | uid
actualValue | results
assessment | firstScanID
category | categories
comments | Local variable
description | description
expectedValue | Not mapped
fileName | path
firstFoundAt | firstFound
firstScanID | assessment
foundAt | lastFound
group | Not mapped
issueType | Not mapped
line | path
platform | Local variable
queryID | type, uid
queryName | name
queryURL | Not mapped
searchKey | Not mapped
searchValue | Not mapped
severity | severity, severityScore
similarityID | Local variable
state | Local variable
status | status, statusCategory
type | categories
value | results

Open Source Finding

Table 4: Open Source Finding attribute mappings

Source Field Name | Maps to Attribute
------------------|------------------
cveName | Not mapped
id | type, uid, cveIds, cveRecords
isIgnored | status
isViolatingPolicy | tags
packageId | targets
packageId | uid
status | status
statusCategory | statusCategory
type | Not mapped

Open Source Finding Definition

Table 5: Open Source Finding Definition attribute mappings

Source Field Name | Maps to Attribute
------------------|------------------
cwe | cweIds, weaknesses
cvss | Not mapped
cvssList | Use CVSS calculator
description | description
exploitableMethods | Local variable
fixResolutionText | Local variable
id | uid, cveIds, cveRecords
publishDate | publishedDate
recommendations | recommendation
references | references
referencesData | Not mapped
score | Local variable
severity | severity, severityScore
type | Not mapped

Package

Table 6: Package attribute mappings

Source Field Name | Maps to Attribute
------------------|------------------
confidenceLevel | Local variable
createdOn | firstSeen
highVulnerabilityCount | Local variable
id | uid
ignoredVulnerabilitiesCount | Local variable
isDevelopment | tags
isDirectDependency | tags
isNpmVerified | tags
isPluginDependency | tags
isTestDependency | tags
isViolating | tags
lastUpdate | sourceLastModified
licenseNames | licenses
lowVulnerabilityCount | Local variable
matchType | Not mapped
name | Not mapped
newestVersion | latestVersion
newestVersionReleaseDate | Local variable
numberOfVersionsSinceLastUpdate | Local variable
outdated | outdated
packageId | name
packageRepository | Local variable
projectId | projects
projectName | Local variable
releaseDate | Local variable
riskScore | Local variable
scanId | Local variable
severity | Local variable
tenantId | Local variable
version | currentVersion

Project

Table 7: Project attribute mappings

Source Field Name | Maps to Attribute
------------------|------------------
applications | applications
createdAt | firstSeen
criticality | criticality
description | description
groups | tags (group:id)
id | uid
mainBranch | Local variable
name | name
repoUrl | Local variable
tags | tags (key:value)
updatedAt | sourceLastModified

Scan

Table 8: Scan attribute mappings

Source Field Name | Maps to Attribute
------------------|------------------
branch | Local variable
createdAt | startTime
id | uid
initiator | Local variable
loc | linesOfCode
projectId | targets
projectName | Local variable
sourceOrigin | Local variable
sourceType | Local variable
status | status
tags | tags
updatedAt | endTime

Static Code Finding

Table 9: Static Code Finding attribute mappings

Source Field Name | Maps to Attribute
------------------|------------------
compliances | Local variable
confidenceLevel | Local variable
firstFoundAt | firstFound
firstScanId | assessment
foundAt | lastFound
group | tags (group:value)
languageName | languages
nodes | results
path | path
pathSystemId | uid
queryId | type
queryName | name
resultHash | uid
similarityId | Local variable
state | Local variable
status | status, statusCategory
uniqueId | Local variable

Static Code Finding Definition

Table 10: Static Code Finding Definition attribute mappings

Source Field Name | Maps to Attribute
------------------|------------------
cause | description, Local variable
cweID | cweIds, weaknesses
generalRecommendations | recommendation, Local variable
queryDescriptionId | name
queryId | uid
queryName | name
resultDescription | description, Local variable
risk | description, Local variable
samples.code | recommendation
samples.progLanguage | recommendation
samples.title | recommendation
severity | severity, severityScore

Info: Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, a specialized library calculates the CVSS scores from the provided CVSS vector strings.

Data lifecycle management (DLM) strategy

The following table details the DLM strategy for the Checkmarx One connector:

Table 11: Checkmarx One DLM strategy

Connector Object | Inactivity Condition | Purge Policy | Summary
-----------------|----------------------|--------------|--------
Application | LAST_CAPTURED NOT IN LAST 180 Days | 30 days after inactivity | Uses the LAST_CAPTURED attribute to identify applications not scanned in the last 180 days, and then purges the records after 30 days of inactivity.
Infrastructure Code Finding | Inactivity is delegated to the Application object | 30 days after inactivity | Inactivity is determined by the lifecycle status of the associated application, and then purges the records after 30 days of inactivity.
Open Source Finding | Inactivity is delegated to the Application object | 30 days after inactivity | Inactivity is determined by the lifecycle status of the associated application, and then purges the records after 30 days of inactivity.
Static Code Finding | Inactivity is delegated to the Application object | 30 days after inactivity | Inactivity is determined by the lifecycle status of the associated application, and then purges the records after 30 days of inactivity.
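The following Python is an added illustration of the strategy in Table 11 (not Brinqa's DLM implementation, which the page does not show): an application becomes inactive once its LAST_CAPTURED date falls outside the last 180 days, the three finding objects take their state from their parent application, and a record is purged 30 days after it became inactive. The record shapes, the application_id link and the exact day boundaries are assumptions made for the example.

```python
"""Checkmarx One DLM strategy from Table 11 applied to sample records.
Added example; not Brinqa's implementation."""
from datetime import date, timedelta

INACTIVE_AFTER = timedelta(days=180)  # Application: LAST_CAPTURED NOT IN LAST 180 days
PURGE_AFTER = timedelta(days=30)      # every object: purge 30 days after becoming inactive

# Finding objects whose inactivity is delegated to the parent Application.
DELEGATED = {"Infrastructure Code Finding", "Open Source Finding", "Static Code Finding"}


def application_inactive_since(last_captured: date, today: date):
    """Date on which an application first failed the 180-day condition, or None if still active.
    Assumed boundary: a capture exactly 180 days ago still counts as 'in the last 180 days'."""
    if today - last_captured > INACTIVE_AFTER:
        return last_captured + INACTIVE_AFTER
    return None


def lifecycle_state(record: dict, applications: dict, today: date) -> str:
    """Return 'active', 'inactive' or 'purge' for an Application or a delegated finding.

    record:       {"type": "Application", "last_captured": date} or
                  {"type": <finding type>, "application_id": str}   (assumed shapes)
    applications: application id -> Application record
    """
    if record["type"] == "Application":
        since = application_inactive_since(record["last_captured"], today)
    elif record["type"] in DELEGATED:
        parent = applications.get(record["application_id"])
        if parent is None:
            raise KeyError(f"finding references unknown application {record['application_id']!r}")
        since = application_inactive_since(parent["last_captured"], today)
    else:
        raise ValueError(f"no DLM strategy defined for {record['type']!r}")
    if since is None:
        return "active"
    return "purge" if today >= since + PURGE_AFTER else "inactive"
```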

Operation options

The Checkmarx One connector supports the following operation options. See connector operation options for information about how to apply them.

Table 12: Checkmarx One connector operation options

Connector Object | Option | All Possible Values | Description | Example
-----------------|--------|---------------------|-------------|--------
Infrastructure Code Finding | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve infrastructure code findings from the specified Checkmarx One projects. | Key: project-ids Value: 1d60e327-8c98-42c5-932f-73a4b91f58e3. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Infrastructure Code Finding Definition | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve infrastructure code finding definitions from the specified Checkmarx One projects. | Key: project-ids Value: f9d4bc6a-2e15-4a7c-8b90-1e036cd8e773. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Open Source Finding | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve open source findings from the specified Checkmarx One projects. | Key: project-ids Value: 97c2ba45-0186-4d3d-92e3-e3518f760d32. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Open Source Finding Definition | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve open source finding definitions from the specified Checkmarx One projects. | Key: project-ids Value: 27e3d460-d410-3f98-85c2-2cb541871a9e. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Packages | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve packages from the specified Checkmarx One projects. | Key: project-ids Value: e8c6d4f2-a1b9-4e30-9d6c-75f7c803b520. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Static Code Finding | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve static code findings from the specified Checkmarx One projects. | Key: project-ids Value: 45a2bc89-7613-4e0d-92f5-c378d01256ef. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Static Code Finding Definition | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve static code finding definitions from the specified Checkmarx One projects. | Key: project-ids Value: 83d4fe29-9601-4c3b-81a7-f215b36279de, 45a2bc97-6810-3d4f-92e3-d760f51832ce. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project IDs.

To locate your Checkmarx One project IDs, follow these steps:

  1. Log in to your Checkmarx One portal.

  2. Click the Projects tab to see a list of projects in your account.

  3. Locate the ID column next to the corresponding project name. The ID column contains an icon; click it to copy the project ID.

    The project ID is an alphanumeric value in UUID form, for example 45a2bc89-7613-4e0d-92f5-c378d01256ef.

APIs

The Checkmarx One connector uses the Checkmarx One REST API. Specifically, it uses the following endpoints:

Table 13: Checkmarx One REST API Endpoints

Connector Object | API Endpoints
-----------------|--------------
Application | GET /api/applications
Infrastructure Code Finding | GET /api/kics-results?scan-id=
Infrastructure Code Finding Definition | GET /api/kics-results?scan-id=
Project | GET /api/applications
        | GET /api/projects
Scans | GET /api/scans?from-date=

The Checkmarx One connector also uses the Checkmarx SCA REST API. Specifically, it uses the following endpoints:

Table 14: Checkmarx SCA REST API Endpoints

Connector Object | API Endpoints
-----------------|--------------
Open Source Finding | GET /api/risk-management/risk-reports/{scan-id}
Open Source Finding Definition | GET /api/risk-management/risk-reports/{scan-id}
Package | GET /api/sca/risk-management/reporting/packages
Static Code Finding | GET /api/sast-results/?scan-id=
Static Code Finding Definition | GET /api/sast-results/?scan-id=

Changelog

The Checkmarx One connector has undergone the following changes:

Table 15: Checkmarx One connector changelog

Version | Description
--------|------------
3.1.3 | Fixed an issue where the connector was not properly ingesting exploitability information. As a result, the EXPLOITABLE_METHODS attribute type on the Open Source Finding Definition object has been changed from string to multi-value.
3.1.2 | Fixed an issue where objects using the /api/risk-management/risk-reports/ endpoint were taking longer than expected to sync.
      | Improved performance by preventing unnecessary retries on 404 errors.
      | Fixed an issue where the connector was not properly identifying the correct scan type when retrieving the last scan for different object types.
3.1.1 | Added support for Data lifecycle management to the Application, Infrastructure Code Finding, Open Source Finding, and Static Code Finding objects.
      | Added the LAST_CAPTURED attribute to the Application object.
      | Added the PROVIDER_STATUS and SOURCE_STATUS attributes to the Infrastructure Code Finding, Open Source Finding, and Static Code Finding objects.
      | Added the LAST_CAPTURED attribute to the Static Code Finding object.
3.1.0 | No change.
3.0.8 | No change.
3.0.7 | No change.
3.0.6 | No change.
3.0.5 | Changed the CRITICALITY attribute type on the Application object from string to integer.
3.0.4 | No change.
3.0.3 | No change.
3.0.2 | Restructured the code to align with the latest Connector Framework.
3.0.1 | Enhanced the Static Code Finding object to return UNKNOWN when the file name is missing in the source.
3.0.0 | Initial Integration+ release.