
Checkmarx SAST
Application Security- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The CheckmarxSast connector integrates with the on-premise Checkmarx SAST (CxSAST) platform. It syncs the organizational team hierarchy, applications, and code projects, along with the scans (assessments) run against those projects and the findings they produce: SAST static-code findings (and their definitions) and OSA (Open Source Analysis) open-source findings, definitions, and packages.
Data retrieved from Checkmarx SAST
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Team | Yes | Team |
| Application | Yes | Application |
| CodeProject | Yes | Code Project |
| Assessment | Yes | Assessment |
| Package | Yes | Package |
| StaticCodeFinding | Yes | Static Code Finding |
| StaticCodeFindingDefinition | Yes | Static Code Finding Definition |
| OpenSourceFinding | Yes | Open Source Finding |
| OpenSourceFindingDefinition | Yes | Open Source Finding Definition |
Model relationships
For detailed steps on how to view the data retrieved from Checkmarx SAST in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Checkmarx SAST from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Server URL | No | — | Checkmarx Server URL |
| Username | No | — | Checkmarx username |
| Password | No | — | Checkmarx user password |
| Project remote setting | No | — | Include project remote setting. |
| Page size | No | — | Maximum number of records to get per API request |
| Parallel requests | No | — | Maximum number of parallel API requests |
| SSL / TLS | No | — | Skip certificate verification |
| Maximum retries | No | — | The maximum number of retry attempts before giving up a request |
| Requests per minute | No | — | Maximum number of API requests per minute |
| API Timeout | No | — | The maximum time to wait for an API response in seconds. Maximum allowed value 14400 seconds (4 hours) |
Authentication
CheckmarxSast uses OAuth2 (resource-owner password grant). The connector exchanges the configured CxSAST username and password for a bearer token, which it then attaches to every API request.
Token Endpoint
| Method | URL |
|---|---|
| POST | {url}/cxrestapi/auth/identity/connect/token |
Request Headers
| Header | Value |
|---|---|
| Content-Type | application/x-www-form-urlencoded |
Request Body (form-encoded)
{
"username": "{username}",
"password": "{password}",
"grant_type": "password",
"scope": "sast_rest_api",
"client_id": "resource_owner_client"
}
Sample Response
{
"access_token": "eyJhbGciOi***",
"expires_in": 86400,
"token_type": "Bearer"
}
Response Fields
| Field | Description |
|---|---|
| access_token | Bearer token used to authorize subsequent API requests. |
| expires_in | Token lifetime in seconds. The connector refreshes the token shortly before this elapses. |
| token_type | Always Bearer. |
Using the Token
Every API request to the CxSAST REST API ({url}/cxrestapi/...) carries the header:
Authorization: Bearer {access_token}
The token is cached and renewed when it is within 5 seconds of expiry.
How to obtain Checkmarx SAST credentials
Note: The Checkmarx SAST user must have at least the Reviewer role assigned to them in order to retrieve data from the Checkmarx SAST API, as it is the minimum role required for API access. For additional information on roles and permissions, see Checkmarx SAST documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Team
| Source Field Name | SDM Attribute |
|---|---|
| sync timestamp | LAST_CAPTURED |
Team.fullName | NAME |
Team.id | UID |
Application
| Source Field Name | SDM Attribute |
|---|---|
| Constant | CATEGORIES |
| Derived | UID |
| Derived | NAME |
| Sync timestamp | LAST_CAPTURED |
CodeProject
| Source Field Name | SDM Attribute |
|---|---|
| Constant | CATEGORIES |
| Latest scan finish time | LAST_SEEN |
Project.id | UID |
Project.isDeprecated | IS_DEPRECATED |
Project.isPublic | IS_PUBLIC |
Project.name | NAME |
Project.teamId | TEAM_ID |
RemoteSourceSettings.branch | BRANCH |
RemoteSourceSettings.paths | PATHS |
RemoteSourceSettings.url | URL |
Scan.owner | OWNER |
ScanState.cxVersion | CX_VERSION |
ScanState.failedLinesOfCode | FAILED_LOC |
ScanState.filesCount | FILE_COUNT |
ScanState.linesOfCode | LOC |
| Sync timestamp | LAST_CAPTURED |
Assessment
| Source Field Name | SDM Attribute |
|---|---|
| Derived | SCAN_SCOPE |
| Scan name | NAME |
Scan.dateAndTime.finishedOn | LAST_STOPPED |
Scan.dateAndTime.startedOn | LAST_STARTED |
Scan.id | UID |
Scan.project.id | TARGETS |
Scan.project.name | PROJECT_NAME |
Scan.scanType | SCAN_TYPE |
Scan.scanType | CATEGORIES |
Scan.status.name | STATUS |
| Sync timestamp | LAST_CAPTURED |
Package
| Source Field Name | SDM Attribute |
|---|---|
| Constant | CATEGORIES |
Library.id | UID |
Library.licenses | LICENSES |
Library.matchType | MATCH_TYPE |
Library.name | NAME |
Library.newestVersion | LATEST_VERSION |
Library.outdated | OUTDATED |
Library.releaseDate | FIRST_SEEN |
Library.version | CURRENT_VERSION |
| Scan project | PROJECTS |
| Sync timestamp | LAST_CAPTURED |
StaticCodeFinding
| Source Field Name | SDM Attribute |
|---|---|
| md5 of path / query / file / node data | UID |
PathNode.FileName | FILE_NAME |
| Query categories | CATEGORIES |
| Query type | TYPE |
Query.Language | LANGUAGES |
Result.Status | PROVIDER_STATUS |
Result.Status | SOURCE_STATUS |
| Scan time | LAST_FOUND |
Scan.project.id | TARGETS |
| Snippet | CODE_SNIPPET |
| Sync timestamp | LAST_CAPTURED |
StaticCodeFindingDefinition
| Source Field Name | SDM Attribute |
|---|---|
| Query categories | CATEGORIES |
| Query description | RECOMMENDATION |
Query.cweId | CWE_IDS |
Query.cweId | WEAKNESSES |
Query.group | QUERY_GROUP |
Query.id | UID |
Query.name | NAME |
Query.name | QUERY_NAME |
Query.Severity | SEVERITY |
Query.Severity | SOURCE_SEVERITY |
Query.Severity | SEVERITY_SCORE |
| Sync timestamp | LAST_CAPTURED |
OpenSourceFinding
| Source Field Name | SDM Attribute |
|---|---|
CheckmarxSAST- + Vuln.cveName | TYPE |
| Constant active | PROVIDER_STATUS |
| Derived | UID |
Lib.id | LIBRARY_ID |
Lib.id | TARGETS |
| Scan project | PROJECT_ID |
Scan.endAnalyzeTime | LAST_FOUND |
Scan.id | ASSESSMENT |
| State | SOURCE_STATUS |
| State | STATE |
| Sync timestamp | LAST_CAPTURED |
Vuln.cveName | NAME |
Vuln.id | VULNERABILITY_ID |
Vuln.score | SCORE |
Vuln.sourceFileName | FILE_NAME |
OpenSourceFindingDefinition
| Source Field Name | SDM Attribute |
|---|---|
| Definition UID | NAME |
| Sync timestamp | LAST_CAPTURED |
Vuln.cveName | CVE_IDS |
Vuln.cveName | CVE_RECORDS |
Vuln.description | DESCRIPTION |
Vuln.id | UID |
Vuln.publishDate | PUBLISHED_DATE |
Vuln.recommendations | RECOMMENDATION |
Vuln.severity | SEVERITY |
Vuln.severity | SOURCE_SEVERITY |
Vuln.severity | SEVERITY_SCORE |
Vuln.url | REFERENCES |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Team
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: See connector README · Endpoint:
GET /cxrestapi/auth/teams
Application
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: See connector README · Endpoint:
Derived from project / team data.
CodeProject
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: See connector README · Endpoint:
GET /cxrestapi/projects
Assessment
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: See connector README · Endpoint:
GET /cxrestapi/sast/scans
Package
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: See connector README · Endpoint:
GET /cxrestapi/osa/libraries
StaticCodeFinding
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: See connector README · Endpoint:
GET /cxrestapi/reports/sastScan
StaticCodeFindingDefinition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: See connector README · Endpoint:
SAST scan report queries (same report endpoints as StaticCodeFinding)
OpenSourceFinding
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: See connector README · Endpoint:
GET /cxrestapi/osa/vulnerabilities
OpenSourceFindingDefinition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: See connector README · Endpoint:
GET /cxrestapi/osa/vulnerabilities
Changelog
The Checkmarx SAST connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.2.7 | Improvements - Checkmarx SAST records now include a "Last Captured" timestamp on every model (teams, applications, code projects, scans, packages, static code findings and definitions, and open source findings and definitions), recording when each record was last synced for more accurate data-freshness tracking in Brinqa. Bug Fixes - Fixed a sync error that could occur when a Checkmarx query definition had no severity assigned. - Prevented temporary sync storage from being removed while it may still be in use by an overlapping sync, improving the reliability of concurrent Checkmarx SAST syncs. | N/A |
| 3.2.6 | New Features - Checkmarx SAST now exposes a configurable API read timeout (up to 4 hours), letting large SAST instances finish slow report and scan-result downloads without timing out. Improvements - Checkmarx SAST static code findings are now collected from projects in parallel and filtered to scans completed since the last sync, reducing sync times and load on the Checkmarx server. | N/A |
| 3.2.5 | New Features - Checkmarx SAST adds a configurable requests-per-minute limit, allowing the connector to stay within Checkmarx API rate limits during large syncs. | N/A |
| 3.2.4 | New Features - Checkmarx SAST adds a configurable maximum-retries setting, giving you control over how persistently the connector retries failed API requests before skipping them. Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.2.3 | Improvements - Checkmarx SAST findings are now processed as they are fetched rather than fully buffered first, lowering memory usage and improving stability during large scans. | N/A |
| 3.2.2 | No changes in this release. | N/A |
| 3.2.1 | No changes in this release. | N/A |
| 3.2.0 | No changes in this release. | N/A |
| 3.1.3 | No changes in this release. | N/A |
| 3.1.2 | No changes in this release. | N/A |
| 3.1.1 | Improvements - Added automatic lifecycle handling for Checkmarx SAST: applications and code projects are aged out after 180 days without activity, and findings inherit the lifecycle of the asset they belong to, keeping stale records from lingering. | N/A |
| 3.1.0 | No changes in this release. | N/A |
| 3.0.8 | Improvements - Checkmarx SAST static code findings now display a clearer finding name derived from the analyzed path. Bug Fixes - Reworked how Checkmarx SAST static code findings and finding definitions are identified so findings sharing the same CWE but representing different rules are no longer merged together. | • Static Code Finding / Static Code Finding Definition (Checkmarx SAST): The identifiers used for these findings and definitions changed, so previously synced records will not match the new ones. Action: purge the Checkmarx SAST static code finding and finding definition data and re-sync the connector. --- |
| 3.0.7 | Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.6 | Bug Fixes - Fixed Checkmarx SAST static code finding status handling so results are only marked as a false positive when Checkmarx actually flags them as such. | • Static Code Finding (Checkmarx SAST): Finding status values are now derived correctly, changing stored status values for affected findings. Action: re-sync the connector to refresh finding statuses. --- |
| 3.0.5 | No changes in this release. | N/A |
| 3.0.4 | Bug Fixes - Corrected the data type of the Checkmarx SAST code project "Is deprecated" attribute so it is stored as a true/false value. | • Code Project (Checkmarx SAST): The "Is deprecated" attribute changed from a numeric type to a true/false value. Action: re-sync the connector so the attribute is stored in the new format. --- |
| 3.0.3 | New Features - Added the Checkmarx SAST connector for on-premises Checkmarx CxSAST, syncing teams, applications, code projects, scans (assessments), static code findings, and open source findings and packages. | N/A |