Checkmarx One – DAST Connector

The Checkmarx One – DAST (Dynamic Application Security Testing) connector integrates with the Checkmarx One platform to ingest application security findings into Qualys Enterprise TruRisk Management (ETM). By simulating real-world attack scenarios against running web applications, Checkmarx One – DAST identifies vulnerabilities. The Qualys connector allows you to centralize these findings in ETM, enabling risk visualization, prioritization, and remediation efforts through TruRisk Insights.

Category	Supported Asset Type	Supported Finding Type
API Connector	Host Asset	Web Application Vulnerabilities

Prerequisites

The Checkmarx One – DAST Connector is available on demand. To activate it for your subscription, please contact your Technical Account Manager (TAM) or Qualys Support.

Authentication Details

Setting Up Client ID and Client Secret

Reference: Creating OAuth Clients – Checkmarx Docs

1. Log in to your Checkmarx One environment (choose the appropriate server base URL).
   Checkmarx One Server Base URLs:
   • US:US:https://ast.checkmarx.net
   • US2:US2:https://us.ast.checkmarx.net  
   • EU:EU:https://eu.ast.checkmarx.net 
   • EU2:EU2:https://eu-2.ast.checkmarx.net  
   • DEU:DEU:https://deu.ast.checkmarx.net  
   • ANZ:ANZ:https://anz.ast.checkmarx.net  
   • India:India:https://ind.ast.checkmarx.net  
   • Singapore:Singapore:https://sng.ast.checkmarx.net  
   • UAE:UAE:https://mea.ast.checkmarx.net
   • Israel (Gov): Israel (Gov): https://gov-il.ast.checkmarx.net
2. Navigate to Settings > Identity and Access Management.
3. Go to OAuth Clients and click Create Client.
4. Enter a descriptive Client ID and click Create.
5. Copy the Client ID and generate a Client Secret by clicking Regenerate.
6. Copy the secret and store it securely.
7. Adjust optional client settings (Name, Description, Expiry, etc.).
8. Under Role Mapping, assign the following required roles (Read more about minimum required roles here):
   • CxOne composite role: ast-scanner
   • CxOne role: view-policy-management (not required for IDE plugins)
   • IAM role: default-roles
9. Save the client configuration.

Configure Checkmarx One Connector

1. Log in to your Qualys account and go to the Connectors module.
2. Navigate to the Integration tab, locate the Checkmarx One – DAST connector, and click Manage.

Basic Details

Provide the following details

1. Connector Name and Description
2. Type of findings (Web Application Vulnerabilities)
3. Authentication details (Domain Name, Tenant Name, Client ID, Client Secret)

Data Model

The Checkmarx One – DAST connector provides a default schema (based on Checkmarx APIs) to map findings with Qualys ETM schema.

Transform Maps

The connector includes a default transformation map. You may clone or create new maps to customize transformations.

Profile Configuration

Create a profile with Name, Description, Transform Map, Status (Active/Inactive), and Schedule (Single or Recurring).

Scoring

The Scoring screen allows mapping of non-CVE vendor vulnerability severities to Qualys Detection Score (QDS).

• Fill out 5 rows mapping vendor severity levels to QDS values (0–100).
• Default Severity can be set (applied when vendor scores do not match mapping).

How Does the Connection Work?

On schedule (or on-demand), the connector fetches Checkmarx One findings and imports them into ETM. Profiles define what is synchronized and when. The Checkmarx One vulnerability connector performs a full pull on each execution.

In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.

Connector States

A successfully configured connector goes through 4 states.

1. Registered - The connector is successfully created and registered to fetch data from the vendor.
2. Scheduled - The connector is scheduled to execute a connection with the vendor.
3. Processing - A connection is executed and the connector is fetching the asset and findings data.
4. Processed - The connector has successfully fetched the assets, it may still be under process of fetching the findings. Wait for some more time for the connector to fetch the findings completely.

The Processed state indicates that the Connector is successfully configured but it is under the process of importing all your assets and findings. This process (specifically for findings) may take some time.

This entire process may take up to 2 hours for completion. Once it is done, you can find the imported data in Enterprise TruRisk Management (ETM).

Viewing Assets and Findings in ETM

1. Navigate to Enterprise TruRisk Management > Inventory.
   • Go to Assets > Web Applications to view imported Checkmarx applications.
     
2. Navigate to Risk Management > Findings > Vulnerability.
   • Use filter: finding.vendorProductName:"Checkmarx" to list Checkmarx findings.
     

Activating Web Applications in WAS

Web applications synced from the Checkmarx One - DAST Connector appear in:

• ETM

• CSAM

• WAS 

By default, these applications are not activated for scanning in WAS.

To activate web applications in WAS:

1. Navigate to CSAM > Web Applications.

2. Select the desired web application.

3. Choose Quick Actions > Activate WAS.

NOTE: Activating web applications will consume WAS licenses. You should activate only the required applications.

Additional Information

Required Permissions

API Endpoints

Checkmarx One - DAST Data Model Map