Checkmarx One SAST UAI connector
The Checkmarx One SAST (Static Application Security Testing) UAI connector integrates with the Checkmarx One platform to ingest code repository security findings into Qualys Enterprise TruRisk Management (ETM). By analyzing source code or binaries for security flaws without executing the program, Checkmarx One – SAST identifies vulnerabilities. The Qualys connector allows you to centralize these findings in ETM, enabling risk visualization, prioritization, and remediation efforts through TruRisk Insights.
This connector can be enabled only after UAI is activated on your account. Once UAI is active, you can configure the connection. Contact your TAM or Support to activate UAI and the Checkmarx One SAST connector.
Connector Details
| Vendor | Checkmarx |
|---|---|
| Product Name | Checkmarx |
| Category | Assets (SAST) |
| Findings Supported | Code Repository and Vulnerabilities (Findings) |
| Assets Supported | Code Repository |
| Version | 1.0.0 |
| Integration Type | API Integration (REST) |
| Direction | Unidirectional |
| Delta Support | Not Supported |
Authentication
| Parameter | Key | Type | Description |
|---|---|---|---|
| Checkmarx Region | checkmarxRegion | String | Example: deu |
| Tenant Name | tenantName | String | Tenant ID for the user profile. |
| API Key | api_key | String | API Key for the user profile |
Setting Up the API Key
Reference: Creating OAuth Clients – Checkmarx Docs
1. Log in to your Checkmarx One environment (choose the appropriate server base URL).
   Checkmarx One Server Base URLs:
   - US Environment - https://ast.checkmarx.net
   - US2 Environment - https://us.ast.checkmarx.net
   - EU Environment - https://eu.ast.checkmarx.net
   - EU2 Environment - https://eu-2.ast.checkmarx.net
   - DEU Environment - https://deu.ast.checkmarx.net
   - Australia & New Zealand - https://anz.ast.checkmarx.net
   - India - https://ind.ast.checkmarx.net
   - Singapore - https://sng.ast.checkmarx.net
   - UAE - https://mea.ast.checkmarx.net
   - Israel (gov) - https://gov-il.ast.checkmarx.net
2. Navigate to Settings > Identity and Access Management.
3. In the main navigation, click API Keys > Create Key.
4. Configure the API Key with an optional Note description, the expiration period of the key, and the notification email(s).
5. Click Create and copy the API Key. Store it securely for later use.
Required Permissions:
| Entity Type | Permissions |
|---|---|
| VulnerabilityFindings | read: vulnerabilities |
API Endpoints
| API | Endpoint | Notes |
|---|---|---|
| Authorization API | https://<domain>.checkmarx.net/auth/realms/ | Grant Type: client_credentials |
| Fetch Projects | https://<domain>.checkmarx.net/api/projects/?limit=10&offset=0 | Example Domain: deu.ast |
| Fetch Last Scan | https://<domain>.checkmarx.net/api/projects/last-scan?scan-status=Completed&project-ids=<projectId>&engine=sast | Example Project ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Fetch Scan Details | https://<domain>.checkmarx.net/api/results/?scan-id=<scanId>&limit=5000&offset=0 | Example Scan ID: xxxxxxxx-xxxx-xxxx-xxxx- |
Configure Checkmarx SAST UAI Connector
Basic Details
Provide the following details:
- Connector Name and Description
- Authentication details (Checkmarx region, Tenant Name, API Key)

Profile
Profiles control the execution of the connector.
- Provide a Name and Description.
- Set Status (Active or Inactive).
- Configure a Schedule: Single Occurrence or Recurring with start and end dates/times.
- The Assets value is Generic Application by default for the Checkmarx SAST UAI connector.
- Click Next.

How Does the Connection Work?
On schedule (or on-demand), the connector fetches Checkmarx One findings and imports them into ETM. Profiles define what is synchronized and when. The Checkmarx SAST - UAI connector performs a full pull on each execution.
In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.
Connector States
A successfully configured connector goes through 4 states.
- Registered - The connector is successfully created and registered to fetch data from the vendor.
- Scheduled - The connector is scheduled to execute a connection with the vendor.
- Processing - A connection is executed and the connector is fetching the asset and findings data.
- Processed - The connector has successfully fetched the assets but may still be fetching the findings. Allow more time for the connector to fetch the findings completely.
The Processed state indicates that the connector is successfully configured but is still importing your assets and findings. This process (specifically for findings) may take some time.
This entire process may take up to 2 hours for completion. Once it is done, you can find the imported data in Enterprise TruRisk Management (ETM).
Viewing Assets and Findings in ETM
- Navigate to Enterprise TruRisk Management > Inventory.
- Go to Assets > Applications > Other Applications to view imported Checkmarx applications.
- Navigate to Risk Management > Findings > Vulnerability.
- Use filter: finding.vendorProductName:"Checkmarx" to list Checkmarx findings.
Activating Web Applications in WAS
Assets (Code Repositories) synced from the Checkmarx SCA - UAI Connector appear in:
- ETM
- CSAM
- WAS
By default, these applications are not activated for scanning in WAS.
To activate web applications in WAS:
- Navigate to CSAM > Web Applications.
- Select the desired web application.
- Choose Quick Actions > Activate WAS.
- Activating web applications will consume WAS licenses. You should activate only the required applications.
- This connector fetches the latest scans for the Web Applications.
Transformation Map
Checkmarx SAST - UAI Transformation Map: The default transformation map configured for the Checkmarx SAST - UAI connector is fetched from the database and used during execution of the connector profile to transform the data.
Vulnerability Mapping
| Source Field | Target Field |
|---|---|
| name | asset.assetDetail.genericApplicationAssetClass.name |
| createdAt | asset.assetDetail.sourceCreatedAt |
| id | externalAssetId |
| name | asset.assetDetail.name |
| id | vendorAssetId |
| findings[].type | findingGroup.findings[].subCategory |
| findings[].id | findingGroup.findings[].externalFindingId |
| findings[].status | findingGroup.findings[].findingStatus |
| findings[].severity | findingGroup.findings[].severity |
| findings[].firstFoundAt | findingGroup.findings[].firstFoundOn |
| findings[].foundAt | findingGroup.findings[].lastFoundOn |
| findings[].description | findingGroup.findings[].description |
| findings[].data.queryName | findingGroup.findings[].name |
| findings[].vulnerabilityDetails.cweId | findingGroup.findings[].findingType.vulnerability.cweId |
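
The following added example (not Qualys or Checkmarx code) applies the mapping rows above to one source record, so you can see the target structure a project and its findings would produce. The field names come from the table; the record shape, the helper names, the sample values and the choice to skip absent fields are assumptions.

```python
# Added example: field names are from the table above; everything else is assumed.
ASSET_MAP = {  # source field -> target fields (project-level rows)
    "name": ["asset.assetDetail.genericApplicationAssetClass.name",
             "asset.assetDetail.name"],
    "createdAt": ["asset.assetDetail.sourceCreatedAt"],
    "id": ["externalAssetId", "vendorAssetId"],
}
FINDING_MAP = {  # findings[].<source> -> findingGroup.findings[].<target>
    "type": "subCategory", "id": "externalFindingId", "status": "findingStatus",
    "severity": "severity", "firstFoundAt": "firstFoundOn", "foundAt": "lastFoundOn",
    "description": "description", "data.queryName": "name",
    "vulnerabilityDetails.cweId": "findingType.vulnerability.cweId",
}

def get_path(obj, path):  # walk a dotted path; None if any segment is missing
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def set_path(obj, path, value):  # set a dotted path, creating dicts as needed
    *parents, leaf = path.split(".")
    for key in parents:
        obj = obj.setdefault(key, {})
    obj[leaf] = value

def transform(project):
    """Map one source project and its findings to the target structure."""
    out = {"findingGroup": {"findings": []}}
    for src, targets in ASSET_MAP.items():
        value = get_path(project, src)
        for dst in (targets if value is not None else []):
            set_path(out, dst, value)
    for finding in project.get("findings") or []:
        mapped = {}
        for src, dst in FINDING_MAP.items():
            value = get_path(finding, src)
            if value is not None:  # assumption: absent fields are skipped, not nulled
                set_path(mapped, dst, value)
        out["findingGroup"]["findings"].append(mapped)
    return out

SAMPLE = {  # constructed record, not real scan data
    "id": "proj-0001", "name": "payments-api", "createdAt": "2024-01-15T09:30:00Z",
    "findings": [
        {"type": "sast", "id": "f-1", "status": "NEW", "severity": "HIGH",
         "data": {"queryName": "SQL_Injection"}, "vulnerabilityDetails": {"cweId": 89}},
        {"type": "sast", "id": "f-2", "status": "RECURRENT", "severity": "LOW",
         "data": {"queryName": "Log_Forging"}},  # no CWE on this one
    ],
}
```

Comparing `transform(SAMPLE)` with what appears in ETM for the same project is a quick way to spot findings that arrive without a CWE or name.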