CheckmarxOne SCA Connector
The Checkmarx One SCA connector brings open source vulnerability findings from Checkmarx into Qualys Enterprise TruRisk Management, enabling organizations to centralize these findings in ETM for risk visualization, prioritization, and remediation efforts.
By automatically ingesting software composition analysis data alongside other security findings, teams gain a unified view of vulnerabilities across their code repositories and can make more informed decisions about which risks to address first.
This integration matters because unmanaged open source dependencies represent a significant attack surface that most enterprises struggle to track, and consolidating these insights with other risk data helps security teams allocate remediation resources more effectively.
Connector Details
| Attribute | Value |
|---|---|
| Vendor | Checkmarx |
| Product Name | CheckmarxOne SCA |
| Category | Application Security |
| Findings Support | Yes |
| Supported Assets | Code Repository, Generic Application |
| Version | 1.0.0 |
| Integration Type | API Integration (REST) |
| Direction | Unidirectional |
| Delta Support | Not Supported |
Configure the Connector
Follow the steps below to configure your connection.

Before You Begin - Authentication
Have the following ready before starting the connector configuration in Qualys ETM:
- Ensure you have access to your Checkmarx One environment with permissions to create API keys.
- Generate an API key in Checkmarx One. Navigate to Settings > Identity and Access Management > API Keys and click Create Key. Store the generated key securely.
- Note your Checkmarx region and Tenant Name (Tenant ID). Your region determines the base URL (for example, deu for the DEU region at https://deu.ast.checkmarx.net).
The connector authenticates using OAuth 2.0 with a client_credentials grant type. An API key generated from the Checkmarx One console is used alongside the Checkmarx region and Tenant Name to obtain an access token from the Checkmarx authorization endpoint. The token is then used for all subsequent API calls to retrieve projects and SCA scan results.
Generate an API Key in Checkmarx One
- Log in to your Checkmarx One environment using the appropriate regional URL (see the region table below).
- Navigate to Settings > Identity and Access Management > API Keys.
- Click Create Key.
- Optionally configure a description, expiration period, and notification emails.
- Click Create and copy the generated API key immediately. Store it securely.
Important: The API key is shown only once at creation. If you navigate away before copying it, you must delete and recreate the key. If an expiration period is configured, rotate the key before expiry to maintain uninterrupted data ingestion.
Read more about generating API keys at Creating OAuth Clients – Checkmarx Docs.
Identify Your Checkmarx Region and Tenant Name
Your Checkmarx region is extracted from your Checkmarx One base URL. Enter the full regional URL in the Checkmarx Region field in Qualys ETM.
| Region | Base URL |
|---|---|
| US | https://ast.checkmarx.net |
| US2 | https://us.ast.checkmarx.net |
| EU | https://eu.ast.checkmarx.net |
| EU2 | https://eu-2.ast.checkmarx.net |
| DEU | https://deu.ast.checkmarx.net |
| Australia & New Zealand | https://anz.ast.checkmarx.net |
| India | https://ind.ast.checkmarx.net |
| Singapore | https://sng.ast.checkmarx.net |
| UAE | https://mea.ast.checkmarx.net |
| Israel (Gov) | https://gov-il.ast.checkmarx.net |
Your Tenant Name is the Tenant ID associated with your Checkmarx One user profile.
Permissions Required
The API key must have read:vulnerabilities permission on the VulnerabilityFindings entity to access SCA vulnerability findings from Checkmarx One.
Scope and Data Access
The connector retrieves the latest completed SCA scan results for each project in Checkmarx One via the projects, last-scan, and scan results API endpoints. Custom filtering is not supported during connector configuration. The default asset class is Generic Application, and applications appear in ETM, CSAM, and WAS after ingestion. WAS activation consumes licenses; activate only the applications you need.
Key Rotation
When rotating the API key, generate a new key in Checkmarx One under Settings > Identity and Access Management > API Keys. Update the credential in Qualys ETM via the Edit Connector option and enter the new API key.
Create a Profile & Connection
This step establishes the connector's identity and authenticates it with your Checkmarx One environment.
- Log in to Qualys ETM.
- Navigate to Connectors > Integration.
- Locate the CheckmarxOne SCA Connector on the Connector Marketplace and click Add. This is a one-time task.
Note: If the connector is already added, navigate to My Connectors, search for the CheckmarxOne SCA connector, and click Manage Connections.
- From the connector tile, click Manage Connections.
- Click Create Connection. The Setup Guide opens with the Before You Begin checklist and four reference tabs: Overview, Auth Setup, Permissions, and Troubleshooting. Review these before continuing.
- Click Proceed to Setup.
- On the Profile & Connectivity page, complete the following fields:
Connector Details
| Field | Description |
|---|---|
| Name (required) | A unique display name for this connector connection. |
| Description | An optional description of the connection's purpose. |
Authentication Details
Provide the following values to authenticate the connector with your Checkmarx One environment.
| Field | Type | Description |
|---|---|---|
| Checkmarx Region (required) | String | The full base URL of your Checkmarx One environment. Example: https://deu.ast.checkmarx.net. See the regional URL table above. |
| Tenant Name (required) | String | The Tenant ID associated with your Checkmarx One user profile. Example: qualys-nfr |
| API Key (required) | Encrypted String | The API key generated from Checkmarx One under Settings > Identity and Access Management > API Keys. |
- Click Test Connection. A modal appears showing the status of five sequential checks:
- Network Reachability — Verifies the Checkmarx One regional endpoint is reachable over HTTPS (port 443).
- TLS Handshake — Confirms a secure connection can be established.
- Authentication Credential Check — Validates the API key, Region, and Tenant Name against the Checkmarx OAuth endpoint.
- Authorization Scope Check — Confirms the API key has read:vulnerabilities permission on the VulnerabilityFindings entity.
- Data Fetch — Verifies that project and SCA scan data can be retrieved from the Checkmarx One API.
Important: All five checks must pass before you can proceed. If Network Reachability fails with an Unknown Host error, verify that the Checkmarx Region value matches your deployment (for example, deu for the DEU region) and that Qualys cloud can reach the endpoint over HTTPS (port 443).
- Click OK to dismiss the modal, then click Next.
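An added example (not Qualys or Checkmarx code) that pre-checks the Checkmarx Region value and repeats the Network Reachability and TLS Handshake checks before you click Test Connection. It assumes the field takes the full regional URL as described above; `canonical_region` and `preflight` are hypothetical helper names, and the checks run from your own host, not from the Qualys cloud.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Regional base URLs copied from the table on this page.
REGION_URLS = {
    "US": "https://ast.checkmarx.net",
    "US2": "https://us.ast.checkmarx.net",
    "EU": "https://eu.ast.checkmarx.net",
    "EU2": "https://eu-2.ast.checkmarx.net",
    "DEU": "https://deu.ast.checkmarx.net",
    "Australia & New Zealand": "https://anz.ast.checkmarx.net",
    "India": "https://ind.ast.checkmarx.net",
    "Singapore": "https://sng.ast.checkmarx.net",
    "UAE": "https://mea.ast.checkmarx.net",
    "Israel (Gov)": "https://gov-il.ast.checkmarx.net",
}
KNOWN_HOSTS = {urlsplit(url).hostname: url for url in REGION_URLS.values()}

def canonical_region(value):
    """Return the listed base URL for `value`; raise ValueError for anything else."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() != "https":
        raise ValueError("enter the full https:// regional URL, not a short code")
    if parts.username or parts.port not in (None, 443) or parts.path.strip("/") or parts.query:
        raise ValueError("expected a bare base URL with no credentials, port, path or query")
    url = KNOWN_HOSTS.get((parts.hostname or "").lower())
    if url is None:
        raise ValueError(f"{parts.hostname!r} is not a listed Checkmarx One region host")
    return url

def preflight(base_url, timeout=5.0):
    """Repeat the Network Reachability and TLS Handshake checks from this host."""
    host = urlsplit(canonical_region(base_url)).hostname
    try:
        socket.getaddrinfo(host, 443)
    except socket.gaierror as exc:
        return ("Network Reachability", False, f"Unknown Host: {exc}")
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                return ("TLS Handshake", True, tls.version())
    except ssl.SSLError as exc:
        return ("TLS Handshake", False, str(exc))
    except OSError as exc:
        return ("Network Reachability", False, str(exc))

if __name__ == "__main__":
    print(preflight("https://deu.ast.checkmarx.net"))
```

Matching the host exactly against the table matters because the API key is presented to whichever endpoint is entered in the Checkmarx Region field.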
Set a Scope & Schedule
This step defines what data is ingested and when the connector runs.
- Data to Sync — This connector supports Assets only. SCA vulnerability findings are always ingested as part of the asset sync. The default asset class is Generic Application.
- Advanced Settings (optional) — Click Advanced Settings to restrict which asset types are ingested or to view the active transform map. See Advanced Settings below.
- Schedule — Select an execution frequency from the Occurs dropdown (for example, Daily). The system displays the calculated start date, end date, and timezone.
Note: The timezone is determined by your Qualys account settings. The connector runs from the configured start date for a default period of 5 years.
- Click Next.
- Review your changes and confirm. Save the connection.
Advanced Settings
Enabling the Advanced toggle on the Scope & Schedule page or clicking the Advanced Settings link opens a panel with two tabs: Filters and Transform Map.
Filters Tab
The Filters tab provides chip-based selectors for asset types and findings. The following options are available:
- Asset Types: Code Repository, Generic Application. Both are selected by default. Remove chips to restrict ingestion to a specific asset class.
- Findings: Vulnerability. Selected by default when asset sync is active.
Note: Click Save after making changes in the Advanced Settings panel. Closing without saving discards any modifications.
Transform Map Tab
The Transform Map tab displays the active transformation map applied during connector execution. The default active map is the Checkmarx SCA Transformation Map, predefined by Qualys and applied automatically. See Transformation Maps for the full field-level mapping details.
How the Connection Works
On each scheduled or on-demand run, the CheckmarxOne SCA connector retrieves the following from Checkmarx One and imports it into ETM:
- Assets (Code Repositories & Applications) — Code repository assets and Generic Application assets representing scanned projects in Checkmarx One. Assets appear in ETM, CSAM, and WAS after ingestion (not activated by default in WAS).
- Vulnerabilities — The latest completed SCA scan results for each project, including CVE IDs, CWE IDs, repository URLs, vulnerability severity and status, asset names and identifiers, creation timestamps, query names, and descriptions.
Note: The connector retrieves the latest completed SCA scan results for each project. Delta synchronization is not supported; each run performs a full pull of all current findings.
Connector States
- Registered — Connection created; data fetch has not yet begun.
- Scheduled — Queued for the next scheduled execution.
- Processing — Assets and findings are actively being fetched from Checkmarx One.
- Processed — Assets have been imported; findings may continue processing in the background.
Note: The Processed state indicates the connector has successfully fetched assets but may still be importing all findings. This entire process may take up to 2 hours. Once complete, imported data is available in ETM.
Viewing Assets and Findings in ETM
- Assets: Navigate to Enterprise TruRisk Management > Inventory > Assets > Applications > Other Applications to view imported Checkmarx SCA applications.
- Findings (Vulnerabilities): Navigate to Enterprise TruRisk Management > Risk Management > Findings > Vulnerability.
Use the filter: finding.vendorProductName:"Checkmarx"
Activating Web Applications in WAS
Assets (Code Repositories) synced from the CheckmarxOne SCA Connector appear in ETM, CSAM, and WAS, but are not activated for scanning in WAS by default.
To activate a web application in WAS:
- Navigate to CSAM > Web Applications.
- Select the desired web application.
- Choose Quick Actions > Activate WAS.
Note: Activating web applications consumes WAS licenses. Activate only the applications that require scanning. This connector fetches the latest scans for activated web applications.
Troubleshooting
| Issue | Resolution |
|---|---|
| Authentication failure on connector run | Verify the Checkmarx Region, Tenant Name, and API Key entered in Qualys ETM are correct. Confirm the API key has not expired. Ensure the region value matches your Checkmarx One deployment. |
| Connection test fails (Network Reachability — Unknown Host) | Verify the Checkmarx Region value matches your deployment (for example, deu for the DEU region). Confirm Qualys cloud can reach the Checkmarx One API endpoint over HTTPS (port 443). |
| No findings imported after first run | The connector transitions through Registered, Scheduled, Processing, and Processed states. The entire process may take up to 2 hours. Verify that Checkmarx One has completed SCA scans with results available. Delta synchronization is not supported; each run performs a full pull. |
| Connector not available in the integrations list | Contact your Technical Account Manager (TAM) or Qualys Support to activate the connector for your subscription. |
| Test Connection fails at Authorization Scope Check | Ensure the API key has the read:vulnerabilities permission on the VulnerabilityFindings entity type in Checkmarx One. Regenerate the key with the correct permissions if needed. |
Additional Information
API Reference
The CheckmarxOne SCA connector calls the following Checkmarx One REST API endpoints during each execution:
| Name | Endpoint | Notes |
|---|---|---|
| Authorization | https://<domain>.checkmarx.net/auth/realms/<tenantId>/protocol/openid-connect/token | Grant Type: client_credentials |
| Fetch Projects | https://<domain>.checkmarx.net/api/projects/?limit=10&offset=0 | Example domain: deu.ast |
| Fetch Last Scan | https://<domain>.checkmarx.net/api/projects/last-scan?scan-status=Completed&project-ids=<projectId>&engine=sca | Retrieves the latest completed SCA scan per project |
| Fetch Scan Details | https://<domain>.checkmarx.net/api/results/?scan-id=<scanId>&limit=5000&offset=0 | Retrieves all SCA findings for a given scan ID |
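The request sequence in the table above, as an added example that is not the connector's own code: offset pagination over projects and scan results with the page sizes the table shows, repeated in full on every run because delta sync is not supported. The `get_json` callable (an authenticated GET that returns parsed JSON), the response keys `projects` and `results`, and the last-scan object keyed by project ID are assumptions; `demo_transport` returns constructed data.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

def paged(get_json, base, path, key, limit, params=None):
    """Yield every item under `key`, advancing offset until a short page comes back."""
    offset = 0
    while True:
        query = urlencode({**(params or {}), "limit": limit, "offset": offset})
        items = get_json(f"{base}{path}?{query}").get(key) or []
        yield from items
        if len(items) < limit:
            return
        offset += limit

def full_pull(get_json, base):
    """Map each project ID to the findings of its latest completed SCA scan."""
    findings = {}
    for project in paged(get_json, base, "/api/projects/", "projects", 10):
        pid = project["id"]
        query = urlencode({"scan-status": "Completed", "project-ids": pid, "engine": "sca"})
        scan = get_json(f"{base}/api/projects/last-scan?{query}").get(pid)
        if scan is None:  # no completed SCA scan yet: nothing to import
            findings[pid] = []
            continue
        findings[pid] = list(paged(get_json, base, "/api/results/", "results",
                                   5000, {"scan-id": scan["id"]}))
    return findings

def demo_transport(url):
    """Constructed stand-in for an authenticated GET: 12 projects, p3 never scanned."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/api/projects/":
        start = int(q["offset"])
        ids = [f"p{i}" for i in range(12)][start:start + int(q["limit"])]
        return {"projects": [{"id": i} for i in ids]}
    if parts.path == "/api/projects/last-scan":
        pid = q["project-ids"]
        return {} if pid == "p3" else {pid: {"id": f"scan-{pid}"}}
    return {"results": [{"id": f"{q['scan-id']}-f1", "type": "sca"}]}

if __name__ == "__main__":
    pulled = full_pull(demo_transport, "https://deu.ast.checkmarx.net")
    print({pid: len(items) for pid, items in pulled.items()})
```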
Transformation Maps
The Checkmarx SCA Transformation Map is the default map applied during connector execution. It maps Checkmarx One SCA source fields to Qualys ETM target fields for both asset and vulnerability data.
Checkmarx SCA — Transformation Map
| Source Field | Target Field |
|---|---|
| findings[].vulnerabilityDetails.cveName | cveId |
| repoUrl | repoUrl |
| createdAt | sourceCreatedAt |
| name | assetDetail.name |
| id | externalAssetId |
| id | vendorAssetId |
| findings[].type | findings[].subCategory |
| findings[].id | findings[].externalFindingId |
| findings[].status | findings[].findingStatus |
| findings[].severity | findings[].severity |
| findings[].firstFoundAt | findings[].firstFoundOn |
| findings[].foundAt | findings[].lastFoundOn |
| findings[].description | findings[].description |
| findings[].data.queryName | findings[].name |
| findings[].vulnerabilityDetails.cweId | cweId |