checkmarx.com (141.193.213.21), public scan

Submitted URL: https://info.checkmarx.com/e3t/Btc/2D+113/bY6S04/VX3KVz69rLmtW8MXd7p7pFx8BVJvnzy4BNTkqN6wcHrw3hpQwV1-WJV7CgFd9W8GNLl85cz2Wy...
Effective URL: https://checkmarx.com/blog/integrating-checkmarx-security-results-within-gitlab/?utm_search_query=Monthly-Newsletter&u...
Submission: On December 10 via api from SE — Scanned from DE
INTEGRATING CHECKMARX SECURITY RESULTS WITHIN GITLAB


 * James Brotsos
 * August 24, 2020
 * Reading Time: 4 minutes


The automation and integration of Application Security Testing (AST) is
essential for building out a true DevSecOps program. Automation is the easy
part: invoke a security scanner's REST API or command line interface inside a
pipeline and you get automated scans. The key, and trickier, part is
integration. By that I mean giving users the ability to consume the security
scanner's results within their CI/CD tooling and make a security assessment
without ever leaving the CI/CD ecosystem. Announced today, we're thrilled to
share that CxSAST, CxSCA, and CxCodebashing all now integrate seamlessly within
GitLab's ecosystem via CxFlow, Checkmarx's scan and result orchestration
application. Below is a high-level overview of integrating Checkmarx security
into GitLab's user interface.


STAYIN’ PUT

GitLab's users, whether they are software developers, DevOps, or AppSec
engineers, want to consume as much of the application security scanner's results
as possible within GitLab. GitLab is already a complete DevOps platform, from
managing to planning to creating to releasing, so it is only common sense that
GitLab users would want security directly within GitLab. GitLab users can
consume Checkmarx vulnerability results at three different integration points:
 * Merge Request Overviews
 * GitLab Issues
 * Security Dashboard (for GitLab Gold/Ultimate tier or public projects)

Every organization, and even individual teams within an organization, will want
to run security scanners at different points of the SDLC, but Checkmarx's
recommended practice is to scan at the Merge Request stage. With security
scanning completed at the Merge Request stage, an assessment can be performed on
the scan results and the merge can be blocked, or GitLab Issues can be created.
But what kind of result data should be consumed? Checkmarx provides:
 * A high-level summary of CxSAST & CxSCA findings
 * The data flow from source to sink within the source code
 * A short summary of the specific vulnerability that was identified
 * Links to just-in-time training (CxCodebashing) and online resources for
   remediation
 * Links into the Checkmarx platform for even more comprehensive results


CXFLOW – UNDER THE HOOD

Checkmarx maintains a Spring Boot application called CxFlow, which acts as a
scan and results orchestration tool to automate security scans and integrate the
results into CI/CD tools such as GitLab. Some key features and capabilities
include:
 * Scan Initiation – CLI or Webhook Events
   * CxFlow can run in two modes: invoked from a command line interface, or as
     a server that listens for webhook events. Once an event is triggered or
     received, a Checkmarx scan is initiated automatically.
   * Merge requests, or even commits to the source, trigger an existing
     pipeline within GitLab's CI/CD and initiate a scan via CxFlow; the existing
     pipeline only needs a stage added that invokes CxFlow.
   * Scan initiation creates a new Checkmarx project if one does not exist, or
     updates the existing one.
 * Results Management
   * Scan results are file based (CSV, JSON, or XML), making them easy to
     import into defect tracking systems or dashboards.
   * CxFlow also drives a results feedback loop that eliminates manual
     intervention (opening and even closing defects).
   * Results can always be filtered by any filtering criteria.
   * The results are easy to consume, presented the way developers want to
     consume them, and most importantly, actionable.
 * Defect Tracking
   * Consolidates issues of the same vulnerability type in the same file, so
     instead of multiple issues there is just one.
   * Once all references to that issue's vulnerability type are fixed, the
     ticket closes automatically.
   * Tracking can be based on policy: severity, CWE, vulnerability type, or
     state (urgent / confirmed).
   * Defect tracking is supported for both CxSAST and CxSCA results.
 * Feedback Channels
   * Not only the GitLab Security Dashboard and GitLab Issues, but also Jira,
     Email, ServiceNow, and Rally.
 * Ease of Consuming the AST Service
   * An effortless option for development teams to quickly scan projects.
   * No overhead when configuring and managing builds.
 * Mass Effortless Scan Configuration
   * Quickly automate the scanning of multiple repositories.
   * Again, no overhead when configuring and managing builds of many repos.
 * Automation with Developers' Common Toolsets
   * In this case, GitLab.
   * Get the details of issues to those who must address them: the developers.
   * Drive security testing based on GitLab activity.
   * Publish issues to existing backlogs.
   * Keep developers within GitLab.
 * Eliminate Unnecessary Manual Tasks with Checkmarx Automation Capabilities
   * Free up time to focus on things that matter.
   * Shift as far left as possible.
   * Constantly scan the latest code.
   * Replaces the need to scan in the IDE.


GITLAB / CHECKMARX WORKFLOW

Below is a diagram of the Checkmarx workflow with GitLab's CI/CD. Now let's
describe this flow in more detail:

 1. Setting Variables

Variables are needed to perform Checkmarx authentication and to define the
Checkmarx scan settings read by CxFlow. They can be set per project or per
group. GitLab has an awesome feature where a Variable can hold a file; we
leverage this and store CxFlow's YAML configuration file as a Variable.

 2. Defining a Stage

Per GitLab best practice, application security testing should be done during the
"test" stage of the pipeline. During the test stage, GitLab pulls the Checkmarx
Docker container in which the CxFlow CLI is stored. The CxFlow CLI is then
invoked to initiate the scan based on the settings defined in the config file
Variable.

 3. CxFlow CLI Initiates the Scan

CxFlow receives the request with the Checkmarx project settings and the GitLab
repository details. CxFlow authenticates to the Checkmarx server, initiates a
scan, and waits for the scan to finish.

 4. Checkmarx Performs SAST & SCA Scans

 5. CxFlow Parses Results and Updates GitLab

CxFlow waits until the scan is done, parses the results, and updates the
Security Dashboard, GitLab Issues, the Merge Request Discussion, or all three.
If an issue has been fixed, it closes it automatically. For full integration
steps, please visit us at https://checkmarx.com/gitlab.
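The five steps above map onto one GitLab CI job. The following `.gitlab-ci.yml` fragment is an added example written for this page; it is not taken from the Checkmarx post or from the CxFlow project. The GitLab keys (`stages`, `stage`, `image`, `rules`, `variables`, `script`) and the `CI_*` predefined variables are standard GitLab CI syntax. The image name `checkmarx/cx-flow`, the jar path `/app/cx-flow.jar`, the CxFlow CLI flags, and the `CHECKMARX_PASSWORD` / `GITLAB_TOKEN` property mapping are assumptions recalled from CxFlow's CLI documentation and must be verified against the current CxFlow docs before use.

```yaml
# Added example, not from the Checkmarx post or the CxFlow project.
# Assumed: the CxFlow container image, jar path and CLI flags below; verify them
# against the current CxFlow documentation.
stages:
  - build
  - test

checkmarx-scan:
  # Step 2: run AST in the "test" stage using the container that ships the CxFlow CLI.
  stage: test
  # Pin to an explicit tag or digest in production; a floating tag lets the
  # scanner image change underneath the pipeline without review.
  image: checkmarx/cx-flow:latest
  rules:
    # Scan on merge requests (the recommended integration point) ...
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # ... and on the default branch so the Security Dashboard reflects main.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  variables:
    # Full history so CxFlow can resolve the merge-request branch diff.
    GIT_DEPTH: 0
  # Step 1: CX_FLOW_CONFIG is a GitLab CI/CD variable of type "File" defined in
  # the project or group settings: GitLab writes its contents to a temporary
  # file and sets $CX_FLOW_CONFIG to that file's path. Secrets are NOT placed in
  # that file. CHECKMARX_PASSWORD and GITLAB_TOKEN are separate variables marked
  # Masked (and Protected, if only protected branches may trigger scans); as a
  # Spring Boot app CxFlow binds them to its checkmarx.password and gitlab.token
  # properties through relaxed environment binding (assumed property names).
  script:
    # Step 3: CxFlow CLI authenticates to the Checkmarx server, starts the scan,
    # waits for it (step 4) and then parses results back into GitLab (step 5).
    - |
      java -jar /app/cx-flow.jar \
        --spring.config.location="${CX_FLOW_CONFIG}" \
        --scan \
        --f=. \
        --app="${CI_PROJECT_NAME}" \
        --cx-project="${CI_PROJECT_NAME}-${CI_COMMIT_REF_NAME}" \
        --branch="${CI_COMMIT_REF_NAME}" \
        --repo-name="${CI_PROJECT_NAME}" \
        --namespace="${CI_PROJECT_NAMESPACE}" \
        --merge-id="${CI_MERGE_REQUEST_IID}" \
        --gitlab
```

Two points worth checking when adopting this shape: the job must never `cat` or `echo` the config file or the token (masked variables are hidden in job logs only when printed verbatim, and the file variable's contents are not masked at all), and the `--cx-project` naming convention decides whether results from feature branches and the default branch land in the same Checkmarx project, which is what makes step 5's automatic issue closing work across merges.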



JAMES BROTSOS

James serves as a Senior Solutions Engineer at Checkmarx, bringing 15 years of
network protocol and kernel development experience to his role. He has a
particular passion for architecting automated solutions that are effective in
driving security measures for DevOps organizations, helping them meet their
DevSecOps goals. In his spare time, James volunteers mentoring computer science
high school students in San Francisco, running the Checkmarx User Group, and
participating in IoT hackathons.