Checkmarx

Last updated 2 months ago

Overview

Checkmarx is an automated application security platform that scans source code for security vulnerabilities and compliance issues. Integrating Cortex with Checkmarx surfaces the vulnerabilities detected in each entity's Checkmarx projects on the entity itself, where they can be used in Scorecards and CQL.

This integration is supported for Checkmarx Static Application Security Testing (SAST); Checkmarx One is not supported.

How to configure Checkmarx with Cortex

Prerequisites

Before getting started, create a dedicated Checkmarx user with access to the sast_rest_api scope. Cortex authenticates with this user's username and password, so grant it only that scope rather than reusing an administrator account.

If you're using a self-hosted instance of Checkmarx, verify that Cortex is able to reach the Checkmarx instance. Cortex routes its requests through a static IP address; reach out to support at help@cortex.io to receive details about the static IP. If you're unable to allowlist the static IP directly, you can route requests through a secondary proxy in your network that has the IP allowlisted and have that proxy forward traffic to your Checkmarx instance. Keep that proxy's allowlist limited to the Cortex static IP and its forwarding limited to the Checkmarx host, so it does not become a general entry point into your network.

Configure the integration in Cortex

  1. In Cortex, navigate to the Checkmarx settings page:

    1. In Cortex, click your avatar in the lower left corner, then click Settings.

    2. Under "Integrations", click Checkmarx.

  2. Click Add configuration.

  3. Configure the Checkmarx integration form:

    • Username and Password: Enter the username and password for the dedicated user with access to sast_rest_api.

    • Host: Enter the full URL of your Checkmarx instance, including the scheme (for example https://checkmarx.example.com, a placeholder).

  4. Click Save.

How to connect Cortex entities to Checkmarx

Discovery

By default, Cortex uses the name of the entity's associated Git repository (e.g. repo-name) or the entity's service tag as its best guess for the Checkmarx project name.

If your repository and entity names don't cleanly match the Checkmarx CxSAST project names, or if a single service maps to multiple Checkmarx projects, add Checkmarx project IDs (recommended) or project names to the Cortex entity descriptor.

Editing the entity descriptor

We recommend using the project ID because it is a unique identifier across projects; a project name must additionally be matched against the projects that exist in Checkmarx.

Example using project IDs:

x-cortex-checkmarx:
  projects:
    - projectId: 1234
    - projectId: 2345

Example using both project IDs and names:

x-cortex-checkmarx:
  projects:
    - projectName: My Cool Project
    - projectId: 1234
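The descriptor fragments above are easy to get subtly wrong across a large catalog (a name where an ID was intended, a duplicated project, an ID that is not numeric). The following Python linter is an added example and not part of Cortex or its tooling. It understands only the small YAML subset shown on this page, so it needs no third-party library, and it searches for the x-cortex-checkmarx key at any indentation so the fragment can be the whole file or nested inside a full descriptor. The two sample descriptors inside it are constructed; a real run would read your entity YAML files with a full YAML loader and keep only the validation step.

```python
"""Lint the x-cortex-checkmarx block of a Cortex entity descriptor.

Added example, not Cortex's own code. The parser below handles only the YAML
subset shown on this page (an x-cortex-checkmarx key holding a projects list
of projectId / projectName items); replace it with a real YAML loader in
production and keep lint_projects() as the validation step.
"""
from __future__ import annotations

import re

# Constructed sample descriptors; neither refers to a real service.
GOOD = """\
x-cortex-checkmarx:
  projects:
    - projectId: 1234
    - projectId: 2345
"""

NEEDS_WORK = """\
info:
  x-cortex-tag: my-cool-service
  x-cortex-checkmarx:
    projects:
      - projectName: My Cool Project
      - projectId: 1234
      - projectId: 1234
      - projectId: abc
      - projectName: ""
x-cortex-other: ignored
"""

_ITEM = re.compile(r"^\s*-\s*(projectId|projectName):\s*(.*?)\s*$")


def parse_checkmarx_projects(text: str) -> list[tuple[str, str]] | None:
    """Return (key, value) pairs from the projects list, or None if the block is absent.

    The block ends at the first non-blank line indented no deeper than the
    x-cortex-checkmarx key itself, so it works nested under info: or top-level.
    """
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == "x-cortex-checkmarx:"), None)
    if start is None:
        return None
    base = len(lines[start]) - len(lines[start].lstrip())
    items: list[tuple[str, str]] = []
    in_projects = False
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        if len(line) - len(line.lstrip()) <= base:
            break  # left the block
        if line.strip() == "projects:":
            in_projects = True
            continue
        m = _ITEM.match(line)
        if in_projects and m:
            items.append((m.group(1), m.group(2).strip("\"'")))
    return items


def lint_projects(text: str) -> list[str]:
    """Return findings prefixed with error:/warn:; an empty list means the block is clean."""
    projects = parse_checkmarx_projects(text)
    if projects is None:
        return ["warn: no x-cortex-checkmarx block; Cortex will guess the project from the repo or tag"]
    findings: list[str] = []
    if not projects:
        findings.append("error: projects list is empty")
    seen: set[tuple[str, str]] = set()
    for n, (key, value) in enumerate(projects, 1):
        if key == "projectId" and not value.isdigit():
            findings.append(f"error: project {n}: projectId {value!r} is not a numeric ID")
        elif key == "projectName" and not value:
            findings.append(f"error: project {n}: projectName is empty")
        elif key == "projectName":
            findings.append(f"warn: project {n}: projectName {value!r} used; prefer projectId, which is unique")
        if (key, value) in seen:
            findings.append(f"error: project {n}: duplicate {key} {value!r}")
        seen.add((key, value))
    return findings


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("NEEDS_WORK", NEEDS_WORK)):
        print(label, lint_projects(text) or ["clean"])
```

Run it over every descriptor in a repository in CI and fail the build on any error: finding; the warn: on projectName is advisory, since names are accepted but only IDs are guaranteed unique.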

Expected results

Entity pages

Once the integration is established, vulnerabilities pulled from Checkmarx are available for each entity in the Code & security block of the Overview tab.

While viewing an entity, click Code & security > Checkmarx. This page shows the number of vulnerabilities per severity and a link directly to the project in your Checkmarx instance.

Scorecards and CQL

With the Checkmarx integration, you can create Scorecard rules and write CQL queries based on Checkmarx details.

Check if Checkmarx project is set

Check whether the entity has a Checkmarx project registered in its entity descriptor. If the descriptor specifies a project name, Cortex also verifies that a project with that name exists in Checkmarx.

Definition: checkmarx (==/!=) null: Boolean

Example

In a Scorecard, you can write a rule to check whether an entity has a Checkmarx project set:

checkmarx != null
Checkmarx scan risk

Get the maximum scan risk across the latest scans of the entity's Checkmarx projects. Because this is a maximum, a single high-risk project fails the rule even if the entity's other projects are clean.

Definition: checkmarx.sastScanRisk(): Number

Example

In a Scorecard, you can write a rule to verify that none of an entity's Checkmarx projects has a latest scan risk of 35 or higher:

checkmarx.sastScanRisk() < 35
Number of Checkmarx vulnerabilities

Get the count of vulnerabilities found in the last scan of the entity's Checkmarx project, optionally filtered by severity.

Definition: checkmarx.numOfVulnerabilities(): Number

Example

In a Scorecard, you can write a rule to verify that an entity has no vulnerabilities with a severity of High:

checkmarx.numOfVulnerabilities(severity=["High"]) < 1

Verify that an entity has fewer than 5 vulnerabilities in total:

checkmarx.numOfVulnerabilities() < 5
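Before rolling these thresholds out across a catalog, it helps to see how the rules evaluate against concrete scan results. The following Python is an added example, not Cortex's CQL engine or the Checkmarx API: it re-implements the three CQL functions over constructed scan records (the Scan fields and the LATEST_SCANS table are this example's own, not the Checkmarx REST schema) and applies the four rules from this page to three constructed entities. It makes two details visible: sastScanRisk() is a maximum across projects, so one risky project fails the entity, and, for the multi-project case this page does not spell out, the example assumes numOfVulnerabilities() sums across projects. How Cortex evaluates these rules for an entity with no Checkmarx data is also not stated on this page; the example simply reports them as failing.

```python
"""Evaluate the Checkmarx Scorecard rules from this page over local scan data.

Added example, not Cortex's CQL engine. The scan records are constructed and
the field names (project_id, scan_risk, findings) are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Scan:
    project_id: int
    scan_risk: int                                           # risk value Checkmarx reports for the scan
    findings: dict[str, int] = field(default_factory=dict)   # severity -> number of vulnerabilities


# Constructed data: the latest scan of each Checkmarx project, keyed by project ID.
LATEST_SCANS = {
    1234: Scan(1234, scan_risk=42, findings={"High": 1, "Medium": 3, "Low": 7}),
    2345: Scan(2345, scan_risk=12, findings={"Medium": 1, "Low": 2}),
    9999: Scan(9999, scan_risk=5),
}

# Constructed entity descriptors (only the fields this example needs).
ENTITIES = {
    "payments": {"x-cortex-checkmarx": {"projects": [{"projectId": 1234}, {"projectId": 2345}]}},
    "docs-site": {"x-cortex-checkmarx": {"projects": [{"projectId": 9999}]}},
    "legacy-cron": {},                                       # no Checkmarx block at all
}


def checkmarx(entity: dict) -> list[Scan] | None:
    """Counterpart of `checkmarx` in CQL: latest scans of the entity's registered projects.

    Returns None when the descriptor has no block or none of its projects exist
    in Checkmarx, mirroring the page's note that a registered project is checked
    for existence.
    """
    block = entity.get("x-cortex-checkmarx")
    if not block or not block.get("projects"):
        return None
    scans = [LATEST_SCANS[p["projectId"]] for p in block["projects"]
             if p.get("projectId") in LATEST_SCANS]
    return scans or None


def sast_scan_risk(scans: list[Scan]) -> int:
    """Counterpart of checkmarx.sastScanRisk(): the maximum risk across the latest scans."""
    return max(s.scan_risk for s in scans)


def num_of_vulnerabilities(scans: list[Scan], severity: list[str] | None = None) -> int:
    """Counterpart of checkmarx.numOfVulnerabilities(severity=[...]).

    Assumption of this example: counts are summed across the entity's projects.
    """
    wanted = set(severity) if severity else None
    return sum(n for s in scans for sev, n in s.findings.items()
               if wanted is None or sev in wanted)


def evaluate_rules(entity: dict) -> dict[str, bool]:
    """Apply the four rules from this page; rules needing data fail when there is none."""
    scans = checkmarx(entity)
    if scans is None:
        return {"checkmarx != null": False,
                "checkmarx.sastScanRisk() < 35": False,
                'checkmarx.numOfVulnerabilities(severity=["High"]) < 1': False,
                "checkmarx.numOfVulnerabilities() < 5": False}
    return {"checkmarx != null": True,
            "checkmarx.sastScanRisk() < 35": sast_scan_risk(scans) < 35,
            'checkmarx.numOfVulnerabilities(severity=["High"]) < 1':
                num_of_vulnerabilities(scans, ["High"]) < 1,
            "checkmarx.numOfVulnerabilities() < 5": num_of_vulnerabilities(scans) < 5}


if __name__ == "__main__":
    for name, entity in ENTITIES.items():
        print(name, evaluate_rules(entity))
```

In the constructed data, "payments" fails every data-dependent rule because project 1234 alone carries a risk of 42 and one High finding, even though project 2345 would pass on its own; that is the behaviour to expect from a maximum-based rule when a service spans several Checkmarx projects.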

FAQs and troubleshooting

Does Cortex support integrating with Checkmarx One?

No, Cortex does not currently support Checkmarx One. Only Checkmarx SAST is supported for this integration.

See more examples in the CQL Explorer in Cortex.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

  • Chat: Available in the Resource Center

  • Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

  • Email: help@cortex.io, or open a support ticket in the in-app Resource Center

Don't have a Slack channel? Talk with your Customer Success Manager.