Checkmarx is an industry-leading application security analysis tool. Security is of ever growing importance as IT becomes more integral to business (see how FlexDeploy was affected by the recent log4j vulnerability) and Checkmarx can help find security issues before they become a major problem. In this blog we’ll cover how you can seamlessly and easily integrate Checkmarx into your existing delivery pipelines with FlexDeploy.

Checkmarx Plugin Overview

FlexDeploy’s Checkmarx plugin has the following operations:

FlexDeploy has support for both Static Application Security Testing (SAST) and Open Source Analysis (OSA) scans. SAST scans take in source code and analyze it for any known security issues. OSA scans will take in a build package and analyze if there are any vulnerable libraries included.

There are corresponding run and read operations for each of these types of scans. The run operations will initiate a scan, and then wait or not based on an input. The run OSA scan operation uses anything in the artifact directory and uploads it to scan. This is usually just your build. The read operations will take in a scan id and read that scan.

Now that we understand the Checkmarx Plugin’s different operations, let’s dig into an example of how to integrate this into your existing pipeline.

Setup Checkmarx Account

Before we begin setting up, this example has some assumptions. First, we’ll assume you already have an existing project configured with Git. Second, you have a release and pipeline configured to automatically deploy to Dev, and then to QA with an approval. This should be in line with many use cases, however you may need to modify the example for your use case.

With that out of the way, the first step is to add a Checkmarx account to FlexDeploy. To do this, head to Topology, then Integrations, then Analysis Tool.

Next click the plus button to create an account and select Checkmarx as the provider. Enter an instance code and name. Then fill in the rest of the details of the account similar to the following.

Checkmarx account details

Add Checkmarx Operations to Existing Workflow

In this example we’ll configure Checkmarx to run a SAST and OSA scan using the runCxSASTScan, readCxSASTScan, and runCxOSAScan operations. To configure this in our build Workflow we’ll:

  • Identify the correct build workflow.
  • Configure the Run CxSASTScan Operation – This will initiate the SAST scan.
  • Configure the Read CxSASTScan Operation – This will read the results of the SAST scan.
  • Configure the Run CxOSAScan Operation – This will initiate and read the results of the OSA scan.

Below is the simple build workflow we are starting with.

Original build workflow

RunCxSASTScan operation

Variables

Begin by setting the workflow variables like the following.

Workflow variables for Checkmarx RunCxSASTScan operation

SCAN_ID will be used to pass the scan id from the run operation to the read operation. More on this later.

The vulnerability counts will be used to determine the status of a gate in our pipeline, which is why they need to be Outputs.

Inputs

Next let’s add the runCxSASTScan operation. Here is our configuration for the inputs.

workflow inputs for the runCxSASTScan operation

Here’s a description of what and why we want these options for each input:

  • Checkmarx Account Code – The account you created earlier.
  • Checkmarx Project Name – The name of the project in Checkmarx used to run the scan. We are using the default, and passing in whatever the name of our project in FlexDeploy is. If no project exists with this name, one will be created. In this case this is what we want to happen since we have not yet configured anything in Checkmarx for the project.
  • Wait for Scan to Complete – We do not want to wait for this scan to complete. That way while the scan is running we can run our build. So this operation will initiate a scan, then our build will run and then we will wait for the scan to finish and read the results.
  • Report Type – This only matters if you are waiting for the scan to complete.
  • Incremental Scan – We’ll want to do a full scan every time.
  • Source Location – We’re going to choose git since this project has already been configured with Git. It will automatically update the git details of the project in Checkmarx so we do not have to configure anything.
  • Exclude Files – We don’t want to exclude any files.
  • Exclude Folders – Same thing for Folders.
  • Is Public – We’ll keep this scan as private.
  • Force Scan – We’ll force this scan to run every time.
  • Team Name – This can stay blank since we set the default team to the team we want.

Outputs

For the outputs put the scan id into the SCAN_ID variable we created, so we can use it to read the scan later.

SCAN_ID as the Plugin Output

ReadCxSASTScan operation

Inputs

Place the read operation after the build. Here is what the inputs will look like.

read inputs

  • Checkmarx Account Code – Same account code as before
  • Checkmarx Project Name – Same project name as before
  • Report Type – We’ll generate a PDF report, which can be viewed on the reports tab of an execution.
  • Scan Id – Input the scan id we stored into a variable. Make sure you change from a literal to an expression to use that variable.

Outputs

For the output we want to output the different vulnerability counts to the previously created variables like this.

read sast scan outputs

RunCxOSAScan operation

Inputs

Place the run OSA operation after the read SAST operation. Here are the inputs.

Inputs for the read SAST operation

  • Checkmarx Account Code – Same account code as before.
  • Checkmarx Project Name – Same project name as before.
  • Wait for Scan to Complete – Our build is already complete so we have nothing else to wait for. Let’s just wait for the scan to complete here.
  • Scan Directory – Use the artifacts directory where our build was created.

Outputs

Put our vulnerability counts into the outputs.

OS Scan Outputs

Result

Here’s what our workflow looks like now that it’s complete.

completed workflow

Next we can run a build on our project and make sure everything is working correctly. We can view our vulnerability counts on the outputs tab.

outputs tab

And on the reports tab we can see our generated report is available to download.

reports tab

Add Custom Gate To Pipeline

In this section we are going to:

  • Identify the correct pipeline.
  • Add a custom gate to the necessary stage to control if the SAST scan was acceptable.
  • Add a custom gate to the necessary stage to control if the OSA scan was acceptable.

Here is a basic pipeline example we are starting with. This pipeline is deploying to Dev, then waiting for a manual approval and deploying to QA.

pipeline including Dev and QA environments

Let’s add two custom gates for the Dev environment, so it only gets deployed if no vulnerabilities were found in either scan. Here’s what that script will look like for the SAST scan gate.

highSastCount = stgexec.getProjectWorkflowOutputValues("HIGH_SAST_VULNERABILITY_COUNT")[0];
mediumSastCount = stgexec.getProjectWorkflowOutputValues("MEDIUM_SAST_VULNERABILITY_COUNT")[0];
lowSastCount = stgexec.getProjectWorkflowOutputValues("LOW_SAST_VULNERABILITY_COUNT")[0];

if(highSastCount > 0 || mediumSastCount > 0 || lowSastCount > 0)
{
  return "FAILED";
}
else {
 return "SUCCESSFUL"; 
}

stgexec.getProjectWorkflowOutputValues returns an array of the values from every output with that name. In our case we only have one for each variable output, so we assume it’s at the 0 index in the array and get that value. Then we check if the values are greater than 0 and fail if they are, otherwise it was successful and we can pass through the gate. This script could easily be modified to allow different counts for each level or whatever else you might need.

Next let’s add a separate gate for OSA vulnerabilities. It will be very similar.

highOsaCount = stgexec.getProjectWorkflowOutputValues("HIGH_OSA_VULNERABILITY_COUNT")[0];
mediumOsaCount = stgexec.getProjectWorkflowOutputValues("MEDIUM_OSA_VULNERABILITY_COUNT")[0];
lowOsaCount = stgexec.getProjectWorkflowOutputValues("LOW_OSA_VULNERABILITY_COUNT")[0]; 

if(highOsaCount > 0 || mediumOsaCount > 0 || lowOsaCount > 0) { 
  return "FAILED"; 
} else { 
  return "SUCCESSFUL"; 
}

Here’s what a successful snapshot looks like.

completed snapshots

As you can see from this example, the Checkmarx plugin has been designed to be very easy to integrate within your existing pipeline. You get the advantages of a highly customizable tool like FlexDeploy paired with the security power of Checkmarx.

Interested in integrating with another analysis tools? FlexDeploy also has plugins available for:

Want to learn more about the Checkmarx plugin? Check out our plugin guide.

Share this:
Hayden Mumm

I have experience with Java and Oracle ADF. I also have experience with an assortment of technologies from working here including, Cucumber, Jython, Groovy, and more. I am an alumni of Fox Valley Technical College with a degree in Software Development. I have been a Software Developer here at Flexagon since December 2019 and I have a passion for programming and learning.

More posts by Hayden Mumm
    

Leave a Reply

Your email address will not be published. Required fields are marked *