
Checkmarx

Checkmarx SAST is a static application security testing platform that scans source code for vulnerabilities including SQL injection, XSS, and insecure cryptography.

Installation

CxSAST (On-Premises)

# Download installer
# NOTE(review): check the download against the vendor-published checksum or
# signature (obtain it from Checkmarx; not shown here) before extracting or
# running anything from it — the installer executes with the privileges of
# whoever runs it.
wget https://download.checkmarx.com/CxServer/v9.3.0/CxSetup.exe
# or for Linux
wget https://download.checkmarx.com/CxServer/v9.3.0/Cx_Linux.tar.gz
tar -xzf Cx_Linux.tar.gz
# '&&' keeps install.sh from being run in the wrong directory if 'cd Cx' fails
cd Cx && ./install.sh

# Start service
sudo systemctl start checkmarx-server

CxOne (SaaS)

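# Get API URL and token from portal
# https://cxone.checkmarx.net/

# CLI installation
# Save the installer to a file instead of piping curl straight into bash, so it
# can be inspected (and its hash compared with the vendor-published value, if
# one is provided) before anything executes. -f makes curl fail on HTTP errors
# rather than handing an error page to the shell.
installer=$(mktemp) || exit 1
curl -fsSL -o "$installer" https://dist.checkmarx.io/install.sh || exit 1
sha256sum "$installer"   # compare with the published checksum; read the script
bash "$installer"
rm -f -- "$installer"
export PATH="$PATH:$HOME/.checkmarx/bin"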

CLI Setup

Login/Authentication

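# CxOne SaaS login
# The API key is taken from the environment rather than typed as a literal:
# a literal ends up in shell history, and argv is readable by other users via
# 'ps' while the command runs. Where the CLI supports it, prefer the config-file
# route shown under "Configuration File".
: "${CHECKMARX_API_KEY:?export CHECKMARX_API_KEY before running cx configure}"
cx configure \
  --name prod \
  --base-auth-url https://cxone.checkmarx.net/auth/realms/public \
  --api-key "$CHECKMARX_API_KEY"

# List configured instances
cx config list

# Switch instances
cx config use prod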

Configuration File

# ~/.checkmarx/config.yaml
# This file references the API key, so restrict it to its owner (chmod 600).
# NOTE(review): ${CHECKMARX_API_KEY} assumes the CLI expands environment
# variables in this file — confirm; if it does not, the literal text is sent
# as the key.
checkmarx:
  instance: prod
  base_url: https://cxone.checkmarx.net
  api_key: ${CHECKMARX_API_KEY}
  timeout: 3600   # presumably seconds — confirm the unit

Project Management

Create/Update Projects

# Create new project
cx project create \
  --name "WebApp" \
  --description "Production web application"

# List projects
cx project list

# Delete project
# Destructive: the project's scan history goes with it (presumably).
# PROJECT_ID is a placeholder for the id shown by 'cx project list'.
cx project delete --project-id PROJECT_ID

Branch Management

# Create project with branch
cx project create \
  --name "WebApp" \
  --branch "main"

# Scan specific branch
# --branch presumably labels the results; the code analyzed is whatever is
# checked out under --source-dir, so keep the two in agreement — confirm.
cx scan create \
  --project-name "WebApp" \
  --branch "develop" \
  --source-dir /path/to/code

Scanning

SAST Scans

# Basic scan
cx scan create \
  --project-name "MyApp" \
  --source-dir /path/to/source \
  --type sast

# Full scan with SCA (software composition analysis)
# Comma-separated types run in one scan; SCA covers third-party dependencies,
# which SAST of your own source does not examine.
cx scan create \
  --project-name "MyApp" \
  --source-dir /path/to/source \
  --type sast,sca

# Scan with specific configuration
# "High Sensitivity" is presumably a server-side preset name — confirm it
# exists in your tenant before a CI job depends on it.
cx scan create \
  --project-name "MyApp" \
  --source-dir . \
  --config-name "High Sensitivity" \
  --incremental true

Scan Progress

# Get scan status
cx scan list --project-name MyApp

# Wait for scan completion
# SCAN_ID is a placeholder for the id returned by 'cx scan create' or listed
# above; --timeout is presumably seconds (3600 = 1 h) — confirm.
cx scan wait --scan-id SCAN_ID --timeout 3600

# Stream scan logs
cx scan logs --scan-id SCAN_ID --follow

Incremental Scans

# Incremental scan (faster, delta-based)
# Only the changed code is re-analyzed, so findings that depend on code outside
# the delta may be missed — do not rely on incremental results alone (confirm
# against vendor guidance).
cx scan create \
  --project-name "MyApp" \
  --source-dir . \
  --incremental true

# Full baseline scan (periodic)
# Re-analyzes everything; schedule it (nightly, per release) so incremental
# scans build on a trustworthy baseline.
cx scan create \
  --project-name "MyApp" \
  --source-dir . \
  --incremental false

Results & Reporting

View Vulnerabilities

# Get scan results
# Assumes the default output is JSON with a top-level "vulnerabilities" array
# — confirm; the "Result Details" example passes --format json explicitly.
cx results show --scan-id SCAN_ID | jq '.vulnerabilities[]'

# Filter by severity
cx results show --scan-id SCAN_ID --severity high,critical

# Export results
# The export describes unfixed weaknesses in the codebase: treat the file as
# sensitive and keep it out of version control and shared artifacts.
cx results export \
  --scan-id SCAN_ID \
  --format json \
  --output results.json

# CSV export for reporting
cx results export \
  --scan-id SCAN_ID \
  --format csv \
  --output report.csv

Result Details

# Get vulnerabilities with CVSS scores
cx results show --scan-id SCAN_ID \
  --format json | jq '.[] | {id, type, cvss, language}'

# Show false positives handling
# Results already triaged as "not_exploitable" are presumably hidden by
# default; this includes them so the triage decisions themselves can be
# reviewed.
cx results show --scan-id SCAN_ID \
  --include-state "not_exploitable"

# Get audit trail
# Presumably records who changed a result's state and when — the evidence a
# compliance review of false-positive marking asks for.
cx results audit --scan-id SCAN_ID

Generating Reports

# Create PDF report
cx report generate \
  --scan-id SCAN_ID \
  --template "Executive Summary" \
  --output report.pdf

# Generate compliance report (PCI-DSS)
# Template names are presumably server-side presets — confirm they exist in
# your tenant. The output lists open findings, so store it with the same care
# as the raw results.
cx report generate \
  --scan-id SCAN_ID \
  --template "PCI-DSS Report" \
  --output pci-report.pdf

Policy Management

Scan Policies

# List scan profiles
cx profile list

# Create custom profile
# key=value pairs presumably set, per language, the minimum severity the
# profile reports — confirm the meaning of the right-hand side.
cx profile create \
  --name "Strict Security" \
  --language-settings cpp=high,java=critical,python=high

# Apply profile to scan
cx scan create \
  --project-name MyApp \
  --profile-name "Strict Security" \
  --source-dir .

Security Policies

# Enforce policy - scan fails if violations found
# Presumably the failure is signalled by a non-zero exit status; in CI make
# sure the step is not wrapped in something that swallows it (|| true, set +e),
# or the gate is silently disabled.
cx scan create \
  --project-name MyApp \
  --enforce-policy true \
  --source-dir .

# Check policy compliance
cx policy check --scan-id SCAN_ID

CI/CD Integration

GitHub Actions

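name: SAST Scan
on: [push, pull_request]

# Least-privilege GITHUB_TOKEN for the workflow: checkout needs only read.
# Widen per job if the scan action is configured to post results back to the
# repository.
permissions:
  contents: read

jobs:
  checkmarx:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA rather than a moving tag
      # (uses: owner/action@<commit-sha>  # vX.Y.Z), so a retagged release
      # cannot silently change what runs with access to these secrets.
      # v2 of the actions/* actions also runs on a deprecated runtime; move to
      # the current major.
      - uses: actions/checkout@v2

      - name: Checkmarx Scan
        # NOTE(review): confirm the action name and its input names against
        # the vendor's published action. Credentials come from repository
        # secrets and must never be written into the workflow file.
        uses: checkmarx/github-action@v2
        with:
          checkmarx_url: ${{ secrets.CHECKMARX_URL }}
          checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
          checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
          project_name: "${{ github.repository }}"
          team_name: "CxServer"

      - name: Upload Results
        uses: actions/upload-artifact@v2
        with:
          name: checkmarx-results
          # NOTE(review): assumes the scan step writes this file — confirm.
          # The artifact lists open findings; restrict who can download it.
          path: checkmarx-results.xml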

GitLab CI

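checkmarx_scan:
  stage: security
  script:
    # A literal block scalar hands the command to the shell exactly as written.
    # As a plain multi-line item YAML folds each line break into a space, so
    # the trailing backslashes become escaped spaces and the CLI receives
    # arguments such as " --project-name" instead of "--project-name".
    - |
      cx scan create \
        --project-name "$CI_PROJECT_NAME" \
        --source-dir . \
        --type sast
  artifacts:
    reports:
      # NOTE(review): nothing above writes results.json, and GitLab's sast
      # report expects its own JSON schema. Add an export step (see "Export
      # results") or drop this entry — confirm the format matches.
      sast: results.json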

Jenkins

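// Jenkinsfile stage (declarative pipeline, Groovy). This is not a shell
// script, so it carries no '#!/bin/bash' shebang; only the sh step is shell.

stage('SAST Scan') {
  steps {
    script {
      // Triple single quotes: no Groovy interpolation, so ${JOB_NAME} and
      // ${WORKSPACE} are expanded by the shell from the job environment.
      // WORKSPACE is quoted so a path containing spaces stays one argument.
      sh '''
        cx scan create \
          --project-name "${JOB_NAME}" \
          --source-dir "${WORKSPACE}" \
          --type sast
      '''
    }
  }
}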

Advanced Features

Custom Queries

# Create custom vulnerability query
# The pattern is presumably a regex over source text; one this broad matches
# any line mentioning both "execute" and "sql", so expect noise and tune it.
cx query create \
  --language "java" \
  --name "Custom SQL Injection" \
  --pattern ".*execute.*sql.*"

# Run scan with custom queries
cx scan create \
  --project-name MyApp \
  --custom-queries true \
  --source-dir .

Source Exclusions

# Exclude test directories
# Anything under an excluded path is not analyzed at all, so limit the list
# to tests, generated and vendored code — never application code.
cx scan create \
  --project-name MyApp \
  --source-dir . \
  --exclude "*/test/*,*/node_modules/*,*/vendor/*"

# Exclude by file extension
# Binary artifacts carry nothing for source analysis; skipping them reduces
# upload size and scan time.
cx scan create \
  --project-name MyApp \
  --source-dir . \
  --exclude-extensions ".jar,.zip,.so"

API Examples

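# Get API token
# Credentials come from the environment and reach curl on stdin (-d @-), so
# they appear neither in shell history nor in any argv that 'ps' can read.
# jq builds the JSON, which also escapes special characters in the password.
: "${CHECKMARX_USERNAME:?set CHECKMARX_USERNAME}"
: "${CHECKMARX_PASSWORD:?set CHECKMARX_PASSWORD}"
export CHECKMARX_USERNAME CHECKMARX_PASSWORD   # jq reads them via env.
CHECKMARX_TOKEN=$(
  jq -n '{username: env.CHECKMARX_USERNAME, password: env.CHECKMARX_PASSWORD}' \
    | curl -fsS -X POST https://cxone.checkmarx.net/api/auth/login \
        -H "Content-Type: application/json" \
        -d @- \
    | jq -r '.token'
)
# -r above yields the bare token; without it the value keeps its quotes and
# the Bearer header below is malformed. jq prints "null" when the field is
# absent (e.g. an error body), so treat that as a failed login too.
[[ -n "$CHECKMARX_TOKEN" && "$CHECKMARX_TOKEN" != "null" ]] \
  || { printf 'login failed\n' >&2; exit 1; }

# Create scan via REST API
# -f turns HTTP errors into a non-zero exit instead of a silently accepted
# error page; -sS hides the progress meter but still reports errors.
# The bearer token is still on curl's argv; on shared hosts pass the header
# from a file (-H @file) instead.
curl -fsS -X POST https://cxone.checkmarx.net/api/scans \
  -H "Authorization: Bearer $CHECKMARX_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "project_id": "PROJECT_ID",
    "scan_type": "sast",
    "source_url": "https://github.com/user/repo.git",
    "branch": "main"
  }'

# Get scan status
curl -fsS https://cxone.checkmarx.net/api/scans/SCAN_ID \
  -H "Authorization: Bearer $CHECKMARX_TOKEN" | jq '.status'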

Language Support

| Language        | Detection                                    |
| --------------- | -------------------------------------------- |
| Java            | SQL Injection, XXE, Insecure Deserialization |
| C#              | Weak Cryptography, LDAP Injection            |
| C/C++           | Buffer Overflow, Memory Leaks                |
| Python          | Command Injection, Path Traversal            |
| JavaScript/Node | XSS, Prototype Pollution                     |
| PHP             | SQL Injection, RCE                           |
| Go              | Hardcoded Credentials, Weak TLS              |
| Kotlin          | Android-specific vulns                       |

Performance Tuning

Large Codebase Scanning

# Parallel scanning (multiple threads)
# Combined with --incremental so only the delta is spread across workers;
# the worker count should match what the scan host can actually give it.
cx scan create \
  --project-name BigApp \
  --source-dir /massive/codebase \
  --incremental true \
  --parallel-scans 4

# Memory configuration
# The assignment prefix sets the variable for this one invocation only.
# -Xmx/-Xms are JVM heap bounds; presumably the CLI passes them to its JVM —
# confirm.
CX_JAVA_MEMORY="-Xmx6g -Xms2g" cx scan create \
  --project-name BigApp \
  --source-dir .

Troubleshooting

Common Issues

# Authentication failed
# 'cx config reset' presumably discards every configured instance, not just
# the broken one — back up ~/.checkmarx/config.yaml first. NEW_API_KEY is a
# placeholder; a key typed on the command line lands in shell history, so
# prefer the environment/config-file route from "Login/Authentication".
cx config reset
cx configure --base-auth-url https://cxone.checkmarx.net/auth/realms/public \
  --api-key "NEW_API_KEY"

# Scan timeout
# --timeout presumably in seconds (7200 = 2 h) — confirm.
cx scan create \
  --project-name MyApp \
  --timeout 7200 \
  --source-dir .

# View detailed logs
# DEBUG output may echo request/response details, including headers that
# carry the API key. Redact before attaching logs to tickets, and unset
# CX_LOG_LEVEL when done.
export CX_LOG_LEVEL=DEBUG
cx scan create --project-name MyApp --source-dir .

Best Practices

  • Run SAST scans on every commit (pre-push hook)
  • Scan dependencies alongside code (enable SCA)
  • Configure strong policies: reject critical/high vulns
  • Use incremental scans for fast feedback on PRs
  • Review false positives and mark as “not exploitable”
  • Generate reports for compliance (PCI-DSS, HIPAA)
  • Integrate with ticketing system for remediation tracking
  • Archive baseline scans for historical comparison
  • Use a profile that matches your tech stack