Checkmarx SAST

Overview

The Checkmarx SAST integration connects the Praetorian Guard Platform (PGP) with your Checkmarx One environment, importing application security findings as risks and mapping your scanned repositories as assets. Checkmarx One consolidates multiple scanning engines — SAST, SCA, Secrets detection, KICS (Infrastructure as Code), and Container scanning — and this integration brings those findings directly into PGP so your application security posture is tracked alongside the rest of your attack surface.

If you already rely on Checkmarx for code scanning, this integration lets you keep using it while PGP becomes the central system of record for all findings, assets, and risk workflow. You get a single prioritized risk list, one triage workflow, and unified reporting — while Checkmarx continues to handle the scanning.

What the Integration Does

The integration is read-only: PGP queries the Checkmarx One API and imports scan results as risks and their associated repositories as assets. It does not modify any projects, scans, or configurations in Checkmarx.

How it works:

  • Authentication — PGP exchanges your Checkmarx API key (a JWT refresh token) for a short-lived access token via the OpenID Connect token endpoint, then uses Bearer token authentication for all API calls.

  • Project enumeration — PGP queries the /api/projects endpoint to discover all projects in your Checkmarx tenant.

  • Scan retrieval — For each project, PGP fetches completed scans from the last 7 days, falling back to the most recent scan if none are found in that window.

  • Result import — PGP retrieves vulnerability results from each scan and maps them to PGP risks with appropriate severity, CVSS scores, and remediation details.

  • Asset creation — Each Checkmarx project's Git repository is imported as a repository asset in PGP, serving as the container for all associated findings.
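The five steps above, as an added example (this is not the PGP integration's own code): a small read-only client that performs the refresh-token exchange, walks /api/projects in pages of 100, and applies the 7-day window with fallback to the latest completed scan. The OIDC client_id ast-app, the JSON key names (projects, scans, status, createdAt), the Completed status value and the project-id query parameter are assumptions made for illustration.

```python
"""Added example (not the PGP integration's own code): authentication,
project enumeration and scan selection as described in 'How it works'.
Assumed: client_id 'ast-app', JSON keys 'projects'/'scans'/'status'/
'createdAt', status value 'Completed', query parameter 'project-id'."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterator


def token_request_parts(issuer: str, refresh_token: str) -> tuple:
    """URL and form body for the refresh-token grant at
    {issuer}/protocol/openid-connect/token. The Checkmarx API key is itself
    the refresh token; it is sent only here, never to the scan APIs."""
    url = issuer.rstrip("/") + "/protocol/openid-connect/token"
    form = {
        "grant_type": "refresh_token",
        "client_id": "ast-app",  # assumption: public client used for API keys
        "refresh_token": refresh_token,
    }
    return url, form


def exchange_refresh_token(issuer: str, refresh_token: str) -> str:
    """POST the grant and return the short-lived access token (network call)."""
    url, form = token_request_parts(issuer, refresh_token)
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


# (offset, limit) -> decoded JSON page; injected so pagination runs offline
PageFetcher = Callable[[int, int], dict]


def iter_projects(fetch_page: PageFetcher, limit: int = 100) -> Iterator[dict]:
    """Walk /api/projects?offset=..&limit=.. one page at a time; a page
    shorter than `limit` is the last one."""
    offset = 0
    while True:
        items = fetch_page(offset, limit).get("projects", [])
        yield from items
        if len(items) < limit:
            return
        offset += limit


def parse_ts(ts: str) -> datetime:
    """ISO-8601 timestamp with a trailing Z (assumed scans API format)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def select_scans(scans: list, now: datetime, window_days: int = 7) -> list:
    """Completed scans from the last `window_days`; if that window is empty,
    fall back to the single most recent completed scan; nothing if none."""
    completed = [s for s in scans if s.get("status") == "Completed"]
    cutoff = now - timedelta(days=window_days)
    recent = [s for s in completed if parse_ts(s["createdAt"]) >= cutoff]
    if recent:
        return recent
    if completed:
        return [max(completed, key=lambda s: parse_ts(s["createdAt"]))]
    return []


def api_get(base_url: str, access_token: str, path: str, **params) -> dict:
    """Authenticated GET against the Checkmarx One API with a Bearer token."""
    query = urllib.parse.urlencode(params)
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}{path}?{query}",
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    base = os.environ["CX_BASE_URL"]    # e.g. https://ast.checkmarx.net
    issuer = os.environ["CX_ISSUER"]    # your tenant's OIDC issuer URL
    token = exchange_refresh_token(issuer, os.environ["CX_API_KEY"])
    # the same lightweight call PGP uses to validate credentials
    api_get(base, token, "/api/projects", offset=0, limit=1)
    now = datetime.now(timezone.utc)
    fetch = lambda o, n: api_get(base, token, "/api/projects", offset=o, limit=n)
    for project in iter_projects(fetch):
        page = api_get(base, token, "/api/scans", **{"project-id": project["id"]})
        for scan in select_scans(page.get("scans", []), now):
            print(project["id"], scan["id"], scan["createdAt"])
```

The page fetcher is passed in as a callable so the pagination and window logic can be exercised against canned pages; only exchange_refresh_token and api_get touch the network, and the token is held in memory for the run rather than written anywhere.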

Supported Scan Types

SAST
  Description: Static Application Security Testing — source code vulnerabilities (e.g., injection, XSS)
  What PGP Captures: File, line, method, data flow paths, CWE classifications, source/sink analysis

SCA
  Description: Software Composition Analysis — vulnerable open-source dependencies
  What PGP Captures: CVE identifiers, CVSS scores, package name, version, recommended upgrade

Secrets
  Description: Secret Detection — hardcoded credentials, API keys, tokens
  What PGP Captures: File, line, rule ID, code snippet, validity status

KICS
  Description: Infrastructure as Code Scanning
  What PGP Captures: Terraform, CloudFormation, Kubernetes manifest misconfigurations; description, severity

Containers
  Description: Container Image Scanning
  What PGP Captures: Container image vulnerabilities, description, severity

Detected Risks

Risks are created from Checkmarx findings with type-specific naming conventions:

Type    | Risk Name Format           | Example
SAST    | {QueryName}-{SimilarityID} | SQL_Injection-12345678
SCA     | {CVE ID}                   | CVE-2024-1234
Secrets | {RuleID}-{SimilarityID}    | generic-api-key-a1b2c3d4e5f6
KICS    | {QueryName}-{SimilarityID} | S3_Bucket_Public-87654321

Severity Mapping

Risk severity is determined from the Checkmarx finding data:

  • CVSS Score (preferred for SCA, if greater than 0) — numeric score mapped to the CVSS-equivalent severity.

  • Severity Level (all other types) — direct mapping: Critical → Critical, High → High, Medium → Medium, Low → Low.

Intelligent Filtering

Not every Checkmarx finding needs to land in PGP. The integration automatically filters out noise so you focus on what is actionable:

  • Included: Findings in To Verify or Confirmed states.

  • Excluded: Findings marked Not Exploitable, Proposed Not Exploitable, or Fixed.

  • Excluded: Informational severity findings.

  • Excluded: SCA results with local-only attack vectors (non-network CVSS). Only NETWORK or ADJACENT_NETWORK attack vectors are imported.

  • Excluded: SSCS Scorecard results (sscs-scorecard type).
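The naming, severity and filtering rules from the Detected Risks, Severity Mapping and Intelligent Filtering sections, worked through in one added example (this is not PGP's own code). The result field names (type, state, severity, similarityId, data.queryName, data.ruleId, vulnerabilityDetails.cveName, cvssScore and cvss.attackVector), the lowercase type strings, and the sample results themselves are assumptions constructed for illustration; container findings are skipped because this page does not give their naming format.

```python
"""Added example (not PGP's own code): how one Checkmarx One result is
named, assigned a severity, and either imported or dropped. Result field
names, type strings and the sample data are assumptions for illustration."""
from typing import Optional, Tuple

INCLUDED_STATES = {"TO_VERIFY", "CONFIRMED"}
EXCLUDED_STATES = {"NOT_EXPLOITABLE", "PROPOSED_NOT_EXPLOITABLE", "FIXED"}
INFORMATIONAL = {"INFO", "INFORMATIONAL"}
NETWORK_VECTORS = {"NETWORK", "ADJACENT_NETWORK"}


def cvss_to_severity(score: float) -> str:
    """CVSS v3.x qualitative rating bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def severity_for(result: dict) -> str:
    """CVSS score is preferred for SCA when it is above 0; every other case
    maps the Checkmarx level directly (HIGH -> High, and so on)."""
    if result["type"] == "sca":
        score = float(result.get("vulnerabilityDetails", {}).get("cvssScore") or 0)
        if score > 0:
            return cvss_to_severity(score)
    return result["severity"].capitalize()


def risk_name(result: dict) -> Optional[str]:
    """Type-specific naming from the 'Detected Risks' table; None for types
    the table does not cover (container naming is not specified on this page)."""
    t, sim = result["type"], result.get("similarityId")
    if t in ("sast", "kics"):
        return f"{result['data']['queryName']}-{sim}"
    if t == "sca":
        return result["vulnerabilityDetails"]["cveName"]
    if t == "secrets":
        return f"{result['data']['ruleId']}-{sim}"
    return None


def classify(result: dict) -> Tuple[Optional[dict], str]:
    """Return (risk, "imported") or (None, reason-it-was-filtered)."""
    if result["type"] == "sscs-scorecard":
        return None, "sscs-scorecard"
    state = result.get("state", "").upper()
    if state in EXCLUDED_STATES or state not in INCLUDED_STATES:
        return None, f"state:{state}"
    severity = severity_for(result)
    if severity.upper() in INFORMATIONAL:
        return None, "informational"
    if result["type"] == "sca":
        vector = result["vulnerabilityDetails"].get("cvss", {}).get("attackVector", "")
        if vector.upper() not in NETWORK_VECTORS:
            return None, f"attack-vector:{vector}"
    name = risk_name(result)
    if name is None:
        return None, f"unsupported-type:{result['type']}"
    return {"name": name, "severity": severity, "type": result["type"],
            "state": state, "description": result.get("description", "")}, "imported"


def import_results(results: list) -> Tuple[list, dict]:
    """Apply classify() to a scan's results; returns the risks to create and
    a count per drop reason, which is what to check when expected findings
    are missing."""
    risks, dropped = [], {}
    for r in results:
        risk, reason = classify(r)
        if risk:
            risks.append(risk)
        else:
            dropped[reason] = dropped.get(reason, 0) + 1
    return risks, dropped


# Constructed sample results (not real Checkmarx output); CVE-0000-0001 is a placeholder.
SAMPLE_RESULTS = [
    {"type": "sast", "state": "TO_VERIFY", "severity": "HIGH", "similarityId": "12345678",
     "data": {"queryName": "SQL_Injection"}, "description": "Unsanitised input reaches a query."},
    {"type": "sca", "state": "CONFIRMED", "severity": "MEDIUM",
     "vulnerabilityDetails": {"cveName": "CVE-2024-1234", "cvssScore": 9.8,
                              "cvss": {"attackVector": "NETWORK"}}},
    {"type": "sca", "state": "TO_VERIFY", "severity": "HIGH",
     "vulnerabilityDetails": {"cveName": "CVE-0000-0001", "cvssScore": 7.8,
                              "cvss": {"attackVector": "LOCAL"}}},
    {"type": "secrets", "state": "TO_VERIFY", "severity": "INFO", "similarityId": "a1b2c3d4e5f6",
     "data": {"ruleId": "generic-api-key"}},
    {"type": "kics", "state": "NOT_EXPLOITABLE", "severity": "HIGH", "similarityId": "87654321",
     "data": {"queryName": "S3_Bucket_Public"}},
    {"type": "sscs-scorecard", "state": "TO_VERIFY", "severity": "LOW"},
]

if __name__ == "__main__":
    risks, dropped = import_results(SAMPLE_RESULTS)
    for risk in risks:
        print(f"{risk['severity']:<8} {risk['name']}")
    print("dropped:", dropped)
```

Of the six constructed results, only the SAST finding and the network-reachable SCA CVE survive; the drop counter records why each of the other four was excluded, which mirrors the Troubleshooting guidance that missing SCA entries with local attack vectors are expected.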

Prerequisites

  • A Checkmarx One (AST) tenant — for example, https://ast.checkmarx.net or a region-specific URL like https://eu-2.ast.checkmarx.net.

  • An API key (JWT refresh token) generated from Checkmarx One with access to projects and scan results.

  • Permission to add integrations in your PGP deployment.

Finding Your Checkmarx One URL

Your instance URL is the base URL you use to access Checkmarx One. Common examples:

Region | URL
US     | https://ast.checkmarx.net
EU     | https://eu.ast.checkmarx.net
EU-2   | https://eu-2.ast.checkmarx.net

No trailing slash is needed.

Creating an API Key

  1. Log in to Checkmarx One.

  2. Navigate to Settings (gear icon) → Identity and Access Management.

  3. Create or select an API key with access to Projects and Scans/Results.

  4. Generate the key and copy the refresh token — this is the value you will enter as API Key in PGP. Store it securely; it is displayed only once.

For detailed instructions, see Checkmarx documentation on generating API keys.

Setup

  1. In PGP, open Integrations from the main navigation.

  2. Locate Checkmarx SAST under the Secure Code Scanning category.

  3. Click Integrate.

  4. Enter the integration data using the fields below, then click Connect.

Field             | Required | Description
Checkmarx One URL | Yes      | The base URL of your Checkmarx One instance (e.g., https://ast.checkmarx.net).
API Key           | Yes      | The API key (JWT refresh token) generated from Checkmarx One.

PGP validates your credentials by exchanging the refresh token for an access token and making a lightweight test call to GET /api/projects?offset=0&limit=1. Once saved, the integration runs on a regular schedule, automatically importing new scan results.

Verify

  • After the next integration run, check Assets for repository entries that correspond to your Checkmarx projects.

  • Check Risks and filter by source to see findings imported from Checkmarx.

  • If expected data is missing, see the Troubleshooting section below.

What Data Is Synced

Scan Results to PGP Risks

  • Vulnerability findings from SAST, SCA, Secrets, KICS, and Container scans are imported as risks.

  • Each risk includes the finding type, severity, description, and remediation guidance.

  • A proof file with full finding metadata is attached for evidence and traceability.

  • SCA findings include CVE identifiers and CVSS scores for accurate severity mapping.

  • Findings marked Not Exploitable, Fixed, or Informational are automatically excluded.

Projects to PGP Assets

  • Each Checkmarx project's Git repository URL is imported as a repository asset.

  • Repository assets serve as containers for all findings from that project.

  • Assets are linked to the scan's Git branch and repository metadata.

API Endpoints Used

Endpoint                               | Method | Purpose
{issuer}/protocol/openid-connect/token | POST   | Exchange refresh token for access token
/api/projects                          | GET    | Enumerate all projects (paginated, 100 per page)
/api/scans                             | GET    | Fetch completed scans per project (last 7 days or latest)
/api/results                           | GET    | Retrieve vulnerability results per scan (paginated)

Troubleshooting

Authentication failed
  Cause: API key (refresh token) is invalid, expired, malformed, or the Checkmarx One URL does not match your tenant (including region).
  Fix: Verify the URL matches your browser exactly. Re-generate the API key in Checkmarx One under Settings → Identity and Access Management and update it in PGP.

API returns 4xx error
  Cause: URL is incorrect, token lacks required permissions, or the API key cannot list projects.
  Fix: Confirm the URL includes https:// and matches your Checkmarx region. Confirm the key scopes in Checkmarx under Settings → Identity and Access Management.

No assets or risks appear
  Cause: Projects may not have completed scans in the last 7 days, scans lack a Git repository URL, or all results are filtered out.
  Fix: Trigger a scan in Checkmarx, ensure projects have recent scans with Git repo URLs configured, and check that scans have non-informational findings.

Missing SCA vulnerabilities
  Cause: SCA results with local-only attack vectors are filtered.
  Fix: Only network-exploitable SCA findings (NETWORK or ADJACENT_NETWORK attack vectors) are imported. This is expected behavior.

Data seems outdated
  Cause: The integration uses recent scans (last 7 days). New scans appear on the next scheduled run.
  Fix: Verify the latest scan has completed in Checkmarx and has a Git repository URL.

Connection error
  Cause: Instance URL is incorrect or PGP cannot reach Checkmarx.
  Fix: Confirm the URL includes https:// and matches your Checkmarx region.

Security and Data Handling

  • OAuth 2.0 refresh-token exchange over HTTPS — the refresh token is never sent to Checkmarx scan APIs directly, only to the IAM token endpoint.

  • API key encrypted at rest and in transit within your PGP deployment.

  • Entirely read-only — PGP never modifies projects, scans, results, or any configuration in Checkmarx.

  • Only scan metadata and vulnerability details are imported (descriptions, severity, file locations, package info) — no source code is accessed or stored.

  • Access tokens are short-lived and obtained per integration run.

Integration category: Secure Code Scanning. Data direction: Read-only (Checkmarx to PGP). Authentication: OAuth 2.0 refresh token exchange.