Checkmarx - Repository Scans

Checkmarx is a static application security testing (SAST) scanner that detects security vulnerabilities in source code. To use Checkmarx through ZeroNorth, you will need to install and maintain your own Checkmarx server. Whether the ZeroNorth cloud platform can reach that server determines which ZeroNorth-orchestrated scans you can perform and how they are initiated.

Overview

The sections in this article are organized as follows:

  • Your Checkmarx Server is in Your Private Network
    • Repo Scan with your Private Checkmarx Server
  • Your Checkmarx Server is Accessible to ZeroNorth
    • Repo scan with your Accessible Checkmarx Server
    • Scanning a Local Clone of a Repository (similar to an Artifact scan)

Your Checkmarx Server is in Your Private Network

If your Checkmarx server is in your private network and is not reachable from ZeroNorth's cloud platform (the most common case), then you can do the following via ZeroNorth:

  • ZeroNorth-orchestrated repository scans off GitHub Cloud/Enterprise or Bitbucket Cloud/Enterprise, using ZeroNorth's Integration Orchestrator on-prem node. The node runs inside your network, where it can reach both the repository and the Checkmarx server, so the server never has to be exposed to the internet.

Repo Scan with your Private Checkmarx Server

In this use case, the assumptions are:

  • Your Checkmarx server is in your private network and is not reachable by the ZeroNorth cloud platform.
  • You want to scan your project directly off your code repository, which is GitHub Cloud, GitHub Enterprise, Bitbucket Cloud, or Bitbucket Enterprise.
  • You have a Docker environment that can host and run ZeroNorth's Integration Orchestrator Docker image.
  • The Docker environment has outbound access to https://api.zeronorth.io:443.

Instructions:

  1. Set up and run the ZeroNorth Integration Orchestrator using the instructions in the article ZeroNorth Integration-Orchestrator (an on-prem option). Ensure that the zeronorth/integration-orchestrator node is running before proceeding with the following steps.
  2. Activate the Checkmarx Scenario using the instructions in the article Activate Scenario - Checkmarx.
  3. Create the necessary Integration and Target(s) pointing to the code repository to be scanned. Ensure that the Integration you are using has Initiate Scan From set to "Customer's Environment"; this is what makes ZeroNorth hand the scan to your on-prem Integration Orchestrator instead of running it from the cloud platform.
  4. Create Policies combining the Target(s) from step 3 with the Scenario from step 2. Depending on how your Checkmarx server is configured, you may also need to specify the Checkmarx "Team" the project belongs to.
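Before steps 2 to 4, it is worth confirming the assumptions above from the Docker host itself: the Docker CLI is present, a container from the zeronorth/integration-orchestrator image is actually running, and outbound HTTPS to api.zeronorth.io:443 works. The script below is an added example, not ZeroNorth's own tooling. It assumes docker and curl are on the PATH and identifies the orchestrator container by the image name given in step 1 (an assumption if you re-tag the image). The outbound check applies equally to the Integration image used for local-clone scans later in this article.

```shell
#!/bin/sh
# Pre-flight checks for the private-network (Integration Orchestrator) path.
# Added example, not ZeroNorth tooling. Assumes docker and curl on PATH and
# that the orchestrator container runs from the image named below.

ZN_API_HOST="api.zeronorth.io"
ZN_API_PORT="443"
ORCHESTRATOR_IMAGE="zeronorth/integration-orchestrator"   # assumed untagged name

# image_running LIST IMAGE
# LIST is newline-separated image references as printed by
# `docker ps --format '{{.Image}}'`; IMAGE is a name without a tag.
# Returns 0 if any running container uses IMAGE with any (or no) tag.
# The tag is the text after the last ':' that contains no '/', so a
# registry host with a port (registry:5000/ns/img:tag) is not mistaken for it.
image_running() {
  printf '%s\n' "$1" | awk -v want="$2" '
    { name = $0; sub(":[^:/]*$", "", name); if (name == want) found = 1 }
    END { exit found ? 0 : 1 }'
}

# orchestrator_running
# Asks the local Docker daemon for the images of running containers.
orchestrator_running() {
  images=$(docker ps --format '{{.Image}}' 2>/dev/null) || return 1
  image_running "$images" "$ORCHESTRATOR_IMAGE"
}

# outbound_ok HOST PORT
# Returns 0 if a TLS connection to HOST:PORT completes and any HTTP response
# comes back. Without -f, curl fails only on connection or certificate
# errors, so a 4xx from the API still proves reachability. No -k: a bad
# certificate should fail this check, not be waved through.
outbound_ok() {
  curl -sS --max-time 10 -o /dev/null "https://$1:$2/"
}

# preflight: run every check, report, and return non-zero if any failed.
preflight() {
  rc=0
  if ! command -v docker >/dev/null 2>&1; then
    echo "FAIL: docker CLI not found" >&2; rc=1
  elif orchestrator_running; then
    echo "OK: a container from $ORCHESTRATOR_IMAGE is running"
  else
    echo "FAIL: no running container from $ORCHESTRATOR_IMAGE" >&2; rc=1
  fi
  if outbound_ok "$ZN_API_HOST" "$ZN_API_PORT"; then
    echo "OK: outbound HTTPS to $ZN_API_HOST:$ZN_API_PORT"
  else
    echo "FAIL: cannot reach https://$ZN_API_HOST:$ZN_API_PORT" >&2; rc=1
  fi
  return $rc
}

# Only run the checks when invoked as `sh preflight.sh run`, so the file can
# also be sourced for its functions without side effects.
case "${1:-}" in
  run) preflight ;;
esac
```

Run it as `sh preflight.sh run` on the Docker host; a non-zero exit means one of the assumptions does not hold, and the FAIL line names which. Because image_running takes the container list as an argument, it can be exercised against constructed input without a Docker daemon.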

Running the Scan

Repo scanning can be done in one of the following ways:

  • Run the scan manually by going into znOPS > Policies and then running the Policy.
  • Create a webhook on the Policy (see Integration Guide - ZeroNorth Webhooks) and then run the Policy via the webhook.
  • Trigger the Policy via the API (contact support@zeronorth.io for instructions on how to use ZeroNorth REST API).

Your Checkmarx Server is Accessible to ZeroNorth

If your Checkmarx server is publicly accessible, or is made accessible to ZeroNorth through a connectivity solution such as IP allow-listing (whitelisting), then you have more options. If you take this route, limit inbound access to the addresses the ZeroNorth platform connects from and keep TLS enforced rather than opening the Checkmarx server to the whole internet; it holds your source code and scan results.

  • ZeroNorth-orchestrated repository scans off GitHub cloud or similar repository services
  • ZeroNorth-orchestrated scan of local clones of project repositories, submitted as an “artifact” via the ZeroNorth Integration Docker image or the ZeroNorth CLI command line executable

Repo Scan with your Accessible Checkmarx Server

In this use case, the assumptions are:

  • Your Checkmarx server is accessible to the ZeroNorth cloud platform.
  • You want to scan your project directly off your code repository, which is a hosted service the ZeroNorth platform can also reach, such as GitHub Cloud or Bitbucket Cloud.

Instructions:

  1. Activate the Checkmarx Scenario using the instructions in the article Activate Scenario - Checkmarx.
  2. Create the necessary Integration and Target(s) pointing to the code repository to be scanned. Ensure that the Integration you are using has Initiate Scan From set to "ZeroNorth Platform", so the scan is run from the cloud platform rather than dispatched to an on-prem node.
  3. Create Policies combining the Target(s) from step 2 with the Scenario from step 1. Depending on how your Checkmarx server is configured, you may also need to specify the Checkmarx "Team".

Running the Scan

Repo scanning can be done in one of the following ways:

  • Run the scan manually by going into znOPS > Policies and then running the Policy.
  • Create a webhook on the Policy (see Integration Guide - ZeroNorth Webhooks) and then run the Policy via the webhook.
  • Trigger the Policy via the API (contact support@zeronorth.io for instructions on how to use ZeroNorth REST API).

Scanning a Local Clone of a Repository

Sometimes it is desirable to scan a local (checked-out) clone of a project repository, or the output of a build step, instead of scanning the code directly off the repository. This use case is supported only when the Checkmarx server is accessible to the ZeroNorth cloud platform, because the clone is uploaded to the platform and scanned from there.

Assumptions:

  • Your Checkmarx server is accessible to the ZeroNorth cloud platform.
  • You want to scan a local clone of the repository, or the result of a build process.
  • You have a Docker environment that can host and run ZeroNorth’s Integration Docker image.
  • The Docker environment has outbound access to https://api.zeronorth.io:443.

Instructions:

  1. Set up the ZeroNorth Integration image using the instructions in the article Integration Guide - ZeroNorth Docker Image for CI/CD Pipeline.
  2. Activate the Checkmarx Scenario using the instructions in the article Activate Scenario - Checkmarx.
  3. Create the necessary Integration and Target(s) pointing to the code repository to be scanned. Ensure that the Integration you are using has Initiate Scan From set to "ZeroNorth Platform".
  4. Create Policies combining the Target(s) from step 3 with the Scenario from step 2.

Running the Scan

Running the scan is akin to submitting the project clone/build as an artifact to the ZeroNorth cloud platform. See the example Docker run commands in the “Using the Docker Image” section of the article Integration Guide - ZeroNorth Docker Image for CI/CD Pipeline.