
Audit Quick Start

Checkmarx SAST works by scanning your project code using a set of queries designed to find vulnerabilities or compliance issues in the code. Sometimes issues are found which you believe are not valid for your project, such as false positives, and you wish to avoid these results.

CxAudit provides you with the option of editing individual queries so that you will not be alerted about these non-issues. You can then test your customized queries in a test area to verify that they work as you intend, and upload them to the production site so that the next time the project is scanned the results will be valid.

Checkmarx Audit provides you with a sandbox laboratory where you can experiment by making changes to project code and vulnerability queries and examine the effects. CxAudit is installed on your local machine, while WebAudit is accessed from the cloud.

CxAudit consists of the following windows:

  • CxAudit Workspace

  • Audit/View

CxAudit Workspace

The CxAudit Workspace provides a general overview of recent projects and a platform to launch auditing actions. From the workspace you can see a short list of projects that were recently scanned using SAST, the scanned dates, and a summary of the results of each scan organized by severity. By default, Audit loads into workspace the five most recent projects that were scanned by SAST.

The following action options are provided from the workspace:

  • Auditing a selected project. You scan the project (full or incremental), view the results, edit queries and/or project source code, and rescan the project to observe the effects of the changes. The changes can be saved locally and uploaded to the SAST server.

  • Adding a new local project to the list of projects. You can then use CxAudit to scan this local project.

  • Editing queries. The Query Editor allows you to make adjustments to the Checkmarx queries. You can use the Editor without loading any projects into the workspace.

  • Viewing scan results, project code, and vulnerability queries, without permission to make any changes.

[Figure: Audit Workspace and Audit/View diagram]

Each of the above options opens the Audit/View window. The selected option determines what you can do in the Audit/View window, which will appear with slight differences depending on the option chosen.