Checkmarx One AWS CodeBuild Integration
You can integrate Checkmarx One with AWS CodeBuild using our CLI Tool. This enables you to run Checkmarx One scans, as well as other Checkmarx One CLI commands, in CodeBuild.
Prerequisites
You have a Checkmarx One account and you have an OAuth Client or API Key for Checkmarx One authentication. To generate the required authentication, see Authentication for Checkmarx One CLI and Plugins.
Notice
The OAuth method has the advantage that you can specify the precise permissions needed for the integration, whereas an API Key automatically inherits all permissions of the user who generates it.
You have an AWS account and access to CodeCommit.
You have created a repo in CodeCommit.
Setting up Checkmarx One CLI Integration
Before running Checkmarx One CLI commands in your CodeBuild project, you need to create and configure a buildspec.yaml file. This involves first configuring project variables for accessing Checkmarx One and then adding our buildspec.yaml to your repo and configuring it for your needs.
Once your project is set up, you can use CLI commands to run scans, retrieve scan results and perform CRUD actions on your Checkmarx One Projects and Applications. For an explanation of the CLI commands, see Checkmarx One CLI Commands.
Create a CodeBuild Project
Go to Developer Tools inside your AWS account.
Go to CodeBuild > Build Projects > Create build project.
Fill in the fields as desired.
Warning
The Operating System must be Ubuntu, and Buildspec > "Use buildspec file" must be enabled.
Configuring Project Variables
Create variables for the parameters needed to connect to your Checkmarx One account.
Notice
The environment variables need to be set separately for each CodeBuild project in AWS.
In your AWS account, go to Developer Tools > CodeBuild > Build projects > {project_name} > Edit > Environment.
Create project variables by entering a Variable name and Value and selecting the Type for each of the variables described in the table below, and then clicking Update Environment.

Project Variables

Key | Value |
---|---|
CX_PROJECT_NAME | The name of the project in Checkmarx One. |
CX_BASE_URI | |
CX_BASE_AUTH_URI | |
CX_TENANT | The name of your tenant account. |
Use one of the following authentication methods. | |
CX_CLIENT_ID and CX_CLIENT_SECRET (OAuth, recommended method) | These values are obtained from the Checkmarx One web application, see Creating an OAuth Client for Checkmarx One Integrations. |
CX_API_KEY | This is obtained from the Checkmarx One web application, see Generating an API Key. |
CX_VERSION | The version of the Checkmarx One CLI tool that you are using. |
Configuring a Project to Run Checkmarx CLI Commands
Add the buildspec.yaml or buildspec.yml file from one of the integration examples provided below to your project repository.
Create the CodeBuild as described above.
Edit the Checkmarx One CLI scan create command in the spec file, specifying the relevant scan parameters as described below in Configuring Scan Settings. Alternatively, you can run other CLI commands, see Checkmarx One CLI Commands.
You can add triggers to run the CodeBuild, or you can run the CodeBuild manually by clicking Developer Tools > CodeBuild > Build projects > {project_name} > Start build.
Sample CodeBuild Spec Files
We provide samples that use various methods for installing the Checkmarx One CLI.
Option 1 - Install the CLI using Homebrew
Notice
This option works in any environment, because it first installs Homebrew on your build image.
```yaml
version: 0.2
phases:
  install:
    commands:
      - /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
      - eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
      - brew install checkmarx/ast-cli/ast-cli
  build:
    commands:
      - cx scan create --project-name "$CX_PROJECT_NAME" --file-source "." --branch "main" --scan-info-format 'json' --agent 'CodeCommit' --base-uri "$CX_BASE_URI" --tenant "$CX_TENANT" --client-id "$CX_CLIENT_ID" --client-secret "$CX_CLIENT_SECRET"
```
Option 2 - Install the CLI using wget and Checkmarx One CLI release
Notice
For this option you need to add a CX_VERSION variable to the environment, set to the CLI version you want to use.
```yaml
version: 0.2
phases:
  install:
    commands:
      - wget -O ./cxcli.tar.gz "https://github.com/Checkmarx/ast-cli/releases/download/${CX_VERSION}/ast-cli_${CX_VERSION}_linux_x64.tar.gz"
      - tar xzvf ./cxcli.tar.gz
  build:
    commands:
      - ./cx scan create --project-name "$CX_PROJECT_NAME" --file-source "." --branch "main" --report-format 'summaryHTML' --agent 'CodeCommit' --base-uri "$CX_BASE_URI" --tenant "$CX_TENANT" --client-id "$CX_CLIENT_ID" --client-secret "$CX_CLIENT_SECRET"
```
Notice
Check for updates to the code samples in GitHub.
Configuring Scan Settings
The following snippet shows how you can run a Checkmarx One scan in CodeBuild using the cx scan create command with the minimum required parameters: -s (location of the source code), --project-name (name of the Checkmarx One Project), and --branch (name of the branch of the Checkmarx One Project), as well as the Project variables that you configured for connecting to Checkmarx One. For additional scan arguments see scan create.
```yaml
- cx scan create -s "." --project-name "$CX_PROJECT_NAME" --base-uri "$CX_BASE_URI" --tenant "$CX_TENANT" --client-id "$CX_CLIENT_ID" --client-secret "$CX_CLIENT_SECRET" --branch "main"
```
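The two sample spec files and the minimal command above pass the project variables straight to cx, so a variable that was never set in the CodeBuild environment only surfaces as a failed login partway through the build. The script below is an added example, not part of the Checkmarx documentation or of the cx CLI: it wraps the scan command so the build stops early when a required variable is missing, reports only the names of the missing variables (never their values) in the build log, and selects the OAuth client credentials over an API key when both are configured. The variable names come from the Project Variables table; the function names, CX_BIN, CX_BRANCH, and the --apikey and --base-auth-uri flags (taken from the CLI itself, not from this page) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Checkmarx documentation or the cx CLI.
# Wraps `cx scan create` so CodeBuild fails fast on missing configuration
# without ever writing a secret value to the build log.
# Assumptions (not from the page): the function names, CX_BIN, CX_BRANCH,
# and the --apikey / --base-auth-uri flags.
#
# Usage from a buildspec build phase:
#   - . ./cx-scan.sh && cx_run_scan

# Report which credential set is configured: "oauth", "apikey" or "none".
# OAuth wins when both are present, since it is the recommended method.
cx_auth_method() {
  if [ -n "${CX_CLIENT_ID:-}" ] && [ -n "${CX_CLIENT_SECRET:-}" ]; then
    echo oauth
  elif [ -n "${CX_API_KEY:-}" ]; then
    echo apikey
  else
    echo none
  fi
}

# Check that every variable the scan needs is set. Only the *names* of the
# missing variables are printed, so a misconfigured build never leaks a value.
# Returns 1 when anything is missing.
cx_check_config() {
  missing=""
  # The names are a fixed list, so the eval expands only known variables.
  for name in CX_PROJECT_NAME CX_BASE_URI CX_TENANT; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  [ "$(cx_auth_method)" != none ] || missing="$missing CX_CLIENT_ID+CX_CLIENT_SECRET-or-CX_API_KEY"
  if [ -n "$missing" ]; then
    echo "cx: missing required variables:$missing" >&2
    return 1
  fi
  return 0
}

# Run the scan with arguments matching the configured auth method.
# CX_BIN selects the binary: "cx" for the Homebrew sample, "./cx" for the
# wget sample. CX_BRANCH defaults to "main", as in the page's samples.
cx_run_scan() {
  cx_check_config || return 1
  set -- scan create -s "." --project-name "$CX_PROJECT_NAME" \
         --base-uri "$CX_BASE_URI" --tenant "$CX_TENANT" \
         --branch "${CX_BRANCH:-main}" --agent CodeCommit
  # CX_BASE_AUTH_URI is in the page's table; pass it only when it is set.
  [ -z "${CX_BASE_AUTH_URI:-}" ] || set -- "$@" --base-auth-uri "$CX_BASE_AUTH_URI"
  case "$(cx_auth_method)" in
    oauth)  set -- "$@" --client-id "$CX_CLIENT_ID" --client-secret "$CX_CLIENT_SECRET" ;;
    apikey) set -- "$@" --apikey "$CX_API_KEY" ;;
  esac
  "${CX_BIN:-cx}" "$@"
}
```

When you create the project variables, give CX_CLIENT_SECRET or CX_API_KEY the Secrets Manager or Parameter Store type rather than Plaintext, so the secret is not stored on the build project definition itself; combined with the names-only error message above, a failed build leaves no credential in the CodeBuild log.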
Viewing Scan Results in CodeBuild
Notice
As with all Checkmarx One scans, you can view the scan results in the Checkmarx One web application or via API.
You can also check the CodeBuild logs to view the result of the command execution.