Skip to main content

Checkmarx One AWS CodeBuild Integration

You can integrate Checkmarx One into your CodeCommit Repo using our CLI Tool. You can run Checkmarx One scans as well as perform other Checkmarx One commands using the CLI Tool.


  • You have a Checkmarx One account and you have an OAuth2 Client or API Key for Checkmarx One authentication. To generate the required authentication, see ???.

  • You have an AWS account and access to CodeCommit.

  • You have created a repo in CodeCommit.

Setting up Checkmarx One CLI Integration

Before running Checkmarx One CLI commands in your CodeBuild project, you need to create and configure a buildspec.yaml file. This involves first configuring project variables for accessing Checkmarx One and then adding our buildspec.yaml to your repo and configuring it for your needs.

Once your project is set up, you can use CLI commands to run scans, retrieve scan results and perform CRUD actions on your Checkmarx One Projects and Applications. For an explanation of the CLI commands, see Checkmarx One CLI Commands.

Create a CodeBuild Project

  1. Go to developer tools inside your AWS account.

  2. Go to CodeBuild > Build Projects > Create build project.

  3. Fill in the fields as desired.


The Operating System must be Ubuntu and, Buildspec > "Use buildspec file" should be enabled.

Configuring Project Variables

Create variables for the parameters needed to connect to you Checkmarx One account.


The environment variables need to be set separately for each CodeBuild in AWS.

  1. In your AWS account, go to Developer Tools > CodeBuild > Build projects > {project_name} > Edit > Environment.

  2. Create project variables by entering a Variable name and Value and selecting the Type for each of the variables described in the table below, and then clicking Update Environment.


Project Variables




The name of the project in Checkmarx One.




The name of your tenant account.

Use one of the following authentication methods.


(for OAuth2, recommended)

These values are obtained from the Checkmarx One web application, see Creating an OAuth2 Client for Checkmarx One Integrations. (recommended method)Creating an OAuth2 Client for Checkmarx One Integrations


This is obtained from the Checkmarx One web application, see Generating an API Key.Generating an API Key


The version of the Checkmarx One CLI tool that you are using.

Configuring a Project to Run Checkmarx CLI Commands

  1. Add the buildspec.yaml or buildspec.yml file from one of the integration examples provided below to your project repository.

  2. Create the CodeBuild as described above.

  3. Edit the Checkmarx One CLI scan create command in the spec file, specifying the relevant scan parameters as described below in Configuring Scan Settings. Alternatively, you can run other CLI commands, see Checkmarx One CLI Commands.

  4. You can add triggers to run the CodeBuild, or you can run the CodeBuild manually by clicking Developer Tools > CodeBuild > Build projects > {project_name} > Start build.

Sample CodeBuild Spec Files

We provide samples that use various methods for installing the Checkmarx One CLI.

Option 1 - Install the CLI using Homebrew


This option can be installed on any environment. This method includes installing Homebrew on your image.

version: 0.2

      - /bin/bash -c "$(curl -fsSL"
      - eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
      - brew install checkmarx/ast-cli/ast-cli
      - cx scan create --project-name "$CX_PROJECT_NAME" --file-source "." --branch "main" --scan-info-format 'json' --agent 'CodeCommit' --base-uri "$CX_BASE_URI" --tenant "$CX_TENANT" --client-id "$CX_CLIENT_ID" --client-secret "$CX_CLIENT_SECRET"

Option 2 - Install the CLI using wget and Checkmarx One CLI release


For this option you need to add to the environment a CX_VERSION variable, with the desired cli version to use.

version: 0.2

      - wget -O ./cxcli.tar.gz "${CX_VERSION}/ast-cli_${CX_VERSION}_linux_x64.tar.gz"
      - tar xzvf ./cxcli.tar.gz
      - ./cx scan create --project-name "$CX_PROJECT_NAME" --file-source "." --branch "main" --report-format 'summaryHTML' --agent 'CodeCommit' --base-uri "$CX_BASE_URI" --tenant "$CX_TENANT" --client-id "$CX_CLIENT_ID" --client-secret "$CX_CLIENT_SECRET"


Check for updates to the code samples in GitHub.

Configuring Scan Settings

The following snippet shows how you can run a Checkmarx One scan in CodeBuild using the cx scan create command with the minimum required parameters; -s (location of the source code), --project-name (name of the Checkmarx One Project), and --branch (name of the branch of the Checkmarx One Project) as well as the Project variables that you configured for connecting to Checkmarx One. For additional scan arguments see scan create.

- cx scan create -s "." --project-name "$CX_PROJECT_NAME" --base-uri "CX_BASE_URI" --tenant "$CX_TENANT" --client-id "$CX_CLIENT_ID" --client-secret "CX_CLIENT_ID_SECRET" --branch "main"

Viewing Scan Results in CodeBuild


As with all Checkmarx One scans, you can view the scan results in the Checkmarx One web application or via API.

You can also check the CodeBuild logs to view the result of the command execution.