
SAST Query Editor

Overview

Checkmarx Query Editor complements Checkmarx SAST by enabling you to easily customize SAST’s analysis queries or configure additional queries for security, quality assurance, and application logic purposes.

Query Editor can be used to adapt SAST’s basic security functionality to non-standard code. It includes intuitive tools for adding code elements to various parts of queries and for locating relevant parts of existing queries and combining them to create your own. This helps eliminate false positives and ensure that all real vulnerabilities are identified. Use it to expand on SAST’s functionality and include queries supporting your specific QA or application logic needs.

Caution

At most 5 Query Editor sessions may run at a time, and an idle session times out after 60 minutes.

Note

Common queries cannot be edited in the Query Browser.

Accessing Query Editor

The first method described below opens the Query Editor associated with a project. The second opens the Query Editor independent of any project.

Viewing a Project's Query Editor

  1. Select a project from the Applications and Projects list to open its scans panel.

  2. In the SAST section of the panel, hover over the vertical ellipsis (⋮) icon and click Audit Scan in the drop-down menu to open the Query Editor. After the Query Editor scans the project, it is ready to use.


Viewing the Query Editor Independently

To open the Query Editor independently of any project, click the Scan Management icon in the left navigation bar, then Query Editor.


Navigating the Query Editor Ribbon

Use the features on the ribbon at the top of the page to customize how you use and view the Query Editor. Hover over an icon to see its description before selecting it.


From left to right:

  • Search query names, project files and their source code, and scan results in the current project.

  • Use the AI Query Builder to help design and write queries while elevating your Checkmarx query language proficiency.

  • Toggle the Attack Vector view for your vulnerabilities. This view is off by default.

  • Toggle between Query Editor views. The default view is Horizontal.

  • Download the scan logs for your project as a .zip file by clicking the vertical ellipsis (⋮) icon, then Download Logs. These logs help support engineers troubleshoot the scan in case of an error or failure.

Viewing the Project Code

In the Project Files side panel, view the packages contained in the project. Click a file to open a tab and see its code in the File Source Code window. Select multiple files to open multiple tabs and similarly view their code.

Navigating the Query Browser

Under Query Browser, drill down to a query by cycling through the languages ribbon with the arrows and selecting a query level from the dropdown. The Cx folder contains all default Checkmarx queries.


Clicking a query opens its code in a neighboring tab under Queries. Clicking another query opens another tab. Click a tab to switch to that query view.

Navigating the Queries Ribbon

Under Queries, while a query is selected and its code is visible, use the ribbon at the end of the row to view the query's info details, run the query (or multiple queries), add another query, or override the query at the tenant, project, and, if applicable, application level. Hover over an icon in the ribbon to see its description before selecting it. Note that this ribbon is visible only after the project has been scanned successfully.


Running a Query

The Results tab is blank until you run a query that returns vulnerabilities in the project code. Select the query or queries, then click the Run Query or Run Multiple Queries icon to run them. Your query run history and results are listed in the Results Browser window. Toggle the Hide Empty switch to hide results with zero (0) vulnerabilities.

Adding a Query

Add a new query by clicking the plus (+) icon on the ribbon. Fill out its details in the form and click Save when done.


Creating and Running an Override Query

Default Checkmarx queries are not editable. They are listed under the Cx folder and marked in the tab with the Checkmarx logo, as shown below:

Instead, you can create override queries based on any Checkmarx query except the Common queries. When you create an override query, its source code is copied from the selected Checkmarx query; you can then modify it and apply it to tenant-, application-, or project-level scans. A dedicated folder is created in the queries tree at each override level.


When you do not want a certain query to run in a project, override it with an override query, which runs instead. This is especially useful for testing, and it also works for tenant- and application-level queries.

Overriding a query at the tenant level will also override the query for all applications and projects in that tenant.

Overriding a query at the application level also affects the projects in that application. The Override per Application option is visible only when the application does not include multi-application projects. To avoid confusion, when the application includes a project that is associated with multiple applications, the Override per Application option is disabled and hidden.

Overriding a query at the project level only applies to that project.

Note

Generally, a query applied at a lower level takes precedence over a higher-level one. If you override a query at the tenant level, you can still apply a different query at the application or project level.

Debugging Your Query

To debug your queries, create a query or override an existing one, and add cxLog.WriteDebugMessage("debug here"); to the query. Run the query and view the debug message under the Debug tab.
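As an added illustration (not from the original page or from Checkmarx), the following override query body shows the debugging pattern described above applied to a realistic case: it calls the built-in query it overrides, logs the result counts at each step, and drops flows that pass through a sanitizer. It assumes the CxQL conventions that an override can call the original via base.Find_<QueryName>(), that All.FindByShortName, DataInfluencedBy and Count behave as named, and that EscapeForSql is a placeholder method name from your own code base.

```csharp
// Override of the built-in SQL_Injection query (added example, not Checkmarx's code).
// Assumption: base.Find_SQL_Injection() returns the results of the original query.
CxList original = base.Find_SQL_Injection();
cxLog.WriteDebugMessage("SQL_Injection base results: " + original.Count);

// Assumption: FindByShortName locates invocations of a method by its short name.
// "EscapeForSql" is a placeholder for a sanitizer that exists in your code base.
CxList sanitizers = All.FindByShortName("EscapeForSql");
cxLog.WriteDebugMessage("Sanitizer invocations found: " + sanitizers.Count);

// Assumption: DataInfluencedBy returns the subset of 'original' whose data
// passes through one of the sanitizer calls. Those flows are treated as safe.
CxList sanitized = original.DataInfluencedBy(sanitizers);
cxLog.WriteDebugMessage("Results flowing through sanitizer: " + sanitized.Count);

// 'result' is the implicit output of a CxQL query.
result = original - sanitized;
cxLog.WriteDebugMessage("Results reported after override: " + result.Count);
```

Each WriteDebugMessage line appears under the Debug tab after the query runs, so a drop in the final count can be traced to the sanitizer matching step rather than guessed at.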
