Skip to main content

Getting Started with Codebashing

The goal of this section is to provide you with the information and guidance to facilitate a successful roll-out and adoption of Codebashing. Use the following as a step-by-step checklist.

New Customer Welcome Letter

As a new customer, you will receive a welcome letter once Checkmarx has processed your order. The letter includes helpful information and links to get you started.

Codebashing Tenant Provisioning

To configure your Codebashing Tenant, we need some information and actions from you.

For SSO/SAML integration, we will contact you for your SAML metadata. We recommend you limit access to Codebashing by applying group-level access control at your (customer-end) SSO endpoint. Your Identity & Access Management team may assist you with this.

If your environment has aggressive outbound web or inbound email filtering, we suggest you add Codebashing domains and IPs to the allowlist at the relevant web and/or email gateway.

For additional information on these topics, see the following resources:

  • Set up and configure the SSO/SAML integration. Checkmarx will contact you to configure this setup. For additional information and instructions on SAML integration, refer to Setting Up Access via SSO using SAML.

  • Work with your Identity & Access Management (SSO team) to develop possibilities to limit Codebashing to the developers that require it. For further information, refer to Setting Up Access via SSO using SAML.

  • Add * to the allowlist in your environment, if necessary.

  • Use the Checkmarx CxSAST solution with Codebashing. For further information and instructions, refer to Enabling Codebashing.

Pre-Planning of your Codebashing Solution

Getting the most out of your Codebashing purchase is important to you and to us at Checkmarx. It may be tempting to start right away, but we strongly recommend that you follow the steps outlined below before launching/deploying Codebashing to your developer groups.

Step 1 - Define Success Criteria for Your AppSec Training Program

As a start, you should think about what your wider AppSec Programs goals are and how AppSec training is going to help achieve them. Your criteria for success should be as objective and quantitative as possible. We suggest you use the SMART framework as a good way to organize your goals: specific, measurable, achievable, relevant, and time-bound.

Step 2 - Understand the Top 5 Best Practices

Here are the Top 5 best practices of our most successful customers:

  1. Mandate training

    • Mandatory training ensures your developers benefit more by engaging and challenging themselves on the Codebashing platform.

  2. SSO Integration with Codebashing

    • This is the initial step when your Codebashing tenant is set up. SSO integration eases the onboarding process and is easy to administer. It is important to work with your Identity & Access Management Team. There are detailed instructions in the “Codebashing Setup” to walk you through step-by-step.

  3. Customize the SSO integration to capture relevant fields from the Active Directory.

    • This helps you expose additional fields from your Active Directory (AD) to provide richer data for your filter moving forward (examples: Department, Manager, BU). This is a critical step to have set up if you plan to integrate with your Learning Management System (LMS). More details are in the LMS link below.

  4. Integrate your training data with your Learning Management System

  5. Build a fun reward program to promote adoption and retain engagement in the Codebashing platform:

    1. It is a fun way to show the importance of Application Security.

    2. Recognize your star developers that reach the top of the leaderboard.

    3. Users who complete the training can add “AppSec Champion” to their email signature.

    4. Think about what would work within your organizational culture and if it can include other existing recognition/reward programs/systems you have.


Small tokens of recognition help raise awareness about the importance of AppSec education. These tokens could include T-shirts, trophies, or anything unique that connects with your organization's culture.

Step 3 - Get Familiar with the Admin Console

Review the content under Managing Codebashing as Administrator to familiarize yourself with Codebashing at the admin level.

Example Rollout Phase

  • Kick-off ideas and communicate with your user community.

    • Formal kick-off meeting with all stakeholders.

    • Sample email template. Adjust it based on your organization and culture.

      • Define and communicate goals

      • Define the timeline and expectations

      • Any other organizational message that needs to be communicated

  • Formal email to communicate the actual rollout, for sample email templates, refer to Sample Email Templates for Rolling out Codebashing.

Ongoing Adoption

  • Periodically review your progress and revisit the success criteria defined for the questionnaire.

  • Issue internal quarterly newsletters or emails on progress success.

Codebashing Discovery Questionnaire

Program Overview and Goals

  1. How would you define your goals and expectations for using Codebashing within your organization?

  2. Who will be administrating the Codebashing solution?

  3. Will you integrate Codebashing utilizing SSO? If so, what information/fields would you need to pull from your user directory?

  4. How many users will you be onboarding initially? Do you know exactly which users are going to be onboarded to Codebashing? Are they all part of a group or multiple groups within AD for instance?

  5. Will you be integrating Codebashing with your existing learning management system?

  6. Describe in as much detail as possible your existing AppSec Education program.

  7. Will any courses be mandatory for all or only a subset of users? If not mandatory, how do you plan to execute user engagement and adoption?

  8. How do you plan to measure the success of Codebashing?

  9. How, to whom, and with what frequency will those success measures be reported?