Skip to main content

Single Tenant Flow

Checkmarx One supports integration with GitHub, GitLab, Bitbucket & Azure DevOps in a single tenant environment, enabling automated scanning of your projects whenever the code is updated. Checkmarx One’s integration listens for the code repository commit events and uses a webhook to trigger Checkmarx scans when a push, or a pull request occurs. Once a scan is completed, the results can be viewed in Checkmarx One.

In addition, for pull requests, a comment is created in the code repository, which includes a scan summary, list of vulnerabilities and a link to view the scan results in Checkmarx One.

Single tenant environment integration supports cloud based code repositories as well as self-hosted ones. The integration flow is the same for both.

Notice

This integration supports both public and private git based repos.

Notice

You can select several repos to create multiple integrations in a bulk action.

Prerequisites

Setting up the Integration and Initiating a Scan

Note

The procedure below reflects GitHub integration.

To see all the code repositories Domain Names & API Domain Names see Domain Names and API Domain Name.

To integrate your code repository organization with Checkmarx One, perform the following:

  1. In the Applications and Projects home page, click on New > New Project - Code Repository Integration.

    Code_Repo_Integration.png

    The Import From window opens.

  2. Select the code repository (For example: GitHub).

    Single_Tenant_Select_GitHub.png
  3. Configure the following fields and click Next:

    • Domain Name or IP Address - Code repository domain.

      For example: https://github.com

      • Domain Name: Cloud based code repositories.

      • IP Address: Self-hosted code repositories.

    • API Domain Name or IP Address - Code repository API domain.

      For example: https://api.github.com

      • API Domain: Cloud based code repositories.

      • IP Address: Self-hosted code repositories.

    • Client ID - See Prerequisites for retrieving the relevant code repository Client ID.

    • Client Secret - See Prerequisites for retrieving the relevant code repository Client secret.

      Single_Tenant_Credentials.png
  4. Select the code repository User/Organization or Group (for the requested repository) and click Select Organization.

    GitHub_Select_Org.png
  5. In the Organization Settings screen you can decide whether to enable the "Monitor new repositories creation" feature.

    For more information about the feature see Monitor New Repositories.

    GitHub_Org_Settings.png
  6. Select the Repository inside the code repository organization and click Next.

    Note

    • A separate Checkmarx One Project will be created for each repo that you import.

    • There can’t be more than one Checkmarx One Project per repo. Therefore, once a Project has been created for a repo, that repo is greyed out in the Import dialog.

    GitHub_Select_Repo.png
  7. In the Repositories Settings screen, perform the following and click Next.

    • Permissions:

      • Scan Trigger: Push, Pull request - Enable/disable automatic scans for every push event or pull request.

      • Pull Request Decoration - Enable/disable pull request decoration.

        For additional information see Code Repository Integration Usage & Results.

    • Scanners: Select the scanners for All/Specific repositories. At lease 1 scanner must be selected for each repository.

    • Protected Branches: Select which Protected Branches to scan for each repository.

      Note

      For additional information about Protected Branches see About Protected Branches

    • Add SSH key.

    • Assign Groups: Specify the Groups to which you would like to assign the project.

    • Assign Tags: Add Tags to the Project. Tags can be added as a simple strings or as key:value pairs.

    • Set Criticality Level: Manually set the project criticality level.

      GitHub_Repo_Settings.png
  8. Select which Protected Branches to scan for each Repository and click Next.

    Note

    For additional information about Protected Branches see About Protected Branches

    GitHub_Select_Branches.png
  9. In the Advanced Options screen it is possible to select Scanning the default branch upon the creation of the Project.

    Click Create Project.

    GitHub_Advanced_Options.png
  10. The project is successfully created in the Applications and Projects home page, and the scan is initiated.

    Note

    In order to update the scanners see Imported Project Settings

    GitHub_SH_Scanning.png

Updating Project Settings

See Code Repository Settings.

Domain Names and API Domain Name

The table below presents all the options for Domain Names and API Domain Names of the supported code repositories.

Code Repository

Domain Name

API Domain Name

Comments

GitHub Cloud

https://github.com

https://api.github.com

GitHub Self-hosted

For example:

https://company.github.com

For example:

https://company.github.com/api/v3

The API Domain Name will be inferred from domain name if not populated

GitLab Cloud

https://gitlab.com

https://gitlab.com/api/v4

GitLab Self-hosted

For example:

https://company.gitlab.com

For example:

https://company.gitlab.com/api/v4

The API Domain Name will be inferred from domain name if not populated

Azure DevOps Cloud

https://dev.azure.com

https://dev.azure.com

Azure DevOps Self-hosted

For example:

https://company.azure.com

For example:

https://company.azure.com

The API Domain Name will be inferred from domain name if not populated

Bitbucket Cloud

Not supported

Not supported

Bitbucket Self-hosted

For example:

https://company.bitbucket.com

For example:

https://company.bitbucket.com/rest/api/1.0

The API Domain Name will be inferred from domain name if not populated