Skip to main content

M&O Migration

You can retain your user data from M&O in the new CxSAST Policy Management by executing an SQL procedure after deploying Policy Management. The SQL procedure migrates the pertinent information from the M&O database tables ( CxARM ) to the new Policy Management tables (part of CxDB ).


This is an optional step and only relevant for previous M&O customers.

The procedure currently migrates the following fields:

  • Policies, Rules, and Conditions

    • Associated Projects

    • Default and Disabled Policies

  • Incidents

  • User roles and permissions (already migrated during the Policy Management deployment)


The migration process should only be executed after deploying Policy Management.

Prerequisites for the Migration

To perform the migration, there are some prior requirements:

  • SQL Server 2016 (13.X) or later.

  • You must ensure your M&O data remains in the database (CxARM) and its consistency has been preserved even after uninstalling M&O.

  • You must have deployed the new Policy Management and ensure everything works as expected.

Migration Steps

  1. Access the .SQL files provided with the Policy Management package in the folder M&O Migration Scripts :

    1. Policies Migration (Migrates all Policies, Rules, and Conditions)

    2. Incidents Migration (Migrates all Incidents)

  2. Run the following command from the directory with the files downloaded above (after the -i flag, insert only the files you want to migrate):

    sqlcmd -U <Username> -S <DatabaseHost> -i policies_migration.sql incidents_migration.sql


You may choose to run just the policies_migration.sql or policies_migration.sql together with incidents_migration.sql. Never run just incidents_migration.sql.

After the Migration

You should verify your data has correctly migrated. Running some tests on existing policies is strongly encouraged.

Contact Checkmarx Support for assistance if you detect any issues.

Insights & Considerations

Policy Enablement/Disablement

This feature (available in M&O) is not in CxSAST Policy Management, so all its policies will be migrated as active.

Vulnerability Name Wildcards (% and -) in Rule Conditions

This feature (available in M&O) is not in CxSAST Policy Management, so they are all removed during the migration.

As an example:


Policy Management

Vulnerability Namecontains%Sql_Injection_

Vulnerability NamecontainsSql_Injection