Skip to main content

Checkmarx SAST Overview

Checkmarx SAST™ is a unique source code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in the source code, such as security vulnerabilities, compliance issues, and business logic problems.

Without needing to build or compile a software project's source code, SAST builds a logical graph of the code's elements and flows. SAST then queries this internal code graph. SAST comes with an extensive list of hundreds of pre-configured queries for known security vulnerabilities for each programming language. Using the SAST Auditor tool, you can configure your own additional queries for security, QA, and business logic purposes.

SAST provides scan results either as static reports, or in an interactive interface that enables tracking runtime behavior per vulnerability through the code, and provides tools and guidelines for remediation. Scan results can be customized to eliminate false positives and various types of workflow metadata can be added to each result instance. These metadata are maintained through subsequent scans, as long as the instance continues to be found.

The input to SAST's scanning and analysis is the source code, not binaries, so no building or compiling is required, and no libraries need to be available. The code doesn't even need to be able to compile and link properly. Consequently, SAST can run scans and generate security reports at any given point in a software project's development life cycle.

SAST supports Open Source Analysis (OSA) enabling licensing and compliance management, vulnerability alerts, policy enforcement, and reporting. OSA supports the most common programming languages, enabling organizations to secure all their open-source components in addition to their in-house developed code analysis coverage.

You can integrate SAST into several aspects of your development cycle. Software build automation tools (Apache Ant and Maven), software development version control systems (SCM Integrations), issue tracking and project management software (Atlassian JIRA Integration), repository hosting services (GitHub Integration), application vulnerability management platforms (ThreadFix Integration), continuous integration platforms (Bamboo and Jenkins), continuous code quality inspection platforms (SonarQube) and source code management tools (Azure DevOps and TFS) can all integrate with SAST.

SAST scans can be manually activated, periodically scheduled, or initiated upon build by one of our integrated build systems.

SAST also supports a wide range of OS platforms, programming languages, and frameworks.

SAST is deployed on a server and accessed by users via our web interface or one of our IDE plugins, Eclipse, Visual Studio, Visual Studio Code Extension, and IntelliJ.