
Checkmarx One Quick Start Guide

This Quick Start guide describes how to get started with the basic functionality and features of Checkmarx One.

Administrator Initial Login

Getting Started

  1. Open the Welcome email from Checkmarx, which contains the following:

    • Username

    • Account Name

    • Link to the Checkmarx One application server.

  2. Click the link to get started.

    3214114912.png
  3. When you click the link, the following screen is presented.

    Click the Click here to proceed option.

    Click_to_Proceed.png

Setting up 2-Factor Authentication (2FA)

  1. Follow the instructions to set up mobile authentication; this activates the account.

    Google Authenticator is the suggested mobile application.

    2FA.png
  2. Perform the following:

    • Type the 6-digit code shown in the authenticator app.

    • Click Submit

Notice

  • After you configure MFA, the system stores your MFA device information.

  • If MFA is later configured from a different device, a Device Name field appears and must be filled in.

Updating the Initial Password

Note

Password requirements

The password must contain the following:

  • At least 10 characters.

  • At least 1 upper case character.

  • At least 1 lower case character.

  • At least 1 digit.

  • At least 1 special character.

Perform the following:

  1. Enter a new password.

  2. Confirm the password.

  3. Click Save and continue

    Change_Pass.png

Sign in to Checkmarx One

  1. In the Sign in window perform the following:

    • Type the Username

    • Type the Password

    • Click Sign in

    Sign_in.png
  2. Perform the following

    • Type the current 6-digit code from the authenticator app you registered during the 2FA setup.

    • Click Sign in

    OTP2.png

Note

Remember device

  • Checking the Remember device checkbox is optional. When checked, the browser is remembered and you are not asked for the 6-digit code on your next login from that browser. Only remember browsers on devices you control, since a remembered browser skips the second factor.

  • If a different browser is used, the 6-digit code window appears again, including the Remember device checkbox.

  • Up to 2 different devices (browsers) can be remembered.

The Checkmarx One home page opens.

Open_Checkmarx_One.png

Scanning a New Source

The primary functional entities in Checkmarx One are Projects. Scans are run and results are viewed at the Project level.

  • Projects – Each Project represents a source repository, such as a component or microservice (although the code itself is submitted separately each time you run a scan). The Project configuration specifies the set of queries that is run when the Project is scanned. Checkmarx One aggregates statistics for all the scans run on a Project.

  • Applications – Each Application represents a product line. Several related Projects can be grouped under one Application, and statistics are aggregated for all Projects in the Application.

To scan a new project, perform the following steps:

  1. Make sure the Projects tab is selected.

  2. Click the Scan button.

    Click_Scan.png
  3. The New Scan window opens.

  4. In the New Scan window, name the Project.

    Name_The_Project.png
  5. In the Source to Scan section, choose one of the two scan options:

    1. Scan from a zipped file:

      • Click the Select File link.

      • Select the zip archive to upload.

      Select_zip_Scan.png
      File_Uploaded.png
    2. Scan a Repository URL:

      • Click the Repository button.

      • Enter the Repository URL.

      • Click the Fetch Branches button.

      Select_Repo_Scan.png
      • Type your Personal Access Token and click Login. Use a token that grants only read access to the repository; the scan needs nothing more than the ability to clone it.

      For example:

      3214737594.png
      • If the token is incorrect, an error is presented when the connection is attempted.

      For example:

      3214115088.png
    3. Click Next.

      3214213358.png
  6. Select the scanners, and click Scan

    3214770309.png
  7. The New Scan window closes automatically.

  8. The Checkmarx One home page shows the scan status.

    Scan_Initiated.png
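Before choosing the zipped-file option, decide what goes into the archive. The script below is an added example, not Checkmarx code: it packages a source tree for upload while leaving out version-control metadata, vendored dependency trees, symlinks and local secret files, so that the scanner receives the code you want analysed and nothing else. The exclusion lists, the sample project layout and the demo() helper are assumptions made for illustration.

```python
"""Package a source tree as a zip archive for upload to a scanner.

Added example, not part of Checkmarx One or its documentation. The exclusion
lists below are assumptions; adjust them to the project being scanned.
"""
import os
import tempfile
import zipfile
from pathlib import Path

# Directories with nothing worth analysing, or that would bloat the upload (assumed list).
EXCLUDED_DIRS = {".git", ".svn", "node_modules", "venv", ".venv",
                 "build", "dist", "target", "__pycache__"}
# Local files that must never leave the workstation (assumed list).
EXCLUDED_FILES = {".env", ".npmrc", ".pypirc", "id_rsa", "id_ed25519"}
EXCLUDED_SUFFIXES = {".pem", ".key", ".p12", ".pfx", ".jks"}


def should_skip_file(path: Path) -> bool:
    """True for secret-looking files and for symlinks (which could point outside the tree)."""
    return (path.is_symlink()
            or path.name in EXCLUDED_FILES
            or path.suffix.lower() in EXCLUDED_SUFFIXES)


def collect_files(root: Path) -> list:
    """Return the project-relative paths to include, in a deterministic order."""
    included = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into excluded directories.
        dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if should_skip_file(path):
                continue
            included.append(path.relative_to(root))
    return included


def build_archive(root: Path, archive: Path) -> list:
    """Write the archive; entry names are relative to the project root, forward-slash separated."""
    files = collect_files(root)
    with zipfile.ZipFile(archive, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for rel in files:
            zf.write(root / rel, arcname=rel.as_posix())
    return [rel.as_posix() for rel in files]


def demo() -> dict:
    """Build a constructed sample project in a temp dir, archive it, and report what went in."""
    layout = {  # constructed sample tree, not a real project
        "src/main.py": "print('hello')\n",
        "src/.env": "API_KEY=do-not-upload\n",
        "certs/server.key": "-----BEGIN PRIVATE KEY-----\n",
        "node_modules/example-lib/index.js": "module.exports = 1;\n",
        ".git/HEAD": "ref: refs/heads/main\n",
        "requirements.txt": "requests==2.31.0\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        for rel, content in layout.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        archive = Path(tmp) / "app.zip"
        included = build_archive(root, archive)
        with zipfile.ZipFile(archive) as zf:
            names = zf.namelist()
    return {"included": included, "archive_names": names}


if __name__ == "__main__":
    print(demo())
```

Running the script on the constructed tree archives only requirements.txt and src/main.py; the .env file, the private key, the node_modules tree and the .git directory stay on the workstation. Pruning dirnames in place is what keeps os.walk from descending into excluded directories at all, which matters for large vendored trees.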

Analyzing Scan Results

After a scan finishes, you can view and analyze its results.

The Project risk level is presented on the Checkmarx One home page.

Project_Risk_Level.png

Project Preview

  1. Click the Project line on the Checkmarx One home page.

  2. A Project preview panel opens on the right side of the screen. It represents the latest scan, including the scanners that were used for it.

    Project_Preview_Panel.png

Project Overview

  1. Click the Go to Project button.

    2697105111.png
  2. The Project Overview screen opens.

    3223486708.png
  3. The Overview screen shows the following aggregated information (widgets) across all scanner results:

    • Risk Level - Presents the Project risk level (High, Medium, Low).

      3219259593.png
    • Total Vulnerabilities - Presents the total number of vulnerabilities and their distribution by severity (High, Medium, Low).

      3218866620.png
    • Vulnerabilities per Scan Type - Presents the distribution of vulnerabilities by scan type (SAST, KICS, SCA).

      3219914850.png
    • Last Scan Time - Presents the number of days elapsed since the last scan.

      3219816554.png
    • Severity Over Time - Presents the number of vulnerabilities by severity (High, Medium, Low), calculated per day within the selected time range.

      3219849322.png
    • Aging Summary - Presents the number of vulnerabilities by severity (High, Medium, Low), grouped by first discovery date within the selected time range.

      3218965022.png
    • Compliance Vulnerabilities Overview - Presents all the compliance standards that exist in the Checkmarx One database.

      3219063053.png
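The two time-based widgets, Severity Over Time and Aging Summary, are easiest to understand as a computation over the findings. The script below is an added example, not Checkmarx code: it takes a constructed list of findings (each with a first-discovery date and, if remediated, a fix date) and produces a per-day severity series and an aging summary for a selected time range. The record format, the "open until fixed" rule and the age buckets are assumptions made for illustration.

```python
"""Compute the Severity Over Time and Aging Summary views from a list of findings.

Added example, not Checkmarx code. The finding records, their field names and
the age buckets are assumptions that illustrate the semantics the guide describes.
"""
from collections import Counter
from datetime import date, timedelta

SEVERITIES = ("High", "Medium", "Low")

# Constructed sample findings: first discovery date and, if remediated, the fix date.
FINDINGS = [
    {"id": "F1", "severity": "High",   "first_found": date(2024, 1, 3),  "fixed_on": None},
    {"id": "F2", "severity": "High",   "first_found": date(2024, 1, 10), "fixed_on": date(2024, 1, 20)},
    {"id": "F3", "severity": "Medium", "first_found": date(2024, 1, 12), "fixed_on": None},
    {"id": "F4", "severity": "Low",    "first_found": date(2023, 12, 1), "fixed_on": None},
    {"id": "F5", "severity": "Medium", "first_found": date(2024, 1, 25), "fixed_on": date(2024, 1, 26)},
]


def is_open_on(finding: dict, day: date) -> bool:
    """A finding is open from its discovery date up to, but not including, its fix date."""
    fixed = finding["fixed_on"]
    return finding["first_found"] <= day and (fixed is None or day < fixed)


def severity_over_time(findings: list, start: date, end: date) -> dict:
    """Open findings per severity for every day in [start, end], keyed by ISO date."""
    series = {}
    day = start
    while day <= end:
        counts = Counter(f["severity"] for f in findings if is_open_on(f, day))
        series[day.isoformat()] = {s: counts.get(s, 0) for s in SEVERITIES}
        day += timedelta(days=1)
    return series


def aging_summary(findings: list, start: date, end: date, buckets=(7, 30, 90)) -> dict:
    """Findings first discovered in [start, end] and still open at `end`, by severity
    and by how long they have been open (the bucket boundaries are an assumption)."""
    summary = {s: Counter() for s in SEVERITIES}
    for f in findings:
        if not (start <= f["first_found"] <= end) or not is_open_on(f, end):
            continue
        age = (end - f["first_found"]).days
        label = next((f"<={b}d" for b in buckets if age <= b), f">{buckets[-1]}d")
        summary[f["severity"]][label] += 1
    return {s: dict(c) for s, c in summary.items()}


def demo() -> dict:
    """Run both views over the sample findings for January 2024."""
    start, end = date(2024, 1, 1), date(2024, 1, 31)
    return {
        "over_time": severity_over_time(FINDINGS, start, end),
        "aging": aging_summary(FINDINGS, start, end),
    }


if __name__ == "__main__":
    result = demo()
    print(result["over_time"]["2024-01-15"])
    print(result["aging"])
```

On the sample data, 15 January 2024 shows two High, one Medium and one Low finding open, while the aging summary for the month counts only F1 and F3: F2 and F5 were fixed before the end of the range, and F4 was first discovered before the range started, so it contributes to the daily series but not to the aging view.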

Scan History

  1. Click the Scan History tab.

    3223617756.png
  2. The Scan History tab lists all the scans that were run in the Project.

  3. Clicking a scan line opens a scan preview panel on the right side of the screen. It shows the scan information, including the scanners that were used for that specific scan.

    3223748873.png
  4. To view the results for a specific scanner, click the Results button for the relevant scan type.

    For example:

    3221455252.png
    3218997508.png

Analyzing SAST Results

Open SAST Result Viewer

There are two ways to open the SAST results view:

  1. Open the SAST Results viewer directly for a scan and drill down into its results by clicking the "eye" icon on the right side of the scan line.

    For example:

    3221455260.png
    3217130541.png
  2. Alternatively:

    1. Click the scan line in the Scan History tab.

    2. A scan preview panel opens on the right side of the screen.

      3223322866.png
    3. Click the Results button for the SAST scan type.

      3223617768.png

Analyze SAST Results

  1. In the SAST results screen you can:

    1. Drill down into the SAST scan results.

    2. See every language in which vulnerabilities were found.

    3. Identify exactly which vulnerability exists on each code line, for every language.

  2. Expand a language section to see which vulnerabilities exist in the scanned source.

    3223584888.png
  3. Click a vulnerability to open the Attack Vector view, which traces the flow from the source node to the sink node.

    For example:

    3223814359.png
  4. To switch the Attack Vector view, click the Change View button.

    3223715991.png

Analyzing SCA Results

Open SCA Result Viewer

To view the results of the SCA scan type:

  1. Run a scan with the SCA scanner selected.

  2. Click the Project line on the Checkmarx One home page (to see the last scan), or go to the Scan History tab and click the requested scan.

  3. Click the Results button for the SCA scan type.

    For example:

    3223650487.png

Analyze SCA Results

The default SCA results view is the Vulnerabilities view, which lists every vulnerability discovered in the SCA scan. Vulnerabilities are listed by CVE (Common Vulnerabilities and Exposures) identifier, with the information shown for the packages to which each applies.

3223322852.png
  1. Click the row of a specific vulnerability to drill down into its details.

  2. A new tab opens with additional information about the vulnerability.

    This screen includes a description of the vulnerability, links to external resources, the CVSS (Common Vulnerability Scoring System) score with a breakdown of its components, and remediation recommendations.

    There is also a control for marking the vulnerability to be ignored in subsequent scans of this Project. Use it only once you have confirmed that the finding does not apply (for example, the vulnerable functionality is not used), and record the reason, since an ignored finding no longer appears in later results.

    3223290097.png

Notice

For more information about viewing SCA results, see Viewing SCA Scan Results.

Analyzing KICS Results

Open KICS Result Viewer

To view the results of the KICS scan type:

  1. Run a scan with the KICS scanner selected.

  2. Click the Project line on the Checkmarx One home page (to see the last scan), or go to the Scan History tab and click the requested scan.

  3. Click the Results button for the KICS scan type.

    For example:

    3225780559.png
  4. Expand a Platform section to see which vulnerabilities exist in the scanned infrastructure-as-code files.

    3225518405.png
  5. Click a vulnerability to open the Code Viewer.

    For example:

    3227811986.png

Filtering Scan Results

Scan results can be filtered by the columns that are presented in the scan Results view.

Filtering SAST Scan Results

For SAST results, the filtering options are organized in two groups, a Primary group and a Secondary group:

  1. Primary Group - Language (default), Severity, Status, Source File, Sink File, Source Node, Sink Node.

    3227353237.png
  2. Secondary Group - Vulnerability (default), Severity, Status, Source Node, Sink Node, Source File, Sink File.

    3227648186.png

Filtering SCA Scan Results

For SCA scan results, filtering works as follows:

  • Filters match on the content of the columns.

  • Multiple filters are combined with AND: a result is shown only if it matches every active filter.

  • There is no limit on the number of filters.
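The AND rule means every filter you add can only narrow the list. The script below is an added example, not Checkmarx code, that models column filters with those semantics over a constructed table of SCA results; the rows, column names, operators and the filter sets in demo() are assumptions, and the package names and vulnerability IDs are placeholders rather than real advisories.

```python
"""Column filters with AND semantics over a table of SCA results.

Added example, not Checkmarx code. The rows, column names, operators and
the demo() filter sets are assumptions used to illustrate how stacking
filters narrows the result list.
"""

# Constructed sample rows; package names and IDs are placeholders, not real advisories.
SCA_ROWS = [
    {"package": "example-http", "version": "1.2.0", "id": "EXAMPLE-0001",
     "severity": "High", "cvss": 8.1, "direct": True},
    {"package": "example-yaml", "version": "3.0.1", "id": "EXAMPLE-0002",
     "severity": "High", "cvss": 9.8, "direct": False},
    {"package": "example-yaml", "version": "3.0.1", "id": "EXAMPLE-0003",
     "severity": "Medium", "cvss": 5.3, "direct": False},
    {"package": "example-log", "version": "2.4.0", "id": "EXAMPLE-0004",
     "severity": "Low", "cvss": 3.1, "direct": True},
]

# Supported operators (assumed): exact match, case-insensitive substring, numeric threshold.
OPERATORS = {
    "eq": lambda cell, value: cell == value,
    "contains": lambda cell, value: str(value).lower() in str(cell).lower(),
    "gte": lambda cell, value: cell >= value,
}


def apply_filters(rows: list, filters: list) -> list:
    """Keep a row only if every (column, operator, value) filter matches: AND across filters.

    Any number of filters may be stacked; an empty filter list returns every row.
    """
    def matches(row):
        return all(OPERATORS[op](row[column], value) for column, op, value in filters)
    return [row for row in rows if matches(row)]


def ids(rows: list) -> list:
    """Just the vulnerability IDs, for compact output."""
    return [row["id"] for row in rows]


def demo() -> dict:
    """Each step adds one more filter, so each result is a subset of the previous one."""
    high = [("severity", "eq", "High")]
    high_yaml = high + [("package", "contains", "yaml")]
    high_yaml_critical = high_yaml + [("cvss", "gte", 9.0)]
    return {
        "all": ids(apply_filters(SCA_ROWS, [])),
        "high": ids(apply_filters(SCA_ROWS, high)),
        "high_yaml": ids(apply_filters(SCA_ROWS, high_yaml)),
        "high_yaml_critical": ids(apply_filters(SCA_ROWS, high_yaml_critical)),
        "direct_high": ids(apply_filters(SCA_ROWS, high + [("direct", "eq", True)])),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A useful triage order on real results is to filter first on direct dependencies (the ones you can upgrade yourself) and then on severity, which on the sample leaves a single row.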

Filtering KICS Scan Results

For KICS scan results, the filtering options are organized in two groups, a Primary group and a Secondary group:

  1. Primary Group - Platform (default), Query Name, Status, State, Issue Type, File.

    3227549864.png
  2. Secondary Group - Severity (default), Query Name, Status, State, Issue Type, File.

    3225780587.png

Project Scanners

The Scanners tab provides additional information about the scanners that were used for a specific scan. The information in the widgets reflects the last scan that was performed.

This view presents a statistical overview of the scanners. Each scanner is clickable and opens a statistical display for that scanner.

SAST

SAST scanner view contains the following widgets:

  • Recurring Results - Presents the number of recurrent vulnerabilities.

    3227418857.png
  • New Results - Presents the number of vulnerabilities found for the first time in this scan.

    3227746508.png
  • Total Vulnerabilities - Presents the total number of vulnerabilities per severity (High, Medium, Low).

    3227746516.png
  • Results by State - Presents the number of vulnerabilities per state (Confirmed, To verify, Not exploitable, etc.).

    3227418843.png
  • Results by Language - Presents the number of vulnerabilities per language (Java, C#, etc.).

    3225846111.png
  • Results by Vulnerability - Presents the number of vulnerabilities per category (Stored XSS, XPath Injection, etc.).

    3227746526.png

SCA

SCA scanner view contains the following widgets:

  • Scanned Packages - Presents the number of scanned packages.

    3227746538.png
  • Outdated Packages - Presents the number of outdated packages.

    3227615474.png
  • Total Vulnerabilities - Presents the total number of vulnerabilities per severity (High, Medium, Low).

    3227779247.png
  • Results by Legal Risk - Presents the total number of results by legal risk per severity (High, Medium, Low, Unknown).

    3225747905.png
  • Results by License Type

    3227975908.png
  • Top Vulnerable Packages - The top 10 vulnerable packages sorted by total vulnerabilities

    3227517168.png

KICS

KICS scanner view contains the following widgets:

  • Scanned Files - Presents the number of scanned files.

    3227517178.png
  • New Vulnerabilities - Presents the number of new vulnerabilities.

    3227779259.png
  • Total Vulnerabilities - Presents the total number of vulnerabilities per severity (High, Medium, Low).

    3227812083.png
  • Results by State - Presents the number of results per state (Confirmed, To verify, Not exploitable, etc.).

    3227418843.png
  • Results by Platform - Presents the number of results per platform (Ansible, Terraform, etc.).

    3228041481.png
  • Results by Category - Presents the number of results per category.

    3227713742.png

Project Compliance

The Project Compliance tab provides detailed information about the following:

  • Which scan was evaluated against the compliance standards.

  • Details of each compliance standard.

Checkmarx One Compliance view contains the following widgets:

  • Compliance List - Presents a list of all compliance standards.

    3232367355.png
  • Total Vulnerabilities - Presents the number of vulnerabilities found for the selected compliance standard, with their distribution by severity (High, Medium, Low).

    3231941480.png
  • Aging Summary - Presents the number of vulnerabilities found for the selected compliance standard, by severity (High, Medium, Low), grouped by first discovery date within the selected time range.

    3232072528.png
  • Vulnerabilities Categories - Presents detailed information about each vulnerability found for the selected compliance standard.

    3232072486.png