Checkmarx One Quick Start Guide
This Quick Start guide describes how to get started using Checkmarx One basic functionalities and features.
Administrator Initial Login
Getting Started
Open the Welcome email from Checkmarx, which contains the following:
Username
Account Name
Link for the Checkmarx One Application server.
Click the link to get started.
Upon clicking the link, the following screen is presented.
Click the Click here to proceed option.
Setting up 2 Factor Authentication
Follow the instructions to set up Mobile Authentication in order to activate the account.
The Google Authenticator mobile application is suggested.
Perform the following:
Type the 6-digit code
Click Submit
Notice
After configuring MFA, the system stores your MFA device information.
If MFA is configured from a different device, the Device Name field appears and is mandatory.
Updating the Initial Password
Note
Password limitations
The password must contain the following:
Minimum length of 14 characters.
At least 1 upper case character.
At least 1 lower case character.
At least 1 digit.
At least 1 special character.
Perform the following:
Set a new password.
Confirm the password.
Click Save and continue.
Sign in to Checkmarx One
In the Sign in window perform the following:
Type the Username
Type the Password
Click Sign in
Perform the following:
Type the 6-digit code again (the same code as in the Setting up 2 Factor Authentication section).
Click Sign in
Note
Remember device
Checking the Remember device checkbox is optional. Once checked, the browser data is saved, so the user is not asked to type the 6-digit code again for this browser on the next login attempt.
If a different browser is used, the 6-digit code window appears again, including the Remember device checkbox.
Up to 2 different devices (browsers) can be remembered.
The Checkmarx One application home page opens.
Scanning Projects
The primary functional entities in Checkmarx One are Projects. This is the level on which scans are run and results are viewed.
Projects – Each Project represents a source repository, such as a component, microservice, etc. (although the actual code is submitted separately each time that you run a scan). The Project configuration specifies the set of queries that is run when the Project is scanned. Checkmarx One aggregates statistics for all of the scans run on a Project.
Applications – Each Application represents a different product line. Several related Projects can be grouped under one Application. Statistics are aggregated for all Projects that are included in the Application.
Notice
It is not required to assign a project to an application. For this Quick Start Guide, we will simply create a project and run the scan.

GIF - How to create a Project and run the scan
Creating a Project
In the Applications and Projects home page, click on the button and then select New Project - Manual Scan.
The New Project window opens.
In the New Project window, configure the following:
Project Name - Should indicate the source code to be scanned and tracked.
Project Tags (Optional) - Assign tags to a project. Tags are useful for filtering projects.
Tagging has no dependency on any other component, and any required value can be configured.
Groups (Optional) - Assign groups to a project. Once a group is assigned to a project, all group members can perform actions in the project (scan source code, view results, etc.).
By Rule (Optional) - Rules that are configured in the Scanner Default Settings are presented in the Project configuration wizard. This option allows the user to perform the following:
See which rules were configured for the Tenant level.
Update/Add rules and apply them to the Project level.
Click Create Project. The new project is successfully added to the Applications and Projects list.
Running a Scan
On the Application and Projects home page select the Projects tab (default).
In the row of the project that you created, click Scan.
The New Scan window opens. By default, under Project Name, the project of the row in which you clicked Scan is selected.
Notice
If you would like to scan a different project, it is possible to select a different project from the drop-down menu.
In the Source to Scan section, there are two scan options:
Scan from a zipped file:
With the File option selected (default), click the Select File link.
Select the requested zip archive file.
Scan a Repository URL:
Click the Repository button.
Enter the Repository URL.
Click Fetch Branches button.
Type your Personal Access Token and click Login.
If the Token is incorrect, an error is presented while trying to connect.
Under Scan Tags, add a tag to the new scan (optional).
Tags can be added in two different formats:
Label: <string>
key:value: <key string:value string>
Click Next. The New Scan dialog appears and you are asked to select the scanners.
Select one or more scanners.
Click Scan. The New Scan dialog closes and the scan starts.
You can monitor the scan's status in the Projects tab.
Analyzing Scan Results
After a scan is finished, it is possible to view and analyze the scan results.
The Project Risk Level is presented on the Checkmarx One home page.
Project Preview
Click the Project line in the Checkmarx One home page.
A Project preview panel opens on the right side of the screen. This view represents the latest scan that was performed, including the scanners that were used for that scan.
Project Overview
Click the Go to Project button.
The Project Overview screen opens.
In the Overview screen it is possible to see the following aggregated information (widgets) for all the scanner results:
Risk Level - Presents the Project risk level (High, Medium, Low).
Total Vulnerabilities - Presents the total number of vulnerabilities and their distribution by severity (High, Medium, Low).
Vulnerabilities per Scan Type - Presents the vulnerability distribution by scan type - SAST, KICS, SCA.
Last Scan time - Presents the number of days that have passed since the last scan date.
Severity Over Time - Presents the latest vulnerability count distributed by severity (High, Medium, Low). This value is calculated per day within the selected time range.
Aging Summary - Presents the number of vulnerabilities distributed by severity (High, Medium, Low) according to their first discovery date within a specific time range.
Compliance Vulnerabilities overview - Presents all the compliance standards that exist in the Checkmarx One Database.
Scan History
Click the Scan History tab.
The Scan History tab presents a list of all the scans that were performed within a Project.
Clicking a scan line opens a scan preview panel on the right side of the screen. This view presents the scan information, including the scanners that were used for that specific scan.
To view the results for a specific scanner, click the Results button for the relevant scan type.
Analyzing SAST Results
Open SAST Result Viewer
There are two options to open the SAST Results view:
Quickly open the SAST Results viewer for a scan and drill down into the results by clicking the "eye" icon on the right side of the scan line.
Alternatively, open the SAST Results view as follows:
Click the scan line in the Scan History tab.
A scan preview panel opens on the right side of the screen.
Click the Results button for the SAST scan type.
Analyze SAST Results
In the SAST results screen it is possible to perform the following:
Drill down into the SAST scan results.
See all the languages in which vulnerabilities were found.
Understand exactly which vulnerability exists in each code line for every language.
Expand the language section to understand which vulnerabilities exist in the scanned source file.
Click a vulnerability to open the Attack Vector view.
It is possible to switch the Attack Vector view by clicking the Change View button.
Analyzing SCA Results
Open SCA Result Viewer
To view the results for the SCA scan type, perform the following:
Scan a source file using the SCA scanner.
Click the Project line in the Checkmarx One home page (to see the last scan), or go to the Scan History tab and click the requested scan.
Click the Results button for the SCA scan type.
Analyze SCA Results
The default SCA results view is the Risks view. This view presents a list of all vulnerabilities and other risks discovered in the SCA scan. The vulnerabilities are listed by CVE (Common Vulnerabilities and Exposures) and the information is presented for the packages to which they apply.

Click the row of a specific vulnerability to drill down and see detailed information about it.
A new tab opens, presenting additional information about the vulnerability.
This screen includes a description of the vulnerability, links to external resources, the CVSS (Common Vulnerability Scoring System) score, with a breakdown of its components, and remediation recommendations.
There is also a control for changing the state of this risk. This will also affect subsequent scans of this Project.
Notice
For more information about viewing SCA results, see SCA Results.
Analyzing IaC Security Results
The IaC Security Result Viewer provides visibility into risks and vulnerabilities found in IaC projects. Common risks include misconfigurations, accidental resource deletions, version compatibility issues, and vulnerabilities within third-party providers.
For customers who have an IaC license, the IaC Security Result Viewer also offers a general view of potential security gaps related to their API endpoints. While the level of detail is more generalized in this case, it still provides valuable information to improve the overall security posture.
For customers who hold both an IaC license and an API Security license, API-related risks are shown in the API Security Result Viewer, which takes the security assessment to the next level by providing in-depth details for each identified risk, including its association with specific endpoints.
Open IaC Security Result Viewer
To view the results for the IaC Security scan type, perform the following:
Scan a source file using the IaC Security scanner.
Click the Project line in the Checkmarx One home page (to see the last scan), or go to the Scan History tab and click the requested scan.
Click the Results button for the IaC Security scan type.
Expand the Platform section to understand which vulnerabilities exist in the scanned source file.
Click a vulnerability to open the Code Viewer.
Filtering Scan Results
Scan results can be filtered by the columns that are presented in the scan Results view.
Filtering SAST Scan Results
For SAST results, the filtering options are divided into two main groups - a Primary group and a Secondary group.
Primary Group - Language (Default), Severity, Status, Source File, Sink File, Source Node, Sink Node.
Secondary Group - Vulnerability (Default), Severity, Status, Source Node, Sink Node, Source File, Sink File.
Filtering SCA Scan Results
For SCA scan results, filtering works as follows:
Filtering is performed on the column content.
Filters are combined with an AND condition.
There is no limit on the number of filters that can be applied.
Filtering IaC Security Scan Results
For IaC Security scan results, the filtering options are divided into two main groups - a Primary group and a Secondary group.
Primary Group - Platform (Default), Query Name, Status, State, Issue Type, File.
Secondary Group - Severity (Default), Query Name, Status, State, Issue Type, File.
Project Scanners
The Scanners tab provides additional information about the scanners that have been used for a specific scan. The information presented in the widgets reflects the last scan that was performed.
This view presents a statistical overview of the scanners. Each scanner is clickable and displays statistics for that specific scanner.
SAST
SAST scanner view contains the following widgets:
Recurring Results - Presents the number of recurrent vulnerabilities.
New Results - Presents the number of new vulnerabilities.
Total Vulnerabilities - Presents the total number of vulnerabilities per severity (High, Medium, Low).
Results by State - Presents the number of vulnerabilities per state (Confirmed, To verify, Not exploitable, etc.).
Results by Language - Presents the number of vulnerabilities per language (Java, C#, etc.).
Results by Vulnerability - Presents the number of vulnerabilities per category (Stored XSS, XPath Injection, etc.).
SCA
SCA scanner view contains the following widgets:
Scanned Packages - Presents the number of scanned packages.
Outdated Packages - Presents the number of outdated packages.
Total Vulnerabilities - Presents the total number of vulnerabilities per severity (High, Medium, Low).
Results by Legal Risk - Presents the total number of results by legal risk per severity (High, Medium, Low, Unknown).
Results by License Type
Top Vulnerable Packages - Presents the top 10 vulnerable packages, sorted by total vulnerabilities.
IaC Security
IaC Security scanner view contains the following widgets:
Scanned Files - Presents the number of scanned files.
New Vulnerabilities - Presents the number of new vulnerabilities.
Total Vulnerabilities - Presents the total number of vulnerabilities per severity (High, Medium, Low).
Results by State
Results by Platform - Presents the number of results per platform (Ansible, Terraform, etc.).
Results by Category
Project Compliance
The Project Compliance tab provides Checkmarx One users with detailed information about the following:
Which scans have been verified against the compliance standards.
Detailed information about each compliance standard.
Checkmarx One Compliance view contains the following widgets:
Compliance List - Presents a list of all compliance standards.
Total Vulnerabilities - Presents the number of vulnerabilities found for the selected compliance standard, along with their distribution by severity (High, Medium, Low).
Ageing Summary - Presents the number of vulnerabilities found for the selected compliance standard, along with their distribution by severity (High, Medium, Low), according to their first discovery date within a specific time range.
Vulnerabilities Categories - Presents detailed information about each vulnerability found for the selected compliance standard.