Skip to main content
  • Checkmarx Documentation
  • Checkmarx One
  • Checkmarx One Quick Start Guide

Checkmarx One Quick Start Guide

This Quick Start guide describes how to get started using Checkmarx One basic functionalities and features.

Administrator Initial Log in

Getting Started

  1. Open the Welcome email from Checkmarx, which contains the following:

    • Username

    • Account Name

    • Link for the Checkmarx One Application server.

  2. Click the link to get started

    3214114912.png

  3. Upon clicking the link the following screen will be presented.

    Click the Click here to proceed option

    Click_to_Proceed.png

Setting up 2 Factor Authentication

  1. Follow the instructions to set up Mobile Authentication in order to activate the account.

    It is suggested to use the Google Authenticator mobile application.

    2FA.png

  2. Perform the following:

    • Type the 6-digit code

    • Click Submit

Notice

  • After configuring MFA, the system stores your MFA device information.

  • In case MFA is configured from a different device, the Device Name field will appear and it is mandatory.

Updating the Initial Password

Note

Password limitations

The password must contain the following:

  • Minimum 10 characters length.

  • At least 1 upper case character.

  • At least 1 lower case character.

  • At least 1 digit.

  • At least 1 special character.

Perform the following:

  1. Set up a new password,

  2. Confirm the password.

  3. Click Save and continue

    Change_Pass.png

Sign in to Checkmarx One

  1. In the Sign in window perform the following:

    • Type the Username

    • Type the Password

    • Click Sign in

    Sign_in.png

  2. Perform the following

    • Type the 6-digit code again (The same code as in the Setting up 2 Factor Authentication section)

    • Click Sign in

    OTP2.png

Note

Remember device

  • It is optional to check the Remember device checkbox. Once checked, the browser data will be saved, so the user will not be asked again to type the 6-digit code for this browser (For the next log in attempt).

  • In case a different browser will be used, this 6-digit code window will appear again, including the Remember device checkbox.

  • It is possible to remember up to 2 different devices (Browsers).

Checkmarx One application home page opens

Open_Checkmarx_One.png

Scanning Projects

The primary functional entities in Checkmarx One are Projects. This is the level on which scans are run and results are viewed.

  • Projects – Each Project represents a source repository, such as a component, microservice, etc. (although the actual code is submitted separately each time that you run a scan). The Project configuration specifies the set of queries that is run when the Project is scanned. Checkmarx One aggregates statistics for all of the scans run on a Project.

  • Applications – Each Application represents a different product line. Several related Projects can be grouped under one Application. Statistics are aggregated for all Projects that are included in the Application.

Notice

It is not required to assign a project to an application. For this Quick Start Guide, we will simply create a project and run the scan.

Figure 1. 
Creating_a_Project_and_Running_the_Scan.gif

GIF - How to create a Project and run the scan



Creating a Project

  1. In the Applications and Projects home page, click on the Image_937.png button and then select New Project - Manual Scan.

    Image_941.png

    The New Project window opens.

    Image_945.png

  2. In the New Project window, configure the following:

    • Project Name - Should indicate the source code to be scanned and tracked.

    • Project Tags (Optional) - Assign tags to a project. Tags are very useful for projects filtering purposes.

      Tagging has no dependencies in any other component, and it is possible to configure any required value.

    • Groups (Optional) - Assign groups to a project. Once a group is assigned to a project, all the group members will be able to perform actions in the project (Scan source codes, view results, etc.)

    • By Rule (Optional) - Rules that are configured in the Scanner Default Settings are presented in the Project configuration wizard. This option allows the user to perform the following:

      • See which rules were configured for the Tenant level.

      • Update/Add rules and apply them to the Project level.

  3. Click Create Project. The new project is successfully added to the Applications and Projects list.

    Image_942.png

Running a Scan

  1. On the Application and Projects home page select the Projects tab (default).

  2. In the row of the project that you created, click Scans.png Scan.

    Image_942b.png

    The New Scan window opens. By default, under Project Name, the project of the row in which you clicked Scans.png Scan is selected.

    Image_947.png

    Notice

    If you would like to scan a different project, it is possible to select a different project from the drop-down menu.

  3. In the Source to Scan section, there are 2 scan options:

    1. Scan from a zipped file:

      • With the File option selected (default), click the Select File link.

      • Select the requested zip archive file.

      Select_zip_Scan.png
      File_Uploaded.png

    2. Scan a Repository URL:

      • Click the Repository button.

      • Enter the Repository URL.

      • Click Fetch Branches button.

      Select_Repo_Scan.png

    3. Type your Personal Access Token and click Login

      For example:

      3214737594.png

    4. In case that the Token is incorrect, an error will be presented while trying to connect.

      For example:

      3214115088.png

  4. Under Scan Tags, add a tag to the new scan (optional)..

    Tags can be added in two different formats:

    Label: <string>

    key:value: <key string:value string>

    Scan_Zip_14.png

  5. Click Next. The New Scan dialog appears and you are asked to select the scanners.

  6. Select one or more scanners.

    Image_982.png

  7. Click Scan. The New Scan dialog closes and the scan starts.

  8. You can monitor the scan's status in the Projects tab.

    Image_948.png

Analyzing Scan Results

After a scan is finished it is possible to view and analyze the scan results.

The Project Risk Level is presented via Checkmarx One home page.

Project_Risk_Level.png

Project Preview

  1. Click the Project line in the Checkmarx One home page.

  2. A Project preview panel is opened on the right screen side. This view represents the latest scan that was performed including the scanners that were used for the last scan.

    Project_Preview_Panel.png

Project Overview

  1. Click Go to Projectbutton.

    2697105111.png

  2. Project Overview screen opens.

    3223486708.png

  3. In the Overview screen it is possible to see the following aggregated information (Widgets) for all the scanners results:

    • Risk Level - Presents the Project risk level (High, Medium, Low).

      3219259593.png

    • Total Vulnerabilities - Presents the amount of total vulnerabilities, distribution by severities (High, Medium, Low).

      3218866620.png

    • Vulnerabilities per Scan Type - Presents vulnerabilities distribution by scan types - SAST, KICS, SCA.

      3219914850.png

    • Last Scan time - Presents the amount of days passed from the last scan date to the current date.

      3219816554.png

    • Severity Over Time - Presents the latest vulnerabilities value distributed by severity (High, Medium, Low).

      This value is calculated per day within the selected time range.

      3219849322.png

    • Aging Summary - Presents the amount of vulnerabilities distributed by severities (High, Medium, Low) for the first discovery date in a specific time range.

      3218965022.png

    • Compliance Vulnerabilities overview - Presents all the compliance standards that exist in the Checkmarx One Database.

      3219063053.png

Scan History

  1. Click Scan History tab

    3223617756.png

  2. Scan History tab presents a list of all the scans that were performed within a Project.

  3. Clicking the scan line opens a scan preview panel on the right screen side. This view presents the scan information including the scanners that were used for that specific scan.

    3223748873.png

  4. To view the results for a specific scanner, click the Results button for the relevant scan type.

    For example:

    3221455252.png
    3218997508.png

Analyzing SAST Results

Open SAST Result Viewer

There are 2 option to open SAST results view:

  1. Quickly open SAST Results viewer for each scan and drill-down the results. This is performed by clicking the “eye” icon on the right side of the scan line.

    For example:

    3221455260.png
    3217130541.png

  2. Another option to open SAST Results view is:

    1. Click the scan line in the Scan History tab.

    2. A scan preview panel will open on the right screen side.

      3223322866.png

    3. Click the Results button for the SAST scan type.

      3223617768.png

Analyze SAST Results

  1. In the SAST results screen it is possible to perform the following:

    1. Drill-down the SAST scan results.

    2. See all the vulnerability languages.

    3. Understand exactly which vulnerability exists in each code line for every language.

  2. Expand the language section to understand which vulnerabilities exist in the scanned source file.

    3223584888.png

  3. Click a vulnerability to open the Attack Vector view.

    For example:

    3223814359.png

  4. It is possible to switch the Attack Vector view by clicking the Change View button.

    3223715991.png

Analyzing SCA Results

Open SCA Result Viewer

To view the results for SCA scan type, Perform the following:

  1. Scan a source file using SCA scanner.

  2. Click the Project line in the Checkmarx One home page (To see the last scan) or go to Scan History tab and click the requested scan.

  3. Click the Results button for the SCA scan type.

    For example:

    3223650487.png

Analyze SCA Results

The default SCA results view is the Risks view. This view presents a list of all vulnerabilities and other risks discovered in the SCA scan. The vulnerabilities are listed by CVE (Common Vulnerabilities and Exposures) and the information is presented for the packages to which they apply.

Image_1006.png

  1. Click on the row of a specific vulnerability to drill-down and see detailed information about that vulnerability.

  2. A new tab opens, presenting additional information about the vulnerability.

    This screen includes a description of the vulnerability, links to external resources, the CVSS (Common Vulnerability Scoring System) score, with a breakdown of its components, and remediation recommendations.

    There is also a control for changing the state of this risk. This will also affect subsequent scans of this Project.

    Image_1007.png

Notice

For more information about viewing SCA results, see Viewing SCA Results.

Analyzing IaC Security Results

Open IaC Security Result Viewer

To view the results for IaC Security scan type, perform the following:

  1. Scan a source file using IaC Security scanner.

  2. Click the Project line in the Checkmarx One home page (To see the last scan) or go to Scan History tab and click the requested scan.

  3. Click the Results button for the IaC Security scan type.

    For example:

    Image_1008.png

  4. Expand the Platform section to understand which vulnerabilities exist in the scanned source file.

    3225518405.png

  5. Click a vulnerability to open the Code Viewer view.

    For example:

    3227811986.png

Filtering Scan Results

Scan results can be filtered by the columns that are presented in the scan Results view.

Filtering SAST Scan Results

For SAST results, the filtering options are according to 2 main groups - Primary group and Secondary group.

  1. Primary Group - Language (Default), Severity, Status, Source File, Sink File, Source Node, Sink Node.

    3227353237.png

  2. Secondary Group - Vulnerability (Default), Severity, Status, Source Node, Sink Node, Source File, Sink File.

    3227648186.png

Filtering SCA Scan Results

For SCA scan results, the filtering options are according to the following:

  • Filtering is performed by the columns content.

  • There is an AND condition between the filters.

  • There is no limitation for the number of possible filters.

Filtering IaC Security Scan Results

For IaC Security scan results, the filtering options are according to 2 main groups - Primary group and Secondary group.

  1. Primary Group - Platform (Default), Query Name, Status, State, Issue Type, File.

    3227549864.png

  2. Secondary Group - Severity (Default), Query Name, Status, State, Issue Type, File.

    3225780587.png

Project Scanners

Scanners tab provides additional information about the scanners that have been used for a specific scan. The information presented in the widgets reflects the last scan that was performed.

This view presents the statistical overview of the scanners. The scanners are clickable and permits a statistical display for that specific scanner.

SAST

SAST scanner view contains the following widgets:

  • Recurring Results - Presents the number of recurrent vulnerabilities.

    3227418857.png

  • New Results - Presents the number of new vulnerabilities.

    3227746508.png

  • Total Vulnerabilities - Presents the total number of vulnerabilities per severity (High, Medium, Low).

    3227746516.png

  • Results by State - Presents the number of vulnerabilities per state (Confirmed, To verify, Not exploitable, etc.).

    3227418843.png

  • Results by Language - Presents the number of vulnerabilities per language (Java, C#, etc.).

    3225846111.png

  • Results by Vulnerability - Presents the number of vulnerabilities per category (Stored XSS, XPath Injection, etc.).

    3227746526.png

SCA

SCA scanner view contains the following widgets:

  • Scanned Packages - Presents the number of scanned packages.

    3227746538.png

  • Outdated Packages - Presents the number of outdated packages.

    3227615474.png

  • Total Vulnerabilities - Presents the total number of vulnerabilities per severity (High, Medium, Low).

    3227779247.png

  • Results by Legal Risk - Presents the total number of results by legal risk per severity (High, Medium, Low, Unknown).

    3225747905.png

  • Results by License Type

    3227975908.png

  • Top Vulnerable Packages - The top 10 vulnerable packages sorted by total vulnerabilities

    3227517168.png

IaC Security

IaC Security scanner view contains the following widgets:

  • Scanned Files - Presents the number of scanned files.

    3227517178.png

  • New Vulnerabilities - Presents the number of new vulnerabilities.

    3227779259.png

  • Total Vulnerabilities - Presents the total number of vulnerabilities per severity (High, Medium, Low).

    3227812083.png

  • Results by State

    3227418843.png

  • Results by Platform - Presents the number of results per platform (Ansible, Terraform, etc.).

    3228041481.png

  • Results by Category

    3227713742.png

Project Compliance

Project Compliance tab provides the Checkmarx One users with a detailed information about the following:

  • Which scan has been verified for the compliance standards.

  • A detailed information about each compliance standard.

Checkmarx One Compliance view contains the following widgets:

  • Compliance List - Presents a list of all compliance standards.

    3232367355.png

  • Total Vulnerabilities - Presents the amount of vulnerabilities that have been found for the compliance with its standard, in addition to its distribution by severity (High, Medium, Low).

    3231941480.png

  • Ageing Summary - Presents the amount of vulnerabilities that have been found for the compliance with its standard, in addition to its distribution by severity (High, Medium, Low) for the first discovery date in a specific time range.

    3232072528.png

  • Vulnerabilities Categories - Presents a detailed information about each vulnerability that has been found for the compliance with its standard.

    3232072486.png
In this section: