
Checkmarx One SCM Integrations

Checkmarx One supports integration with most of the popular SCM platforms. You can import a project from your SCM directly to Checkmarx One, enabling automated scanning of your source code whenever the project is updated. Checkmarx One listens for commit events and uses a webhook to trigger Checkmarx scans when a push or a pull request occurs. Once a scan is completed, the results can be viewed in Checkmarx One.

An alternative method for integrating GitHub with Checkmarx One is to create a GitHub Action that runs Checkmarx One scans. That method is more complex to implement, but it enables full customization of the process. You can see a quick tutorial for GitHub Action integration here.

SCM Integration Permissions

Only users with the required permissions in the SCM are able to set up integrations with Checkmarx One (i.e., create an “Import Project”). The following sections explain the permissions needed to set up an integration with each of the supported SCMs.

Notice

Checkmarx requires the permissions described below solely for the purpose of using the SCM's APIs to create a webhook that triggers scans when relevant activity (e.g., Push or Pull request) occurs in the repo. Checkmarx does not initiate any changes to the repo itself.

GitHub

  • An Organization Owner can set up an integration with any repository in the Organization.

  • A Repository Admin can set up an integration with that specific Repository.

GitLab

  • A Maintainer or Owner of a Group can set up an integration with any Project in that Group.

  • A Maintainer or Owner of a Project can set up an integration with that specific Project.

Bitbucket

  • All users with Administrator accounts can set up an integration with any repository.

  • Users with Developer accounts who are designated as an Admin on the Workspace level can set up an integration with any repository in the Workspace.

  • Users with Developer accounts who are designated as Admin for a specific repository can set up an integration with that specific repository.

Warning

When a user is newly assigned as an Admin to a Workspace, this does not give them admin rights for repositories that were created before they were assigned to that Workspace.

Azure DevOps

  • The Organization Owner can set up an integration with any Project in the Organization.

  • Users assigned directly or indirectly to the organizational group Project Collection Administrator can set up an integration with any Project in the Organization [1].

  • A user who is a direct or indirect member of a project group for which the permissions Manage project properties and View permissions for this node are allowed (for example, the default group Project Administrators) can set up an integration with that Project.

  • A user for which the permissions Manage project properties and View permissions for this node are allowed can set up an integration with that Project.

For more info about Azure permissions, see Azure DevOps Permissions.

[1] By default, the group Project Collection Service Accounts is a member of the Project Collection Administrator group, so that its members inherit the permissions needed to set up integrations from the parent group.