
Code Repository Integrations

Checkmarx One supports integration with most of the popular code repository platforms. You can import a project from your code repository directly to Checkmarx One, enabling automated scanning of your source code whenever the project is updated. Checkmarx One listens for commit events and uses a webhook to trigger Checkmarx scans when a push or a pull request occurs. Once a scan is completed, the results can be viewed in Checkmarx One.

Code Repository Permissions

Only users with the required permissions in the code repository are able to set up integrations with Checkmarx One (create a “Code Repository Integration”). 

Notice

Checkmarx requires the permissions described below solely for the purpose of using the code repository APIs to create a webhook that triggers scans when relevant activity occurs in the repo (Push or Pull request). Checkmarx does not initiate any changes to the repo itself.

The following table explains the permissions needed to set up an integration with each of the supported code repositories.

| Code Repository | Code Repository Level | Code Repository Role | Allowed in Checkmarx One |
| --- | --- | --- | --- |
| GitHub | Organization | Owner | • Set up an integration with any repository in the organization. • Create a Webhook for the organization. • See the code repository coverage widget statistics. |
| GitHub | Repository | Admin | • Set up an integration with repositories that are assigned to the user. • Create a Webhook for the repository. |
| GitLab | Group | Maintainer/Owner | • Set up an integration with any project in the group. • See the code repository coverage widget statistics. |
| GitLab | Project | Maintainer/Owner | • Set up an integration with projects that are assigned to the user. • Create a Webhook for the repository. |
| Bitbucket | Workspace | Administrator/Developer who is configured as an Admin on the workspace level | Set up an integration with any project in the workspace |
| Bitbucket | Project | Owner/Admin | • Set up an integration with repositories that are assigned to the user. • Create a Webhook for the repository. |
| Bitbucket | Project | Member/Contributor | Set up an integration with the repository that is assigned to the user |
| Azure DevOps | Group | Owner/Users that are assigned directly or indirectly to the Project Collection Administrator organizational group. Note: By default, the group Project Collection Service Accounts is a member of the Project Collection Administrator group, so that its members inherit the permissions needed to set up integrations from the parent group. | • Set up an integration with any project in the organization. • See the code repository coverage widget statistics. |
| Azure DevOps | Project | Member of a project group for which Project Administrator permissions exist. | • Set up an integration with the project that is assigned to the user. • Create a Webhook for the repository. |

Code Repository Integration without Admin Permissions

Checkmarx One also supports integration with most of the popular code repository platforms for users without Admin permissions for the relevant organization/repository. 

You can import a project from your code repository directly to Checkmarx One, scan the code manually, and once a scan is completed the results can be viewed in Checkmarx One.

However, the feature comes with some limitations.

It is not possible to perform the following via Checkmarx One:

  • Create a Webhook for the organization level (organization level Webhooks are supported only for GitHub).

  • Create a Webhook for the repository level.

  • See the code repository coverage widget statistics.

  • Trigger automatic scans in Checkmarx One from push and pull request events in the code repository.

The following table explains the permissions needed to set up an integration with each of the supported code repositories for users without Admin permissions.

| Code Repository | Code Repository Level | Code Repository Role | Allowed in Checkmarx One |
| --- | --- | --- | --- |
| GitHub | Organization | Member | Set up an integration with permitted repositories in the organization |
| GitHub | Repository | Member | Set up an integration with the repository that is assigned to the user |
| GitLab | Group | Developer/Reporter/Guest | Set up an integration with permitted projects in the group |
| GitLab | Project | Developer/Reporter | Set up an integration with the repository that is assigned to the user |
| Bitbucket | Workspace | Users who are not configured as workspace Admins | Set up an integration with permitted projects in the group |
| Bitbucket | Project | Designated as Admin for a specific repo | • Set up an integration with the repository that is assigned to the user. • Create a Webhook for the repository. |
| Azure DevOps | Group | Users who are not assigned to the Group Project Collection Administrator organization | Set up an integration with permitted projects in the group |
| Azure DevOps | Project | Member of a project group for which the following permissions exist: • Build Administrator • Contributors • Project Valid Users • Readers | Set up an integration with the repository that is assigned to the user |