
Code Repository Integration Usage & Results

Triggering a Scan

To trigger a scan, perform one of the following actions in the integrated code repository:

Push Event

To verify the expected result of a push event flow, perform the following:

  1. Go to the repository in the code repository organization and push a commit.

  2. Refresh the Applications and Projects home page and verify that a scan has been triggered.

    6166249823.png
  3. Wait for the scan to finish.

  4. Open the scan results in Checkmarx One.

  5. Additional information about the scan results is available in the scan results documentation.

Pull Request

When a pull request is opened in the code repository, the following is expected:

  • An indication in Checkmarx One that a scan is in progress.

  • A notification comment in the code repository pull request that a Checkmarx One scan is in progress.

  • A notification comment in the code repository pull request that the Checkmarx One scan is completed.

  • The scan results are presented in the Checkmarx One Scanners view.

  • A Checkmarx vulnerabilities report is added to the pull request comments, listing the New Issues found by the scan.

To verify the above for a pull request flow, perform the following:

  1. Go to the project in the code repository organization and open a pull request.

  2. Go to the Comment section of the pull request and verify that a "Checkmarx One Scan is in progress…" comment exists.

    6164678667.png
  3. A scan status notification is presented as well.

    6166970624.png
  4. Refresh the Applications and Projects home page and verify that a scan has been triggered.

    6165629000.png
  5. Wait for the scan to finish.

  6. Open the scan results in Checkmarx One. Additional information about the scan results is available in the scan results documentation.

  7. Check the Project Total Vulnerabilities widget in Checkmarx One (HIGH, MEDIUM, LOW, INFO).

    For example:

    Vulnerabilities_Distribution_by_Severity.png
  8. Go to the Comment section of the code repository pull request.

  9. Verify that a Checkmarx vulnerabilities report is presented, containing a New Issues summary.

    For example:

    GitHub_New_Issues2.png

Azure DevOps Comment Status

In Azure DevOps, each pull request comment thread also carries a Status field.

By design, Checkmarx sets the comment thread to Active when new vulnerabilities are detected.

Azure DevOps branch policies can require that all active comment threads be resolved before a pull request can be merged. Where such a policy is enabled, an Active Checkmarx comment therefore holds the merge until the thread is resolved.

If no new vulnerabilities are found in the scan, the comment thread is set to Closed.
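The following is an added example, not Checkmarx or Azure DevOps code, showing how a merge check could read the thread status described above. It assumes the response shape of the Azure DevOps Pull Request Threads REST endpoint (a list of threads, each with a status and its comments), a constructed sample of such threads, and that Checkmarx threads can be recognised by the display name of the first comment's author; the author-name match is this example's assumption, not a documented contract.

```python
import json

# Thread status values used by the Azure DevOps Pull Request Threads REST API.
# A comment-resolution branch policy treats any active thread as unresolved.
ACTIVE_STATUSES = {"active", "pending"}

# Constructed sample in the shape of GET .../pullRequests/{id}/threads.
SAMPLE_THREADS_JSON = json.dumps({
    "value": [
        {"id": 101, "status": "active",
         "comments": [{"author": {"displayName": "Checkmarx One"},
                       "content": "Checkmarx One Scan is completed. New Issues: 2"}]},
        {"id": 102, "status": "closed",
         "comments": [{"author": {"displayName": "Checkmarx One"},
                       "content": "Checkmarx One Scan is completed. New Issues: 0"}]},
        {"id": 103, "status": "active",
         "comments": [{"author": {"displayName": "Dana Reviewer"},
                       "content": "Please rename this variable."}]},
    ]
})


def checkmarx_threads(threads_json, author_match="Checkmarx"):
    """Return (thread_id, status, first_comment_text) for every thread whose first
    comment was posted by the Checkmarx integration. Matching on the author's
    display name is an assumption of this example."""
    found = []
    for thread in json.loads(threads_json).get("value", []):
        comments = thread.get("comments") or []
        if not comments:
            continue
        author = comments[0].get("author", {}).get("displayName", "")
        if author_match.lower() in author.lower():
            found.append((thread["id"], thread.get("status", "unknown"),
                          comments[0].get("content", "")))
    return found


def merge_blocked_by_checkmarx(threads_json, require_resolution=True):
    """True when the branch policy requires comment resolution and at least one
    Checkmarx thread is still Active (new vulnerabilities reported, thread not
    resolved). Other reviewers' active threads are ignored on purpose: this
    answers only whether Checkmarx is the one holding the merge."""
    if not require_resolution:
        return False
    return any(status in ACTIVE_STATUSES
               for _tid, status, _text in checkmarx_threads(threads_json))


if __name__ == "__main__":
    for tid, status, text in checkmarx_threads(SAMPLE_THREADS_JSON):
        print(f"thread {tid}: {status}: {text}")
    print("merge blocked by Checkmarx:", merge_blocked_by_checkmarx(SAMPLE_THREADS_JSON))
```

A thread can be resolved by any reviewer without the finding being fixed, so a check like this reports the state of the gate, not the state of the code; the scan results in Checkmarx One remain the source of truth.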

Branch Scanning

Note

  • Every time a developer commits to a branch, new code is added to that branch.

  • Every commit automatically triggers a scan of that branch in Checkmarx One.

  • During the scan, the source branch is compared with the target branch. The result of this comparison is used to enrich the pull request comment section in the code repository.

  • The scan results enrich the pull request comment section with the following information:

    • New Issues - new vulnerabilities that were found in the target branch scan.

    • Fixed Issues - issues that were found in the source branch and are no longer present in the target branch because the developer fixed them.

This lets the developer focus only on the New Issues found in the latest scan, instead of re-triaging issues that existed before the change.
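The comparison described in the note above, as an added example that is not Checkmarx's own comparison logic: two constructed result sets stand in for the two branch scans, findings are keyed by a fingerprint, and the set differences give New Issues and Fixed Issues. The fingerprint used here (scanner, query, location, line) is this example's assumption; keying on the line number is deliberately simple so the caveat is visible.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scanner: str    # "SAST", "SCA" or "IaC"
    query: str      # vulnerability type, advisory or IaC rule
    location: str   # source file or package name
    line: int       # source line; 0 for package-level (SCA) findings
    severity: str   # HIGH, MEDIUM, LOW, INFO


def fingerprint(f):
    """Identity of a finding across two scans. Keying on the line number is this
    example's assumption: it reports one Fixed plus one New whenever unrelated
    edits shift the line, which is why real tools prefer a content-based id."""
    return (f.scanner, f.query, f.location, f.line)


SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}


def compare_scans(baseline, current):
    """Return (new_issues, fixed_issues): findings only in the current scan, and
    findings only in the baseline. Unchanged findings are dropped so the developer
    sees only what the change introduced or removed."""
    base = {fingerprint(f): f for f in baseline}
    cur = {fingerprint(f): f for f in current}

    def sort_key(f):
        return (SEVERITY_ORDER.get(f.severity, 9), f.location, f.line, f.query)

    new = sorted((cur[k] for k in cur.keys() - base.keys()), key=sort_key)
    fixed = sorted((base[k] for k in base.keys() - cur.keys()), key=sort_key)
    return new, fixed


def count_by_severity(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample results for the two branches.
BASELINE_SCAN = [
    Finding("SAST", "SQL_Injection", "src/db.py", 42, "HIGH"),
    Finding("SAST", "Reflected_XSS", "src/views.py", 17, "MEDIUM"),
    Finding("SCA", "lodash@4.17.15 prototype pollution", "lodash", 0, "HIGH"),
]
CURRENT_SCAN = [
    Finding("SAST", "SQL_Injection", "src/db.py", 42, "HIGH"),                  # unchanged
    Finding("SAST", "Path_Traversal", "src/files.py", 88, "HIGH"),              # new
    Finding("SCA", "lodash@4.17.15 prototype pollution", "lodash", 0, "HIGH"),  # unchanged
    Finding("IaC", "S3 bucket versioning disabled", "infra/s3.tf", 7, "LOW"),   # new
]

if __name__ == "__main__":
    new, fixed = compare_scans(BASELINE_SCAN, CURRENT_SCAN)
    print("New Issues:", count_by_severity(new))
    for f in new:
        print(f"  {f.severity:6} {f.scanner} {f.query} {f.location}:{f.line}")
    print("Fixed Issues:", count_by_severity(fixed))
    for f in fixed:
        print(f"  {f.severity:6} {f.scanner} {f.query} {f.location}:{f.line}")
```

Note that the unchanged SQL injection never appears in either list, which is exactly the focus the note describes; the pre-existing issue is still visible in the full results in Checkmarx One.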

When a pull request is opened from a new branch, the following is expected:

  • An indication in Checkmarx One that a scan is in progress.

  • A notification comment in the code repository pull request that a Checkmarx One scan is in progress.

  • A notification comment in the code repository pull request that the Checkmarx One scan is completed.

  • The scan results are presented in the Checkmarx One Scanners view.

  • The source branch is compared with the target branch, and the comparison enriches the pull request comment section with the New Issues and Fixed Issues found on the scanned target branch.

To verify the above for a new-branch pull request flow, perform the following:

  1. Go to the project in the code repository organization and open a pull request from a new branch.

  2. Go to the Comment section of the pull request and verify that a "Checkmarx One Scan is in progress…" comment exists.

    6164678667.png
  3. A scan status notification is presented as well.

    6166970624.png
  4. Refresh the Applications and Projects home page and verify that a scan has been triggered.

    6165629000.png
  5. Wait for the scan to finish.

  6. Open the scan results in Checkmarx One. Additional information about the scan results is available in the scan results documentation.

  7. Check the Project Total Vulnerabilities widget in Checkmarx One (HIGH, MEDIUM, LOW, INFO).

    For example:

    Vulnerabilities_Distribution_by_Severity.png
  8. Go to the Comment section of the code repository pull request.

  9. Verify that a Checkmarx vulnerabilities report is presented, containing a New Issues vs Fixed Issues summary.

    For example:

    GitHub_New_Issues_vs_Fixed2.png

Summary Report Content

The vulnerabilities summary report has four columns. What each column contains depends on the scanner that produced the finding.

SAST Scanner Vulnerabilities

  • Severity - Vulnerabilities are sorted by severity: High, Medium, Low, Info.

  • Issue - Link to the vulnerability type description, which includes:

    • Vulnerability risk - what might happen.

    • Vulnerability cause - how it happens.

    • General recommendations - how to avoid it.

    • Code examples.

    Note

    In some cases a vulnerability type is not included in the Checkmarx database. In such cases an external link to www.cwe.mitre.org is provided with additional information about the vulnerability.

  • Source File / Package - Direct link to the vulnerable source code line in the code repository.

  • Checkmarx Insight - Attack Vector: direct link to the vulnerable source code line in the Checkmarx SAST scan results.

SCA Scanner Vulnerabilities

  • Severity - Vulnerabilities are sorted by severity: High, Medium, Low, Info.

  • Issue - Link to devhub.checkmarx.com with information about the vulnerable package.

  • Source File / Package - Name of the vulnerable package.

  • Checkmarx Insight - Direct link to the vulnerable package in the Checkmarx SCA scan results.

IaC Scanner Vulnerabilities

  • Severity - Vulnerabilities are sorted by severity: High, Medium, Low, Info.

  • Issue - Vulnerability title.

  • Source File / Package - Direct link to the vulnerable source code line in the code repository.

  • Checkmarx Insight - Vulnerability description, limited to 150 characters.
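As an added example serving both the pull request report expectation above and the column description in this section: a parser for a four-column report comment that separates each cell into its link text and URL, counts New Issues per severity, and applies a merge gate. This is not Checkmarx's code, and the Markdown layout of the sample comment (section headings plus a pipe table with the four columns named on this page) is this example's assumption; the example.invalid URLs are placeholders, the devhub.checkmarx.com link mirrors the SCA Issue column.

```python
import re

# Constructed sample of a Checkmarx vulnerabilities report comment. The Markdown
# layout is this example's assumption; the real comment body is not reproduced
# on this page.
SAMPLE_REPORT = """\
Checkmarx One Scan is completed.

## New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|----------|-------|-----------------------|-------------------|
| HIGH | [SQL_Injection](https://example.invalid/cwe/89) | [src/db.py:42](https://example.invalid/repo/blob/main/src/db.py#L42) | [Attack Vector](https://example.invalid/cx/sast/1) |
| MEDIUM | [lodash 4.17.15](https://devhub.checkmarx.com/) | lodash | [Package](https://example.invalid/cx/sca/2) |
| LOW | S3 bucket versioning disabled | [infra/s3.tf:7](https://example.invalid/repo/blob/main/infra/s3.tf#L7) | Versioning is disabled on the bucket. |

## Fixed Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|----------|-------|-----------------------|-------------------|
| MEDIUM | [Reflected_XSS](https://example.invalid/cwe/79) | [src/views.py:17](https://example.invalid/repo/blob/main/src/views.py#L17) | [Attack Vector](https://example.invalid/cx/sast/3) |
"""

MD_LINK = re.compile(r"^\[([^\]]*)\]\(([^)\s]*)\)$")
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}


def split_cell(cell):
    """Return (text, url) for a Markdown link cell, or (text, None) for plain text."""
    cell = cell.strip()
    m = MD_LINK.match(cell)
    return (m.group(1), m.group(2)) if m else (cell, None)


def parse_report(body):
    """Parse the comment into {"New Issues": [row, ...], "Fixed Issues": [...]}.
    Each row is a dict keyed by the table's column names with (text, url) values."""
    sections, section, header = {}, None, None
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith("## "):
            section, header = line[3:].strip(), None
            sections.setdefault(section, [])
        elif line.startswith("|") and section is not None:
            cells = [c.strip() for c in line.strip("|").split("|")]
            if header is None:
                header = cells
            elif all(set(c) <= set("-: ") for c in cells):
                continue  # Markdown alignment row
            elif len(cells) == len(header):
                sections[section].append(dict(zip(header, map(split_cell, cells))))
    return sections


def new_issue_counts(body):
    """Number of New Issues per severity, e.g. {"HIGH": 1, "MEDIUM": 1}."""
    counts = {}
    for row in parse_report(body).get("New Issues", []):
        sev = row["Severity"][0].upper()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate(body, fail_at="HIGH"):
    """True when the pull request may proceed: no New Issue at or above fail_at.
    An unrecognised severity label fails closed rather than slipping through."""
    threshold = SEVERITY_ORDER[fail_at]
    return not any(SEVERITY_ORDER.get(sev, -1) <= threshold
                   for sev in new_issue_counts(body))


if __name__ == "__main__":
    for section, rows in parse_report(SAMPLE_REPORT).items():
        print(section)
        for row in rows:
            print("  ", row["Severity"][0], row["Issue"][0], row["Source File / Package"][0])
    print("New Issues by severity:", new_issue_counts(SAMPLE_REPORT))
    print("gate(HIGH):", gate(SAMPLE_REPORT), " gate(MEDIUM):", gate(SAMPLE_REPORT, "MEDIUM"))
```

Only the New Issues table feeds the gate; Fixed Issues are parsed so they can be reported but never count against the change, which matches the intent of showing the developer what the pull request introduced rather than what the repository already contained.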

PR decorations: Best practices and troubleshooting

The sub-sections below describe best practices for using PR decorations and for troubleshooting them. These tips help you interpret scan results, resolve problems, and produce high-quality code from the start of a project.