
Quick Start Guide - Checkmarx One Azure DevOps Plugin

Overview

The Checkmarx One Azure DevOps plugin enables you to trigger SAST, SCA, and KICS scans directly from an Azure DevOps pipeline. It is a wrapper around the Checkmarx One CLI Tool, which creates a zip archive of your source code repository and uploads it to Checkmarx One for scanning. The plugin integrates easily with Azure while allowing you to customize scans with the full functionality and flexibility of the CLI tool.

Prerequisites

  • The source code for your project is hosted on a Git repo (public or private)

  • You have a Checkmarx One account and have credentials to log in to your account

Getting Started Using the Azure DevOps Plugin

This tutorial will guide you through the initial setup and basic workflow for using the Checkmarx One Azure DevOps plugin. We will use an OAuth2 Client to authenticate with Checkmarx One and we will create a pipeline to scan a project that is hosted on your Azure Git repo.

Step 1 – Create an OAuth2 Client in Checkmarx One

First, you need to create an OAuth2 Client in Checkmarx One to be used for authentication in Azure DevOps. To create an OAuth2 client, see Creating an OAuth2 Client for Checkmarx One Integrations.

Step 2 – Installing and Setting up the Checkmarx One Plugin

The Checkmarx One plugin for Azure DevOps is available free on Azure DevOps Marketplace. Install the plugin and then create a Service connection to access your Checkmarx One environment.

  1. Open your project in the Azure DevOps console.

  2. Click on the Marketplace icon in the header bar and then select Browse marketplace from the dropdown menu.

  3. Search for the Checkmarx One plugin and click on it, then click Get it free.

  4. Follow the prompts to run the installation.

  5. In the Azure console, click on project settings > service connections.

  6. Click New service connection at the top right of the screen.

  7. In the New service connection pane, select the radio button next to Checkmarx One Service Connection and then click Next.

    The service connection setup form is displayed.

  8. Fill in the Server URL with the appropriate URL for your environment.

  9. If the authentication URL is different from the server URL, enter the appropriate authentication URL.

    Notice

    For Checkmarx One cloud platform, this is required.

  10. Enter the OAuth2 Client ID and Secret that you created in Checkmarx One in Step 1.

  11. In the Details section, give the connection a descriptive name (e.g., Checkmarx One Connection); this is recommended. Optionally, add a brief description.

  12. Click Save.

Step 3 - Create an Azure Pipeline

For this tutorial we will create a simple pipeline that gets the source code from your Azure repo and runs a Checkmarx One scan on the source code.

  1. In your Azure DevOps console, in the main navigation, select Pipelines.

  2. On the Pipelines screen, click New pipeline.

    A new pipeline form opens.

  3. Specify the repo where the source code is located. We will specify an Azure repo using the following procedure:

    1. Click on Other Git and then select Azure Repos Git.

    2. Select the desired Team project, Repository and Default branch from the dropdown lists and then click Continue.

  4. In the Select Template section, click on Empty job.

  5. Click on the “+” button for “Agent job 1” and search for the Checkmarx One plugin.

  6. Hover over the Checkmarx One plugin and click Add.

    The Checkmarx One task configuration form is shown in the right-side panel.

  7. Under Checkmarx One Service Connection, select from the dropdown list the connection that you configured for Checkmarx One in Step 2 above.

  8. By default, the Project Name is designated as $(Build.Repository.Name). You can enter an alternative name if you prefer.

  9. By default, the Branch Name is designated as $(Build.SourceBranchName). You can enter an alternative name if you prefer.

  10. Under Tenant Name, enter the name of your Checkmarx One tenant account.

  11. Under Additional Parameters, you can specify any CLI arguments that you would like to apply to scans of this project. See the CLI documentation for the available arguments.

    Notice

    By default, all scanners that you are authorized to run (licensed or open source) will run. To limit scans to one or more specific scanners, add the argument --scan-types {scanner}, where {scanner} is one or more of the following: sast, sca, or kics.

  12. When you have finished configuring the task, click Save & queue to save the pipeline and run an initial scan; in the dialog that opens, click Save and Run.

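The classic-editor configuration built in Step 3 can also be expressed as a YAML pipeline. The following is an added example, not taken from this guide or from Checkmarx; the task identifier (Checkmarx AST Scan@2), the input names (CheckmarxService, projectName, branchName, tenantName, additionalParams), the service connection name, and the comma-separated form of --scan-types are assumptions that you should confirm against the "View YAML" output of your own configured task. The tenant name is a placeholder.

```yaml
# Added example (not from the Checkmarx documentation page): a YAML pipeline
# equivalent to the task configured through the classic editor in Step 3.
# ASSUMPTIONS: the task identifier and the input names below are what the
# Marketplace task exposes; confirm them via "View YAML" on your configured task.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  # Step 3.3: check out the Azure repo that holds the source code to scan.
  - checkout: self

  - task: Checkmarx AST Scan@2          # assumed task identifier
    displayName: 'Checkmarx One scan'
    inputs:
      # Step 2: the service connection created for Checkmarx One (assumed name).
      CheckmarxService: 'Checkmarx One Connection'
      # Steps 3.8 and 3.9: the plugin's defaults, written out explicitly.
      projectName: '$(Build.Repository.Name)'
      branchName: '$(Build.SourceBranchName)'
      # Step 3.10: placeholder, replace with your Checkmarx One tenant name.
      tenantName: '<your-tenant-name>'
      # Step 3.11: run only SAST and SCA instead of every licensed scanner.
      # The comma-separated list form is an assumption about the CLI syntax.
      additionalParams: '--scan-types sast,sca'
```

Keeping the OAuth2 client secret inside the service connection, rather than in pipeline variables, means the YAML file itself carries no credentials and can be committed alongside the source it scans.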