
Creating Checkmarx One Pipelines in Azure

You can add a Checkmarx One scan to an existing pipeline or you can create a new pipeline for the scan.

There are several ways to create a new pipeline in Azure DevOps. The following sections describe the two primary methods for creating a new pipeline with a Checkmarx One scan build step.

Additionally, you can set a pipeline variable to use a proxy server, as described here.

Creating a Checkmarx One Pipeline Using a Pre-configured Task

Creating a Pipeline without using a YAML File

To create a Checkmarx One scan pipeline without using a YAML file:

  1. In your Azure DevOps console, in the main navigation, select Pipelines.

  2. On the Pipelines screen, click Create Pipeline.

    A new pipeline form opens.

  3. Click on Other Git.

    This will take you to the classic editor, which enables you to create a pipeline without using a YAML file.

  4. Select the platform where the source code is located.

  5. If you haven’t created a connection for that platform, you will be prompted to do so.

  6. Once you have created the connection, you will be prompted to fill in the relevant fields specifying the project, repo and branch of the source code that you would like to scan.

  7. In the Select a template section, click on Empty job.

  8. Click on the “+” button for “Agent job 1” and search for the Checkmarx AST plugin.

  9. Hover over the Checkmarx AST plugin and click Add.

    The Checkmarx AST task is shown under “Agent job 1”.

  10. Click on the Checkmarx AST task to open the configuration form in the right-side panel.


    Notice

    If you have already installed the plugin, it will appear in the top section. If you haven't installed it yet, then you need to hover over the plugin in the Marketplace section, click Get it free and follow the prompts to install it.

  11. Under Checkmarx One Service Connection, select from the dropdown list the connection that you configured for Checkmarx One earlier. For more information, see Checkmarx One Azure DevOps Plugin Initial Setup.

  12. For Project Name, specify the name of the Project to be used in Checkmarx One. (Default: $(Build.Repository.Name)).

  13. For Branch Name, specify the name of the branch to be used in Checkmarx One. (Default: $(Build.SourceBranchName)).

  14. Under Tenant Name, enter the name of your Checkmarx One tenant account.

  15. Under Checkmarx One Scan Parameters, under Additional Parameters, you can specify any CLI arguments that you would like to apply to scans of this project. See documentation here.

    Notice

    By default, all scanners that you are authorized to run (licensed or open source) will run. To limit scans to one or more specific scanners, add the argument --scan-types {scanner}, where {scanner} is a comma-separated list of one or more of the following scanners: sast, sca, iac-security, or api-security.

  16. You can optionally adjust the Control Options and Output Variables.

  17. You can add additional tasks to the Agent job both before and after the Checkmarx One scan. You can also add additional Agent jobs to the pipeline.

  18. Click on the Triggers tab and specify how this pipeline will be triggered. You can create schedules to run periodic scans or you can specify the build completion events that will trigger scans.

  19. You can optionally set up a proxy pipeline variable. See below.

  20. When you are finished configuring the pipeline, click Save & queue.

  21. Select one of the following options from the dropdown menu:

    • Save - save the pipeline without running an initial scan.

    • Save & queue - save the pipeline and run it, executing an initial scan. You will be prompted to add a save comment and specify the run configuration before confirming the run command.

Setting up a Proxy Pipeline Variable (Optional)

To set up a pipeline variable:

  1. On the pipeline configuration screen, click on the Variables tab.

  2. Click + Add.

  3. Enter the following configuration information:

    • In the Name field, enter HTTP_PROXY.

    • In the Value field, enter the address of your proxy server (for example, the URL of an HTTP proxy the build agent can reach). The variable is exposed to the agent as the HTTP_PROXY environment variable.

    • Select the Settable at queue time check box.

  4. When you are finished configuring the pipeline, click Save & queue.

  5. Select one of the following options from the dropdown menu:

    • Save - save the pipeline without running an initial scan.

    • Save & queue - save the pipeline and run it, executing an initial scan. You will be prompted to add a save comment and specify the run configuration before confirming the run command.

Creating a Checkmarx One Pipeline Using a YAML File

To create a Checkmarx One pipeline using a YAML file:

  1. In your Azure DevOps console, in the main navigation, select Pipelines.

  2. On the Pipelines screen, click New pipeline.

    A new pipeline form opens.

  3. Select the repo platform where the source code is located. Select one of the options that shows YAML in the title.

  4. If you haven’t authorized access to this repo through Azure, then you will be redirected to do so.

  5. Once you have authorized the connection, the Select a repository screen is shown.

  6. Select the desired repository. If necessary, follow the prompts to approve access to the repo.

    The Configure your pipeline screen is shown in your Azure DevOps console.

  7. Select the type of pipeline to which you would like to add the Checkmarx One scan. To create a basic pipeline, click on Starter pipeline. Alternatively, you can add the Checkmarx One task to an existing pipeline by clicking on Existing Azure Pipelines YAML file.

    The Review your pipeline YAML screen is shown.

  8. Place your cursor at the end of your YAML code.

  9. Click Show assistant at the top right of the screen.

  10. Search for Checkmarx AST and select it.

    The Checkmarx AST configuration form is shown in the right-side panel.

  11. Under Checkmarx One Service Connection, select from the dropdown list the connection that you configured for Checkmarx One earlier. For more information, see Checkmarx One Azure DevOps Plugin Initial Setup.

  12. For Project Name, specify the name of the Project to be used in Checkmarx One. (Default: $(Build.Repository.Name)).

  13. For Branch Name, specify the name of the branch to be used in Checkmarx One. (Default: $(Build.SourceBranchName)).

  14. Under Tenant Name, enter the name of your Checkmarx One tenant account.

  15. Under Checkmarx One Scan Parameters, under Additional Parameters, you can specify any CLI arguments that you would like to apply to scans of this project. See documentation here.

    Notice

    By default, all scanners that you are authorized to run (licensed or open source) will run. To limit scans to one or more specific scanners, add the argument --scan-types {scanner}, where {scanner} is a comma-separated list of one or more of the following scanners: sast, sca, iac-security, or api-security.

  16. Click Add.

    The Checkmarx code is added to your build process.

  17. Add additional code for any other tasks that you would like to add to the pipeline either before or after the Checkmarx One scan.

  18. To save the pipeline and run an initial scan, click Save and run at the top right of the screen. Alternatively, you can save without running by clicking on the down arrow and selecting Save.

    The Save and run panel opens.

  19. In the Save and run panel enter a Commit message and an Optional extended description.

  20. Select the radio button for your desired commit branch.

  21. Click Save and run.
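The following is an added example of what the finished azure-pipelines.yml can look like once the assistant has inserted the Checkmarx One task and the optional proxy variable from the procedures above have been applied. It is not code from this page or from the Checkmarx plugin documentation. The task identifier (Checkmarx AST@2), the input names (CheckmarxService, projectName, branchName, tenantName, additionalParams), the service connection name checkmarx-one, the tenant name my-tenant and the proxy address are assumptions; compare them against the YAML the Show assistant panel generates for your plugin version. The --threshold CLI argument is taken from the Checkmarx One CLI and is also shown as an assumption to be checked against the CLI reference linked under Additional Parameters.

```yaml
# Added example pipeline (not from the Checkmarx docs). Assumed values are
# marked; verify task id and input names against the assistant-generated YAML.

trigger:
  branches:
    include:
      - main                          # scan every push to main

schedules:
  - cron: "0 2 * * 0"                 # weekly full scan, Sunday 02:00 UTC
    displayName: Weekly Checkmarx One scan
    branches:
      include:
        - main
    always: true                      # run even when nothing changed since the last scan

pool:
  vmImage: ubuntu-latest

variables:
  # Optional: only when the agent must reach Checkmarx One through a proxy.
  # Pipeline variables are exported to the agent as environment variables,
  # so this becomes HTTP_PROXY for the task. Address is an assumption.
  - name: HTTP_PROXY
    value: http://proxy.example.internal:3128

steps:
  - checkout: self
    fetchDepth: 0                     # full history so branch and commit resolution is reliable

  - task: Checkmarx AST@2             # assumed task id/version
    displayName: Checkmarx One scan
    inputs:
      CheckmarxService: checkmarx-one             # service connection created in Initial Setup (assumed name)
      projectName: $(Build.Repository.Name)       # page default
      branchName: $(Build.SourceBranchName)       # page default; see note on nested branch names
      tenantName: my-tenant                       # your Checkmarx One tenant (assumed)
      # Restrict to the scanners you need and fail the build on high findings.
      # --scan-types is from this page; --threshold is a CLI argument (assumption).
      additionalParams: --scan-types sast,sca --threshold "sast-high=1; sca-high=1"
```

Two points to check before relying on this in a branch policy: $(Build.SourceBranchName) contains only the last path segment of the branch, so refs/heads/feature/login and refs/heads/hotfix/login both scan as the Checkmarx One branch "login"; if your team uses nested branch names, derive the branch name from $(Build.SourceBranch) instead. The service connection holds the Checkmarx One credentials, so grant it only to the pipelines that need it rather than to all pipelines in the project, and keep the proxy variable as a plain variable (not a secret) so that the agent can export it to the task's environment.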