Using the Checkmarx VS Code Extension - Checkmarx One Results
Loading Checkmarx One Results in Visual Studio Code
Once you have run a Checkmarx One scan on the source code of your VS Code project, you can import the scan results into VS Code. The results are integrated within VS Code in a manner that makes it easy to identify the vulnerable code, triage the results, and take the required remediation actions.
First you need to import the results from the latest scan of your VS Code project. Then you can view the results in your VS Code IDE.
You can also run new scans on an existing Checkmarx project directly from your IDE.
 |
GIF - How to load results from a Checkmarx scan
Importing your Checkmarx One Scan Results
To import results from a scan:
In the VS Code console, click on the Checkmarx icon (in the left-side navigation pane) to open the Checkmarx panel.
The plugin will try to automatically show results for the relevant scan by matching your project and VCS branch to an existing Checkmarx One scan.
If the desired scan is not displayed, you can select the scan manually by entering the Scan ID of the desired scan in the Scan field.
Use one of the following methods to submit the relevant Scan ID.
In the Checkmarx panel, hover over the Project field and click on the edit icon
: .A list of available Checkmarx Projects is shown.
Notice
You can filter the list by typing a search text.
Select the desired Project.
Click on the
icon next to Branch.A list of available branches of the specified Project is shown.
Notice
You can filter the list by typing a search text.
Select the desired Branch.
Click on the
icon next to Scan.A list of available scans of the specified branch is shown. Scans are identified by the date and time that the scan ran.
Select the desired scan.
The scan results are imported into VS Code and the results summary as well as the Scan ID of the selected scan and the results tree are shown in the Checkmarx panel.
Log in to the Checkmarx One web application.
Navigate to the the desired Project page.
On the Scan History tab, copy the Scan ID of the desired scan.
In the VS Code console > Checkmarx panel, hover over the Scan field and then click on the search icon
.In the field that opens, paste the scan ID and then press Enter.
The scan results are imported into VS Code and the Project, Branch and Scan fields are populated. Also, the results tree is shown below the selection section.
Running Scans from VS Code
You can run a new Checkmarx One scan on the project that is open in your VS Code workspace.
You must first create a Checkmarx project and run the initial scan using some other method, e.g., web portal, API, CLI etc. and load the scan results in the VS Code console. Then, you are able to run subsequent scans on that project from VS Code.
Notice
The scan applies the scan configuration that was used for the previous scan of this project . For example, if the last time you scanned this project you excluded certain files, those files will be excluded also from the current scan.
Warning
This feature needs to be enabled for your organization's account by a Checkmarx admin user under Account Settings in the Checkmarx One web portal. Before enabling this feature, you should consider the ramifications; since there is a limitation to the number of concurrent scans that you can run based on your license, enabling IDE scans may cause scans triggered by CI/CD pipelines and SCM integrations to be added to the scan queue (run on a "first in first out" basis), causing major delays for those scans.
 |
GIF - How to run a new scan from the IDE
To run a scan:
In the Checkmarx panel in your IDE, open the existing Checkmarx project under which your current workspace has already been scanned.
Hover over the Checkmarx project name and click on the "play" button that appears.
Notice
Checkmarx runs a sanity check to verify that your current workspace matches the files that were previously scanned under this Checkmarx project. If a mismatch is detected, a warning is shown. You are given the option to run the scan despite the mismatch.
When the scan is completed, a dialog appears, asking if you would like to load the results from the new scan. Click Yes to show the new scan results in the Checkmarx panel.
Viewing Checkmarx One Scan Results
You can navigate the tree display to view details about a specific vulnerability.
Notice
In order to show the source code for a specified attack vector, you need to have the relevant project open in your VS Code console.
To view the Checkmarx One results in the Checkmarx panel:
After you import the scan results, and the results are shown in the Checkmarx panel, click on an arrow to expand that item in the tree.
Notice
The Checkmarx vulnerabilities are also shown in the Problems tab at the bottom of the screen.
You can use the Checkmarx Toolbar (on the top) to adjust the display, see below.
Click on a SAST vulnerability.
The Checkmarx results panel is shown on the right. It opens showing the General tab, which includes a summary of the vulnerability info, a brief description and the Attack Vector.
You can click on the Learn More tab to view additional details about the vulnerability, including recommended remediation actions.
You can click on the Remediation Examples tab to view a sample of code that is subject to this vulnerability, followed by a remediated version of that code.
You can click on the Changes tab to view all changes that have been made to the result predicate of the vulnerability (severity, status and comments), see Triaging Results.
Back In the General tab, scroll down to the Attack Vector section and click on a node in the Attack Vector.
An editor opens containing the source code in the respective file and location for the selected node.
You can hover over a vulnerability and click View Problem to show info about the problem.
Viewing and Remediating SCA Results
 |
GIF - How to automatically remediate SCA vulnerabilities
Click on an SCA vulnerability in the results tree.
Detailed info about the vulnerability is shown in the results window. This includes a description of the vulnerability, info about the package where it was identified and a detailed breakdown of the metrics contributing to the CVSS score.
Checkmarx offers remediation recommendations. When the Remediation button is highlighted, this indicates that you can automatically upgrade to the recommended version by clicking on the button.
Notice
This feature is currently supported only for direct npm dependencies.
Checkmarx Toolbar
At the top of the Checkmarx panel, a toolbar with the following actions is available:
Icon | Item | Description | |
|---|---|---|---|
| Filter High | Show/hide high severity vulnerabilities | |
| Filter Medium | Show/hide medium severity vulnerabilities | |
| Filter Low | Show/hide low severity vulnerabilities | |
| Filter Info | Show/hide info severity vulnerabilities | |
| Filter by state | Filter results by state (multi-select, by default all are selected except for Not Exploitable) | |
| New search | Search for a scan by selecting the Project and branch | |
| More options | Select/deselect grouping categories. Options are: File, Language, Vulnerability Type, Severity, State, Status and Direct/Transitive Dependency (relevant for SCA). You can group by multiple parameters. The groups will be nested according to the order in which they are selected (i.e., the first selection will be the top level grouping and the next selection will be a nested grouping below that etc.) The Select All option, restarts the selection wizard, enabling you to choose a new project, branch and scan. The Clear selections option, clears the selected project, branch and scan. The Settings option, opens the plugin settings window. |
Codebashing Links
Codebashing is an interactive AppSec training platform built by developers for developers. Codebashing sharpens the skills that developers need to avoid security issues, fix vulnerabilities, and write secure code in the first place. See Codebashing documentation here.
When you select a SAST vulnerability for which a Codebashing lesson exists, a link to the relevant lesson is shown. Click on the link to open the lesson in a new browser.
Note
If you don’t yet have a license for Codebashing, a dialog opens showing a link to start a free trial.
 |
Managing (Triaging) Results
Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance has a ‘Predicate’ associated with it, which is comprised of the following attributes: ‘state’, ‘severity’ and ‘comments’. After reviewing the results of a scan, you have the ability to triage the results and modify these predicates accordingly. For more info about triaging results in Checkmarx One, see Managing (Triaging) Vulnerabilities.
You can manage the results directly in the VS Code console.
Warning
Only users with the Checkmarx One role update-result (e.g., a risk-manager) are authorized to make changes to the predicate. Only users with the role update-result-not-exploitable (e.g., an admin) are authorized to mark a vulnerability as ‘Not Exploitable’.
 |
GIF - How to change the status and severity of a vulnerability
To edit the result predicate:
Navigate to the vulnerability that you would like to edit.
To adjust the severity, click on the Severity field, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.
To adjust the state, click on the State field, and select from the dropdown list the state that you would like to assign. For SAST and IaC Security, options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent. For SCA, options are: Not Ignored or Ignored.
Notice
If you mark a vulnerability as Not Exploitable or Ignored it will not be shown in the results in the web app for this scan or for subsequent scans of this Project.
To add a comment, click on the Show comment button and enter your comment in the field that opens.
In order to apply your changes, click Update.
The new predicate is applied to the vulnerability instance in this scan as well as to recurring instances of the vulnerability in subsequent scans of the Project. The changes made to the predicate are shown in the Changes tab.