
Using the Checkmarx VS Code Extension - Checkmarx One Results

Loading Checkmarx One Results in Visual Studio Code

Once you have run a Checkmarx One scan on the source code of your VS Code project, you can import the scan results into VS Code. The results are integrated within VS Code in a manner that makes it easy to identify the vulnerable code, triage the results, and take the required remediation actions.

First you need to import the results from the latest scan of your VS Code project. Then you can view the results in your VS Code IDE.

Notice

Alternatively, you can run a new scan on an existing Checkmarx One project from your IDE and load its results.

Figure 1. Loading Scan Results (animated GIF: how to load results from a Checkmarx scan)



Importing your Checkmarx One Scan Results

To import results from a scan:

  1. In the VS Code console, click on the Checkmarx icon (in the left-side navigation pane) to open the Checkmarx panel.

  2. Enter the Scan ID of the scan that you would like to display, using one of the following methods.

    Warning

    Only scans that completed successfully are shown in the IDE. Scans with only partial results aren't shown.

Running Scans from VS Code

You can run a new Checkmarx One scan on the project that is open in your VS Code workspace.

You must first create a Checkmarx One project and run the initial scan of a particular branch using another method (e.g., the web portal, API or CLI) and load the scan results in the VS Code console. You can then run subsequent scans of that project branch from VS Code.

An IDE-initiated scan applies the scan configuration that was used for the previous scan of this project branch. For example, if the last time you scanned this branch you excluded certain files, those files are also excluded from the current scan.

Notice

Scans initiated via the IDE are "Incremental" scans. Learn more about incremental scans here.

Warning

This feature needs to be enabled for your organization's account by a Checkmarx admin user under Settings > Global Settings > Plugins in the Checkmarx One web portal. Before enabling it, consider the ramifications: your license limits the number of concurrent scans, so enabling IDE scans may push scans triggered by CI/CD pipelines and SCM integrations into the scan queue (first in, first out), causing major delays for those scans.

Figure 2. Running Scans from the IDE (animated GIF: how to run a new scan from the IDE)



To run a scan:

  1. In the Checkmarx panel in your IDE, select the existing Checkmarx project and branch under which your current workspace has already been scanned.

  2. Hover over the header bar of the Checkmarx One Results panel and click on the "play" button that appears.


    Notice

    Checkmarx runs a sanity check to verify that your current workspace matches the files that were previously scanned under this Checkmarx project. If a mismatch is detected, a warning is shown. You are given the option to run the scan despite the mismatch.

  3. When the scan is completed, a dialog appears, asking if you would like to load the results from the new scan. Click Yes to show the new scan results in the Checkmarx panel.

Viewing Checkmarx One Scan Results

You can navigate the tree display to view details about a specific vulnerability.

Notice

In order to show the source code for a specified attack vector, you need to have the relevant project open in your VS Code console.

To view the Checkmarx One results for SAST and IaC Security vulnerabilities:

Notice

Some of the tabs described below are only relevant for SAST vulnerabilities. Viewing SCA vulnerabilities is described in the following section.

  1. After you import the scan results, and the results are shown in the Checkmarx panel, click on an arrow to expand that item in the tree.

    Notice

    The Checkmarx vulnerabilities are also shown in the Problems tab at the bottom of the screen.

  2. You can use the Checkmarx Toolbar (on the top) to adjust the display, see below.

  3. Click on a SAST or IaC Security vulnerability.

    The Checkmarx results panel is shown on the right. It opens showing the General tab, which includes a summary of the vulnerability info, a brief description and the Attack Vector.

  4. You can click on the Triage tab to view the severity, state and comments for this vulnerability. As part of the triaging process, you can change the severity and state and add comments, see Managing (Triaging) Results.

  5. You can click on the Learn More tab to view additional details about the vulnerability, including recommended remediation actions.

  6. You can click on the Remediation Examples tab to view a sample of code that is subject to this vulnerability, followed by a remediated version of that code.

  7. Back in the General tab, scroll down to the Attack Vector section and click on a node in the Attack Vector.

    An editor opens containing the source code in the respective file and location for the selected node.


    You can hover over a vulnerability and click View Problem to show info about the problem.


Viewing and Remediating SCA Results

Figure 3. SCA Auto Remediation (animated GIF: how to automatically remediate SCA vulnerabilities)



  1. Click on an SCA vulnerability in the results tree.

    Detailed info about the vulnerability is shown in the results window. This includes a description of the vulnerability, info about the package where it was identified and a detailed breakdown of the metrics contributing to the CVSS score.

  2. Checkmarx offers remediation recommendations. When the Remediation button is highlighted, you can automatically upgrade to the recommended version by clicking it.

    Notice

    This feature is currently supported only for direct npm dependencies.

AI Guided Remediation

AI Guided Remediation uses an AI model to help you understand the vulnerabilities in your code and resolve them quickly. When you initiate an AI chat, the extension automatically sends the relevant context to OpenAI, so source code from your workspace leaves your environment. The interaction differs slightly for SAST vulnerabilities and for IaC Security vulnerabilities, as described below.

Prerequisites

In order to use AI Guided Remediation, make sure that the following prerequisites are in place.

  • This feature needs to be enabled for your organization's account by a Checkmarx admin user under Account Settings > Settings > Plugins in the Checkmarx One web portal. See Plugins Settings

  • You need to provide your OpenAI API Key in the Extension Settings. See Configuring AI Guided Remediation

  • The relevant project files need to be in your VS Code workspace.

SAST AI Guided Remediation

For SAST vulnerabilities, when you click Start Remediation, Checkmarx sends the scan results file to OpenAI together with code snippets around each node of the Attack Vector, along with a pre-configured series of instructions. OpenAI generates a response that includes the following:

  • Confidence - A score between 0 (low) and 100 (high) indicating the degree of confidence in the exploitability of this vulnerability in the context of your code.

  • Explanation - A brief description of the vulnerability.

  • Proposed Remediation - An explanation of the changes needed in order to remediate the vulnerability, as well as a customized code snippet that can be used in your code.

You can then follow up by asking additional free text questions.

To use AI Guided Remediation for SAST:

  1. In the Checkmarx One results pane, select a SAST vulnerability that you would like to remediate.

  2. In the results panel, click on the AI Guided Remediation tab and then click on the Start Remediation button.

  3. AI Guided Remediation provides remediation information divided into the following sections: Confidence, Explanation and Proposed Remediation.

  4. In the Ask a question box at the bottom you can ask a free text question to follow up on the discussion.

  5. When you are satisfied with the suggestion that you received, you can take the code snippet and paste it directly into the relevant place in your code in order to remediate the vulnerability. You can then re-scan the project to verify that the remediation was effective.

IaC Security AI Guided Remediation

For IaC Security vulnerabilities we provide the context to OpenAI and suggest questions that you can ask in order to obtain the relevant remediation information.

Notice

When sending your IaC files to OpenAI, we protect your sensitive data by anonymizing all passwords and secrets before the content is sent. The query used for identifying sensitive data can be seen here.

To use AI Guided Remediation for IaC Security:

  1. In the Checkmarx One results pane, select an IaC Security vulnerability that you would like to remediate.

  2. In the results panel, click on the AI Guided Remediation tab.

  3. Before starting the communication with OpenAI, click Masked Secrets if you would like to check which secrets will be masked.

    The Masked Secret section is expanded to show all items that will be masked.

  4. In the AI Guided Remediation panel, you can start the conversation by clicking on one of the suggested questions.

  5. Continue the conversation with OpenAI until you gather the info that you need about remediating the vulnerability. You can also ask OpenAI to provide a code sample of the revised content.
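The Notice above says passwords and secrets in IaC files are anonymized before the content is sent to OpenAI, and step 3 lets you preview what will be masked. The following is an added example of that pre-send step, not the extension's own code or its detection query: it masks values whose key name looks credential-bearing in HCL, YAML or .env-style lines and returns the list a reviewer would check before the file leaves the workspace. The key-name list, the line grammar and the sample files are assumptions constructed for the example.

```python
import re

# Key names that commonly carry credentials. This list is an assumption made
# for the example; it is not the query the Checkmarx extension uses.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)",
    re.IGNORECASE,
)

# One "key = value" / "key: value" line, as found in HCL, YAML and .env files.
# A quoted value may contain '#'; an unquoted one ends at a comment or end of line.
ASSIGNMENT = re.compile(
    r'^(?P<indent>\s*)(?P<key>[A-Za-z0-9_.\-]+)(?P<sep>\s*[:=]\s*)'
    r'(?P<quote>["\'])?(?P<value>(?(quote)[^"\'\n]*?|[^\n#]*?))(?(quote)(?P=quote))'
    r'\s*(?P<rest>#.*)?$'
)


def mask_secrets(text):
    """Replace the values of sensitive keys with placeholders.

    Returns (masked_text, masked) where masked maps each placeholder to the
    original value, i.e. the list a user would review before sending the file.
    """
    masked = {}
    out = []
    for line in text.splitlines():
        m = ASSIGNMENT.match(line)
        if m and SENSITIVE_KEY.search(m.group("key")) and m.group("value").strip():
            placeholder = "<MASKED_%d>" % (len(masked) + 1)
            masked[placeholder] = m.group("value")
            quote = m.group("quote") or ""
            rest = " " + m.group("rest") if m.group("rest") else ""
            line = (m.group("indent") + m.group("key") + m.group("sep")
                    + quote + placeholder + quote + rest)
        out.append(line)
    return "\n".join(out), masked


# Constructed sample files (hypothetical content, not taken from any real project).
SAMPLE_TF = '''resource "aws_db_instance" "db" {
  username = "admin"
  password = "hunter2"
}
'''
SAMPLE_YAML = '''apiVersion: v1
kind: Secret
stringData:
  api_key: dummy-api-key-123  # rotate me
  region: us-east-1
'''

if __name__ == "__main__":
    for sample in (SAMPLE_TF, SAMPLE_YAML):
        text, found = mask_secrets(sample)
        print(text)
        print("would mask:", found)
```

Masking by key name is a heuristic: a secret assigned to an innocuously named key, or embedded in a connection string, is not caught, so review the preview rather than trusting the placeholder list blindly.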

Checkmarx Toolbar

At the top of the Checkmarx panel, a toolbar with the following actions is available:

  • Run Scan: Runs a new scan on the project that is open in your workspace.

  • Filter High: Show/hide high severity vulnerabilities.

  • Filter Medium: Show/hide medium severity vulnerabilities.

  • Filter Low: Show/hide low severity vulnerabilities.

  • Filter Info: Show/hide info severity vulnerabilities.

  • Filter by state: Filter results by state (multi-select; by default all states are selected except Not Exploitable).

  • New search: Search for a scan by selecting the Project and branch.

  • More options: Select/deselect grouping categories. Options are: File, Language, Vulnerability Type, Severity, State, Status and Direct/Transitive Dependency (relevant for SCA). You can group by multiple parameters; the groups are nested in the order in which they are selected (the first selection is the top-level grouping, the next selection is nested below it, and so on).

    The Select Different Results option restarts the selection wizard, enabling you to choose a new project, branch and scan.

    The Clear Results Selection option clears the selected project, branch and scan.

    The Settings option opens the plugin settings window.
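The following is an added example, not code from the Checkmarx VS Code extension, that models the toolbar's severity toggles, the state multi-select with its default (everything except Not Exploitable), and grouping nested in selection order. The result records, their field names and the file and vulnerability-type names are constructed for the example.

```python
# Added example: a model of the toolbar filters and nested grouping.
# Field names and sample records are assumptions, not the extension's schema.

SEVERITIES = ("High", "Medium", "Low", "Info")
STATES = ("To Verify", "Not Exploitable", "Proposed Not Exploitable", "Confirmed", "Urgent")
# Default state filter: all states except Not Exploitable.
DEFAULT_STATES = frozenset(s for s in STATES if s != "Not Exploitable")

# Constructed sample results (hypothetical files and vulnerability types).
SAMPLE_RESULTS = [
    {"file": "src/login.js", "language": "JavaScript", "type": "SQL_Injection",
     "severity": "High", "state": "To Verify", "status": "New"},
    {"file": "src/login.js", "language": "JavaScript", "type": "Reflected_XSS",
     "severity": "Medium", "state": "Confirmed", "status": "Recurrent"},
    {"file": "src/util.py", "language": "Python", "type": "Hardcoded_Password",
     "severity": "High", "state": "Not Exploitable", "status": "Recurrent"},
    {"file": "package.json", "language": "JavaScript", "type": "Vulnerable_Dependency",
     "severity": "Low", "state": "To Verify", "status": "New", "dependency": "Direct"},
    {"file": "package.json", "language": "JavaScript", "type": "Vulnerable_Dependency",
     "severity": "Info", "state": "Urgent", "status": "New", "dependency": "Transitive"},
]

# Grouping categories offered under "More options" and the field each one reads.
GROUP_KEYS = {
    "File": lambda r: r["file"],
    "Language": lambda r: r["language"],
    "Vulnerability Type": lambda r: r["type"],
    "Severity": lambda r: r["severity"],
    "State": lambda r: r["state"],
    "Status": lambda r: r["status"],
    "Direct/Transitive Dependency": lambda r: r.get("dependency", "N/A"),
}


def filter_results(results, severities=frozenset(SEVERITIES), states=DEFAULT_STATES):
    """Apply the severity toggles and the state multi-select."""
    return [r for r in results if r["severity"] in severities and r["state"] in states]


def group_results(results, categories):
    """Nest groups in the order the categories were selected.

    The first category is the top-level grouping; each further category is
    nested below it. With no categories left, the leaf is the list of results.
    """
    if not categories:
        return list(results)
    key = GROUP_KEYS[categories[0]]
    groups = {}
    for r in results:
        groups.setdefault(key(r), []).append(r)
    return {k: group_results(v, categories[1:]) for k, v in groups.items()}


def count_results(tree):
    """Count leaf results in a (possibly nested) grouping."""
    if isinstance(tree, list):
        return len(tree)
    return sum(count_results(v) for v in tree.values())


if __name__ == "__main__":
    visible = filter_results(SAMPLE_RESULTS)
    for order in (["Severity", "State"], ["State", "Severity"]):
        print(order, group_results(visible, order))
```

Selecting Severity then State and State then Severity produce different trees over the same records, which is why the selection order matters when you read the tree view.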

Managing (Triaging) Results

Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance has a ‘Predicate’ associated with it, which consists of the following attributes: ‘state’, ‘severity’ and ‘comments’. After reviewing the results of a scan, you can triage the results and modify these predicates accordingly. For more info about triaging results in Checkmarx One, see Managing (Triaging) Vulnerabilities.

You can manage the results directly in the VS Code console.

Warning

Only users with the Checkmarx One role update-result (e.g., a risk-manager) are authorized to make changes to the predicate. Only users with the role update-result-not-exploitable (e.g., an admin) are authorized to mark a vulnerability as ‘Not Exploitable’.

Warning

Triaging via the IDE is not currently supported for SCA vulnerabilities.

Figure 4. Triaging Results (animated GIF: how to change the state and severity of a vulnerability)



To edit the result predicate:

  1. Navigate to the vulnerability that you would like to edit.

  2. To adjust the severity, click on the Severity field, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.

  3. To adjust the state, click on the State field, and select from the dropdown list the state that you would like to assign. Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.

    Notice

    If you mark a vulnerability as Not Exploitable it will not be shown in the results in the web app for this scan or for subsequent scans of this Project.

  4. To add a comment, click on the Show comment button and enter your comment in the field that opens.

  5. In order to apply your changes, click Update.

    The new predicate is applied to the vulnerability instance in this scan as well as to recurring instances of the vulnerability in subsequent scans of the Project. The changes made to the predicate are shown in the Changes tab.
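The following is an added example, not Checkmarx One code, that models the triage rules described in this section: a predicate (severity, state, comments) keyed by a stable vulnerability instance so that a change carries over to the same instance in later scans, the two role checks from the Warning above, and the default hiding of Not Exploitable results. The role names are the ones quoted on the page; the instance ids, record layout and the two sample scans are constructed for the example.

```python
# Added example: a minimal model of result predicates and triage authorization.
# Instance ids, record fields and scan contents are constructed sample data.

STATES = ("To Verify", "Not Exploitable", "Proposed Not Exploitable", "Confirmed", "Urgent")
SEVERITIES = ("High", "Medium", "Low", "Info")


def authorized(user_roles, state=None):
    """True if the caller may change a predicate, including the requested state.

    update-result is needed for any change; update-result-not-exploitable is
    additionally needed to mark a result Not Exploitable.
    """
    roles = set(user_roles)
    if "update-result" not in roles:
        return False
    if state == "Not Exploitable" and "update-result-not-exploitable" not in roles:
        return False
    return True


class PredicateStore:
    """Predicates keyed by a stable instance id, so a change made while
    reviewing one scan applies to the same instance in later scans."""

    def __init__(self):
        self._predicates = {}

    def update(self, user_roles, instance_id, severity=None, state=None, comment=None):
        if not authorized(user_roles, state):
            raise PermissionError("insufficient Checkmarx One role for this change")
        if severity is not None and severity not in SEVERITIES:
            raise ValueError("unknown severity: %s" % severity)
        if state is not None and state not in STATES:
            raise ValueError("unknown state: %s" % state)
        p = self._predicates.setdefault(
            instance_id, {"severity": None, "state": None, "comments": []})
        if severity is not None:
            p["severity"] = severity
        if state is not None:
            p["state"] = state
        if comment:
            p["comments"].append(comment)
        return dict(p)

    def effective_results(self, scan_results, show_not_exploitable=False):
        """Merge a scan's results with stored predicates; hide Not Exploitable by default."""
        merged = []
        for r in scan_results:
            p = self._predicates.get(r["instance_id"], {})
            item = dict(r)
            if p.get("severity"):
                item["severity"] = p["severity"]
            if p.get("state"):
                item["state"] = p["state"]
            item["comments"] = list(p.get("comments", []))
            if item["state"] == "Not Exploitable" and not show_not_exploitable:
                continue
            merged.append(item)
        return merged


# Constructed sample data: instance "inst-a" recurs in the second scan.
SCAN_1 = [
    {"instance_id": "inst-a", "type": "SQL_Injection", "severity": "High", "state": "To Verify"},
    {"instance_id": "inst-b", "type": "Reflected_XSS", "severity": "Medium", "state": "To Verify"},
]
SCAN_2 = [
    {"instance_id": "inst-a", "type": "SQL_Injection", "severity": "High", "state": "To Verify"},
    {"instance_id": "inst-c", "type": "Path_Traversal", "severity": "High", "state": "To Verify"},
]

# Role sets for the two user kinds the page mentions as examples.
RISK_MANAGER = {"update-result"}
ADMIN = {"update-result", "update-result-not-exploitable"}

if __name__ == "__main__":
    store = PredicateStore()
    store.update(ADMIN, "inst-a", state="Not Exploitable", comment="input is parameterized")
    print([r["instance_id"] for r in store.effective_results(SCAN_2)])
```

The point of keying predicates by instance rather than by scan is the carry-over the page describes: once inst-a is marked Not Exploitable while reviewing the first scan, it is also hidden in the second scan without any further action, which is why that state is gated behind a separate role.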

Documentation & Feedback

The Documentation & Feedback section in the Checkmarx panel provides quick links to view our documentation and submit requests for improvements.