Feedback Apps
The Feedback Apps feature provides the ability to export Checkmarx One scan results to external tools such as bug tracking and alerting services.
Feedback Profiles can be assigned to projects that are configured for repository scans as well as projects that are configured for ZIP scans.
For Checkmarx projects (manually created projects) that scan a repository path, see Assigning a Feedback Profile to a Checkmarx Project - Repository path scans.
Feedback Profiles contain Feedback Apps, divided into the following types:
Bug Tracking: Jira, GitHub Issues, Azure DevOps Bug Board.
Alerting: Slack, Microsoft Teams, Email notification service.
Checkmarx users use bug trackers to triage and manage bugs, and alerting tools to notify other team members about vulnerabilities.
The Feedback Apps automation creates, modifies, and closes bug tracking tickets and/or drives alerting tools to notify team members about security vulnerabilities.
Note
The number of tickets opened in the bug tracking service might not match the number of vulnerabilities detected in Checkmarx One.
In the Feedback Apps, Checkmarx One shows the number of detected vulnerabilities, whereas in the bug tracking service (Jira, Azure Board, GitHub Issues) Checkmarx One aggregates matching vulnerabilities when creating new tickets.
It is also possible to use multiple Feedback Apps, for example to create a bug in Jira and send a Slack notification. To do this, create a new Feedback Profile that includes one or more Feedback Apps.
Feedback Apps Flow
The Feedback Apps feature is designed to export Checkmarx One scan results to an external tool.
Important
Scans can be initiated in two ways: by a Pull Request/Push event from the code repository, or manually through the Checkmarx One user interface.
If a manual scan is initiated for a code repository integration project, it triggers the associated profiles only for the Protected Branches being scanned.
Importing a Code Repository Project
The supported Code Repositories are:
Creating a New Feedback App
To create a Feedback App, perform the following steps:
Click on the Integrations icon. The icon is located in the left navigation pane of the Application and Project home page.
Click on Apps.
Click on + Create App.
A side panel opens on the right.
Select the relevant Feedback App.
Note
The rest of the configuration steps are determined according to the selected App.
Creating a new Profile, assigning a Project & Apps
A Profile is the entity that connects Feedback Apps to Checkmarx One projects.
A Profile creation contains several steps:
Verification
Go to the relevant Feedback App and verify the following:
Bug Tracking Services (Jira, GitHub Issues, Azure DevOps Board) - Verify that tickets are opened/closed according to the discovered Checkmarx One scan vulnerabilities.
Collaboration tools (Slack and Microsoft Teams) - Verify that messages are received according to the discovered Checkmarx One scan vulnerabilities.