Feedback Apps

The Feedback Apps feature provides the ability to export Checkmarx One scan results to external tools such as bug tracking and alerting services.

Feedback Profiles can be assigned to projects that are configured for repository scans as well as projects that are configured for ZIP scans.

For Checkmarx projects (manually created projects) that scan a repository path, see Assigning a Feedback Profile to a Checkmarx Project - Repository path scans.

Feedback Profiles contain Feedback Apps, divided into the following types:

  • Bug Tracking: Jira, GitHub Issues, Azure DevOps Bug Board.

  • Alerting: Slack, Microsoft Teams, Email notification service.

Checkmarx users use Bug Trackers to triage and manage bugs, and Alerting tools to notify other team members about vulnerabilities.

The Feedback Apps automation creates, modifies, and closes bug tracking tickets and/or drives alerting tools to notify team members about security vulnerabilities.

Note

The number of tickets opened in the bug tracking service might not match the number of vulnerabilities detected in Checkmarx One.

In the Feedback Apps, Checkmarx One presents the number of detected vulnerabilities. In the bug tracking service (Jira, Azure Board, GitHub Issue), Checkmarx One aggregates matching vulnerabilities into the new tickets, so one ticket can represent several vulnerabilities.

It is also possible to use multiple Feedback Apps, for example to create a bug in Jira and send a Slack notification. To do so, users need to Create a New Feedback Profile that handles one or more Feedback Apps.

Feedback Apps Flow

The Feedback Apps feature is designed to export Checkmarx One scan results to an external tool.

Important

Scans can be initiated in two ways: by a Pull Request/Push event sent directly from the code repository, or by manually triggering them from the Checkmarx One user interface.

If a manual scan is initiated for a code repository integration project, it triggers only the profiles associated with the Protected Branches that are scanned.

Importing a Code Repository Project

The supported Code Repositories are:

Creating a New Feedback App

To create a Feedback App, perform the following steps:

  1. Click on the Integrations icon. The icon is located in the left navigation pane of the Application and Project home page.

  2. Click on Apps.

  3. Click on + Create App.

    A side panel will be opened on the right.

  4. Select the relevant Feedback App.

    Note

    The rest of the configuration steps are determined according to the selected App.

Creating a new Profile, assigning a Project & Apps

A Profile is the entity that connects Feedback Apps to Checkmarx One projects.

A Profile creation contains several steps:

Verification

Go to the relevant Feedback App and verify the following:

  1. Bug Tracking Services (Jira, GitHub Issues, Azure DevOps Board) - Verify that tickets are opened/closed according to the vulnerabilities discovered by the Checkmarx One scan.

  2. Collaboration tools (Slack and Microsoft Teams) - Verify that messages are received according to the vulnerabilities discovered by the Checkmarx One scan.