SonarQube Plugin Overview
Checkmarx CxSAST is a powerful Static Source Code Analysis (SAST) solution designed for identifying, tracking and fixing technical and logical security flaws. CxSAST is integrated seamlessly into the Software Development Life Cycle (SDLC), enabling the early detection and mitigation of crucial security flaws.
The CxSAST SonarQube plugin provides the following:
- Pulling scan results automatically when SonarQube runs. CxSAST scans are performed by Checkmarx, and the plugin pulls the scan results upon execution. The plugin does not initiate new Checkmarx scans.
- Providing an interface for viewing scan results, summary and trends in the SonarQube environment.
- Providing direct links from within the SonarQube dashboard to detailed CxSAST scan results and reports.
The following are not supported:
- Maven and other SonarQube scanners. Only SonarQube Scanner CLI is supported.
- Custom rules (queries).
- Subset scans; results are treated as full scans.
Checkmarx results in SonarQube are limited to the file scope of the SonarQube scan. If the SonarQube scan does not include a certain file, that file's vulnerabilities are not reflected in the results. Sonar only scans files that it considers part of the project and may omit some files. To see which code was actually scanned by SonarQube, go to SonarQube Project > Code. This is especially important to note when:
- Running local Checkmarx scans (from zip archives), which might include files that are not part of the project itself.
- Using Sonar with the Sonar MSBuild scanner, which may skip files or folders in the project. In this case you can see the list of files scanned at {your project directory}\.sonarqube\out\{Project root}\FilesToAnalyze.txt.
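The scope check described above, as an added example that is not part of the Checkmarx documentation or the plugin: it reads the paths listed in FilesToAnalyze.txt, compares them with the source files in the project tree, and lists the files Sonar skipped, which are exactly the files whose Checkmarx findings will not show up in the SonarQube dashboard. The FilesToAnalyze.txt format (one absolute path per line), the project paths and file list, and the set of source-file extensions are this example's assumptions, not values from the page.

```python
"""
Added example, not part of the Checkmarx documentation: compare the file scope
of a SonarQube MSBuild scan (FilesToAnalyze.txt) with the source files in the
project tree, to list the files Sonar skipped.  Checkmarx findings in those
files are not reflected in the SonarQube dashboard, so this is the check to
run when the two result sets disagree.

Assumptions: FilesToAnalyze.txt holds one absolute Windows path per line; the
project path and file list below are constructed sample data; the set of
source suffixes is this example's choice.
"""
import sys
from pathlib import Path, PureWindowsPath

# Constructed sample of a FilesToAnalyze.txt written by the Sonar MSBuild scanner.
SAMPLE_FILES_TO_ANALYZE = """\
C:\\src\\Shop\\Shop.Web\\Controllers\\LoginController.cs
C:\\src\\Shop\\Shop.Web\\Models\\User.cs
C:\\src\\Shop\\Shop.Web\\wwwroot\\js\\app.js
"""

# Constructed list of files that a Checkmarx scan of the same tree would cover.
SAMPLE_PROJECT_FILES = [
    r"C:\src\Shop\Shop.Web\Controllers\LoginController.cs",
    r"C:\src\Shop\Shop.Web\Models\User.cs",
    r"C:\src\Shop\Shop.Web\wwwroot\js\app.js",
    r"C:\src\Shop\Shop.Web\wwwroot\js\legacy\vendor.min.js",
    r"C:\src\Shop\Shop.Tools\Scripts\deploy.ps1",
    r"C:\src\Shop\README.md",
]

# Extensions treated as source code (example's choice; extend to match your scan preset).
SOURCE_SUFFIXES = {".cs", ".js", ".ts", ".ps1", ".sql", ".java", ".py"}


def normalize(path):
    """Canonical form for comparison: Windows paths are case-insensitive."""
    return str(PureWindowsPath(path)).lower()


def parse_files_to_analyze(text):
    """Set of normalized paths listed in FilesToAnalyze.txt (blank lines ignored)."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def unscanned_source_files(project_files, files_to_analyze_text):
    """Source files in the project that Sonar did not analyze, sorted."""
    analyzed = parse_files_to_analyze(files_to_analyze_text)
    missing = [
        f for f in project_files
        if PureWindowsPath(f).suffix.lower() in SOURCE_SUFFIXES
        and normalize(f) not in analyzed
    ]
    return sorted(missing)


def load_files_to_analyze(project_dir):
    """Read every FilesToAnalyze.txt under {project}\\.sonarqube\\out and join them."""
    out_dir = Path(project_dir) / ".sonarqube" / "out"
    parts = [p.read_text(encoding="utf-8-sig") for p in out_dir.glob("*/FilesToAnalyze.txt")]
    return "\n".join(parts)


def walk_project(project_dir):
    """All regular files under the project, as absolute path strings."""
    root = Path(project_dir)
    return [str(p) for p in root.rglob("*") if p.is_file()]


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real project: python check_scope.py C:\src\Shop
        project = sys.argv[1]
        skipped = unscanned_source_files(walk_project(project), load_files_to_analyze(project))
    else:                   # no argument: run on the constructed sample data
        skipped = unscanned_source_files(SAMPLE_PROJECT_FILES, SAMPLE_FILES_TO_ANALYZE)
    print(f"{len(skipped)} source file(s) outside the SonarQube scan scope:")
    for f in skipped:
        print("  ", f)
```

Run it with a project directory as the single argument after a Sonar MSBuild scan; without arguments it works on the embedded sample data. Paths are compared case-insensitively with normalized separators, because the MSBuild scanner may write them in a different case than the file system returns.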
Checkmarx and SonarQube differ in what is considered a new vulnerability. New vulnerabilities in Checkmarx are determined by the Checkmarx server results, whereas new vulnerabilities in SonarQube are determined by SonarQube's own logic. Therefore, a vulnerability that SonarQube reports as new may never appear as new in the Checkmarx results, and vice versa.
Checkmarx vulnerability severity results (Blocker, Critical, etc.) cannot be changed via SonarQube. If you want to change these results, you need to change them on the Checkmarx server in the code viewer; the results are then updated in SonarQube accordingly.
The plugin may produce multiple .xml reports in every SonarQube scan. If the project is large or SonarQube scans run frequently, the system may run out of disk space; it is therefore recommended to periodically clear the Results folder at <local disc>:\CxReports.
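One way to do that periodic clean-up, as an added example that is not Checkmarx's own tooling: delete the plugin's .xml reports older than a retention period, defaulting to a dry run so the selection can be reviewed first. The CxReports folder and the .xml file pattern come from the note above; the 30-day retention, the dry-run default, the recursive search and the sample files built in `demo()` are this example's assumptions.

```python
"""
Added example, not Checkmarx's own tooling: age-based cleanup of the plugin's
.xml reports in the CxReports Results folder.  The folder path and file
pattern come from the documentation's note; the retention period, dry-run
default and sample files are this example's assumptions.
"""
import os
import sys
import tempfile
import time
from pathlib import Path

DAY = 86400


def stale_reports(results_dir, max_age_days, now=None):
    """Sorted list of .xml reports under results_dir older than max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    return sorted(
        p for p in Path(results_dir).rglob("*.xml")
        if p.is_file() and p.stat().st_mtime < cutoff
    )


def prune_reports(results_dir, max_age_days=30, dry_run=True, now=None):
    """Delete stale reports (unless dry_run) and return the names of those selected."""
    selected = stale_reports(results_dir, max_age_days, now)
    for p in selected:
        if not dry_run:
            p.unlink()
    return [p.name for p in selected]


def demo():
    """Build a constructed Results folder and exercise dry run, then real deletion.

    Returns (dry_run_selection, deleted, remaining) so the behaviour can be checked.
    """
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample reports: two old, one fresh, one non-report file.
        ages = {"scan_001.xml": 45 * DAY, "scan_002.xml": 31 * DAY,
                "scan_003.xml": 2 * DAY, "notes.txt": 90 * DAY}
        for name, age in ages.items():
            f = root / name
            f.write_text("<report/>")
            os.utime(f, (now - age, now - age))   # back-date the file
        dry = prune_reports(root, max_age_days=30, dry_run=True, now=now)
        still_there = sorted(p.name for p in root.iterdir())   # dry run deletes nothing
        assert still_there == sorted(ages)
        deleted = prune_reports(root, max_age_days=30, dry_run=False, now=now)
        remaining = sorted(p.name for p in root.iterdir())
    return dry, deleted, remaining


if __name__ == "__main__":
    # Usage: python prune_cxreports.py C:\CxReports [days] [--delete]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    if args:
        target = args[0]
        days = int(args[1]) if len(args) > 1 else 30
        removed = prune_reports(target, days, dry_run="--delete" not in sys.argv)
        print(f"{len(removed)} report(s) older than {days} days selected")
    else:
        print(demo())
```

Without `--delete` the script only lists what it would remove; schedule it with `--delete` once the retention period has been agreed, and keep the period longer than the interval at which the SonarQube dashboard is expected to re-read reports.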
[Supported languages table: Pre-installed languages | Additional languages (Free Downloads / To be purchased); language entries not recovered]