Skip to main content

Configuring a Project for the Checkmarx SonarQube Plugin

Generally the SonarQube workflow is organized accordingly and uses the concept of the SonarQube 'project' with 'scan' to configure and order the actions in the workflow. The outcome of this flow will be quality measures and issues (vulnerabilities). In our case, the flow includes Checkmarx scan results, and once the SonarQube execution is complete, the Checkmarx scan results can be viewed in SonarQube as explained below:

  1. Log into your SonarQube account, in most cases the Projects List screen appears. If the Projects List screen is not displayed, select Projects from the menu bar.

  2. To configure an existing project, select a project from the list, for example Cx-Client-Common. The Project screen is displayed.

  3. Under Project Settings 6252497960.png, select Checkmarx. The Checkmarx Configuration screen is displayed.

  4. Define the Checkmarx Configuration parameters as outlined in the table below.

  5. Click <Save> to save the changes when done. You can now run the SonarQube scan according to your current development procedure. Refer to Analyzing Source Code in the SonarQube Documentation for further information and instructions.



Server URL

Checkmarx Server URL or IP address with or without port, e.g., http://server-name, https://ip:port.


Enter a login username.


Enter a login password.

<Test Connection>

Click and wait until the server URL and the credentials are validated and the Success status is indicated.

Checkmarx Project

Select the relevant project from the available projects drop-down. The selected project must be an active CxSAST project with the current scan results. Search the Checkmarx configuration page by entering the project name or part of a project name.

Remediation effort (mins) per Checkmarx Vulnerability

Define the amount of effort (in minutes) required to fix a vulnerability (0 = no effort).


On the Checkmarx project configuration page, for projects that are not yet scanned, Invalid Date will be displayed instead of the actual analysis date because of an internal issue with SonarQube versions 9.6 to 10.1. See here for more details.