Skip to main content

Configuring GitHub Integration (v9.0.0 and up)


  • These instructions apply to CxSAST 9.0 HF14 and up.

  • For CxSAST 9.2, these instructions apply to HF7 and up.

As a prerequisite, you have to first install and configure Git (please refer to Installing and Configuring Git (v8.6.0 and up). You also need access to a GitHub account:


  • GitHub no longer supports basic authentication, which means that that a personal access token is now required. For additional information, refer to the relevant GitHub notice.

  • These instructions assume that you have a repository on the GitHub site and that you created a personal access token. To create a personal access token, refer to the instructions on the GitHub site.

  • Refer to Adding SSH Key to GitHub and GitHub Webhooks for instructions on adding an SSH Key to GitHub and verifying that a webhook was created.

1. Open the Source Control and proceed according to the steps for setting a GIT repository and choosing a branch to be scanned on the interface.

2. From the dropdown list, select GIT.

3. Under Repository URL, enter the URL of your repository on the GitHub site.

4. Under Authentication, select Personal Token.

5. Enter your personal token and click <Test Connection> to verify that the connection is established.

6. Check GitHub Scan Automation (webhook). You are asked to re-enter your personal token to validate the webhook credentials.

7. Re-enter the token where required and then click <Validate Webhook Credentials>. The credentials are validated.


8. Enter the GitHub repository owner and collaborator credentials into the relevant User Name and Password fields.


  • The GitHub user with repository owner authorization is used for creating and using a GitHub WebHook (see GitHub Webhooks).

  • The GitHub user with repository collaborator authorization is used to create commit comments.

9. Configure the Event threshold. A scan in Checkmarx CxSAST will be initiated only after this number of events (commits) has occurred, since the last triggered scan.


By default, the event threshold value is set to 5, because triggering a scan after fewer events may overload the system. If the user specifies a lower number, a warning message is displayed.

10. Click Validate Webhook Credentials to confirm that the authentication to the GitHub webhooks works correctly. A 'Server Connection Verified Successfully' message is displayed.

11. Click <OK> to complete the procedure.