Setting up Integration with ThreadFix through CxSAST
You can integrate CxSAST with Threadfix enabling CxSAST to automatically initiate a scan and push the scan results to ThreadFix.
To set up the integration with ThreadFix through CxSAST:
Install Python 3.5.1 on the Checkmarx server.
Install the Python requests library (pip install requests from the command line).
Create an API Key in ThreadFix. To do so, go to User > Adminsitration > API Keys.
Click <Create New Key>.
Click <Create Key>.
Edit the files Push.py and Push_to_threadfix.bat in your Checkmarx executable folder (i.e., C:\Program Files\Checkmarx\Executables or C:\Program Files (x86)\Checkmarx\Executables) as follows:
Set the value of the EXECUTABLE variable to your configuration (i.e., C:\Program Files (x86)\Checkmarx\Executables ).
Set the value of the PYTHON variable to your configuration (i.e., C:\Users\Administrator\AppData\Local\Programs\Python\Python35\python ).
Edit Push_to_threadfix.bat and change the following:
Set the value of the EXECUTABLE variable to your configuration (i.e., C:\Program Files (x86)\Checkmarx\Executables ).
Set the value of the PYTHON variable to your configuration (i.e., C:\Users\Administrator\AppData\Local\Programs\Python\Python35\python ).
Edit Push.py and change the following:
Set the value of the TFURI variable to your configuration (i.e., TFURI=”http://threadfixurl:8080/threadfix/rest/”, if ThreadFix runs on port 8080).
Set the value of the TFAPIKEY variables to your configuration (i.e., add the new API key).
Create a Post Scan Action in Checkmarx – Go to Management > Scan Settings > Pre & Post Scan Actions.
Create a New Action and populate according to the example below.
Click <Create>.
You can set this new Post Scan Action to any new or existing CxSAST project.
Notice
Checkmarx automatically creates Team and Application in ThreadFix if they do not already exist. The Application name and Team name in ThreadFix are equal to the Project name and Team name in Checkmarx.