Checkmarx - V 1
What is Checkmarx?
Checkmarx enables you to run a series of scanners on each of your projects, each identifying risks affecting different aspects of your software development and deployment.
Checkmarx's core functionalities, such as integration with CI/CD and IDEs, policy configuration, and triaging of results, are available across all scanners. The platform is designed for the cloud development generation and is delivered from the cloud. It secures your entire codebase, enabling you to deliver and deploy more secure code.
Pipeline Integration
Checkmarx scans will be performed each time a pipeline is run. A link to the scan results will be available in the 'Checkmarx' stage within the 'Security' job of the pipeline. The link will also be available in the 'Extensions' tab of the pipeline run.
Pipeline Blocking Policy
Currently (as of April 17, 2025)
Pipelines are running Checkmarx scans; however, the results are not yet available to developers. The Checkmarx stage within the pipeline will show a green status regardless of the scan result or the vulnerabilities found.
At a future date
If a vulnerability is found that meets the policy conditions, the pipeline will throw an orange warning. This warning will not impact the pipeline. You will still be able to deploy to production. Please use this time to resolve these vulnerabilities.
At a later future date
If a vulnerability is found that meets the policy conditions, it must be resolved within a given time (see the chart below). Once this Pipeline Blocking SLO has been reached for any given vulnerability, the pipeline will throw a red error. This error will still allow you to deploy to sub-prod environments to test and patch the vulnerabilities; however, the pipeline will not permit production deployment until the offending vulnerabilities are resolved.
Severity | SNOW Ticket Created? | Remediation SLO | Pipeline Blocking SLO |
---|---|---|---|
CRITICAL - ZERO DAY | YES | Immediate | Immediate |
CRITICAL | YES | 15 Days | 30 Days |
HIGH | YES | 30 Days | 60 Days |
MEDIUM | YES | 90 Days | N/A |
LOW | YES | 180 Days | N/A |
Subject to change
The pipeline blocking policy is subject to change. We are still working closely with the Global Security Team and senior leadership to determine the policy. We will update this document when the policy is finalized. Please check this document again at a later date.
Custom Repos
The pipeline integration is enabled for pipeline versions v4.5 and above. Repositories that use our CloudOne pipeline will automatically create an associated project in Checkmarx. If you would like to scan a repo that is not managed by our CloudOne pipeline, please specify the project name in the format of "<3-letter>/<repo_name>" (see the 'Applications and Projects' section below).
Login
- Navigate to: https://us.ast.checkmarx.net/
- If prompted for the tenant, use 'netapp'
- At the login page, there is no need to fill out the username & password fields. Instead, click the "NetApp SSO" button at the bottom of the login form.
Applications and Projects
Checkmarx uses the terms "Applications" and "Projects". Each 3-letter appcode will have its own "Application" in Checkmarx, and each repository will have its own "Project" in Checkmarx. The Project name will be in the format "<3-letter>/<repo_name>". Within each project, you will see results for multiple scan types (SCA, SAST, Container, etc.).
Viewing scan results
IDE Integration
Triaging Security Results
Note: To mark a 'false positive', please set the state to 'Not Exploitable'.
- Triaging SAST Results
- Triaging SCA Results
- Triaging IaC Security Results
- Triaging Container Security Results
Contact
If you run into any issues or have questions, please open an INC ticket assigned to ITSO > CloudOne DevOps L3