Configure Checkmarx scans on your pipeline

  • Release version: Zurich
  • Updated March 12, 2026
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configure Checkmarx scans on your pipeline

    This guide explains how to integrate Checkmarx security scans within your CI/CD pipelines using Azure DevOps, Jenkins, GitHub Actions, GitLab, or Harness. Incorporating these scans into your pipeline stages enables automatic retrieval of scan details into ServiceNow DevOps Change Velocity, facilitating centralized security management and visibility.

    Show full answer Show less

    Key Features

    • Pipeline Integration: Supports adding Checkmarx scans at any pipeline stage across various orchestration tools.
    • Custom Action Code: Required for Azure DevOps, GitHub Actions, and Checkmarx SAST on Jenkins; optional for Jenkins pipelines with existing Checkmarx One scans.
    • Multiple Checkmarx Products: Supports both Checkmarx SAST and Checkmarx One with tailored configuration parameters.
    • Tool-Specific Configuration:
      • Azure DevOps: Modify pipeline YAML to include the ServiceNow DevOps Security Results task with appropriate scanner and project details.
      • Jenkins: Use Pipeline Syntax to generate and insert the snDevOpsSecurityResult step with required security attributes.
      • GitHub Actions: Add the ServiceNow DevOps Security Results custom action from GitHub Marketplace with secrets for authentication and scanner metadata.
      • GitLab: Configure via a generic Docker container image or follow the GitLab integration topic for detailed steps.
      • Harness: Use the generic Docker container image with a custom stage that runs the sndevopscli command, passing pipeline and scan metadata.

    Key Outcomes

    • Enables automated security scanning within existing CI/CD workflows, improving security posture without disrupting development velocity.
    • Facilitates seamless transmission of scan results into ServiceNow DevOps Change Velocity for enhanced tracking and remediation.
    • Supports flexible configuration to fit various pipeline orchestration tools and Checkmarx products.
    • Provides clear instructions and code snippets/templates for quick implementation by DevOps teams.

    Configure Checkmarx scans on your Azure DevOps, Jenkins, GitHub, GitLab, or Harness pipelines.

    You can configure Checkmarx scans on any stage of the pipeline and the scan details are retrieved from the corresponding stage to DevOps Change Velocity. If you’re using Azure DevOps or GitHub Actions orchestration tools, then you must add the custom action code in your pipeline always. If you’re using Jenkins, and your pipeline already has a Checkmarx One security scan (checkmarxASTScanner) step, you don’t have to add the custom action code in your pipeline. For Checkmarx SAST, the custom action code must be added in your pipeline even if it has the security scan step (checkmarxASTScanner).

    If you want to configure Checkmarx for the GitLab tool, you can either use the generic Docker container image to add the Checkmarx security step or perform the steps specified in the Integrate security tools with GitLab topic.

    For Harness pipelines, you can configure Checkmarx scans only through the generic Docker Container Image. For more information, see Implement custom actions for pipelines using a generic Docker container image.

    1. Navigate to the step in your pipeline and add the custom action.
      Azure DevOps
      1. Navigate to your pipeline .yml file.
      2. In the Tasks section on the right side, search for the ServiceNow DevOps Security Results extension task.
      3. Enter the ServiceNow endpoint.
      4. Enter the Security results attributes as the following.
        • Checkmarx SAST
          - task: ServiceNow-DevOps-Build-Security-Results@1
    inputs:
      connectedServiceName: "" # ServiceNow DevOps Change Velocity Service Connection
      securityResultAttributes: |
        {"scanner": "Checkmarx SAST",  "projectId": "", "securityToolId": ""}
      # scanner: Scanning tool and is required e.g. Checkmarx SAST.
      # projectId: Id of your Checkmarx SAST project and is required. This attribute is applicable only for Checkmarx SAST.
      # securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool) and is optional.
        • Checkmarx One
          - task: ServiceNow-DevOps-Build-Security-Results@1
    inputs:
      connectedServiceName: "" # ServiceNow DevOps Change Velocity Service Connection
      securityResultAttributes: |
        {"scanner": "Checkmarx One", "projectName": "", "projectId": "", "scanId": "", "securityToolId": ""}
      # scanner: Scanning tool and is required e.g. Checkmarx One.
      # projectName: Name of your Checkmarx One project and is required. This attribute is applicable only for Checkmarx One.
      # projectId: Id of your Checkmarx One project and can be used instead of projectName field. This attribute is applicable only for Checkmarx One.
      # scanId: Checkmarx One scan id and is optional. This attribute is applicable only for Checkmarx One.
      # securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool) and is optional.
      5. Select Add to add the custom action code to your pipeline.
      Jenkins
      1. Navigate to the Pipeline Syntax from a configured pipeline.
      2. Select the snDevOpsSecurityResult step from the Sample Step list, and update the values for the security scan attributes in the step.
      3. Select Generate Pipeline Script to create a snippet. You can copy and paste the snippet into the pipeline.
        • Checkmarx SAST
          snDevOpsSecurityResult securityResultAttributes: '{"scanner": "Checkmarx SAST", "projectId": "", "securityToolId": ""}'
// scanner: Scanning tool and is required e.g. Checkmarx SAST.
// projectId: Id of your Checkmarx SAST project and is required. This attribute is applicable only for Checkmarx SAST.
// securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool) and is optional.
        • Checkmarx One
          snDevOpsSecurityResult securityResultAttributes: '{"scanner": "Checkmarx One", "projectName": "", "projectId": "", "scanId": "", "securityToolId": ""}'
// scanner: Scanning tool and is required e.g. Checkmarx One.
// projectName/projectId: Name/Id of your Checkmarx One project and is required. This attribute is applicable only for Checkmarx One.
// scanId: Checkmarx One scan id and is optional. This attribute is applicable only for Checkmarx One.
// securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool) and is optional.
      GitHub Actions
      1. Navigate to your workflow .yml file.
      2. In the Marketplace section on the right side, search for the ServiceNow DevOps Security Results custom action.
      3. Add the following snippet into your .yml file.
        • Checkmarx SAST
          ServiceNowSecurityScanResults:
    # jobs that must complete successfully before this job will run
    needs: build
    # type of machine to run the job on
    runs-on: ubuntu-latest
    name: ServiceNow Security Scan Results
    steps:
      - name: ServiceNow DevOps Security Results
        uses: ServiceNow/servicenow-devops-security-result@v3.0.0
        with:
            # Devops Integration User Name
            devops-integration-user-name: ${{ secrets.SN_DEVOPS_USER }}
            # Devops Integration User Password
            devops-integration-user-password: ${{ secrets.SN_DEVOPS_PASSWORD }}
            # ServiceNow Instance URL
            instance-url: ${{ secrets.SN_INSTANCE_URL }}
            # Orchestration Tool Id
            tool-id: ${{ secrets.SN_ORCHESTRATION_TOOL_ID }}
            # GitHub Context
            context-github: ${{ toJSON(github) }}
            # Display Name of the Job
            job-name: 'ServiceNow Security Scan Results'
            security-result-attributes: '{"scanner": "Checkmarx SAST", "projectId": "", "securityToolId": ""}'
            # scanner: Scanning tool and is required e.g. Checkmarx SAST.
            # projectId: Id of your Checkmarx SAST project and is required. This attribute is applicable only for Checkmarx SAST.
            # securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool) and is optional.
        • Checkmarx One
          ServiceNowSecurityScanResults:
    # jobs that must complete successfully before this job will run
    needs: build
    # type of machine to run the job on
    runs-on: ubuntu-latest
    name: ServiceNow Security Scan Results
    steps:
      - name: ServiceNow DevOps Security Results
        uses: ServiceNow/servicenow-devops-security-result@v3.0.0
        with:
            # Devops Integration User Name
            devops-integration-user-name: ${{ secrets.SN_DEVOPS_USER }}
            # Devops Integration User Password
            devops-integration-user-password: ${{ secrets.SN_DEVOPS_PASSWORD }}
            # ServiceNow Instance URL
            instance-url: ${{ secrets.SN_INSTANCE_URL }}
            # Orchestration Tool Id
            tool-id: ${{ secrets.SN_ORCHESTRATION_TOOL_ID }}
            # GitHub Context
            context-github: ${{ toJSON(github) }}
            # Display Name of the Job
            job-name: 'ServiceNow Security Scan Results'
            security-result-attributes: '{"scanner": "Checkmarx One", "projectName": "", "projectId": "", "scanId": "", "securityToolId": ""}'
            # scanner: Scanning tool and is required e.g. Checkmarx One.
            # projectName/projectId: Name/Id of your Checkmarx One project and is required. This attribute is applicable only for Checkmarx One.
            # scanId: Checkmarx One scan id and is optional. This attribute is applicable only for Checkmarx One.
            # securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool) and is optional.
      For more information, see GitHub marketplace.
      Harness Run the generic Docker Container Image to use the following script. For more information, see Implement custom actions for pipelines using a generic Docker container image.
      - stage:
    name: ServiceNow DevOps Security Result
    identifier: Security
    description: ""
    type: Custom
    spec:
      execution:
        steps:
          - stepGroup:
              name: Security
              identifier: Security
              steps:
                - step:
                    type: Run
                    name: ServiceNow DevOps Security Result
                    identifier: ServiceNow_DevOps_Security_Result
                    spec:
                      connectorRef: docker_hub_connector_for_harness
                      image: servicenowdocker/sndevops:5.0.0
                      shell: Sh
                      command: |-
                        sndevopscli create securityScan -p  

                        "{"pipelineInfo":{
                            "buildNumber":"<+stage.nodeExecutionId>",
                            "taskExecutionUrl":"<+pipeline.executionUrl>?stage=<+stage.nodeExecutionId>", 
                            "orchestrationPipeline":"<+org.identifier>/<+project.identifier>/<+pipeline.name>" 
                          },
                          "securityResultAttributes":{
				"scanner":"Veracode",
				"applicationName":"",
				"buildVersion":"",
				"securityToolId":""
                          }
                        }"
                      envVariables:
                        SNOW_URL: <+variable.SNOW_URL>
                        SNOW_TOOLID: <+variable.SNOW_TOOLID>
                        SNOW_TOKEN: <+variable.SNOW_TOKEN>
              stepGroupInfra:
                type: KubernetesDirect
                spec:
                  connectorRef: kubernates_connector
                  namespace: harness-delegate-ng
    tags: {}
    2. Run the pipeline to retrieve the security scan results.