Onboard Checkmarx to DevOps Change Velocity - Workspace
Connect to your Checkmarx instance using the DevOps Change Workspace playbook.
Before you begin
Complete the tasks specified in the Getting started with DevOps Change Velocity topic.
Role required: sn_devops.admin or sn_devops.tool_owner
Procedure
- Navigate to Workspaces > DevOps Change Workspace and use one of the following options to open the playbook to onboard Checkmarx.
  Homepage:
  - Select the Connect tools widget.
  - On the Connect to a tool modal, select Checkmarx One or Checkmarx SAST from the Security category.
  Applications module:
  - Select Applications.
  - Select an existing application, or create one. To create an application, see Create an application - Classic.
  - From the Recommended actions pane, select the Connect a tool card.
  - On the Connect to a tool modal, select Checkmarx One or Checkmarx SAST from the Security category.
  Tools module:
  - Select Tools.
  - From the Capability list, select Security.
  - Select Connect a tool.
  - On the Connect to a tool modal, select Checkmarx One or Checkmarx SAST.
- Enter a name to identify your tool and select Next.
- On the instance details playbook activity section, enter the following credentials based on whether you are connecting to Checkmarx One or Checkmarx SAST.
  Checkmarx SAST:
  - In the Server URL field, enter the server URL of the Checkmarx SAST instance.
  - In the API id field, enter the API ID of your Checkmarx SAST instance.
  - In the API key field, enter the API key of your Checkmarx SAST instance.
  Checkmarx One:
  - In the CheckmarxOne Access Control Base URL field, enter the Access Control base URL of your Checkmarx One instance.
  - In the CheckmarxOne API Base URL field, enter the API base URL of your Checkmarx One instance.
  - In the Tenant field, enter the name of the tenant of your Checkmarx One instance.
  - In the Client Id field, enter the client ID of your Checkmarx One instance.
  - In the Client Secret field, enter the client secret of your Checkmarx One instance.
  Ensure that your Checkmarx SAST user has a role with permissions to read Project and Scan Results, which are needed to retrieve summary details. Ensure that your Checkmarx One user has the create-scan and manage-project roles, which are needed to access scan summary details. For more information, see the Checkmarx documentation.
  - Select Connect and review the details of the successfully connected Checkmarx instance.
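The playbook only tells you whether the connection succeeded after you have entered the values. The following script is an added example (not ServiceNow or Checkmarx code) that lets you check the four Checkmarx One values, Access Control base URL, tenant, client ID and client secret, before you type them into the playbook, and that reports the outcome without writing the secret or the issued token to the console. It assumes that the Checkmarx One Access Control service issues OAuth2 tokens from a Keycloak-style endpoint at `<Access Control Base URL>/auth/realms/<tenant>/protocol/openid-connect/token` using the client_credentials grant; the environment variable names are chosen for this example.

```python
"""Pre-flight check for Checkmarx One client credentials (added example).

Assumption: the Access Control (IAM) base URL exposes a Keycloak-style
token endpoint, <base>/auth/realms/<tenant>/protocol/openid-connect/token,
and accepts the OAuth2 client_credentials grant.
"""
import json
import os
import urllib.parse
import urllib.request
from urllib.error import HTTPError, URLError


def token_url(access_control_base_url: str, tenant: str) -> str:
    """Build the token endpoint from the two playbook fields (assumed path)."""
    base = access_control_base_url.rstrip("/")
    realm = urllib.parse.quote(tenant, safe="")
    return f"{base}/auth/realms/{realm}/protocol/openid-connect/token"


def token_request_body(client_id: str, client_secret: str) -> bytes:
    """Form-encode the client_credentials grant exactly as it is sent."""
    return urllib.parse.urlencode(
        {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        }
    ).encode("utf-8")


def summarize_token_response(body: bytes) -> dict:
    """Reduce a token response to fields that are safe to log.

    The access token itself is deliberately dropped: the goal is to confirm
    that the credentials work, not to hand a bearer token to a log file.
    """
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(
            f"no access_token in response: {data.get('error', 'unknown error')}"
        )
    return {
        "ok": True,
        "token_type": data.get("token_type"),
        "expires_in": data.get("expires_in"),
    }


def check_checkmarx_one_credentials(
    access_control_base_url: str,
    tenant: str,
    client_id: str,
    client_secret: str,
    timeout: int = 15,
) -> dict:
    """Request a token and report success or failure without echoing the secret."""
    req = urllib.request.Request(
        token_url(access_control_base_url, tenant),
        data=token_request_body(client_id, client_secret),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return summarize_token_response(resp.read())
    except HTTPError as exc:
        # 400/401 here almost always means a wrong tenant, client ID or secret.
        return {"ok": False, "http_status": exc.code, "reason": str(exc.reason)}
    except URLError as exc:
        # DNS, TLS or connectivity failure: the base URL is wrong or this host
        # cannot reach the Checkmarx One Access Control service.
        return {"ok": False, "http_status": None, "reason": str(exc.reason)}


if __name__ == "__main__":
    # Environment variable names are chosen for this example; set them to the
    # values you intend to enter in the playbook and run the script.
    result = check_checkmarx_one_credentials(
        os.environ["CX_ACCESS_CONTROL_URL"],
        os.environ["CX_TENANT"],
        os.environ["CX_CLIENT_ID"],
        os.environ["CX_CLIENT_SECRET"],
    )
    print(result)
```

A result of `{"ok": True, ...}` means the tenant, client ID and secret are accepted by the Access Control base URL you supplied; an HTTP 400 or 401 points at one of those three fields, and a connection error points at the URL or at network reachability. The secret is passed only in the request body and never appears in the printed result.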
- Specify the access for the tool.
  - If you want to control access to the tool, add the groups that must be given access to the tool in the Maintained by field. The tasks that users in these groups can perform depend on the role assigned to them.
    - DevOps Tool Owner role: Can view and edit the tool.
    - DevOps App Owner role: Can view the tool and can associate, discover, import historical data, and modify pipeline steps (if applicable) of the tool's objects (such as plans, repositories, and pipelines).
    - DevOps Administrator role: Can edit all tools.
    - Other DevOps roles: Can view the tool.
    Note: If you don't select a group and skip this step, all users with the DevOps Tool Owner role will be able to edit the tool.
  - If you choose to control access to the tool, the All App Owners can view and associate tool objects to applications option becomes available for selection. This option enables all users having the DevOps App Owner role to access the tool. If selected, they'll be able to view, associate, discover, import historical data, and modify pipeline steps (if applicable) of the tool's objects.
  - Select Assign.
- If this isn't the first instance of the security tool you're onboarding, select the orchestration tool to associate with your security tool instance from the Associate orchestration tool instances playbook activity. This activity isn't displayed if this is the first security tool instance you're onboarding.
  Note: This playbook activity is required only if you're onboarding more than one security tool instance. When multiple security tool instances are onboarded in ServiceNow, you must associate only one of the security tool instances with any given orchestration tool or pipeline record.
- From the Add custom action to pipelines playbook activity section, copy the required custom action code and add it as a step in your pipeline.
  - If only one security instance is onboarded in ServiceNow, the pipelines will be automatically associated with Checkmarx when the pipeline is run.
  - If this is the first security tool instance you're onboarding, the custom action codes for the orchestration tools that you've onboarded in ServiceNow will be available to copy.
  - If you are using Azure DevOps or GitHub Actions orchestration tools, you must always add the custom action code to your pipeline.
  - You can configure Checkmarx scans on any stage of the pipeline; the scan details are retrieved from the corresponding stage into DevOps Change Velocity. If you're using Jenkins, and your pipeline already has a Checkmarx One security scan (checkmarxASTScanner) step, you don't have to add the custom action code to your pipeline. For Checkmarx SAST, the custom action code must be added to your pipeline even if it already has the security scan step (checkmarxASTScanner).
  - If this is not the first security tool instance you're onboarding, the custom action codes for the orchestration tools that you selected in the Associate orchestration tool instances playbook activity will be available to copy.
  - If you want to configure Checkmarx for the GitLab tool, you can either use the generic Docker container image to add the Checkmarx security step or perform the steps specified in the Integrate security tools with GitLab topic.
  - For Harness pipelines, you can configure Checkmarx scans only through the generic Docker container image. For more information, see Implement custom actions for pipelines using a generic Docker container image.
  - Alternatively, you can associate a pipeline with a specific security tool instance by adding the security tool ID to the custom action code. This overrides any previously associated security tool instance.
  - Mark the activity as complete.
- From the Summary page, select View tool record to review the details of the connected instance.