Configure Checkmarx scans on your pipeline

  • Release version: Washingtondc
  • Updated August 1, 2024

    Configure Checkmarx scans on your Azure DevOps, Jenkins, GitHub, GitLab, or Harness pipelines.

    You can configure Checkmarx scans on any stage of the pipeline; the scan details are retrieved from the corresponding stage and sent to DevOps Change Velocity. If you're using the Azure DevOps or GitHub Actions orchestration tools, you must always add the custom action code to your pipeline. If you're using Jenkins and your pipeline already has a Checkmarx One security scan (checkmarxASTScanner) step, you don't have to add the custom action code. For Checkmarx SAST, the custom action code must be added to your pipeline even if it already has the security scan step (checkmarxASTScanner).

    If you want to configure Checkmarx for the GitLab tool, you can either use the generic Docker container image to add the Checkmarx security step or perform the steps specified in the Integrate security tools with GitLab topic.

    For Harness pipelines, you can configure Checkmarx scans only through the generic Docker Container Image. For more information, see Implement custom actions for pipelines using generic Docker container image.

    1. Navigate to the step in your pipeline and add the custom action.
      Azure DevOps
      1. Navigate to your pipeline .yml file.
      2. In the Tasks section on the right side, search for the ServiceNow DevOps Security Results extension task.
      3. Enter the ServiceNow endpoint.
      4. Enter the security result attributes as follows.
        • Checkmarx SAST
          - task: ServiceNow-DevOps-Build-Security-Results@1
            inputs:
              connectedServiceName: "" # ServiceNow DevOps Change Velocity service connection
              securityResultAttributes: |
                {"scanner": "Checkmarx SAST", "projectId": "", "securityToolId": ""}
              # scanner: scanning tool (required), e.g. Checkmarx SAST.
              # projectId: ID of your Checkmarx SAST project (required). Applicable only to Checkmarx SAST.
              # securityToolId: sys_id of the security tool onboarded in ServiceNow (optional).
        • Checkmarx One
          - task: ServiceNow-DevOps-Build-Security-Results@1
            inputs:
              connectedServiceName: "" # ServiceNow DevOps Change Velocity service connection
              securityResultAttributes: |
                {"scanner": "Checkmarx One", "projectName": "", "projectId": "", "scanId": "", "securityToolId": ""}
              # scanner: scanning tool (required), e.g. Checkmarx One.
              # projectName: name of your Checkmarx One project (required unless projectId is given). Applicable only to Checkmarx One.
              # projectId: ID of your Checkmarx One project; can be used instead of projectName. Applicable only to Checkmarx One.
              # scanId: Checkmarx One scan ID (optional). Applicable only to Checkmarx One.
              # securityToolId: sys_id of the security tool onboarded in ServiceNow (optional).
      5. Select Add to add the custom action code to your pipeline.
      Jenkins
      1. Navigate to the Pipeline Syntax from a configured pipeline.
      2. Select the snDevOpsSecurityResult step from the Sample Step list, and update the values for the security scan attributes in the step.
      3. Select Generate Pipeline Script to create a snippet. You can copy and paste the snippet into the pipeline.
        • Checkmarx SAST
          snDevOpsSecurityResult securityResultAttributes: '{"scanner": "Checkmarx SAST", "projectId": "", "securityToolId": ""}'
          // scanner: scanning tool (required), e.g. Checkmarx SAST.
          // projectId: ID of your Checkmarx SAST project (required). Applicable only to Checkmarx SAST.
          // securityToolId: sys_id of the security tool onboarded in ServiceNow (optional).
        • Checkmarx One
          snDevOpsSecurityResult securityResultAttributes: '{"scanner": "Checkmarx One", "projectName": "", "projectId": "", "scanId": "", "securityToolId": ""}'
          // scanner: scanning tool (required), e.g. Checkmarx One.
          // projectName/projectId: name or ID of your Checkmarx One project (one of the two is required). Applicable only to Checkmarx One.
          // scanId: Checkmarx One scan ID (optional). Applicable only to Checkmarx One.
          // securityToolId: sys_id of the security tool onboarded in ServiceNow (optional).
      GitHub Actions
      1. Navigate to your workflow .yml file.
      2. In the Marketplace section on the right side, search for the ServiceNow DevOps Security Results custom action.
      3. Add the following snippet into your .yml file.
        • Checkmarx SAST
          ServiceNowSecurityScanResults:
              # jobs that must complete successfully before this job will run
              needs: build
              # type of machine to run the job on
              runs-on: ubuntu-latest
              name: ServiceNow Security Scan Results
              steps:
                - name: ServiceNow DevOps Security Results
                  uses: ServiceNow/servicenow-devops-security-result@v3.0.0
                  with:
                      # Devops Integration User Name
                      devops-integration-user-name: ${{ secrets.SN_DEVOPS_USER }}
                      # Devops Integration User Password
                      devops-integration-user-password: ${{ secrets.SN_DEVOPS_PASSWORD }}
                      # ServiceNow Instance URL
                      instance-url: ${{ secrets.SN_INSTANCE_URL }}
                      # Orchestration Tool Id
                      tool-id: ${{ secrets.SN_ORCHESTRATION_TOOL_ID }}
                      # GitHub Context
                      context-github: ${{ toJSON(github) }}
                      # Display Name of the Job
                      job-name: 'ServiceNow Security Scan Results'
                      security-result-attributes: '{"scanner": "Checkmarx SAST", "projectId": "", "securityToolId": ""}'
                      # scanner: scanning tool (required), e.g. Checkmarx SAST.
                      # projectId: ID of your Checkmarx SAST project (required). Applicable only to Checkmarx SAST.
                      # securityToolId: sys_id of the security tool onboarded in ServiceNow (optional).
        • Checkmarx One
          ServiceNowSecurityScanResults:
              # jobs that must complete successfully before this job will run
              needs: build
              # type of machine to run the job on
              runs-on: ubuntu-latest
              name: ServiceNow Security Scan Results
              steps:
                - name: ServiceNow DevOps Security Results
                  uses: ServiceNow/servicenow-devops-security-result@v3.0.0
                  with:
                      # Devops Integration User Name
                      devops-integration-user-name: ${{ secrets.SN_DEVOPS_USER }}
                      # Devops Integration User Password
                      devops-integration-user-password: ${{ secrets.SN_DEVOPS_PASSWORD }}
                      # ServiceNow Instance URL
                      instance-url: ${{ secrets.SN_INSTANCE_URL }}
                      # Orchestration Tool Id
                      tool-id: ${{ secrets.SN_ORCHESTRATION_TOOL_ID }}
                      # GitHub Context
                      context-github: ${{ toJSON(github) }}
                      # Display Name of the Job
                      job-name: 'ServiceNow Security Scan Results'
                      security-result-attributes: '{"scanner": "Checkmarx One", "projectName": "", "projectId": "", "scanId": "", "securityToolId": ""}'
                      # scanner: scanning tool (required), e.g. Checkmarx One.
                      # projectName/projectId: name or ID of your Checkmarx One project (one of the two is required). Applicable only to Checkmarx One.
                      # scanId: Checkmarx One scan ID (optional). Applicable only to Checkmarx One.
                      # securityToolId: sys_id of the security tool onboarded in ServiceNow (optional).
      For more information, see GitHub marketplace.
      Harness
      Run the generic Docker container image with the following script. For more information, see Implement custom actions for pipelines using generic Docker container image.
      - stage:
          name: ServiceNow DevOps Security Result
          identifier: Security
          description: ""
          type: Custom
          spec:
            execution:
              steps:
                - stepGroup:
                    name: Security
                    identifier: Security
                    steps:
                      - step:
                          type: Run
                          name: ServiceNow DevOps Security Result
                          identifier: ServiceNow_DevOps_Security_Result
                          spec:
                            connectorRef: docker_hub_connector_for_harness
                            image: servicenowdocker/sndevops:5.0.0
                            shell: Sh
                            command: |-
                              # The JSON payload is single-quoted so the shell passes it to
                              # sndevopscli as one argument; Harness substitutes the <+...>
                              # expressions before the shell runs the command.
                              sndevopscli create securityScan -p '{
                                "pipelineInfo": {
                                  "buildNumber": "<+stage.nodeExecutionId>",
                                  "taskExecutionUrl": "<+pipeline.executionUrl>?stage=<+stage.nodeExecutionId>",
                                  "orchestrationPipeline": "<+org.identifier>/<+project.identifier>/<+pipeline.name>"
                                },
                                "securityResultAttributes": {
                                  "scanner": "Checkmarx One",
                                  "projectName": "",
                                  "projectId": "",
                                  "scanId": "",
                                  "securityToolId": ""
                                }
                              }'
                              # securityResultAttributes takes the same keys as the Checkmarx One
                              # snippets above. For Checkmarx SAST use
                              # {"scanner": "Checkmarx SAST", "projectId": "", "securityToolId": ""}
                            envVariables:
                              SNOW_URL: <+variable.SNOW_URL>
                              SNOW_TOOLID: <+variable.SNOW_TOOLID>
                              SNOW_TOKEN: <+variable.SNOW_TOKEN>
                    stepGroupInfra:
                      type: KubernetesDirect
                      spec:
                        connectorRef: kubernates_connector
                        namespace: harness-delegate-ng
          tags: {}
    2. Run the pipeline to retrieve the security scan results.
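    The attribute rules that the snippets above repeat in their comments (projectId required for Checkmarx SAST; projectName or projectId required for Checkmarx One; scanId and securityToolId optional and applicable only to Checkmarx One) are easy to get wrong when the JSON is hand-edited in a pipeline file, and a malformed string only surfaces when the security-result step fails at run time. The following Python script is an added example, not ServiceNow's or Checkmarx's code: it checks a securityResultAttributes string against those rules before the pipeline uses it and builds the Harness `-p` payload from the validated attributes. The function names, the rule table and the sample values are constructed for illustration.

```python
"""Validate securityResultAttributes for the ServiceNow DevOps security-result step.

Added example (not ServiceNow or Checkmarx code). The required/optional rules
are those stated in the attribute comments of the pipeline snippets; helper
names and sample inputs are constructed for illustration.
"""
import json

# Per-scanner attribute rules, as documented in the snippet comments:
#   required: every listed key must be present and non-empty
#   one_of:   at least one key in each group must be non-empty
#   optional: may be present, may be empty
SCANNER_RULES = {
    "Checkmarx SAST": {
        "required": {"projectId"},
        "one_of": (),
        "optional": {"securityToolId"},
    },
    "Checkmarx One": {
        "required": set(),
        "one_of": ({"projectName", "projectId"},),
        "optional": {"scanId", "securityToolId"},
    },
}


def validate_security_result_attributes(raw: str) -> list[str]:
    """Return the problems found in the attribute string (empty list means OK).

    `raw` is exactly what goes into securityResultAttributes /
    security-result-attributes: a JSON object encoded as text.
    """
    problems: list[str] = []
    try:
        attrs = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(attrs, dict):
        return ["attributes must be a JSON object"]

    scanner = attrs.get("scanner", "")
    rules = SCANNER_RULES.get(scanner)
    if rules is None:
        return [f"unknown or missing scanner: {scanner!r} "
                f"(expected one of {sorted(SCANNER_RULES)})"]

    def filled(key: str) -> bool:
        value = attrs.get(key)
        return isinstance(value, str) and value.strip() != ""

    for key in sorted(rules["required"]):
        if not filled(key):
            problems.append(f"{scanner}: required attribute {key!r} is missing or empty")

    for group in rules["one_of"]:
        if not any(filled(k) for k in group):
            problems.append(f"{scanner}: one of {sorted(group)} must be set")

    # Keys that belong to the other scanner (e.g. scanId on a SAST entry) are
    # flagged, since the page marks them as applicable to one scanner only.
    allowed = {"scanner"} | rules["required"] | rules["optional"]
    for group in rules["one_of"]:
        allowed |= group
    for key in sorted(set(attrs) - allowed):
        problems.append(f"{scanner}: attribute {key!r} is not applicable to this scanner")

    return problems


def build_security_scan_payload(pipeline_info: dict, raw_attrs: str) -> str:
    """Build the JSON passed to `sndevopscli create securityScan -p` in the
    Harness step, refusing to build it when the attributes are invalid."""
    problems = validate_security_result_attributes(raw_attrs)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {"pipelineInfo": pipeline_info,
               "securityResultAttributes": json.loads(raw_attrs)}
    return json.dumps(payload, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample inputs: the page's templates with values filled in,
    # left empty, or mixed up between scanners.
    samples = {
        "SAST ok": '{"scanner": "Checkmarx SAST", "projectId": "12345", "securityToolId": ""}',
        "SAST missing projectId": '{"scanner": "Checkmarx SAST", "projectId": "", "securityToolId": ""}',
        "SAST with One-only key": '{"scanner": "Checkmarx SAST", "projectId": "1", "scanId": "x"}',
        "One ok by name": '{"scanner": "Checkmarx One", "projectName": "payments-api", "projectId": "", "scanId": "", "securityToolId": ""}',
        "One neither name nor id": '{"scanner": "Checkmarx One", "projectName": "", "projectId": "", "scanId": "", "securityToolId": ""}',
        "bad JSON": "{'scanner': 'Checkmarx One'}",
    }
    for label, raw in samples.items():
        result = validate_security_result_attributes(raw)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
    print(build_security_scan_payload({"buildNumber": "42"}, samples["SAST ok"]))
```

    Run it once with the attribute string you intend to paste into the pipeline, or call `validate_security_result_attributes` from a pre-flight step so the pipeline fails early with a readable reason instead of a rejected security-result upload.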