
Checkmarx One Vulnerability Integration with ServiceNow

The Vulnerability Response Integration with Checkmarx One uses data imported from the Checkmarx One platform to help identify, prioritize, and track vulnerabilities in the code, its dependencies, and environment.

Requesting Apps from the ServiceNow Store

Navigate to the ServiceNow Store for all the available apps and information about submitting requests to the store.

Checkmarx One Vulnerability Integration

Important

In ServiceNow, only one AVIT is created per SimilarityID: findings that share a SimilarityID across scans are consolidated into a single Application Vulnerable Item rather than one record per scan.

The Checkmarx One platform scans for vulnerabilities across multiple engines: SAST, SCA, IaC, Container Security, API Security, Secret Detection, and OSSF Scorecard. The integration imports these findings into the ServiceNow Vulnerability Response module and uses the Application Vulnerability Response (AVR) feature to represent the imported third-party findings as Application Vulnerable Items (AVITs).

The integrations are run by a set of scheduled jobs. The first job in the chain is scheduled to run daily, and each following job is triggered on demand when the preceding one completes; the schedule can be changed to a daily, weekly, or custom interval. The jobs are chained to execute in a fixed sequence to preserve data integrity, and you can also run them manually to trigger an on-demand synchronization. This keeps your ServiceNow instance aligned with the latest vulnerability data from Checkmarx One and simplifies the remediation lifecycle.

Checkmarx One Vulnerability Integrations

The data import is handled by a chain of four scheduled integrations that run in a fixed sequence to preserve data integrity. By default the chain runs automatically once a day; you can also start it manually for an on-demand synchronization.

Each integration job has a Start Time field. This field acts as a watermark: the job processes only data (projects, scans, or vulnerabilities) created or updated in Checkmarx One after the specified time. After each successful run, the Start Time is automatically set to that run's completion time, so the next run fetches only new data. Because the field is advanced only after a successful run, a failed run resumes from the same point on the next execution. Conversely, if you move the Start Time forward by hand, any scans completed before the new value are never imported.

To view the Checkmarx One vulnerability integration, navigate to Checkmarx One Vulnerability Integration > Integrations.

The integrations included in the base system are:

Important

Integration Sequence: These integrations are co-dependent and must run in the correct sequence (Application List → Scan Summary → Vulnerable Items → AVIT Closure). Running them out of order or manually modifying their chaining logic requires advanced expertise and can lead to incomplete or inaccurate vulnerability data.

Data Flow Direction: This integration is a one-way synchronization from Checkmarx One to ServiceNow. State changes, comments, or triage actions made in ServiceNow (such as marking an AVIT as a False Positive or requesting an exception) are not written back to the Checkmarx One platform. Perform all triage and remediation state management in the system you designate as your primary source of truth.

Integration Flow:

  1. Checkmarx One Application List Integration: Finds Projects

  2. Checkmarx One Scan Summary Integration: Finds Scans for those Projects

  3. Checkmarx One Vulnerable Items Integration: Imports Vulnerabilities from those Scans

  4. Checkmarx One AVIT Closure Integration: Closes Vulnerabilities No Longer Present in Latest Scans

To view data in third-party vulnerabilities, see View Vulnerability Libraries.

  • Checkmarx One Application List Integration

    • Purpose: This is the first job in the chain. It discovers which projects to track in ServiceNow.

    • How it Works: It queries the Checkmarx One API and retrieves any projects created after the Start Time specified on this integration record. It then creates or updates corresponding records in the Application Release (sn_vul_app_release) table in ServiceNow.

    • Default State: Active and scheduled to run daily.

  • Checkmarx One Scan Summary Integration

    • Purpose: This job runs immediately after the Application List integration is complete. It finds the relevant scans for the projects discovered in the previous integration.

    • How it Works: It retrieves summary information for scans completed after the Start Time. The logic for which scan is considered "latest" is determined by the Scan Synchronization field on the Configuration page (e.g., latest across all branches, or the latest from each branch). This data populates the Application Vulnerability Scan Summaries (sn_vul_app_vul_scan_summary) table.

    • Default State: Active and On Demand (triggered by completing the Application List Integration).

  • Checkmarx One Application Vulnerable Item Integration

    • Purpose: This job imports the vulnerability findings from the scans identified in the previous integration.

    • How it Works: It retrieves all vulnerability details from the relevant scans. It creates a new Application Vulnerable Item (AVIT) for each new finding (one per SimilarityID) and updates the state of existing ones, populating the Application Vulnerable Item (sn_vul_app_vulnerable_item) table. Like the other jobs, it respects the Start Time so that it only processes recent scans.

    • Default State: Active and On Demand (triggered by completing the Scan Summary Integration).

  • Checkmarx One AVIT Closure Integration

    • Purpose: This is the final job in the chain that handles the automatic closure of Application Vulnerable Items (AVIT) that are no longer present in the latest scans.

    • How it Works: It determines the reference scans from the Scan Synchronization configuration (latest across all branches, latest from each branch, or latest from the primary branch) and automatically closes any AVIT not found in those scans by setting its state to "Closed" and its source remediation status to "FIXED". Because the closure decision depends on which scans are treated as the reference, review the Scan Synchronization setting before enabling this job: with "latest across all branches", a finding that is still present on one branch but absent from the most recent scan of another branch is closed.

    • Default State: Active and On Demand (triggered by completing the Application Vulnerable Item Integration).

      Note

      It is expected behavior for this integration's run record to show 0 for imported, new, and updated items. The job only closes AVITs, and closure operations do not change these counters.
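The following stand-alone model of the four-job chain is an added example and is not code from the ServiceNow application or from Checkmarx; it is plain Node.js, not ServiceNow Glide scripting. It reproduces the behaviour described above for the Vulnerable Item and AVIT Closure jobs: scans completed before the Start Time watermark are skipped, findings are keyed on (project, SimilarityID) so one AVIT covers every scan that reports the same finding, the closure pass picks reference scans according to the Scan Synchronization setting and closes open AVITs absent from them as FIXED, and the closure run reports zero imported, new and updated items. The function names, the three setting values, the placeholder source remediation status for new items and the sample scans are all assumptions made for the example.

```javascript
// Added example: model of the Checkmarx One -> ServiceNow sync chain described on
// this page. Plain Node.js, not ServiceNow Glide code; function names, the setting
// values and the sample data below are hypothetical.

// Constructed sample scans (not real Checkmarx One data). Each scan lists the
// SimilarityIDs of the findings it reported. ISO-8601 UTC timestamps sort as strings.
const SAMPLE_SCANS = [
  { id: 's1', projectId: 'P1', branch: 'main',    completedAt: '2024-05-01T10:00:00Z', findings: ['A', 'B'] },
  { id: 's2', projectId: 'P1', branch: 'main',    completedAt: '2024-05-02T10:00:00Z', findings: ['A'] },
  { id: 's3', projectId: 'P1', branch: 'feature', completedAt: '2024-05-03T10:00:00Z', findings: ['B', 'C'] },
];

// Pick the reference scans per project according to the Scan Synchronization
// setting: 'all_branches', 'each_branch' or 'primary_branch' (assumed names).
function selectReferenceScans(scans, config) {
  const latestByKey = new Map();
  for (const scan of scans) {
    if (config.scanSync === 'primary_branch' && scan.branch !== config.primaryBranch) continue;
    const key = config.scanSync === 'each_branch'
      ? `${scan.projectId}:${scan.branch}`   // one reference scan per branch
      : scan.projectId;                       // one reference scan per project
    const current = latestByKey.get(key);
    if (!current || scan.completedAt > current.completedAt) latestByKey.set(key, scan);
  }
  return [...latestByKey.values()];
}

// Vulnerable Item job: only scans completed after startTime are processed, and a
// finding maps to a single AVIT keyed on (project, SimilarityID).
function importVulnerableItems(avits, scans, startTime) {
  const counts = { imported: 0, created: 0, updated: 0 };
  for (const scan of scans) {
    if (scan.completedAt <= startTime) continue;        // watermark: skip old scans
    for (const similarityId of scan.findings) {
      counts.imported++;
      const key = `${scan.projectId}:${similarityId}`;
      const existing = avits.get(key);
      if (existing) {                                     // same SimilarityID seen again
        existing.state = 'Open';
        existing.lastSeenScan = scan.id;
        counts.updated++;
      } else {
        avits.set(key, { projectId: scan.projectId, similarityId, state: 'Open',
                         sourceRemediationStatus: 'OPEN', // placeholder value, assumed
                         lastSeenScan: scan.id });
        counts.created++;
      }
    }
  }
  return counts;
}

// AVIT Closure job: an open AVIT absent from every reference scan of its project is
// closed with source remediation status FIXED. Import counters stay at zero.
function closeStaleAvits(avits, scans, config) {
  const presentByProject = new Map();
  for (const scan of selectReferenceScans(scans, config)) {
    if (!presentByProject.has(scan.projectId)) presentByProject.set(scan.projectId, new Set());
    scan.findings.forEach((id) => presentByProject.get(scan.projectId).add(id));
  }
  let closed = 0;
  for (const avit of avits.values()) {
    const present = presentByProject.get(avit.projectId);
    if (!present || avit.state !== 'Open') continue;     // no reference scan: leave as is
    if (!present.has(avit.similarityId)) {
      avit.state = 'Closed';
      avit.sourceRemediationStatus = 'FIXED';
      closed++;
    }
  }
  return { imported: 0, created: 0, updated: 0, closed };
}

// One chained run: import, then close, then advance the Start Time watermark to the
// run's completion time (only done here on success, mirroring the page's description).
function runSyncChain(state, scans, config, runCompletedAt) {
  const importRun = importVulnerableItems(state.avits, scans, state.startTime);
  const closureRun = closeStaleAvits(state.avits, scans, config);
  state.startTime = runCompletedAt;
  return { importRun, closureRun };
}

// Convenience view of AVIT states, e.g. { 'P1:A': 'Closed', 'P1:B': 'Open' }.
function avitStates(avits) {
  return Object.fromEntries([...avits].map(([key, avit]) => [key, avit.state]));
}

// Demo: with "latest across all branches" the feature-branch scan s3 is the reference,
// so finding A (still present on main in s2) is closed as FIXED.
const demoState = { avits: new Map(), startTime: '2024-01-01T00:00:00Z' };
const demoRun = runSyncChain(demoState, SAMPLE_SCANS,
  { scanSync: 'all_branches', primaryBranch: 'main' }, '2024-05-04T00:00:00Z');
console.log(JSON.stringify({ demoRun, states: avitStates(demoState.avits) }));
```

Running the same chain a second time with no new scans imports nothing, because every scan is older than the advanced Start Time, and the closure pass closes nothing further. Switching the setting to "latest from each branch" keeps A open, while "latest from the primary branch" closes B and C instead; that difference is the reason to settle the Scan Synchronization setting before letting the closure job run.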

Roles

Specific roles are required for installing and configuring the integration:

  • System Administrator (admin): This role is required to install the application from the ServiceNow Store.

  • App-Sec Manager (sn_vul.app_sec_manager): After installation, a user with this role can configure the integration settings, view imported data, and manage the integration runs.