Configuring the Checkmarx One Vulnerability Integration

Configuration is typically a one-time activity performed after the initial installation. Before proceeding, ensure the OAuth2 Client has been created in Checkmarx One with all the required permissions. For a list of permissions, see the Preparing for the Checkmarx One Vulnerability Integration section.

Important

Switching between multiple Checkmarx One tenants within the same ServiceNow integration instance is not supported and may lead to data inconsistencies or incorrect vulnerability data. Each integration instance should be configured for a single Checkmarx One tenant only.

To Configure the Checkmarx One Vulnerability Integration:

Navigate to your instance of Service Now and log in.
Search for Checkmarx One Vulnerability Integration.
Click Configuration.
Provide the information required to complete the Checkmarx One configuration.
Note
Fields marked with a red asterisk are compulsory.

Enter the following in the required fields on the Configuration page:

IAM URL: Checkmarx One IAM URL (remove ‘/’ from the end of the URL)
API Base URL: Checkmarx One Base URL (remove ‘/’ from the end of the URL)
Tenant: Checkmarx One Tenant
Client ID: Oauth 2 Client ID
Client Secret: Oauth 2 Client Secret

Select the checkboxes for the scanner results you wish to import (e.g.,Include SCA, Include SAST, Include IaC, Include Container Security, Include API Security, Include 2MS, Include OSSF Scorecard, or all to get the scanner results).

Parameter	Description
IAM URL	The base URL of the Identity Access Management (IAM) service for your Checkmarx One environment. Do not include a trailing slash ( `/` ).
API Base URL	The base URL of your Checkmarx One Environment API. Do not include a trailing slash ( `/` ). Note On Single-Tenant Environments: The `IAM URL` and `API Base URL` will be the exact same URL.
Tenant	The name of your organization's Checkmarx One tenant.
OAuth Client ID/Secret	The credentials generated from your Checkmarx One account. Refer to the Preparing for Checkmarx One Vulnerability Integration section for creation steps.
Include SAST / SCA / IaC, Container Security, API Security, OSSF Scorecard, Secret Detection	Select the checkboxes for the scanner types you want to import results from. At least one scanner type must be selected. Note: API Security results are linked to existing SAST findings. If you select `Include API Security` , you must also select `Include SAST` . API security does not generate separate AVIs instead, it enhances the existing SAST AVIs with API related details.
Exclude SCA Dev and Test Dependencies	When enabled, the integration will process SCA results but exclude any vulnerabilities found in development and test dependencies. (Only applicable for SCA)
Include First Detection Date	When enabled, the "First Found" date from Checkmarx One will be mapped and displayed in the Application Vulnerable Item table (AVIT).
Close findings of Deleted Projects	When enabled, if a project is deleted in Checkmarx One, its corresponding open Application Vulnerable Items (AVIs) in ServiceNow will be automatically updated to a state of `Closed` with a substate of `Skipped` in the subsequent integration run.
Severity	Multi-select the vulnerability severity levels to import. By default all severities are selected i.e. `Critical` , `High` , `Medium` , `Low` , and `Info` .
Filter Project	Select how you want to filter which Checkmarx One projects are included in the integration. Options are `By Id` or `By Name` .
Enter Project IDs	(Active when "Filter Project" is set to "By Id") Enter a list of project UUIDs to either include or exclude from the integration run. The filtering mode is determined by the presence of the `exclude` keyword. Include Mode: To import only the specified projects, enter their UUIDs separated by a semicolon ( `;` ). Example: `a1b2c3d4-...;e5f6g7h8-...;i9j0k1l2-...` Exclude Mode: To import all projects except for the specified ones, begin the list with the keyword `exclude=` and then list the UUIDs to exclude. Example: `exclude=z9y8x7w6-...;v5u4t3s2-...` Note You cannot mix include and exclude modes. The presence of `exclude=` at the start of the list sets the mode for the entire field. The maximum number of IDs is 1000.
Enter Project Names	(Active when "Filter Project" is set to "By Name") Enter a list of project names to either include or exclude. This field supports exact names or substring matching. The filtering mode is determined by the presence of the exclude keyword. Include Mode: To import only projects whose names match the specified strings or patterns, enter them separated by a semicolon ( `;` ). Example: `MyWebApp;Backend-API;PROD` Exclude Mode: To import all projects except for those whose names match the specified strings, begin the list with `exclude=` and then list the names to exclude. Example: `exclude=OldProject;test-project;DEV` Note You cannot mix include and exclude modes. The Project name matching is case-sensitive should not contain ; and =. The maximum number of entries and project names is limited to 1000.
Result State	Multi-select the vulnerability states to import from Checkmarx One. To filter by custom states defined in your Checkmarx One instance, select Other . A text field will appear where you can enter a list of your custom state names, separated by a semicolon ( `;` ). Example (Custom): `ReadyToFix;ApprovedForRemediation`
Scan Type	Multi-select the scan types to import ( `Fast Scan` , `Full Scan` , `Incremental Scan` ). Note: To import results from all scan types, it is recommended to leave this field empty rather than selecting all options.
Scan Synchronization	Select which scans to import for the filtered projects: Latest Scan Across All Branches: Imports only the single most recent scan from any branch of a project. Latest Scan from Each Branch: Imports the latest scan for each individual branch within a project. Latest Scan of Primary Branch: Fetches the latest scan and results from the project's designated primary branch . If a project has primary branch not defined, it will fetch Latest Scan Across All Branches . The scan must have been completed after the integration's `Start Time` . Important Switching between scan synchronization options is only allowed when the integration instance is clean with no previously synced data.
Triaging in ServiceNow	Check this box to manage the vulnerability lifecycle within ServiceNow. All imported AVIs are set to an `Open` state when checked, allowing you to use ServiceNow's "Mark as False Positive" and "Request Exception" workflows. If this box is unchecked, AVIs will retain their original state from Checkmarx One (e.g., `Not Exploitable` , `Confirmed` ). Note This integration provides a one-way synchronization from Checkmarx One to ServiceNow. Any state changes or triage actions performed in ServiceNow (such as marking an AVI as a False Positive or requesting an exception) will not be reflected in Checkmarx One .

Click Save and Test Credentials.

The URL will be the same for Single Tenant, IAM URL, and API Base.

The system tests the credentials and confirms if the validation is successful.

If the authentication is successful, continue to perform the Checkmarx One Vulnerability Integration.

In this section:

Configuring the Checkmarx One Vulnerability Integration

Important

To Configure the Checkmarx One Vulnerability Integration:

Note

Note

Note

Note

Important

Note

Search results