
Product Description

Overview

Software developers are relying more and more on open source components to expedite the software development process. Projects often use numerous open source libraries, each of which pulls in its own direct and transitive dependencies. No matter how secure your proprietary code is, these open source dependencies can expose you to a broad range of security and legal risks.

Checkmarx SCA is our proprietary Software Composition Analysis (SCA) solution for detecting risks associated with your open source dependencies. Checkmarx SCA is a cloud-native SaaS solution which enables you to easily identify, prioritize, and remediate the risks posed by your open source packages. These risks may include security vulnerabilities, license requirements and outdated open source packages. Checkmarx SCA addresses all of these issues, providing highly accurate, relevant, and actionable insights.

We provide a convenient web portal (UI), making it easy to create projects, run scans and view results. We also provide REST APIs, CLI tools and specialized plugins, enabling you to seamlessly integrate open source security measures into your software development life cycle (SDLC).

Exploitable Path

Checkmarx elevates the standard for SCA by leveraging source-level insight from our industry-leading SAST technologies, empowering security teams to easily identify vulnerabilities that have an actual Exploitable Path from your source code. This enables developers to prioritize remediation efforts, dramatically reducing time from vulnerability detection to remediation and increasing developers’ productivity.

Automatic Notifications

Our dedicated open source security research team ensures that you are always getting the most up-to-date and accurate information about the open source packages used in your project. Our cloud-based database is continuously updated, ensuring that the most current vulnerabilities are included. When new vulnerabilities are disclosed that affect your open source packages, we automatically send out notifications and recalculate the risk level of your project.

Workflow

Run a scan on the source code in a zip file or Git repository. The Checkmarx proprietary scanning engine detects and identifies specific component versions within the scanned project and any declared or transitive dependencies resolved during a build. This provides the greatest coverage with the highest accuracy possible, accelerating time-to-remediation. Checkmarx SCA identifies vulnerable packages, out-of-date packages and license violations.

After a scan is completed, a comprehensive Risk Report is generated. These results can be viewed in the web portal, exported (as PDF, XML, JSON or CSV), or accessed via API or specialized plugins. The web portal shows a high-level overview of all the projects in your organization, enabling you to gain insights at a glance into the risks to which your projects are exposed. You can drill down into the results to view detailed analysis of the individual packages and vulnerabilities in your projects. You can track your project throughout your SDLC, comparing successive scan results to identify new vulnerabilities and track remediation efforts. In the event that the Checkmarx analyst team discovers new vulnerabilities in one or more of the packages in your project, you will be notified by email about the vulnerabilities, provided that you have enabled email notifications.
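To make the workflow above concrete, here is a small, self-contained model of what an SCA scan does: it resolves the transitive dependency tree from a lockfile-style graph, matches each resolved version against an advisory list, flags packages that lag behind the newest published release, and diffs two successive scans to separate new findings from remediated ones. This is an added illustration written for this page, not Checkmarx code and not a description of the Checkmarx engine; the lockfile, the advisory ids (`ADV-000x`), the severities and the "latest version" registry are all constructed sample data.

```python
"""Constructed model of an SCA scan (illustration only, not Checkmarx code):
resolve the transitive dependency tree, match resolved versions against
advisories, flag outdated packages, and diff two successive scans."""
from collections import deque
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed lockfile: package -> (resolved version, direct dependencies).
LOCKFILE_CURRENT = {
    "web-app": ("1.0.0", ["http-client", "template-engine"]),
    "http-client": ("2.3.1", ["url-parser"]),
    "template-engine": ("0.9.4", ["escape-utils"]),
    "url-parser": ("1.1.0", []),
    "escape-utils": ("3.0.0", []),
}
# The same project one scan earlier, before http-client was upgraded.
LOCKFILE_PREVIOUS = {**LOCKFILE_CURRENT, "http-client": ("2.2.0", ["url-parser"])}

# Constructed advisories with placeholder ids:
# (package, first affected version, first fixed version, id, severity).
ADVISORIES_CURRENT = [
    ("url-parser", "1.0.0", "1.2.0", "ADV-0001", "high"),
    ("http-client", "2.0.0", "2.3.0", "ADV-0002", "critical"),
    ("escape-utils", "3.0.0", "3.0.2", "ADV-0003", "medium"),
    ("template-engine", "0.9.0", "1.0.0", "ADV-0004", "low"),
]
# The advisory feed as it looked at the previous scan: ADV-0003 not yet disclosed.
ADVISORIES_PREVIOUS = [a for a in ADVISORIES_CURRENT if a[3] != "ADV-0003"]

# Constructed registry view: newest published version of each package.
LATEST = {"http-client": "2.3.1", "template-engine": "1.0.2",
          "url-parser": "1.2.0", "escape-utils": "3.0.2"}


def parse_version(text: str) -> Version:
    """'1.2.3' -> (1, 2, 3); plain numeric dotted versions only."""
    return tuple(int(part) for part in text.split("."))


def resolve(root: str, lockfile: Dict) -> Dict[str, Tuple[str, List[str]]]:
    """Walk the graph from the root and record, for every reachable package,
    its resolved version and the shortest dependency path to it.  Path length
    tells a direct dependency (1 hop) from a transitive one (2+ hops)."""
    resolved: Dict[str, Tuple[str, List[str]]] = {}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        for dep in lockfile[name][1]:
            if dep not in resolved:  # first visit is the shortest path (BFS)
                resolved[dep] = (lockfile[dep][0], path + [dep])
                queue.append((dep, path + [dep]))
    return resolved


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Affected range is [introduced, fixed): the fixed version is clean."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan(root: str, lockfile: Dict, advisories: List[Tuple]) -> List[Dict]:
    """One scan: every (package, advisory) pair whose resolved version falls
    in the affected range, with the path that pulled the package in."""
    findings = []
    for pkg, (version, path) in resolve(root, lockfile).items():
        for adv_pkg, introduced, fixed, adv_id, severity in advisories:
            if adv_pkg == pkg and is_affected(version, introduced, fixed):
                findings.append({
                    "package": pkg, "version": version, "id": adv_id,
                    "severity": severity,
                    "kind": "direct" if len(path) == 2 else "transitive",
                    "path": " -> ".join(path),
                })
    return findings


def outdated(root: str, lockfile: Dict, latest: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Packages whose resolved version is older than the newest published one."""
    return {pkg: (ver, latest[pkg])
            for pkg, (ver, _) in resolve(root, lockfile).items()
            if pkg in latest and parse_version(ver) < parse_version(latest[pkg])}


def diff_scans(previous: List[Dict], current: List[Dict]) -> Tuple[set, set]:
    """Keys only in the current scan are new findings (a newly disclosed
    advisory, or an upgrade that pulled in an affected version); keys only
    in the previous scan were remediated."""
    def key(f): return (f["package"], f["id"])
    prev_keys, cur_keys = {key(f) for f in previous}, {key(f) for f in current}
    return cur_keys - prev_keys, prev_keys - cur_keys


def severity_counts(findings: List[Dict]) -> Dict[str, int]:
    """Roll findings up by severity, as a risk-report summary would."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    previous = scan("web-app", LOCKFILE_PREVIOUS, ADVISORIES_PREVIOUS)
    current = scan("web-app", LOCKFILE_CURRENT, ADVISORIES_CURRENT)
    for f in current:
        print(f"{f['id']:9} {f['severity']:8} {f['kind']:10} {f['path']}")
    new, fixed = diff_scans(previous, current)
    print("new:", sorted(new), "remediated:", sorted(fixed))
    print("outdated:", outdated("web-app", LOCKFILE_CURRENT, LATEST))
    print("by severity:", severity_counts(current))
```

Two things the model makes visible that the prose only states: the dependency path on each finding shows why a transitive package (here `url-parser`, reached only through `http-client`) ends up in the report although the project never declared it, and the scan diff distinguishes a finding that appeared because an advisory was newly disclosed from one that disappeared because a direct dependency was upgraded past its fixed version.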

Purge Policy for Data Sent to the Cloud

Each customer is provisioned with a dedicated and encrypted S3-based storage path that stores its data along with proprietary settings and metadata generated by Checkmarx SCA. The storage path is only accessible to the specific customer and its authorized, authenticated users. Uploads are performed over TLS 1.2 using pre-signed, time-limited URLs that are only accessible on-demand and in the context of data access activities. In addition, in cases where the source code is uploaded to the Checkmarx SCA cloud, it is only stored for a limited period of up to 24 hours. Metadata and manifest files are stored for as long as the retention period requires.
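The "pre-signed, time-limited URL" pattern mentioned above is worth seeing end to end from the verifying side. The following is an added example written for this page, not Checkmarx code and not the S3 signing protocol: a generic HMAC scheme in which the service signs the request method, object path and expiry timestamp, hands out a URL carrying that expiry and signature, and later validates the URL statelessly, refusing anything expired, tampered with, or presented for a different verb or path. The key, host name and tenant paths are constructed placeholders.

```python
"""Constructed model of issuing and verifying pre-signed, time-limited URLs.
Illustration only: a generic HMAC-SHA256 scheme, not the S3 signing protocol
and not Checkmarx code."""
import hashlib
import hmac
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed server-side key; a real service keeps this in a secret store.
SECRET = b"constructed-demo-key-do-not-reuse"
MAX_TTL_SECONDS = 15 * 60  # upper bound on how long any issued URL stays valid
HOST = "https://storage.example"  # placeholder host


def _string_to_sign(method: str, path: str, expires: int) -> bytes:
    # Bind the signature to the exact verb, object path and expiry, so a URL
    # issued for one upload cannot be reused for another object or operation.
    return f"{method.upper()}\n{path}\n{expires}".encode()


def _sign(method: str, path: str, expires: int) -> str:
    return hmac.new(SECRET, _string_to_sign(method, path, expires), hashlib.sha256).hexdigest()


def presign(method: str, path: str, now: int, ttl: int) -> str:
    """Issue a URL valid for `ttl` seconds from `now` (unix seconds),
    capped at MAX_TTL_SECONDS regardless of what the caller asks for."""
    expires = now + min(ttl, MAX_TTL_SECONDS)
    query = urlencode({"expires": expires, "sig": _sign(method, path, expires)})
    return f"{HOST}{path}?{query}"


def verify(method: str, url: str, now: int) -> Tuple[bool, str]:
    """Check a presented URL: well-formed, not yet expired, signature intact.
    Returns (accepted, reason) so the reason can be logged on rejection."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        presented = query["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    # Check expiry first: an expired URL is refused even if it was genuine.
    if now >= expires:
        return False, "expired"
    expected = _sign(method, parts.path, expires)
    # Constant-time comparison so the check does not leak the signature.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000
    url = presign("PUT", "/tenant-a/upload/src.zip", now=issued_at, ttl=300)
    print(url)
    print("inside window:", verify("PUT", url, now=issued_at + 100))
    print("after window: ", verify("PUT", url, now=issued_at + 300))
    print("wrong verb:   ", verify("GET", url, now=issued_at + 100))
    print("other tenant: ", verify("PUT", url.replace("/tenant-a/", "/tenant-b/"), now=issued_at + 100))
```

The design point is that the expiry is part of the signed string: a client cannot extend a URL's lifetime by editing the `expires` parameter, because the signature then no longer matches, and the server-side cap means a mis-configured caller cannot mint a URL that outlives the intended access window.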