
Cloud Insights

Overview

Note

This documentation is currently in the beta/early access phase. We are actively working on enhancements and improvements that will be added over time.

The nature of cloud-native applications requires solutions that can quickly adapt, effectively mitigate risks, and secure critical assets.

Checkmarx One Cloud Insights offers actionable insights to solve these challenges by correlating data across the entire software development lifecycle (SDLC) and runtime environments. By integrating with runtime environments, developers can focus on the riskiest issues, the ones that matter most to their business.

By correlating context from runtime environments with pre-deployment data, Checkmarx One reduces noise and alert fatigue by prioritizing Internet-facing vulnerabilities and filtering out non-runtime vulnerabilities.

When a vulnerability is found in runtime, Checkmarx One elevates the risk score per the runtime context so that such a vulnerability can be prioritized first.

To further enhance these capabilities, Checkmarx One provides integration with AWS, Wiz, and other leading CNAPP vendors.

When integrating with Wiz, Checkmarx One establishes a secure connection with Wiz’s API endpoints to request relevant data, such as information about clusters, pods, containers, and network exposures.

With the AWS integration, customers provide their IAM role, which can read clusters and other metadata to retrieve a list of images under each connected cluster.

After obtaining the information from Wiz or AWS, Cloud Insights matches container image names with the Checkmarx One project name and corresponding source code repository. Checkmarx One then correlates runtime data with the risk calculation based on detected vulnerabilities and misconfigurations identified earlier in the SDLC.

By combining Checkmarx One scanners with runtime information provided by Cloud Insights, organizations can achieve visibility and control over their cloud-native applications. This integrated approach enables security and development teams to identify vulnerabilities within Checkmarx One projects and prioritize them based on their exposure in runtime, ensuring that critical issues are addressed promptly and effectively.

Integration Flow

The Cloud Insights integration flow differs between the initial integration and subsequent ones.

  • In the initial integration, users use the Integrate Cloud Account button on the Welcome screen. In subsequent integrations, users use the Manage Accounts > Create Account option.

  • In the initial integration, users are presented with the cluster findings summary at the end of the discovery stage. In subsequent integrations the summary is not presented.

Viewing Cloud Insights Results

Once you have set up a Cloud Insights integration account and run the data enrichment, the Cloud Insights data can be viewed via the Checkmarx One web application. Detailed information about the containers in your account and the corresponding Checkmarx One projects is shown in the Workspace > Cloud Insights screen. In addition, the runtime usage information affects the risk score of the associated Application, as represented on the Application Risk Management screen.

Viewing the Cloud Insights Screen

The Cloud Insights screen contains a header bar and tabs showing Inventory and Attack Paths.

Header Bar

The header bar shows the name of the account for which data is being shown as well as details about the status of that account.

To switch accounts:

  1. Click on Manage Accounts.

    A side panel opens, showing a list of Cloud Insight accounts that have been set up in your system.

  2. Click on the account that you would like to show and then click on the Select Account button.

Inventory Tab

The Inventory tab shows a list of container images, grouped by cluster name. The table shows the Checkmarx One Project that corresponds to each image and the SAST vulnerabilities identified in that Project. You can click on a Project name to open the Overview page for that Project.

There is a column indicating whether or not each image is internet-facing (i.e., exposed to the public). You can filter the display by this element.

Manually Assigning Projects

You can manually assign a Checkmarx One Project to an image that was identified by Cloud Insights. This can be done in cases where the system didn't automatically identify a corresponding Project. You can also replace the automatically correlated Project with a different Project that you determine to correspond more precisely.

To Manually Assign a Project:

  1. Hover on the row of the relevant image and click on the More Options icon.

  2. Then, select Assign to a project.

    A side panel opens showing the list of Checkmarx One Projects in your account.

  3. Select the desired Project.

  4. Click on the Assign Project button.

Attack Paths Tab

The Attack Paths tab shows a list of public-facing images and a visualization of the path by which they are accessible from the internet. This screen has a left-side panel that shows the list of public-facing clusters and a main visualization pane that shows nodes representing the clusters. The red number in each node indicates the number of public-facing images in that cluster.


You can drill down to see additional details about a specific cluster, either by clicking on the cluster in the list in the left-side panel or by clicking on the node of that cluster in the visualization. You can also search for a cluster by name. In the drill-down display, the left-side panel shows details about the vulnerabilities identified in the latest SAST scan of the corresponding Checkmarx One Project, and the main pane shows the full path from the internet, through the cluster and pod, to the specific container images.


You can drill down further to see the actual SAST scan results for the corresponding Project either by clicking on Open SAST results in the visualization or by hovering over the result in the left-side panel and clicking on Results.

Viewing Cloud Insights Data in Application Risk Management

Cloud Insights contributes greatly to the ability to manage risks (triage) across your Applications. Vulnerabilities used in a runtime environment (i.e., vulnerabilities in Projects that are associated with a container image that is used in runtime) will generally have higher priority than other vulnerabilities, and vulnerabilities that are actually exposed to the internet will generally be the highest priority.

Therefore, Cloud Insights results are integrated into the Application Risk Management feature. In the Risk Management tab of an Application, you can now filter the results to show only Runtime vulnerabilities. There is also an icon indicating which vulnerabilities are Internet Facing.


In addition, the identification of an internet-facing vulnerability is factored into the overall Risk Score for that vulnerability in the Risk Management tab.
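The correlation and prioritization described above (image names matched to Project names, with manual assignment overriding the automatic match, and internet-facing runtime findings ranked first) can be modelled as follows. This is an added illustrative example, not Checkmarx One's own code or scoring algorithm; the image names, project names, severity scale and ordering rule are all constructed assumptions.

```python
"""Illustrative model of correlating a runtime image inventory with
pre-deployment findings and triaging by runtime exposure (assumed logic)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Image:
    name: str              # full image reference as reported by the cloud inventory
    cluster: str
    internet_facing: bool  # exposed to the public internet


@dataclass(frozen=True)
class Finding:
    project: str   # Checkmarx One Project the finding belongs to
    vuln_id: str
    severity: int  # constructed scale: 1 (low) .. 4 (critical)


def correlate(images, projects, manual=None):
    """Map image reference -> project name. A manual assignment always wins;
    otherwise the image's base name (registry path, tag and digest stripped)
    is compared with the set of known project names."""
    manual = manual or {}
    mapping = {}
    for img in images:
        if img.name in manual:
            mapping[img.name] = manual[img.name]
            continue
        base = img.name.rsplit("/", 1)[-1].split(":", 1)[0].split("@", 1)[0]
        if base in projects:
            mapping[img.name] = base
    return mapping


def runtime_context(images, mapping):
    """Per project: (used_in_runtime, internet_facing), aggregated over images."""
    ctx = {}
    for img in images:
        proj = mapping.get(img.name)
        if proj is not None:
            _, exposed = ctx.get(proj, (False, False))
            ctx[proj] = (True, exposed or img.internet_facing)
    return ctx


def prioritise(findings, ctx):
    """Triage order: internet-facing first, then runtime, then everything else;
    severity breaks ties. Returns vuln_ids in that order."""
    def key(f):
        in_rt, exposed = ctx.get(f.project, (False, False))
        return (exposed, in_rt, f.severity)
    return [f.vuln_id for f in sorted(findings, key=key, reverse=True)]
```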