
Cloud Insights

Overview

Note

This documentation is currently in the beta/early access phase. We are actively working on enhancements and improvements that will be added over time.

The nature of cloud-native applications requires solutions that can quickly adapt, effectively mitigate risks, and secure critical assets.

Checkmarx One Cloud Insights offers actionable insights to solve these challenges by correlating data across the entire software development lifecycle (SDLC) and runtime environments. By integrating with runtime environments, developers can verify that code fixes make their way through every step of the SDLC, including the container image and clusters.

By correlating context from runtime environments with pre-deployment data, Checkmarx One reduces noise and alert fatigue by prioritizing Internet-facing vulnerabilities and filtering out non-runtime vulnerabilities.

When a vulnerability is found in runtime, Checkmarx One elevates the risk score per the runtime context so that such a vulnerability can be prioritized first.

To further enhance these capabilities, Checkmarx One provides integration with AWS, Wiz, and other leading CNAPP vendors.

When integrating with Wiz, Checkmarx One establishes a secure connection with Wiz’s API endpoints to request relevant data, such as information about clusters, pods, containers, and network exposures.

With the AWS integration, customers provide the ARN of an IAM role that Cloud Insights can assume to read EKS cluster metadata and retrieve the list of images running in each connected cluster.

After obtaining the information from Wiz or AWS, Cloud Insights matches container image names with the Checkmarx One project name and corresponding source code repository. Checkmarx One then correlates runtime data with the risk calculation based on detected vulnerabilities and misconfigurations identified earlier in the SDLC.

By combining Checkmarx One scanners with runtime information provided by Cloud Insights, organizations can achieve visibility and control over their cloud-native applications. This integrated approach enables security and development teams to identify vulnerabilities within Checkmarx One projects and prioritize them based on their exposure in runtime, ensuring that critical issues are addressed promptly and effectively.
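The image-to-project correlation and runtime-aware prioritization described above, as an added example (an editor's illustration, not Checkmarx code). The page does not specify the exact matching rule or how the score is elevated, so the example assumes: a container image is matched to a project by its repository name (registry, namespace, tag and digest stripped); a running image adds a small fixed bump and an Internet-facing one a larger bump, capped at 10.0; and findings of projects with no running image are dropped from the runtime view. All inventory and finding data is constructed, with placeholder finding IDs.

```python
from typing import Any

# Constructed sample runtime inventory, shaped like the Cloud Insights
# enrichment file (clusters -> pods -> containers). Not real data.
RUNTIME_INVENTORY: dict[str, Any] = {
    "clusters": [
        {
            "name": "prod-eks",
            "region": "us-east-1",
            "pods": [
                {
                    "name": "web-7d9f",
                    "ips": ["10.0.1.12"],
                    "containers": [
                        {"image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments-api:1.4.2",
                         "name": "api", "public_exposed": True},
                        {"image": "docker.io/library/redis:7.2",
                         "name": "cache", "public_exposed": False},
                    ],
                },
                {
                    "name": "batch-1a2b",
                    "ips": ["10.0.2.7"],
                    "containers": [
                        {"image": "ghcr.io/acme/report-worker@sha256:" + "ab" * 32,
                         "name": "worker", "public_exposed": False},
                    ],
                },
            ],
        }
    ]
}

# Constructed Checkmarx One projects with placeholder findings and base scores.
PROJECTS: dict[str, Any] = {
    "payments-api": {"findings": [
        {"id": "finding-1", "base_score": 7.5},
        {"id": "finding-2", "base_score": 5.3},
    ]},
    "report-worker": {"findings": [{"id": "finding-3", "base_score": 8.1}]},
    "internal-tool": {"findings": [{"id": "finding-4", "base_score": 9.8}]},  # never deployed
}


def image_repo_name(image: str) -> str:
    """Strip registry, namespace, tag and digest from an image reference.

    'ghcr.io/acme/report-worker@sha256:...' -> 'report-worker'
    'localhost:5000/payments-api:1.4.2'     -> 'payments-api'
    """
    without_digest = image.split("@", 1)[0]
    last_component = without_digest.rsplit("/", 1)[-1]
    return last_component.split(":", 1)[0]


def running_images(inventory: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Index running containers by repository name. The exposure flag is OR-ed
    across replicas, so an image is 'public' if any copy is Internet-facing."""
    index: dict[str, dict[str, Any]] = {}
    for cluster in inventory["clusters"]:
        for pod in cluster["pods"]:
            for container in pod["containers"]:
                repo = image_repo_name(container["image"])
                entry = index.setdefault(repo, {"public_exposed": False, "clusters": set()})
                entry["public_exposed"] = entry["public_exposed"] or bool(container["public_exposed"])
                entry["clusters"].add(cluster["name"])
    return index


def runtime_score(base_score: float, public_exposed: bool) -> float:
    """Assumed elevation rule (not Checkmarx's): +0.5 for a running image,
    +2.0 for an Internet-facing one, capped at 10.0."""
    bump = 2.0 if public_exposed else 0.5
    return min(10.0, round(base_score + bump, 1))


def prioritize(inventory: dict[str, Any], projects: dict[str, Any]) -> list[dict[str, Any]]:
    """Correlate findings with runtime context and order them for triage.
    Projects whose image is not running anywhere are filtered out entirely."""
    running = running_images(inventory)
    rows: list[dict[str, Any]] = []
    for project, meta in projects.items():
        context = running.get(project)
        if context is None:
            continue  # non-runtime finding: noise for this view
        for finding in meta["findings"]:
            rows.append({
                "project": project,
                "finding": finding["id"],
                "base_score": finding["base_score"],
                "runtime_score": runtime_score(finding["base_score"], context["public_exposed"]),
                "public_exposed": context["public_exposed"],
                "clusters": sorted(context["clusters"]),
            })
    rows.sort(key=lambda r: (-r["runtime_score"], r["project"], r["finding"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(RUNTIME_INVENTORY, PROJECTS):
        print(f'{row["runtime_score"]:>4} (base {row["base_score"]}) {row["project"]}/{row["finding"]} '
              f'exposed={row["public_exposed"]} clusters={row["clusters"]}')
```

Two practical details the example encodes: one image usually runs in several pods, so the exposure flag is OR-ed across all replicas, and tags and digests are dropped before matching so a project is not missed because the runtime reports a pinned digest instead of a tag.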

Integration Flow

The Cloud Insights integration flow differs between the initial integration and subsequent ones.

  • In the initial integration, users click the Integrate Cloud Account button on the Welcome screen. In subsequent integrations, users use the Manage Accounts > Create Account option.

  • In the initial integration, users are shown the cluster findings summary at the end of the discovery stage. In subsequent integrations the summary is not presented.

Integrating with CNAPP Vendors

Integrating with Wiz


Checkmarx One integrates with Wiz by establishing a secure connection with Wiz’s API endpoints. Cloud Insights sends API requests to Wiz’s GraphQL endpoints for inventory and runtime-related data, such as clusters, pods, containers, and network exposures. Wiz’s API processes these queries, executing them against its data sources, and returns the results to Checkmarx One.

Preconditions

  • Wiz Client ID

  • Wiz Client Secret

  • API endpoint for the Wiz environment

Integration Procedure

Note

Make sure that the preconditions are met.

To integrate with Wiz, proceed as follows:

  1. Log in to Checkmarx One.

  2. Click on Workspace > Cloud Insights.

  3. Click on Integrate Cloud Account.

  4. In the Account Integration dropdown, select Wiz integration.

  5. Configure the following:

    • Wiz API Endpoint

    • Wiz Client ID

    • Wiz Client Secret

    • Name the account

  6. Click on Create Account.

    Cloud Insights will start discovering the cluster findings.

  7. Once the discovery finishes, the cluster findings summary is displayed.

    Click on Let's Start Exploring.

  8. The internet-facing clusters are displayed in the Attack Paths screen and Inventory table.


Supported Cloud Service Provider Native Connections

Integrating with AWS

Integrating with an AWS account allows organizations without a CNAPP solution to leverage Checkmarx's security capabilities by combining them with runtime context from AWS EKS.

To integrate with an AWS account, customers provide the ARN of an IAM role that Cloud Insights can assume to read EKS clusters and related metadata. Using the Kubernetes API, Cloud Insights retrieves the list of images running in each connected cluster. Once the list is received, Cloud Insights uses AWS Network Access Analyzer to add a public exposure flag to every mapped container image that is reachable from the Internet. This way, Checkmarx One knows which resources are publicly exposed and can set the risk level accordingly for better prioritization.

Preconditions

  1. Create an AWS IAM Role:

    • Sign in to your AWS account.

    • Download the template from the Cloud Formation Template link.

      Important

      This CloudFormation JSON template creates an IAM role in your AWS account that can be assumed by Checkmarx One AWS accounts. The role has an inline policy that allows it to describe regions and EKS clusters, and a managed policy that permits running Network Access Analyzer, which is used to check whether a container is public-facing. Review the template's trust policy and permissions before creating the stack: the role should be assumable only by the Checkmarx One accounts, and its permissions should not extend beyond those described here.

  2. Create a CloudFormation stack from the downloaded JSON template in your AWS account.

    For more information, refer to AWS CloudFormation documentation.

  3. Copy the RoleARN value:

    • Once stack creation completes, open the stack's Outputs tab in the AWS console and copy the RoleARN value.

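A least-privilege review of the role the stack creates, as an added example that is not part of the Checkmarx documentation or template. The sample trust and permissions documents are constructed to match the description in the Important note above; the account ID, external ID and action list are placeholders, and because the page does not say whether the real template uses an sts:ExternalId condition, its absence is reported as a finding rather than assumed. To check a deployed role, fetch its documents with `aws iam get-role` and `aws iam get-role-policy` and pass the parsed JSON to the same functions.

```python
from typing import Any

# Constructed sample of a cross-account role's trust policy and inline
# permissions policy. NOT the Checkmarx CloudFormation template; the account
# ID, external ID and action names are placeholders.
SAMPLE_TRUST_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}
SAMPLE_INLINE_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeRegions", "eks:ListClusters", "eks:DescribeCluster"],
        "Resource": "*",
    }],
}
# Actions the inline policy is expected to need (assumed from the description
# "describe regions and EKS clusters"; the Network Access Analyzer managed
# policy is attached separately and is not covered by this set).
EXPECTED_ACTIONS = {"ec2:DescribeRegions", "eks:ListClusters", "eks:DescribeCluster"}


def _as_list(value: Any) -> list:
    # IAM allows a single string or a list in Principal, Action and Statement
    return value if isinstance(value, list) else [value]


def _account_of(principal_arn: str) -> str:
    # arn:partition:service:region:account-id:resource -> account-id
    parts = principal_arn.split(":")
    return parts[4] if len(parts) >= 6 else principal_arn


def review_trust_policy(trust: dict, expected_accounts: set[str]) -> list[str]:
    """Report who can assume the role: wildcard principals, accounts you did
    not expect, actions beyond sts:AssumeRole, and a missing ExternalId."""
    issues: list[str] = []
    for i, stmt in enumerate(_as_list(trust.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                issues.append(f"Statement[{i}]: wildcard principal, any AWS account could assume the role")
            elif _account_of(p) not in expected_accounts:
                issues.append(f"Statement[{i}]: principal {p} is not an expected account")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                issues.append(f"Statement[{i}]: unexpected action {action}")
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in ops for ops in conditions.values() if isinstance(ops, dict))
        if not has_external_id:
            issues.append(f"Statement[{i}]: no sts:ExternalId condition (confused-deputy risk)")
    return issues


def review_permissions(policy: dict, expected_actions: set[str]) -> list[str]:
    """Report Allow actions outside the expected read-only set, including wildcards."""
    issues: list[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                issues.append(f"Statement[{i}]: wildcard action {action}")
            elif action not in expected_actions:
                issues.append(f"Statement[{i}]: action {action} not in expected set")
    return issues


def review_role(trust: dict, inline: dict, expected_accounts: set[str]) -> list[str]:
    """Combined review; an empty list means the role matches expectations."""
    return review_trust_policy(trust, expected_accounts) + review_permissions(inline, EXPECTED_ACTIONS)


if __name__ == "__main__":
    for issue in review_role(SAMPLE_TRUST_POLICY, SAMPLE_INLINE_POLICY, {"111122223333"}) or ["no issues"]:
        print(issue)
```

The expected account IDs are the ones Checkmarx tells you will assume the role; anything else in the trust policy, and any wildcard, means a different party could read your cluster inventory.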

Integration Procedure

Note

Make sure that the preconditions are met.

To integrate with AWS, proceed as follows:

  1. Log in to Checkmarx One.

  2. Click on Workspace > Cloud Insights.

  3. Click on Manage Accounts.

  4. Click on Create Account.

  5. In the Account Integration dropdown, select Amazon Web Services.

  6. Configure the following:

    • AWS RoleARN value - the value copied in the preconditions.

    • Name the account.

  7. Click on Create Account.

    Cloud Insights will start discovering the cluster findings.

  8. Once the discovery finishes, the internet-facing clusters are displayed in the Attack Paths screen and Inventory table.


External Third-Party Enrichment

The External Third-Party Enrichment workflow gives Checkmarx One users the ability to ingest runtime environment data from their third-party CNAPP/Cloud Security vendors into Checkmarx One by using APIs.

Checkmarx Cloud Insights correlates the runtime environments data with Checkmarx One Projects and source code repositories, enriching Checkmarx One scanners results.

Additionally, third-party CNAPP/Cloud Security vendors can query the Checkmarx One platform to obtain Checkmarx One scanner results data related to the container images ingested by the vendors, allowing them to enrich their systems accordingly.

This integration is done via the Checkmarx One REST APIs. Documentation of these APIs, and the end-to-end workflow for creating a third-party enrichment, are available in the Checkmarx One API documentation.

Preconditions

  • A valid Checkmarx One API Key (bearer token)

  • A valid "External ID" - a unique ID for a specific vendor, provided by your Checkmarx support agent

  • A valid JSON enrichment file - see Creating a JSON Enrichment File below

Creating a JSON Enrichment File

Create a JSON file that provides detailed information about the clusters, pods and containers in your system. Use the schema provided in the Cloud Formation Template.

Example:

{
    "externalID": "1223-123-123123",
    "clusters": [
        {
            "name": "NAME",
            "region": "REGION",
            "pods": [{
                "name": "NAME",
                "ips": ["IP1", "IP2"],
                "containers": [{
                    "image": "IMAGE",
                    "name": "NAME",
                    "public_exposed": true
                }]
            }]
        }
    ]
}

You can validate your file using our Online Validator tool.
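A loader that validates an enrichment file against the structure shown above, as an added example that is not Checkmarx's Online Validator and not Checkmarx code. The required fields and types are taken from the example file; the sample file, its externalID and the addresses are constructed placeholders. It reports a JSON syntax error (such as a trailing comma after the last property) with its position, rejects IP addresses that do not parse, and insists that public_exposed is a JSON boolean rather than the string "true".

```python
import ipaddress
import json
from typing import Any

# Constructed sample enrichment file in the shape shown above; the externalID
# is a placeholder, not a value issued by Checkmarx support.
SAMPLE_FILE = """
{
  "externalID": "1223-123-123123",
  "clusters": [
    {
      "name": "prod-eks",
      "region": "us-east-1",
      "pods": [
        {
          "name": "web-7d9f",
          "ips": ["10.0.1.12", "fd00::12"],
          "containers": [
            {"image": "registry.example.com/acme/payments-api:1.4.2",
             "name": "api", "public_exposed": true}
          ]
        }
      ]
    }
  ]
}
"""

# Constructed: same content, but with a trailing comma after public_exposed
TRAILING_COMMA_FILE = ('{"externalID": "x", "clusters": [{"name": "c", "region": "r", "pods": '
                       '[{"name": "p", "ips": [], "containers": [{"image": "i", "name": "n", '
                       '"public_exposed": true,}]}]}]}')

# Constructed: parses fine but violates the schema in three places
BAD_DOC = {"externalID": "", "clusters": [{"name": "c", "region": "r", "pods": [
    {"name": "p", "ips": ["10.0.0.300"],
     "containers": [{"image": "i", "name": "n", "public_exposed": "true"}]}]}]}


def _nonempty_str(obj: dict, key: str) -> bool:
    return isinstance(obj.get(key), str) and bool(obj[key])


def validate_enrichment(doc: Any) -> list[str]:
    """Return a list of schema violations (empty means valid), each with a JSON path."""
    errors: list[str] = []
    if not isinstance(doc, dict):
        return ["top level: expected an object"]
    if not _nonempty_str(doc, "externalID"):
        errors.append("externalID: expected a non-empty string")
    clusters = doc.get("clusters")
    if not isinstance(clusters, list) or not clusters:
        return errors + ["clusters: expected a non-empty array"]
    for ci, cluster in enumerate(clusters):
        cpath = f"clusters[{ci}]"
        if not isinstance(cluster, dict):
            errors.append(f"{cpath}: expected an object")
            continue
        for key in ("name", "region"):
            if not _nonempty_str(cluster, key):
                errors.append(f"{cpath}.{key}: expected a non-empty string")
        pods = cluster.get("pods")
        if not isinstance(pods, list):
            errors.append(f"{cpath}.pods: expected an array")
            continue
        for pi, pod in enumerate(pods):
            ppath = f"{cpath}.pods[{pi}]"
            if not isinstance(pod, dict):
                errors.append(f"{ppath}: expected an object")
                continue
            if not _nonempty_str(pod, "name"):
                errors.append(f"{ppath}.name: expected a non-empty string")
            ips = pod.get("ips")
            if not isinstance(ips, list):
                errors.append(f"{ppath}.ips: expected an array")
            else:
                for ip in ips:
                    try:
                        if not isinstance(ip, str):  # ip_address() would accept ints
                            raise ValueError
                        ipaddress.ip_address(ip)      # accepts IPv4 and IPv6
                    except ValueError:
                        errors.append(f"{ppath}.ips: {ip!r} is not a valid IP address")
            containers = pod.get("containers")
            if not isinstance(containers, list) or not containers:
                errors.append(f"{ppath}.containers: expected a non-empty array")
                continue
            for ki, container in enumerate(containers):
                kpath = f"{ppath}.containers[{ki}]"
                if not isinstance(container, dict):
                    errors.append(f"{kpath}: expected an object")
                    continue
                for key in ("image", "name"):
                    if not _nonempty_str(container, key):
                        errors.append(f"{kpath}.{key}: expected a non-empty string")
                if not isinstance(container.get("public_exposed"), bool):  # JSON true/false only
                    errors.append(f"{kpath}.public_exposed: expected a JSON boolean")
    return errors


def load_enrichment(text: str):
    """Parse and validate; returns (document or None, list of errors).
    A syntax error is reported with its line and column instead of raising."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    return doc, validate_enrichment(doc)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_FILE), ("trailing comma", TRAILING_COMMA_FILE)):
        _, errors = load_enrichment(text)
        print(label, "->", errors or "valid")
    print("bad document ->", validate_enrichment(BAD_DOC))
```

Run it against your own file by reading it into `load_enrichment`; an empty error list is the precondition for submitting the file, and the path in each error points at the exact cluster, pod or container entry to fix.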