Cloud Insights
Note
Cloud Insights is included in the Essential, Professional and Enterprise license bundles.
Overview
The nature of cloud-native applications requires solutions that can quickly adapt, effectively mitigate risks, and secure critical assets.
Checkmarx One Cloud Insights offers actionable insights to solve these challenges by correlating data across the entire software development lifecycle (SDLC) and runtime environments. By integrating with runtime environments, developers can focus on the riskiest issues which matter the most to their business.
By correlating context from runtime environments with pre-deployment data, Checkmarx One reduces noise and alert fatigue by prioritizing Internet-facing vulnerabilities and filtering out non-runtime vulnerabilities.
When a vulnerability is found in runtime, Checkmarx One elevates the risk score per the runtime context so that such a vulnerability can be prioritized first.
To further enhance these capabilities, Checkmarx One provides integration with AWS, Wiz, and other leading CNAPP vendors.
When integrating with Wiz, Checkmarx One establishes a secure connection with Wiz’s API endpoints to request relevant data, such as information about clusters, pods, containers, and network exposures.
With the AWS integration, customers provide their IAM role, which can read clusters and other metadata to retrieve a list of images under each connected cluster.
After obtaining the information from Wiz or AWS or other supported CNAPP providers, Cloud Insights matches container image names with the Checkmarx One Project name and corresponding source code repository. Checkmarx One then correlates runtime data with the risk calculation based on detected vulnerabilities and misconfigurations identified earlier in the SDLC.
By combining Checkmarx One scanners with runtime information provided by Cloud Insights, organizations can achieve visibility and control over their cloud-native applications. This integrated approach enables security and development teams to identify vulnerabilities within Checkmarx One projects and prioritize them based on their exposure in runtime, ensuring that critical issues are addressed promptly and effectively.
Excluded Images
After ngelogreceiving the list of images from your cloud provider, Checkmarx automatically excludes images that we consider to be 3rd party images that don't impact on the matching inventory of your application assets. Those images aren't shown in Checkmarx Cloud Insights.
Setting up the Cloud Insights Integration
For Wiz and AWS users, the setup process is performed by the user in the Checkmarx One web application. For other CNAPP vendors the setup is done in your CNAPP account using the procedure established by your vendor. The setup process for each type of integration is described in the following articles.
Viewing Cloud Insights Results
Overview
Once you have set up a Cloud Insights integration account and the runtime data has been synced with your Checkmarx One account, the Cloud Insights, data correlating runtime info with Checkmarx scan results, can be viewed via the Checkmarx One web application.
In addition, if your account has an enrichment integration, it is possible to view SAST vulnerabilities that were identified by Checkmarx in the correlated repos in your CNAPP platform. For Wiz users with a Code Security license, this integration takes effect automatically when you create a Wiz Cloud Insights account. For other CNAPP vendors, this requires a custom integration, described here.
Viewing Cloud Insights Results in Checkmarx One
In Checkmarx One, the Workspace 
> Cloud Insights screen shows detailed information about the containers in your account and the corresponding Checkmarx One Projects. In addition, information about runtime usage is factored in to assigning the risk score of vulnerabilities shown on the Using Application Risk Management screen.
Viewing the Cloud Insights Screen
The Cloud Insights screen contains a Header Bar and tabs showing Inventory and Attack Paths.
Header Bar
The header bar shows the name of the account for which data is being shown, as well as details about the status of that account. The following items are shown:
Sync Date - indicates the last time that runtime data was imported from the CNAPP provider.
Status - indicates the status of the integration. Once the data has been successfully imported (at least once) the status is shown as Connected. If the runtime data import has not yet completed successfully, the status is Pending.
Notice
It may take a few hours for the import to complete. If after 24 hr the status is still Pending, you should ensure that all prerequisites are in place (see prerequisites for Wiz, AWS and Other CNAPP Vendors). For Wiz and AWS integrations, you can also click on the ReSync button to initiate a new enrichment process. If the issue is not resolved, please contact Checkmarx Support for assistance.
ReSync button - Click on this button to manually initiate a new sync of the Cloud Insights data for this account. For Wiz and AWS accounts this initiates a new enrichment process, importing new data about the clusters in your system. For other integrations, this only reruns the project association process (e.g., taking into consideration new projects created in Checkmarx) without importing new data from the cloud provider.
Manage Accounts - enables you to create a new account, or to select a different Cloud Insights account to display (as described below).
Switching Accounts
To switch accounts:
Click on Manage Accounts.
A side panel opens, showing a list of Cloud Insight accounts that have been set up in your system.
Click on the account that you would like to show and then click on the Select Account button.
Inventory Tab
The Inventory tab shows a list of container images identified in the runtime environment, grouped by cluster name. The table shows the Checkmarx One Project that corresponds to each image (based on our matching algorithms) and the vulnerabilities identified in that Project. You can click on a Project name to open the Overview page for that Project.
There is a column indicating whether or not each image is Internet Facing (i.e., exposed to the public). You can easily identify the most urgent remediation activities by filtering to show only Internet Facing Projects.
Manually Assigning Projects
You can manually assign a Checkmarx One Project to an image that was identified by Cloud Insights. This can be done in cases where the system didn't automatically identify a corresponding Project. You can also replace the automatically correlated Project with a different Project that you determine to correspond more precisely.
To Manually Assign a Project:
Hover on the row of the relevant image and click on the
icon.Then, select Assign to a project.
A side panel opens showing the list of Checkmarx One Projects in your account.
Select the desired Project.
Click on the Assign Project button.
When a Project has been assigned manually, a special icon is shown in the row of that image in the Inventory table.
Manually Setting the "Internet Facing" Parameter
If you determine that the automatic designation of an image as Internet Facing or Not Internet Facing is inaccurate, you can manually override this determination.
This can also be done as a bulk action by selecting the checkbox next to each of the relevant images and then choosing the desired option in the top bar.
To manually adjust the "Internet Facing" parameter:
Hover on the row of the relevant image and click on the
icon.Then, select Set Internet Facing.
A drop-down menu opens showing the options: Facing, Not Facing or Auto Detect.
Facing - manually set as Internet Facing.
Not Facing - manually set as Not Internet Facing.
Auto Detect - allow the system to determine whether or not it is internet facing, using proprietary algorithms.
Select the desired option.
When a manual determination has been set, a special icon is shown in the row of that image in the Inventory table.
Attack Paths Tab
The Attack Paths tab shows a list of public-facing images and a visualization of the path by which they are accessible from the internet. This screen has a left-side panel that shows the list of public-facing clusters and a main visualization pane that shows nodes representing the clusters. The red number in each node indicates the number public-facing images in that cluster.
You can drill down to see additional details about a specific cluster and its internet facing images. This can be done by clicking either on the cluster list in the left-side panel or on the node of that cluster in the visualization. You can also search for a cluster by name.
In the drill-down display, the left-side panel shows a list of internet facing images and details about the vulnerabilities identified in the latest scan of the corresponding Checkmarx One Projects, broken down by scanner type. The main pane shows the full path from the internet, through the cluster and pod, to the source code repo of a specific container image, and the related vulnerabilities. Select an image in the left-side pane to show the visualization for that image.
You can drill down further to see the actual Checkmarx One scan results for the corresponding Project, either by clicking on Open SAST results in the visualization or by hovering over the result in the left-side panel and clicking on Results.
Viewing Cloud Insights Data in Application Risk Management
Cloud Insights reduces the noise created by vulnerable code that isn't actually deployed in runtime, enabling you to prioritize the immediate risks to your business. This is done by factoring runtime usage into the risk assessment in our Application Risk Management feature. Vulnerabilities deployed in a runtime environment are assigned a higher risk score than other vulnerabilities. And, vulnerabilities that are actually exposed to the internet are given considered to be an even higher riskmana.
Also, in the Risk Management tab of an Application, you can now filter the results to show only Runtime vulnerabilities. There is also an icon indicating which vulnerabilities are Internet Facing.
Viewing Cloud Insights Data on the Projects Page
You can filter the table data to display the deployed projects in a runtime environment to focus only on the relevant projects and reduce the noise of other projects by selecting the Runtime button. You can filter the projects by internet-facing or not-facing and view only the riskiest projects to prioritize which to investigate first by clicking the Internet Facing filter.
Viewing Checkmarx SAST Results in Wiz
If you have a Cloud Insights Wiz integration and a Code Security license for Wiz, then SAST vulnerabilities identified in Checkmarx One scans are automatically sent to your Wiz to enrich the data shown in the Vulnerability Findings. The data is assigned to the relevant repo based on the correlation made by Cloud Insights between your repos and Checkmarx Projects.
