Enrichment Workflow for Other CNAPP Vendors
The External 3rd Party Enrichment workflow integrates Checkmarx One with 3rd Party CNAPP providers for the benefit of our mutual customers.
CNAPP vendors submit data from the runtime environments of our mutual customers into the corresponding Checkmarx One account. Checkmarx Cloud Insights then correlates the runtime data with Checkmarx One Projects and source code repositories, enriching Checkmarx One scanners results.
Then, the third-party CNAPP/Cloud Security vendors can query the Checkmarx One platform to obtain Checkmarx One scanner results data related to the container images ingested by the vendors, allowing them to enrich their systems accordingly.
This integration is done via Checkmarx One Rest APIs. Documentation of these APIs is available here.
Warning
This process should be done by the CNAPP vendor, and not by individual Checkmarx customers.
Prerequisites
A valid Checkmarx One API Key (bearer token)
A valid "External ID" - a unique ID for a specific vendor, provided by your Checkmarx support agent
A valid JSON enrichment file - see below for how to create this file
Creating a JSON Enrichment File
Create a JSON file that provides detailed information about the clusters, pods and containers in your system, based on the following schema.
Notice
The maximum file size is 20MB.
Schema:
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "clusters": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "name": { "type": "string", "maxLength": 200, "minLength": 1 },
          "region": { "type": "string", "maxLength": 20 },
          "pods": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "name": { "type": "string", "maxLength": 200, "minLength": 1 },
                "ips": {
                  "type": "array",
                  "items": { "type": "string", "maxLength": 20 }
                },
                "containers": {
                  "type": "array",
                  "items": {
                    "type": "object",
                    "properties": {
                      "image": { "type": "string", "maxLength": 200, "minLength": 1 },
                      "name": { "type": "string", "maxLength": 200, "minLength": 1 },
                      "publicExposed": { "type": "boolean" }
                    },
                    "required": [ "image", "name" ],
                    "additionalProperties": false
                  }
                }
              },
              "required": [ "name", "containers" ],
              "additionalProperties": false
            }
          }
        },
        "required": [ "name", "pods" ],
        "additionalProperties": false
      }
    },
    "externalID": { "type": "string" }
  },
  "required": [ "clusters", "externalID" ],
  "additionalProperties": false
}
Example:
{
  "externalID": "1223-123-123123",
  "clusters": [
    {
      "name": "NAME",
      "region": "REGION",
      "pods": [
        {
          "name": "NAME",
          "ips": [ "IP1", "IP2" ],
          "containers": [
            {
              "image": "IMAGE",
              "name": "NAME",
              "publicExposed": true
            }
          ]
        }
      ]
    }
  ]
}
You can validate your file using our Online Validator tool.
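The following is an added example, not Checkmarx's Online Validator or any Checkmarx code: a small Python validator that implements only the JSON Schema keywords the schema above uses (type, properties, required, additionalProperties, items, minLength, maxLength) together with the 20MB size limit, so an enrichment file can be checked offline before it is uploaded. The function names (`validate`, `validate_enrichment_file`), the transcribed `ENRICHMENT_SCHEMA` constants and the `SAMPLE` document are this example's own; the sample values are placeholders mirroring the page's example.

```python
# Added example, not Checkmarx's own tooling: validates an enrichment file offline by
# implementing only the JSON Schema keywords used by the schema on this page (type,
# properties, required, additionalProperties, items, minLength, maxLength) plus the
# 20MB size limit. ENRICHMENT_SCHEMA below is that schema, transcribed.
import json

MAX_BYTES = 20 * 1024 * 1024  # the page's 20MB limit


def _string(max_len, min_len=0):
    return {"type": "string", "maxLength": max_len, "minLength": min_len}


CONTAINER = {"type": "object",
             "properties": {"image": _string(200, 1), "name": _string(200, 1),
                            "publicExposed": {"type": "boolean"}},
             "required": ["image", "name"], "additionalProperties": False}
POD = {"type": "object",
       "properties": {"name": _string(200, 1),
                      "ips": {"type": "array", "items": _string(20)},
                      "containers": {"type": "array", "items": CONTAINER}},
       "required": ["name", "containers"], "additionalProperties": False}
CLUSTER = {"type": "object",
           "properties": {"name": _string(200, 1), "region": _string(20),
                          "pods": {"type": "array", "items": POD}},
           "required": ["name", "pods"], "additionalProperties": False}
ENRICHMENT_SCHEMA = {"type": "object",
                     "properties": {"clusters": {"type": "array", "items": CLUSTER},
                                    "externalID": {"type": "string"}},
                     "required": ["clusters", "externalID"], "additionalProperties": False}

_PY_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool}


def validate(value, schema, path="$"):
    """Return a list of violations as 'path: problem' strings; an empty list means valid."""
    expected = _PY_TYPES[schema["type"]]
    if not isinstance(value, expected):
        return [f"{path}: expected {schema['type']}, got {type(value).__name__}"]
    errors = []
    if expected is str:
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']} characters")
        if "minLength" in schema and len(value) < schema["minLength"]:
            errors.append(f"{path}: shorter than {schema['minLength']} characters")
    elif expected is list:
        for i, item in enumerate(value):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    elif expected is dict:
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}: missing required property '{key}'")
        for key, child in value.items():
            if key in props:
                errors += validate(child, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: unexpected property '{key}'")
    return errors


def validate_enrichment_file(raw_bytes):
    """Check the exact bytes that would be PUT to the upload link: size, JSON syntax, schema."""
    if len(raw_bytes) > MAX_BYTES:
        return [f"file is {len(raw_bytes)} bytes, above the 20MB limit"]
    try:
        doc = json.loads(raw_bytes)
    except ValueError as exc:  # catches e.g. a trailing comma left in a hand-edited file
        return [f"not valid JSON: {exc}"]
    return validate(doc, ENRICHMENT_SCHEMA)


# Constructed sample mirroring the page's example; all values are placeholders.
SAMPLE = {"externalID": "1223-123-123123",
          "clusters": [{"name": "NAME", "region": "REGION",
                        "pods": [{"name": "NAME", "ips": ["IP1", "IP2"],
                                  "containers": [{"image": "IMAGE", "name": "NAME",
                                                  "publicExposed": True}]}]}]}

if __name__ == "__main__":
    print(validate_enrichment_file(json.dumps(SAMPLE).encode()))  # []
```

Run the check on the serialized bytes rather than on the in-memory object, so that the size limit and any JSON syntax slip (a stray trailing comma, for instance) are caught against the file exactly as it would be uploaded. Because `additionalProperties` is `false` at every level of the schema, a misspelled key such as `publicExposed` is reported as an unexpected property rather than silently ignored.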
Third-Party Enrichment Workflow
Step 1 - Create account and run enrichment
Create a JSON enrichment file, following the specifications described above.
Use POST /cnas/accounts/enrich to create a new Cloud Insights enrichment account using the ExternalID that was provided by Checkmarx. Take note of the Account ID that is returned.
Use POST /api/uploads to generate an upload link.
Use PUT /{uploadLink} to upload the JSON enrichment file to the pre-signed URL.
Use POST /api/accounts/{id}/enrich, specifying the Account ID and upload link, to trigger the enrichment process.
Step 2 - Obtain results
Notice
These APIs can be used to import results from Checkmarx One into the 3rd party platform.
Use GET /cnas/accounts/{accountID}/containers to obtain the Project ID of a Checkmarx One project associated with a specific image.
Use GET /scans, specifying the Project ID in the query params, in order to obtain the Scan ID of the most recent scan of that project.
Use GET /results or GET /sast-results, specifying the Scan ID in the query parameters, in order to obtain results for all risks identified in that scan of that project.
Alternatively, you can view the results on the Cloud Insights screen of the Checkmarx One web application (UI).
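Step 1 and Step 2 end to end, as an added example client written for this page (it is not Checkmarx's code or SDK) using only the Python standard library. The endpoint paths are the ones listed in the steps above; the request and response field names (`id`, `url`, `uploadUrl`, `projectId`, `scans`, `results`) and the query-parameter names (`project-id`, `scan-id`) are assumptions to be confirmed against the Checkmarx One API reference before use, as are the placeholder tenant URL and API key. `FakeTransport` replays constructed responses so the example runs offline; constructing `EnrichmentClient` without a transport uses real HTTP.

```python
# Added example, not Checkmarx's own code: a minimal client for Step 1 and Step 2.
# Endpoint paths are the ones listed on this page; the JSON field names (id, url,
# uploadUrl, projectId, scans, results) and query-parameter names (project-id,
# scan-id) are ASSUMPTIONS to confirm against the Checkmarx One API reference.
import json
import urllib.request
from urllib.parse import urlencode, urljoin

BASE_URL_PLACEHOLDER = "https://checkmarx-one.example"  # placeholder tenant URL
API_KEY_PLACEHOLDER = "<CHECKMARX_ONE_API_KEY>"        # placeholder, never a real key


class EnrichmentClient:
    def __init__(self, base_url, api_key, transport=None):
        self.base_url = base_url.rstrip("/") + "/"
        self.api_key = api_key
        # transport(method, url, headers, body) -> (status, bytes). Injectable so the
        # whole workflow can be exercised offline with FakeTransport below.
        self.transport = transport or self._http_transport

    @staticmethod
    def _http_transport(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()

    def _json(self, method, path, payload=None, query=None):
        url = urljoin(self.base_url, path.lstrip("/"))
        if query:
            url += "?" + urlencode(query)
        headers = {"Authorization": "Bearer " + self.api_key, "Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, raw = self.transport(method, url, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} returned HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    # Step 1 - create account and run enrichment
    def create_account(self, external_id):
        return self._json("POST", "/cnas/accounts/enrich", {"externalID": external_id})["id"]

    def create_upload_link(self):
        return self._json("POST", "/api/uploads")["url"]

    def upload_file(self, upload_link, doc_bytes):
        # PUT the file straight to the pre-signed URL: raw body, no bearer token.
        status, _ = self.transport("PUT", upload_link, {"Content-Type": "application/json"}, doc_bytes)
        if status >= 400:
            raise RuntimeError(f"upload to pre-signed URL returned HTTP {status}")

    def trigger_enrichment(self, account_id, upload_link):
        return self._json("POST", f"/api/accounts/{account_id}/enrich", {"uploadUrl": upload_link})

    # Step 2 - obtain results
    def project_for_image(self, account_id, image):
        for c in self._json("GET", f"/cnas/accounts/{account_id}/containers"):
            if c.get("image") == image:
                return c["projectId"]
        return None

    def latest_scan_id(self, project_id):
        scans = self._json("GET", "/scans", query={"project-id": project_id})["scans"]
        return scans[0]["id"] if scans else None  # assumes newest-first ordering

    def scan_results(self, scan_id):
        return self._json("GET", "/results", query={"scan-id": scan_id})["results"]


def run_workflow(client, external_id, enrichment_doc, image):
    """Step 1 followed by Step 2 for one container image; returns the IDs found."""
    account_id = client.create_account(external_id)
    link = client.create_upload_link()
    client.upload_file(link, json.dumps(enrichment_doc).encode())
    client.trigger_enrichment(account_id, link)
    project_id = client.project_for_image(account_id, image)
    scan_id = client.latest_scan_id(project_id) if project_id else None
    results = client.scan_results(scan_id) if scan_id else []
    return {"account_id": account_id, "project_id": project_id, "scan_id": scan_id, "results": results}


class FakeTransport:
    """Constructed canned responses, replayed in call order so the example runs offline."""
    CANNED = [(201, b'{"id": "acct-1"}'),                                  # POST /cnas/accounts/enrich
              (200, b'{"url": "https://upload.example/presigned/abc"}'),  # POST /api/uploads
              (200, b""),                                                 # PUT pre-signed URL
              (202, b"{}"),                                               # POST /api/accounts/{id}/enrich
              (200, b'[{"image": "IMAGE", "projectId": "proj-9"}]'),      # GET .../containers
              (200, b'{"scans": [{"id": "scan-42"}]}'),                   # GET /scans?project-id=
              (200, b'{"results": [{"severity": "HIGH"}]}')]              # GET /results?scan-id=

    def __init__(self):
        self.calls, self._replies = [], iter(self.CANNED)

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        return next(self._replies)


SAMPLE_DOC = {"externalID": "1223-123-123123", "clusters": [{"name": "NAME", "pods": [
    {"name": "NAME", "containers": [{"image": "IMAGE", "name": "NAME"}]}]}]}

if __name__ == "__main__":
    print(run_workflow(EnrichmentClient(BASE_URL_PLACEHOLDER, API_KEY_PLACEHOLDER, FakeTransport()),
                       "1223-123-123123", SAMPLE_DOC, "IMAGE"))
```

Two design points worth keeping in a real implementation: the bearer token is attached only to calls against the Checkmarx One base URL, never to the PUT against the pre-signed upload link, and every non-2xx status raises immediately so that a failed upload or a missing project cannot be mistaken for an empty result set.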