Checkmarx SAST Vulnerability Integration with ServiceNow
The Vulnerability Response Integration with Checkmarx connects your on-premise Checkmarx SAST and cloud-based Checkmarx SCA application security testing platforms with the ServiceNow Vulnerability Response application.
This integration does not initiate scans. Instead, it pulls data from Checkmarx for completed scans. Using a series of scheduled jobs, the plugin imports the latest scan results for each configured project, mapping the findings into the appropriate ServiceNow tables as Application Vulnerable Items (AVITs).
Checkmarx Vulnerability Integrations
The integration's data import process is handled by two parallel chains of four scheduled integrations, one chain for SAST and one for SCA. These integrations are designed to run in a specific sequence. While they are scheduled to run automatically each day, you can also execute them manually for on-demand synchronization.
Each integration job has a Start Time field. This field is important, as it instructs the integration to process only data (projects, scans, or vulnerabilities) that have been created or updated in Checkmarx after the specified time. After each successful run, the Start Time is automatically updated to the time of that run's completion, ensuring the next run fetches only new data.
To view the Checkmarx vulnerability integrations: Navigate to Checkmarx Vulnerability Integration > Integrations.
The eight integrations included in the base system are grouped into two chains:
SAST Integration Chain
Checkmarx Application List Integration
Purpose: This is the first job in the SAST chain. It discovers which SAST projects to track in ServiceNow.
How it Works: It queries the Checkmarx SAST API and retrieves any projects that have been created or updated after the Start Time. Then, it creates or updates corresponding records in the Application Release (sn_vul_app_release) table in ServiceNow.
Default State: Active and scheduled to run daily.
Checkmarx Scan Summary Integration
Purpose: This job runs after the SAST Application List integration completes. It finds the latest relevant scans for the discovered SAST projects.
How it Works: It retrieves summary information for the latest SAST scans that have been completed after the Start Time. This data populates the Application Vulnerability Scan Summaries (sn_vul_app_vul_scan_summary) table.
Default State: Active and On Demand (triggered by the completion of the Application List Integration).
Checkmarx Application Vulnerable Item Integration
Purpose: This job imports the actual SAST vulnerability findings from the scans identified in the previous integration.
How it Works: It retrieves all vulnerability details from the relevant SAST scans and creates new Application Vulnerable Items (AVITs) for new findings, populating the Application Vulnerable Item (sn_vul_app_vulnerable_item) table.
Default State: Active and On Demand (triggered by the completion of the Scan Summary Integration).
Checkmarx SAST AVIT Closure Integration
Note
It is expected behavior for this integration to show 0 values for Imported Items, New Items, and Updated Items in the integration run record. This integration focuses specifically on closing AVITs, ensuring that closure operations occur without altering these counters.
Purpose: This is the final job in the SAST chain. It handles the automatic closure of SAST AVITs that are no longer present in the latest scans.
How it Works: It identifies the latest scan for each project and automatically closes AVITs not found in that scan by setting their state to Closed and source remediation status to FIXED.
Default State: Active and On Demand (triggered by the completion of the Application Vulnerable Item Integration).
SCA Integration Chain
Checkmarx SCA Application List Integration
Purpose: This is the first job in the SCA chain. It discovers which SCA projects to track in ServiceNow.
How it Works: It queries the Checkmarx SCA API for projects created after the Start Time and creates or updates corresponding records in the Application Release (sn_vul_app_release) table. SCA projects are distinguished by having "SCA" appended to their Source Application ID.
Default State: Active and scheduled to run daily.
Checkmarx SCA Scan Summary Integration
Purpose: This job runs after the SCA Application List integration. It finds the latest scans for the discovered SCA projects.
How it Works: It retrieves summary information for the latest SCA scans completed after the Start Time, populating the Application Vulnerability Scan Summaries (sn_vul_app_vul_scan_summary) table.
Default State: Active and On Demand (triggered by the completion of the SCA Application List Integration).
Checkmarx SCA Application Vulnerable Item Integration
Purpose: This job imports the actual SCA vulnerability findings from the scans identified in the previous integration.
How it Works: It retrieves all vulnerability details from the relevant SCA scans and creates or updates Application Vulnerable Items (AVITs) in the Application Vulnerable Item (sn_vul_app_vulnerable_item) table.
Default State: Active and On Demand (triggered by the completion of the SCA Scan Summary Integration).
Checkmarx SCA AVIT Closure Integration
Note
It is expected behavior for this integration to show 0 values for Imported Items, New Items, and Updated Items in the integration run record. This integration focuses specifically on closing AVITs, ensuring that closure operations occur without altering these counters.
Purpose: This is the final job in the SCA chain. It handles the automatic closure of SCA AVITs that are no longer present in the latest scans.
How it Works: It identifies the latest scan for each SCA project and automatically closes AVITs not found in that scan by setting their state to Closed and source remediation status to FIXED.
Default State: Active and On Demand (triggered by the completion of the SCA Application Vulnerable Item Integration).
Important
Integration Sequence: These integrations are co-dependent and must run in the correct sequence for each chain (Application List → Scan Summary → Vulnerable Items → AVIT Closure). Running them out of order can lead to incomplete or inaccurate vulnerability data.
Data Flow Direction: This integration provides a one-way synchronization from Checkmarx to ServiceNow. Any state changes, comments, or triage actions made in ServiceNow will not be reflected back in the Checkmarx SAST or SCA platforms.
Flow of Integration:
SAST Flow:
Checkmarx Application List Integration: Finds SAST Projects
Checkmarx Scan Summary Integration: Finds Scans for those Projects
Checkmarx Application Vulnerable Item Integration: Imports Vulnerabilities from those Scans
Checkmarx SAST AVIT Closure Integration: Closes Vulnerabilities No Longer Present in Latest Scans
SCA Flow:
Checkmarx SCA Application List Integration: Finds SCA Projects
Checkmarx SCA Scan Summary Integration: Finds Scans for those Projects
Checkmarx SCA Application Vulnerable Item Integration: Imports Vulnerabilities from those Scans
Checkmarx SCA AVIT Closure Integration: Closes Vulnerabilities No Longer Present in Latest Scans
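The chain above, modelled as an added example (not ServiceNow's or Checkmarx's code): the Start Time watermark applied to constructed sample scans, then the AVIT import, then the closure rule (state Closed, source remediation status FIXED). Project, scan and finding names are made up, and closure is assumed to evaluate only projects that received a new scan in the current run.

```javascript
// Added example, not ServiceNow or Checkmarx code: a model of one integration
// chain's Start Time watermark and AVIT closure rules over constructed data.
// Constructed sample scans: project, completion time (UTC ISO-8601, so plain
// string comparison orders them) and the finding ids each scan reported.
const sampleScans = [
  { project: 'web-app', scanId: 'scan-1', completed: '2024-01-10T09:00:00Z', findings: ['f-1', 'f-2', 'f-3'] },
  { project: 'api',     scanId: 'scan-3', completed: '2024-01-11T09:00:00Z', findings: ['f-9'] },
  { project: 'web-app', scanId: 'scan-2', completed: '2024-01-12T09:00:00Z', findings: ['f-2', 'f-4'] },
];

// Scan Summary step: fetch only scans completed after the Start Time (and not
// after the run time), keeping the latest one per project.
function latestScansSince(scans, startTime, now) {
  const latest = {};
  for (const s of scans) {
    if (s.completed <= startTime || s.completed > now) continue;
    if (!latest[s.project] || s.completed > latest[s.project].completed) latest[s.project] = s;
  }
  return latest;
}

// Vulnerable Item step: create an AVIT for each finding not already tracked.
function importAvits(avits, latest) {
  const byId = new Map(avits.map(a => [a.id, a]));
  let created = 0;
  for (const scan of Object.values(latest)) {
    for (const f of scan.findings) {
      if (byId.has(f)) continue;
      byId.set(f, { id: f, project: scan.project, state: 'Open', remediationStatus: 'NEW' });
      created++;
    }
  }
  return { avits: [...byId.values()], created };
}

// Closure step: an open AVIT whose project's latest scan no longer reports it
// becomes Closed / FIXED; projects with no new scan this run are left alone.
function closeStaleAvits(avits, latest) {
  return avits.map(a => {
    const scan = latest[a.project];
    if (!scan || a.state === 'Closed' || scan.findings.includes(a.id)) return a;
    return { ...a, state: 'Closed', remediationStatus: 'FIXED' };
  });
}

// One scheduled run of the chain; the watermark advances to the run time so
// the next run picks up only newer scans.
function runChain(scans, avits, startTime, now) {
  const latest = latestScansSince(scans, startTime, now);
  const imported = importAvits(avits, latest);
  return { avits: closeStaleAvits(imported.avits, latest), created: imported.created, nextStartTime: now };
}
```

Running two consecutive runs shows the watermark at work: the first run imports scan-1 and scan-3, the second imports only scan-2 and closes the web-app findings it no longer reports, while the api project's AVIT is untouched.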
Roles
Specific roles are required for installing and configuring the integration:
System Administrator (admin): This role is required to install the application from the ServiceNow Store.
App-Sec Manager (sn_vul.app_sec_manager): After installation, a user with this role can configure the integration settings, view imported data, and manage the integration runs.