
Preparing for the Checkmarx SAST & SCA Vulnerability Integration

A successful integration requires some initial planning and setup to ensure a smooth installation and configuration process. This guide outlines the necessary steps to prepare your ServiceNow instance and your Checkmarx environments for seamless communication. It assumes you have a working knowledge of the Checkmarx SAST and SCA products.

Validate ServiceNow Instance Sizing

Before importing a large volume of vulnerability data, it is crucial to confirm that your ServiceNow instance is sized appropriately. An undersized instance can result in slow processing times and prolonged load times, negatively impacting the overall user experience.

Reach out to ServiceNow Customer Service and Support to verify your instance's capacity based on the number of vulnerable items you anticipate importing from your Checkmarx scans.

Preparing Checkmarx SAST

Checkmarx SAST is on-premises software, so establishing secure connectivity between your ServiceNow cloud instance and your SAST server is the primary requirement. The following steps will guide you through preparing your SAST environment.

Verify SAST Version Requirements

The required version of Checkmarx SAST depends on the version of the ServiceNow plugin you have installed. Newer plugin versions may rely on features available only in more recent SAST releases to improve performance, such as paginated APIs for fetching results.

To ensure compatibility, consult the official changelog. Locate your plugin version in the changelog to find the corresponding supported SAST versions and hotfixes.

Configure a ServiceNow MID Server

A ServiceNow MID (Management, Instrumentation, and Discovery) Server is required to establish this connectivity. The MID Server acts as a secure communication bridge between your ServiceNow instance and your on-premises SAST server.

Ensure you have a MID Server installed and validated on a host machine that has network connectivity to your Checkmarx SAST server URL. For detailed instructions, refer to the official ServiceNow documentation on installing a MID Server.

Create a Dedicated SAST User Role

The integration requires a dedicated user account in Checkmarx SAST with permissions to read scan results and other system information. For security, it is best practice to create a dedicated role (e.g., ServiceNow Integration Role) that contains only the permissions listed below, and to grant that role to the integration account and nothing else.

  • Required SAST Permissions:

    • Use Odata

    • Save/Update Project

    • View Failed Sast Scan

    • Generate Scan

    • Report Export

    • Scan Results

    • View Results

    • Manage System Settings

    • Manage Result Comment

Preparing Checkmarx SCA

Follow these steps to prepare your cloud-based Checkmarx SCA tenant for integration.

Identify SCA Environment URLs

The integration must connect to multiple endpoints for your SCA tenant. During configuration, you will need to provide three distinct URLs:

  • Checkmarx SCA Access Control Server URL: The base URL for the Identity and Access Management (IAM) service (e.g., https://platform.checkmarx.com).

  • Checkmarx SCA Server URL: The base URL of your SCA Environment API (e.g., https://api.sca.checkmarx.net).

  • SCA Web App URL: The base URL of the SCA user interface, which is used to construct direct links to findings within ServiceNow.

Assign SCA User Permissions

The integration requires a user account in Checkmarx SCA with permissions to read project and scan data.

  • Required SCA Permission:

    • SCA Scanner
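The two configuration inputs above that are easiest to get subtly wrong are the SAST role's permission set (a missing permission breaks the import, an extra one violates least privilege for a service account) and the SCA base URLs (an http scheme, a trailing path such as /api, or a bare hostname without a scheme). The following preflight script is an added example, not code from ServiceNow or Checkmarx; it checks both offline before you enter the values in the instance. The required permission list and the URL field names are taken from this page; the Web App URL value and the "Manage Users" permission in the sample input are constructed placeholders.

```python
"""Offline preflight checks for the Checkmarx SAST/SCA -> ServiceNow integration.

Added example, not part of the ServiceNow or Checkmarx documentation.
Checks (1) the dedicated SAST role against the required permission set and
(2) the three SCA base URLs for common configuration mistakes.
"""
from urllib.parse import urlsplit

# Required SAST permissions for the dedicated integration role, as listed on the page.
REQUIRED_SAST_PERMISSIONS = frozenset({
    "Use Odata",
    "Save/Update Project",
    "View Failed Sast Scan",
    "Generate Scan",
    "Report Export",
    "Scan Results",
    "View Results",
    "Manage System Settings",
    "Manage Result Comment",
})

# Field names for the three SCA URLs, as named on the page.
SCA_URL_FIELDS = ("Access Control Server URL", "Server URL", "Web App URL")


def _norm(name):
    """Normalize a permission name: collapse whitespace, ignore case."""
    return " ".join(name.split()).casefold()


def check_sast_role(granted):
    """Compare a role's granted permissions with the required set.

    Returns (missing, extra). Missing permissions will break the integration;
    extra permissions mean the role is broader than least privilege requires.
    """
    required = {_norm(p): p for p in REQUIRED_SAST_PERMISSIONS}
    have = {_norm(p): p for p in granted}
    missing = sorted(required[k] for k in required.keys() - have.keys())
    extra = sorted(have[k] for k in have.keys() - required.keys())
    return missing, extra


def validate_base_url(url):
    """Return (normalized_url, problems) for a base URL the integration stores.

    A base URL must use https, carry a host, and have no path, query or
    fragment. A trailing slash is stripped so that endpoint paths appended
    later do not produce a double slash.
    """
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if not parts.netloc:
        problems.append("no host in URL (missing scheme?)")
    if parts.path not in ("", "/"):
        problems.append(f"unexpected path {parts.path!r}; enter the base URL only")
    if parts.query or parts.fragment:
        problems.append("query string or fragment is not allowed")
    return f"{parts.scheme}://{parts.netloc}", problems


def check_sca_urls(urls):
    """Validate all three SCA URL fields; returns {field: [problems]}.

    An empty problem list means the field is acceptable; a field absent from
    the input is reported as missing.
    """
    report = {}
    for field in SCA_URL_FIELDS:
        if field not in urls:
            report[field] = ["missing"]
            continue
        _, problems = validate_base_url(urls[field])
        report[field] = problems
    return report


if __name__ == "__main__":
    # Constructed sample: one required permission missing, one excess permission.
    granted = ["Use Odata", "Save/Update Project", "View Failed Sast Scan",
               "Generate Scan", "Report Export", "Scan Results", "view results",
               "Manage System Settings", "Manage Users"]
    print("SAST role (missing, extra):", check_sast_role(granted))

    # Constructed sample URLs; the Web App URL is a placeholder, not a real endpoint.
    sample_urls = {
        "Access Control Server URL": "https://platform.checkmarx.com/",
        "Server URL": "http://api.sca.checkmarx.net/api",
        "Web App URL": "https://sca.example.com",
    }
    for field, problems in check_sca_urls(sample_urls).items():
        print(f"{field}: {'OK' if not problems else problems}")
```

Run it on the MID Server host or wherever you are assembling the configuration; fix every reported problem before entering the values in ServiceNow, since the instance will accept a malformed base URL and only fail later when the first import runs.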