Skip to main content

Checkmarx Audit Overview

Checkmarx Audit complements Checkmarx CxSAST by enabling you to easily and intuitively customize SAST’s analysis queries or configure your own additional queries for:

  • Security

  • QA

  • Application logic purposes.

Audit can be used to adapt SAST’s basic security functionality to non-standard code. This helps in eliminating false positives and ensuring that all real vulnerabilities are identified. Audit can also be used for expanding SAST’s functionality to include queries for supporting specific QA or application logic needs.

This guide explains how to use the Audit user interface, and also how to use its features with existing queries to customize and create queries. You don’t need to extensively study the SAST query programming language (detailed in the Checkmarx CxQuery API Guide). Audit includes intuitive tools for adding code elements to various parts of queries, and for locating relevant parts of existing queries and combining them to create your own.

Who Should Work with Audit

In general, the user of the Audit tool can be a person who serves as an organization’s Security Auditor or Security Champion, who is familiar with SAST and the audited code, and who thus grasps the value of the results provided by this tool.

The user of Audit can also benefit from Cx Query Language API training.

What Can You Do with Audit

You can use Audit for the following purposes:

  • Improving Security Analysis: SAST comes with an extensive list of hundreds of preconfigured queries to identify known security vulnerabilities in source code using the standard code libraries of each programming language. However, if your code project includes less common libraries or custom code elements, SAST might not identify all vulnerabilities and/or might point out false positive vulnerabilities.

    Use Audit to 'teach' SAST's queries how to recognize these elements.

  • Custom analysis: You can use Audit for expanding SAST's functionality to analyze project-specific aspects of your source code. This includes two primary types of analysis:

    • Application Logic: Track the logical flow through source code by querying to find what influences a specified element, what the element influences, and where else the element appears.

    • QA: Locate potential bugs or other application-specific issues by querying where the code might allow specified information elements to reach specified application output.

Custom analysis can be done ad-hoc, by querying directly from a source code element, or such queries can be added to future code scans.

The Audit System

Audit is a Windows client application that interacts with the SAST server over HTTP. Audit projects are synchronized with the SAST server along with last scan results, or you can open a local or network folder to create a new project. Code analysis and query editing is performed locally. You can experiment with changes to the query set and run local scans, and later decide whether to save query changes and/or scan results to the server.

Audit includes an interface for viewing and managing scan results, similar to the SAST web interface's interactive scan results. Audit's unique features are integrated into its scan results interface.