Managing Checkmarx One Traffic and AWS S3 Access
Checkmarx One supports integration with on-prem external tools and vendors. The supported tools include the following:
Code repositories - GitLab Self-Hosted, GitHub Self-Hosted, Bitbucket Self-Hosted, Azure DevOps Self-Hosted
Bug tracking tools - Jira
If your organization restricts inbound and outbound traffic by default and wants to allow it for Checkmarx One, you need to allowlist two kinds of traffic on your firewall to integrate with the tools listed above: the addresses Checkmarx One connects from when it reaches your on-prem tools (its outgoing traffic, which arrives at your network as inbound connections), and the destinations your own systems connect to (Checkmarx One's incoming traffic).
The IP addresses for Checkmarx One's outgoing traffic are listed by region in Whitelisting IPs for Checkmarx One's outgoing traffic.
The IP addresses for Checkmarx One's incoming traffic are dynamic, so an IP-based rule would need constant maintenance. Instead, allow this traffic with domain-based rules using application control and URL filtering, as described in Implementing domain-based rules for Checkmarx One's incoming traffic.
The Checkmarx One CLI and plugins also need to reach AWS S3 endpoints. If outbound access to S3 is blocked by default, open it as explained in Providing access to AWS S3 endpoints.
Whitelisting IPs for Checkmarx One's outgoing traffic
The table below lists the relevant IP addresses per region.
Notice
For regions with multiple IP addresses, you need to add all of the IPs; allowing only some of them causes intermittent failures.
The IPs listed below apply to Multi-Tenant instances only.
IPs for Single Tenant environments are specific to each Single Tenant setup and are not listed here.
Region | Outgoing traffic from Checkmarx
---|---
EU (Europe) |
EU2 (Europe) |
IND (India) |
ANZ (Australia + New Zealand) |
SGP (Singapore) |
MEA (Middle East and Africa) |
Implementing domain-based rules for Checkmarx One's incoming traffic
The IP addresses of Checkmarx One's incoming traffic are dynamic and may change periodically. To avoid frequent updates to IP-based rules and to keep access working when IPs change, implement domain-based rules using application control and URL filtering.
To do so, proceed as follows:
1. Open your network security management console.
2. Navigate to the section where security policies are defined.
3. Use the Application & URL Filtering feature to create a new application or site object.
4. Specify *.checkmarx.net as the Fully Qualified Domain Name (FQDN) of the object.
5. Add a new rule to your security policy that allows traffic to the created application/site object.
6. Set the action to Accept (or the equivalent permission level on your device) and place the rule above any broader deny rule, so that it is evaluated first.
7. Ensure that your firewall or network device has DNS resolution enabled, so that it resolves the FQDN to IP addresses dynamically. It should use the same resolver as your clients; if the device and the clients resolve the name to different addresses, legitimate connections are dropped.
8. Test the connectivity to confirm that traffic is being allowed based on the FQDN.
Providing access to AWS S3 endpoints
To submit the necessary CLI commands for plugins, ensure that your network allows access to the AWS S3 endpoints documented here: https://docs.aws.amazon.com/general/latest/gr/s3.html.
The endpoint depends on the AWS region. For instance, in the US-East region, add the following endpoint to your allowlist: s3.dualstack.us-east-1.amazonaws.com.
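As an added example (not Checkmarx's or AWS's own code), the following Python script models the two allowlist entries this page describes: the wildcard FQDN object from the domain-based rules procedure above and the regional S3 endpoints from this section. It shows why a hostname allowlist must be matched label by label rather than by substring (a substring check would also accept lookalike names such as checkmarx.net.attacker.example), how single-label and multi-label readings of *.checkmarx.net differ (firewall vendors implement a leading wildcard differently, so confirm your device's behaviour with the connectivity test), and how to generate the S3 endpoint names for a list of regions. Apart from the page's own pattern and endpoint, every hostname in it is a constructed sample; the region-to-endpoint naming follows the public AWS pattern for the standard partition, and China regions, whose endpoints use a different suffix, are rejected rather than guessed.

```python
"""Offline model of the two allowlist entries described on this page.

Added example, not Checkmarx or AWS code. The pattern *.checkmarx.net and the
endpoint s3.dualstack.us-east-1.amazonaws.com come from the page; every other
hostname below is a constructed sample. The S3 names follow the public AWS
pattern s3.<region>.amazonaws.com / s3.dualstack.<region>.amazonaws.com
(standard partition only; China regions are rejected, see s3_endpoints).
"""
import ipaddress
from typing import Iterable, List

CHECKMARX_FQDN_RULE = "*.checkmarx.net"  # the FQDN object from the procedure above


def normalize_host(host: str) -> str:
    """Return a canonical hostname, or raise ValueError for anything that is not one.

    Lower-cases, strips one trailing dot, and rejects empty labels, over-long
    names and IP literals (an IP literal must never satisfy a domain rule).
    """
    h = host.strip().lower().rstrip(".")
    if not h or len(h) > 253:
        raise ValueError("invalid hostname: %r" % host)
    try:
        ipaddress.ip_address(h)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError("IP literal is not an FQDN: %r" % host)
    if any(not label or len(label) > 63 for label in h.split(".")):
        raise ValueError("invalid label in hostname: %r" % host)
    return h


def fqdn_matches(host: str, rule: str, single_label: bool = False) -> bool:
    """Label-wise match of a hostname against one allowlist rule.

    A rule without a wildcard must match exactly. A rule of the form
    *.example matches names that end in '.example' with at least one label in
    front. With single_label=True only one label may stand in front
    (TLS-certificate semantics); with the default single_label=False any depth
    matches, which is how many firewall URL-filtering engines treat a leading
    wildcard. The bare apex 'checkmarx.net' never matches '*.checkmarx.net'.
    """
    h = normalize_host(host)
    r = rule.strip().lower().rstrip(".")
    if not r.startswith("*."):
        return h == r
    suffix = r[2:]  # e.g. 'checkmarx.net'
    if not h.endswith("." + suffix):
        return False
    front = h[: -(len(suffix) + 1)]  # the labels in front of the suffix
    return ("." not in front) if single_label else True


def naive_substring_check(host: str, rule: str) -> bool:
    """The weak form to avoid: treats the rule as a substring.

    Kept only to show the over-match: it accepts 'checkmarx.net.attacker.example'
    and 'evil-checkmarx.net' because both contain 'checkmarx.net'.
    """
    return rule.lstrip("*.").lower() in host.lower()


def s3_endpoints(region: str, dualstack: bool = True) -> List[str]:
    """Regional S3 endpoint hostnames for an AWS region in the standard partition.

    Assumption: the public AWS naming pattern. China regions (cn-*) use the
    amazonaws.com.cn suffix and are rejected rather than guessed.
    """
    if region.startswith("cn-"):
        raise ValueError("China partition uses amazonaws.com.cn; look it up in the AWS docs")
    names = ["s3.%s.amazonaws.com" % region]
    if dualstack:
        names.append("s3.dualstack.%s.amazonaws.com" % region)
    return names


def build_allowlist(regions: Iterable[str]) -> List[str]:
    """Wildcard rule for Checkmarx One plus the S3 endpoints of the given regions."""
    rules = [CHECKMARX_FQDN_RULE]
    for region in regions:
        rules.extend(s3_endpoints(region))
    return rules


def is_allowed(host: str, rules: Iterable[str], single_label: bool = False) -> bool:
    """Deny-by-default decision: True only if some rule matches a valid FQDN."""
    try:
        return any(fqdn_matches(host, rule, single_label) for rule in rules)
    except ValueError:
        return False  # malformed name or IP literal: not covered by a domain rule


if __name__ == "__main__":
    rules = build_allowlist(["us-east-1"])
    for name in ["tenant.checkmarx.net", "checkmarx.net.attacker.example",
                 "s3.dualstack.us-east-1.amazonaws.com", "203.0.113.7"]:
        print("%-40s allowed=%s naive=%s" % (
            name, is_allowed(name, rules),
            naive_substring_check(name, CHECKMARX_FQDN_RULE)))
```

Running the script prints one line per constructed sample; the lookalike name is denied by the label-wise check and accepted by the substring check, and the IP literal is denied because a domain rule is never meant to cover it. Pass single_label=True to is_allowed if your device treats the leading wildcard as a single label, and add the regions your tenant actually uses to build_allowlist.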