GitLab Self-Hosted
Notice
It is possible to add the Checkmarx One external IP addresses to the customer Firewall allowlist - For more information see Managing Checkmarx One Traffic and AWS S3 Access
Additionally, if the code repository is not internet accessible, it is possible to configure the code repository IP address instead of its hostname during the initial integration with the code repository - as it is not resolved via DNS.
Overview
Checkmarx One supports GitLab integration, enabling automated scanning of your GitLab projects whenever the code is updated. Checkmarx One’s GitLab integration listens for GitLab commit events and uses a webhook to trigger Checkmarx scans when a push, or a pull request occurs. Once a scan is completed, the results can be viewed in Checkmarx One.
In addition, for pull requests, a comment is created in GitLab, which includes a scan summary, list of vulnerabilities and a link to view the scan results in Checkmarx One.
Notice
This integration supports both public and private git based repos.
The integration is done on a per project basis, with a specific Checkmarx One Project corresponding to a specific GitLab repo.
Notice
You can select several repos to create multiple integrations in a bulk action.
Prerequisites
The source code for your project is hosted on a GitLab repo.
You have a Checkmarx One account and have credentials to log in to your account.
Important
Creating new import configurations or editing existing configurations requires
update-tenant-paramspermission. Importing new Projects using an existing configuration requirescreate-projectpermission.The GitLab user has Maintainer or Owner privileges for this Project, see Code Repository Integrations.
You have your GitLab Client ID & Client Secret - See Retrieving GitLab Application ID & Application Secret.
Retrieving GitLab Application ID & Application Secret
To retrieve GitLab Application ID & Application Secret, perform the following steps:
In your GitLab account, click on your user → Preferences (top right).
Click on Applications.
Configure the following fields:
Name.
Redirect URI - The Checkmarx One environment URL.
For example: https://master.dev.cxast.net/
Confidential - On (Default).
Expire Access Tokens - On (Default).
Scopes - Check the api checkbox.
Click on Save Application.
Copy the Application ID & Secret.
Click on Continue.
Setting up the Integration and Initiating a Scan
This process involves first connecting to your repo by specifying the repo URL and your authentication credentials, and then selecting the repos to import and configuring the Project settings.
It is possible to configure multiple configurations for connecting to GitLab self-hosted code repositories, each using a different URL and/or different authentication credentials. Once the initial configuration is set up, for each subsequent import action you can choose either to use the existing configuration or to create a new one.
To create GitLab self-hosted code repository Projects:
In the Workspace
, click on New > New Project - Code Repository Integration. 
The Import From window opens.
Select Self-Hosted > GitLab.
Configure the connection to your code repository, as follows:
If you are setting up an import configuration for the first time, enter data for the following fields and then click Save & Continue.
Instance Name - Designate a name for this import configuration.
URL - Your GitLab self-managed domain.
For example: https://gitlab.example.com
Application ID - See Retrieving GitLab Application ID & Application Secret for retrieving your Applicaiton ID.
Secret - See Retrieving GitLab Application ID & Application Secret for retrieving your Application Secret.
If you are importing Projects using an existing configuration, select the radio button next to the configuration that you would like to use, and then click Next.
If you are adding a new configuration in addition to an existing configuration, click + Add Configuration, then fill in the data for this configuration as described above, and then click Save & Continue.
Notice
If you would like to edit an existing configuration (e.g., change the URL or credentials), go to Global Settings > Code Repository.
Upon initial log in, approve the GitLab account authorization request via Checkmarx One.
Click Authorize.
Sign in to GitLab using one of the following options:
Select the GitLab User/Organization or Group (for the requested repository) and click Select Organization.
Select the Repository inside the GitLab organization and click Next.
Note
A separate Checkmarx One Project will be created for each repo that you import.
There can’t be more than one Checkmarx One Project per repo. Therefore, once a Project has been created for a repo, that repo is greyed out in the Import dialog.
In the Repositories Settings screen, configure the following and click Next.
Permissions:
Scan Trigger: Push, Pull request - Automatically trigger a scan when a push event or pull request is done in your SCM. (Default: On)
Pull Request Decoration - Automatically send the scan results summary to the SCM. (Default: On)
SCA Auto Pull Request - Automatically send PRs to your SCM with recommended changes in the manifest file, in order to replace the vulnerable package versions. (Default: Off)
Scanners: Select the scanners for All/Specific repositories. At lease 1 scanner must be selected for each repository.
Protected Branches: Select which Protected Branches to scan for each repository.
Note
For additional information about Protected Branches see About Protected Branches
Add SSH key.
Assign Groups: Specify the Groups to which you would like to assign the project.
Assign Tags: Add Tags to the Project. Tags can be added as a simple strings or as key:value pairs.
Set Criticality Level: Manually set the project criticality level.
Note
If multiple repositories are selected, an additional configuration option will appear at the top of the wizard for applying settings to all selected repositories. Configure the necessary parameters, then scroll down on the right-side panel and click Apply to all.
For example:
Select which Protected Branches to scan for each Repository and click Next.
Note
For additional information about Protected Branches see About Protected Branches
In the Advanced Options screen it is possible to select Scanning the default branch upon the creation of the Project.
Click Create Project.
The Project is successfully created in the Applications and Projects home page, and the scan is initiated.
Note
In order to update the scanners see Imported Project Settings
Editing Project Settings
To learn about editing Project Settings for an existing code repository integration Project, see Code Repository Project Settings.