All Collections
Older Release
Checkmarx CxSAST Connector (older revision)
Checkmarx CxSAST Connector (older revision)

Getting started with Checkmarx CxSAST connector

Updated over a week ago

Am I reading the right user guide?

Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).

To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.


Supported product: CxSAST

Supported version: 9.0.0 and higher

Required user roles: Odata API, SAST Reviewer

You can set the user roles under Access Control --> Edit User --> Roles

Required user teams: Make sure the user have access to relevant teams.

You can set the user roles under Access Control --> Edit User --> Teams

  • for SSL - please make sure that the IIS binding are not restricted for a specific host name, and that SNI is not enabled:


Same as other SAST tools, the vulnerabilities are not associated with CVSS or other numeric score. Checkmarx gives each vulnerability a Severity, and Vulcan will map those values into a numeric values that will represent their score.

  • High --> 10

  • Medium --> 6.5

  • Low --> 3

  • Info --> 0

For more information about risk, read this article.

Configuring Checkmarx Connector

In the Connectors page, click on Add a Connector.

Click on Checkmarx CxSAST connector.

Fill the following field:

Server URL - URL of your Checkmarx account.

Username - User with required permissions to access the Checkmarx account

Password - Password match to username

Client Secret - A default value on your account. Insert new value only in case you know it was changed by your organization (otherwise, keep the default value).

Choose Result State - Select which Result States you would like Vulcan to pull from Checkmarx. Only checked boxes will be pulled. By default, Vulcan will pull all results.

Note - you can change this setting later, and all current vulnerabilities in the de-selected states will be moved to "Fixed" (and new ones will not be pulled).

Important: If you are using Checkmarx v9.3.0 and above, Vulcan will not be able to pull Custom Result States, as they are not supported at this time. Please contact your customer success manager for more information.

Click on Create.

You can view the connector's progress under the Log tab:

Viewing data from Checkmarx in Vulcan

Vulcan provides the option to remediate vulnerabilities from 2 different angels:

  • Assets

  • Vulnerabilities


The data from Checkmarx will be displayed under Code Projects - This tab gathers all data came from SAST and SCA tools. To filter only Checkmarx data, simply use the Search Bar.

The Project column will indicate the projects you have in Checkmarx.

The Last Report column will indicate the last scanned time in Checkmarx.

The Vulnerabilities column will indicate the number of vulnerabilities that exist in a project (High, Medium and Low)

The Top Risk column will indicate the highest risk-value from all risks that exist in a project.

The Tags column will indicate all the tags that related to projects. Vulcan creates tags out of the value of the Team.

Clicking on each project will open its Asset Card where you can view in detailed the project's data, including - All related vulnerabilities, affected code lines, details of projects and correlated data from other sources.

If you want to view specific vulnerability, click on it and you will get a representation of that vulnerability and its details.

You can view all data from Checkmarx in Vulnerabilities. In order to filter only Checkmarx data, simply use the Search Bar.

You can start the remediation process by clicking on a vulnerability and view all details fetched from your Checkmarx account.


What are the API calls used by the connector?

Did this answer your question?