Checkmarx (SAST, SCA, KICS, Container Scan) Integration with AccuKnox¶
This integration fetches SAST, SCA, KICS, and Container scan results from Checkmarx One and sends them to AccuKnox to visualize and prioritize vulnerabilities across projects.
Prerequisites¶
- Docker installed
.envfile created with the necessary variables (see below)
Environment Variables¶
Below are the required variables to configure the integration:
Checkmarx Variables¶
| Variable | Description |
|---|---|
CX_API_KEY |
API token to authenticate with Checkmarx One Generate API Key |
CX_PROJECT |
Project filter (supports wildcards and exclusion) |
CX_PRIMARY_BRANCH |
true to consider only the primary branch of projects |
CX_PROJECT Usage Guide:¶
{"*":"*"}→ All projects, all branches{"*dvwa*":"*"}→ Only projects with dvwa in the name, all branches{"*dvwa*":"main"}→ Only projects with dvwa in the name and branch =main{-*dvwa*:"main"}→ Exclude projects with dvwa in the name; only includemainbranch from others
AccuKnox Variables¶
| Variable | Description |
|---|---|
AK_ENDPOINT |
AccuKnox API endpoint (e.g., https://cspm.demo.accuknox.com) |
AK_LABEL |
Label to tag the findings in AccuKnox UI Create Labels |
AK_TENANT_ID |
Tenant ID in AccuKnox platform Get Tenant ID |
AK_TOKEN |
API token to authenticate with AccuKnox Generate Token |
Sample .env file¶
CX_API_KEY=eyJhbGciOiJIUzUxMiIsInR5..................
CX_PROJECT={"*":"*"}
CX_PRIMARY_BRANCH=false
AK_ENDPOINT=https://cspm.demo.accuknox.com
AK_LABEL=cxprime
AK_TENANT_ID=123
AK_TOKEN=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ0b2tl...............
Run the Integration¶
docker run --rm -it \
--env-file .env \
-v $PWD:/app/data/ \
accuknox/checkmarx-one-job:1.4
The script fetches results from Checkmarx One using the API key and project filter, then forwards them to AccuKnox for visualization and risk prioritization.
View Results in AccuKnox SaaS¶
To view the Checkmarx findings:
- Navigate to the AccuKnox Console.
- Go to Issues > Findings.
- Select one of the following categories to view the identified vulnerabilities:
- CX SAST
- CX SCA
- CX KICS
- CX Containers
Notes¶
- Make sure your
.envfile does not contain trailing spaces or special characters that could break parsing. - The
AK_LABELhelps categorize data inside the AccuKnox dashboard (e.g.,cxprime,checkmarx-scan). Learn More - To schedule this job, you can embed this in a CI/CD pipeline or cron job runner.