Overview
The Checkmarx connector integrates with the Checkmarx API to provide SAST and SCA scanning and results management. It supports 21 operations for scan management, vulnerability queries, result triage, project configuration, and team administration.
All operations are policy-evaluated and audit-logged through the ARX BaseConnector.execute() pipeline before reaching the Checkmarx API.
Connector class: CheckmarxConnector
Module: app.connectors.checkmarx
Prerequisites
| Requirement |
Details |
| Checkmarx instance |
A Checkmarx SAST/SCA instance (e.g. https://checkmarx.company.com) |
| API token |
OAuth token generated from Administration > API Security > OAuth Clients |
| Vault path |
Store credentials as base_url, client_id, and client_secret in the ARX vault |
Required Vault Credentials
{
"base_url": "https://checkmarx.company.com",
"client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"client_secret": "your-secret-here"
}
SDK Usage
from app.connectors.checkmarx import CheckmarxConnector
cmx = CheckmarxConnector(agent_id="agent-001", org_id="org-acme")
# List projects
projects = await cmx.list_projects()
# Get scan details by project ID
scans = await cmx.get_project_scans("1")
# Retrieve scan results and statistics
results = await cmx.get_scan_results("scan-id-123")
# Trigger a new scan (MEDIUM risk -- requires policy approval)
await cmx.queue_scan(project_id="1", source="git-repo-url")
# Update team or project settings
updated = await cmx.update_project(project_id="1", name="New Name")
Operations
Projects (8 operations)
| Operation |
Method |
Path |
Risk |
Description |
projects:read |
GET |
/api/projects |
LOW |
List all projects |
projects:read_detail |
GET |
/api/projects/{id} |
LOW |
Get project details by ID |
projects:create |
POST |
/api/projects |
MEDIUM |
Create a new project |
projects:update |
PUT |
/api/projects/{id} |
MEDIUM |
Update project configuration |
projects:delete |
DELETE |
/api/projects/{id} |
HIGH |
Delete a project and all associated scans |
projects:read_source_settings |
GET |
/api/projects/{id}/sourceSettings |
LOW |
Get source code repository settings |
projects:update_source_settings |
PUT |
/api/projects/{id}/sourceSettings |
MEDIUM |
Update repository configuration |
projects:read_teams |
GET |
/api/projects/{id}/teams |
LOW |
List teams with access to project |
Scans (7 operations)
| Operation |
Method |
Path |
Risk |
Description |
scans:read |
GET |
/api/scans |
LOW |
List scans and filtering criteria |
scans:read_detail |
GET |
/api/scans/{id} |
LOW |
Get scan details by ID |
scans:queue |
POST |
/api/scans |
MEDIUM |
Queue a new scan |
scans:get_results |
GET |
/api/scans/{id}/results |
LOW |
Retrieve scan vulnerabilities and statistics |
scans:stop |
PUT |
/api/scans/{id}/stop |
MEDIUM |
Stop a running scan |
scans:delete |
DELETE |
/api/scans/{id} |
HIGH |
Delete scan results |
scans:read_exclusions |
GET |
/api/scans/{id}/exclusions |
LOW |
List file/folder exclusions for scan |
Results Triage (6 operations)
| Operation |
Method |
Path |
Risk |
Description |
results:read_issues |
GET |
/api/results |
LOW |
Query vulnerabilities with filters and sorting |
results:update_state |
PUT |
/api/results/{id}/state |
MEDIUM |
Mark issue as confirmed, not exploitable, or proposed not exploitable |
results:assign_comment |
POST |
/api/results/{id}/comments |
LOW |
Add triage comment to vulnerability |
results:read_comments |
GET |
/api/results/{id}/comments |
LOW |
Retrieve triage comments on result |
results:bulk_update_state |
PUT |
/api/results/bulk/state |
MEDIUM |
Update state for multiple results in bulk |
results:bulk_assign_comment |
POST |
/api/results/bulk/comments |
LOW |
Add comment to multiple results |
Risk Classifications
| Level |
Operations |
Rationale |
| LOW |
All read operations, result queries, comment listing |
No state changes; safe for autonomous execution |
| MEDIUM |
Create/update projects, queue/stop scans, update result triage state, assign comments |
Modifies scan or triage state but reversible |
| HIGH |
projects:delete, scans:delete |
Deletes projects or scan history; may require approval |
Policy Examples
Allow read-only Checkmarx access for SOC agents
- name: checkmarx-readonly
connector: checkmarx
operations:
- "projects:read*"
- "scans:read*"
- "results:read*"
risk_max: low
approval: none
Allow scan management with approval for deletes
- name: checkmarx-scan-ops
connector: checkmarx
operations:
- "scans:*"
- "results:*"
risk_max: high
approval:
medium: auto
high: hitl
hitl_channel: "#sec-approvals"
Block destructive project operations
- name: checkmarx-no-deletes
connector: checkmarx
deny:
- "projects:delete"
-"scans:delete"