Automating and integrating Application Security Testing (AST) is essential for building a true DevSecOps program. Automation is the easy part: invoke a security scanner's REST API or command line interface inside a pipeline and you get automated scans. The key, and trickier, part is integration. By that I mean being able to consume the scanner's results inside the team's own CI/CD tooling and make a security assessment without ever leaving the CI/CD ecosystem.
We're thrilled to share that, as announced today, CxSAST, CxSCA, and CxCodebashing all now integrate seamlessly within GitLab's ecosystem via CxFlow, Checkmarx's scan and result orchestration application.
Below is a high-level overview of integrating Checkmarx security into GitLab's user interface.
Stayin’ Put
GitLab's users, whether they are software developers, DevOps engineers, or AppSec engineers, want to consume as much of the application security scanner's results as possible within GitLab. GitLab is already a complete DevOps platform, from managing to planning to creating to releasing, so it is only natural that GitLab users would want security directly within GitLab. GitLab users can consume Checkmarx security-related vulnerability results at three different integration points:
- Merge Request Overviews
- GitLab Issues
- Security Dashboard (for GitLab Gold/Ultimate tier or public projects)
What those integration points surface includes:
- High-level summary of CxSAST & CxSCA findings
- Data flow from source to sink within the source code
- Short summary of the specific vulnerability that was identified
- Links to just-in-time training (CxCodebashing) and online resources for remediation
- Links into the Checkmarx platform for even more comprehensive results
CxFlow – Under the Hood
Checkmarx maintains a Spring Boot application called CxFlow, which acts as a scan and results orchestration tool to automate security scans and integrate the results into CI/CD tools such as GitLab. Some key features and capabilities include:
- Scan Initiation – CLI or Webhook Events
  - CxFlow can be run in two different ways: invoked from a command line interface, or run as a server that listens for webhook events. Once an event is triggered or received, a Checkmarx scan is initiated automatically.
  - Merge requests, or even commits of the source, trigger an existing pipeline within GitLab's CI/CD and initiate a scan via CxFlow; the existing pipeline only needs a stage added that invokes CxFlow.
  - Scan initiation either creates a new Checkmarx project if one does not exist or updates the current one.
- Results Management
  - Scan results are file based (CSV, JSON, or XML), making them easy to import into defect tracking systems or dashboards.
  - CxFlow also drives a result feedback loop, eliminating manual intervention (opening and even closing defects).
  - Results can always be filtered on any filtering criteria.
  - The results are easy to consume, in the form developers want, and, most importantly, actionable.
- Defect Tracking
  - Consolidates issues of the same vulnerability type in the same file – instead of multiple issues, there is just one.
  - Once all references to the vulnerability type of that issue are fixed, the ticket closes automatically.
  - Which findings become tickets can be based on policy: severity, CWE, vulnerability type, or state (urgent / confirmed).
  - Defect tracking is supported for both CxSAST and CxSCA results.
- Feedback Channels
  - Not only the GitLab Security Dashboard and GitLab Issues, but also Jira, Email, ServiceNow, and Rally.
- Ease of Consuming the AST Service
  - An effortless option for development teams to quickly scan projects.
  - No overhead when configuring and managing builds.
- Mass Effortless Scan Configuration
  - Quickly automate the scanning of multiple repositories.
  - Again, no overhead when configuring and managing builds across many repos.
- Automation with Developers' Common Toolsets
  - In this case, GitLab.
  - Get the details of issues to those who must address them – the developers.
  - Drive security testing based on GitLab activity.
  - Publish issues to existing backlogs.
  - Keep developers within GitLab.
- Eliminate Unnecessary Manual Tasks with Checkmarx Automation Capabilities
  - Free up time to focus on things that matter.
  - Shift as far left as possible.
  - Constantly scan the latest code.
  - Remove the need to scan in the IDE.
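To make the results-filtering and defect-tracking behaviour described above concrete, here is an added Python example (not CxFlow's own code) that reimplements the policy filter, the one-ticket-per-vulnerability-type-per-file consolidation, and the open/update/close reconciliation against a previous scan. The finding fields, the sample findings and the ticket store are constructed assumptions, not CxFlow's actual data model.

```python
"""Illustrative reimplementation of CxFlow-style issue consolidation and
auto-close. Added example; field names and sample data are assumptions."""
from collections import defaultdict

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample: raw findings as a scanner might report them.
FINDINGS = [
    {"type": "SQL_Injection", "file": "app/db.py", "line": 40, "severity": "High", "state": "Confirmed"},
    {"type": "SQL_Injection", "file": "app/db.py", "line": 88, "severity": "High", "state": "Urgent"},
    {"type": "XSS", "file": "web/views.py", "line": 12, "severity": "Medium", "state": "Confirmed"},
    {"type": "Hardcoded_Password", "file": "conf/settings.py", "line": 3, "severity": "Low", "state": "Confirmed"},
    {"type": "XSS", "file": "web/views.py", "line": 15, "severity": "Medium", "state": "Not Exploitable"},
]


def filter_findings(findings, min_severity="Medium", states=("Confirmed", "Urgent")):
    """Policy filter: keep findings at or above the severity floor and in an allowed state."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK[f["severity"]] >= floor and f["state"] in states]


def consolidate(findings):
    """One ticket per (vulnerability type, file); the ticket carries every affected line."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["type"], f["file"])].append(f["line"])
    return {key: sorted(lines) for key, lines in groups.items()}


def reconcile(open_tickets, current):
    """Compare tickets left open by the previous scan with this scan's consolidated issues.

    Returns (to_open, to_update, to_close): keys not yet tracked are opened, keys whose
    line set changed are updated, and keys no longer reported are closed because every
    reference to that vulnerability type in that file has been fixed."""
    to_open = [k for k in current if k not in open_tickets]
    to_update = [k for k in current if k in open_tickets and open_tickets[k] != current[k]]
    to_close = [k for k in open_tickets if k not in current]
    return to_open, to_update, to_close


if __name__ == "__main__":
    issues = consolidate(filter_findings(FINDINGS))
    # Constructed: tickets still open from the previous scan.
    previous = {("SQL_Injection", "app/db.py"): [40], ("Path_Traversal", "app/files.py"): [7]}
    print(reconcile(previous, issues))
```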
GitLab / Checkmarx Workflow
Below is a visual picture of the Checkmarx workflow with GitLab's CI/CD. Now let's describe this flow in more detail:
- Setting Variables
- Defining a Stage
- CxFlow CLI Initiates the Scan
- Checkmarx Performs SAST & SCA Scans
- CxFlow Parses Results and Updates GitLab