Checkmarx One

Checkmarx One Integration with DefectDojo

Checkmarx One brings enterprise-grade application security testing across SAST, SCA, IaC, and API security under a single platform — built for organizations that need deep code analysis coverage with the governance controls that regulated industries require. What it doesn't provide is a cross-functional vulnerability management workflow: the SLA enforcement, remediation ownership tracking, risk acceptance audit trails, and longitudinal portfolio reporting that security operations teams need to run a program, not just a scanner. Integrating Checkmarx One with DefectDojo fills that operational layer. Findings from every Checkmarx scan type flow into a managed lifecycle where security and engineering teams work from the same record — from detection through verified remediation.

Why Checkmarx One Matters

Checkmarx One is a cloud-native application security platform designed for scale across enterprise codebases, combining multiple scan engines under unified management.

• Checkmarx SAST is one of the most established static analysis engines in the enterprise market, with deep taint analysis across 30+ languages and frameworks — covering complex dataflow vulnerabilities like SQL injection, XSS, path traversal, and insecure deserialization across multi-file and multi-function code paths
• Checkmarx SCA provides open source dependency analysis across all major package ecosystems, combining vulnerability data with reachability analysis to surface which vulnerable code paths are actually invoked — reducing false prioritization on unreachable findings
• Checkmarx IaC Security analyzes Terraform, CloudFormation, Kubernetes manifests, Helm charts, and Ansible playbooks for misconfigurations before deployment, with fix suggestions inline
• Checkmarx API Security discovers APIs in source code and assesses them for security issues — covering undocumented APIs, broken authentication patterns, and sensitive data exposure at the API layer
• Checkmarx One's unified query language (CxQL) allows security teams to write and tune custom queries across their codebase, reducing false positives in ways that out-of-the-box rule sets often can't
• Findings are exportable via the Checkmarx One API and CLI in JSON and SARIF formats, both compatible with DefectDojo

Advantages of This Integration

Checkmarx One produces findings at enterprise scale. DefectDojo turns those findings into an accountable remediation program.

• Unified view across all scan types: SAST, SCA, IaC, and API security findings live in separate Checkmarx One scan results. DefectDojo aggregates them under a single product and engagement structure, giving security teams one place to assess total application risk without context-switching between scan consoles or report exports.
• Remediation lifecycle with verified closure: Checkmarx One shows what's vulnerable. DefectDojo tracks whether anything was done — who was assigned, when the SLA clock started, whether the fix was verified in a subsequent scan, and whether the finding re-introduced itself after remediation. That closed-loop tracking is what transforms scanning into a program.
• SLA enforcement at finding level: DefectDojo applies configurable SLA policies by severity across all imported Checkmarx findings. Critical SAST findings get a 7-day target; High severity SCA findings get 30 days. Breach tracking and alerting surface overdue items in dashboards and weekly reports without manual status chasing.
• False positive management that persists across scans: Checkmarx One produces false positives, particularly in complex codebases. Findings marked as false positives in DefectDojo are retained across reimports — the next Checkmarx scan won't re-open them, and the rationale is documented for audit review.
• Cross-team remediation routing: SAST findings go to application developers, SCA findings may go to a dependency management team, IaC findings go to platform engineering, API findings go to API owners. DefectDojo's assignment model routes each finding type to the right owner with the right context, without requiring a manual triage meeting for every scan cycle.
• Portfolio-level application security reporting: Security teams managing dozens of applications get aggregated metrics across all products in DefectDojo — open findings by severity, scan type, age, and SLA status. This is the data that feeds quarterly security reviews, board reporting, and compliance evidence packages.
• Ticketing workflow for engineering handoff: Triaged Checkmarx findings push from DefectDojo directly to Jira, GitHub Issues, or ServiceNow with the relevant code location, dataflow trace, and remediation guidance included — giving developers actionable context without requiring Checkmarx One console access.

How This Integration Works

Checkmarx One findings are exported via the Checkmarx One CLI (cx) or API in JSON or SARIF format, then imported into DefectDojo using the appropriate parser.

Step 1 — Run scans and export results via Checkmarx One CLI

# Authenticate with Checkmarx One

cx configure set --prop-name cx_apikey --prop-value <your-api-key>

cx configure set --prop-name cx_base_uri --prop-value https://<tenant>.checkmarx.net

# Run a full scan (SAST + SCA) and export results as JSON

cx scan create --project-name <project-name> \

--branch <branch> \

--source . \

--report-format json \

--output-path ./checkmarx-results.json

# Export results for an existing scan by scan ID

cx results show --scan-id <scan-id> \

--report-format json \

--output-path ./checkmarx-results.json

# SARIF output (alternative, also supported by DefectDojo)

cx results show --scan-id <scan-id> \

--report-format sarif \

--output-path ./checkmarx-results.sarif

Step 2 — Import into DefectDojo

Use Checkmarx One Scan as the scan type for JSON output, or SARIF for SARIF format:

curl -X POST https://<defectdojo-host>/api/v2/import-scan/ \

-H "Authorization: Token <your-api-token>" \

-F "scan_type=Checkmarx One Scan" \

-F "file=@checkmarx-results.json" \

-F "engagement=<engagement-id>" \

-F "product=<product-id>" \

-F "active=true" \

-F "verified=false"

Step 3 — Reimport for recurring scans

For projects scanned on a regular CI/CD cadence, use the reimport endpoint to update existing findings rather than accumulate redundant test records:

curl -X POST https://<defectdojo-host>/api/v2/reimport-scan/ \

-H "Authorization: Token <your-api-token>" \

-F "scan_type=Checkmarx One Scan" \

-F "file=@checkmarx-results.json" \

-F "test=<test-id>"

DefectDojo marks findings absent from the new scan as resolved, creates records for new findings, and leaves previously accepted or false-positived findings untouched.

Data Granularity: What Gets Imported

Use Cases

In a CI/CD pipeline with branch-level scanning: Checkmarx One scans run on every merge to main. Results reimport into DefectDojo for each application, updating finding status automatically. Security engineers triage new findings in DefectDojo, assign to developers via Jira integration, and track SLA compliance through dashboards — without logging into Checkmarx One for every review cycle. Findings marked NOT_EXPLOITABLE in Checkmarx are carried over as false positives in DefectDojo, preventing reimport noise.

For large enterprise portfolios with centralized security governance: An organization with 150 applications and a central AppSec team uses Checkmarx One across all repos. DefectDojo aggregates findings by application product, giving the AppSec team a prioritized view of where Critical and High findings are concentrated, which applications are missing SLA targets, and where false positive rates suggest query tuning is needed. That portfolio intelligence isn't available from Checkmarx One's native reporting at the same level of cross-application aggregation.

During secure SDLC gate reviews: Applications must pass a security review before major release. Checkmarx One scans run against the release branch; results import into a release-specific DefectDojo engagement. Security and engineering jointly triage findings, document risk acceptances for known issues with compensating controls, and the engagement record serves as the documented gate review artifact — auditable and timestamped.

For SCA reachability-driven prioritization: Checkmarx SCA's reachability analysis flags which vulnerable dependency code paths are actually invoked. Security teams import these findings into DefectDojo and use the reachability field to tier their remediation queue — reachable Critical findings get immediate SLA treatment, unreachable High findings get deferred review. DefectDojo's tagging and filtering surfaces this distinction throughout the finding lifecycle.

For IaC misconfiguration management across infrastructure teams: Checkmarx IaC Security findings for Terraform and Kubernetes manifests import into DefectDojo as part of infrastructure pipeline runs. Platform and security teams jointly triage misconfigurations, apply risk acceptances where compensating controls exist, and track remediation across subsequent IaC scan reimports — all in DefectDojo rather than scattered across CI pipeline logs.

Operational Tips

• Separate scan types into distinct DefectDojo engagements: SAST, SCA, IaC, and API security findings have different owners, SLA expectations, and remediation workflows. Keeping them in separate engagements — even within the same product — makes assignment, tracking, and reporting cleaner than mixing all finding types into a single engagement.
• Map Checkmarx state to DefectDojo handling on import: Checkmarx One findings carry a state field — NOT_EXPLOITABLE and PROPOSED_NOT_EXPLOITABLE should map to false positive or risk accepted status in DefectDojo on import, so they don't re-enter the active triage queue. Validate that your import pipeline handles this mapping correctly.
• Use CxQL query tuning before importing at scale: Checkmarx SAST can produce significant finding volume in large codebases if custom queries aren't tuned. Reducing false positives at the scanner level before importing into DefectDojo is more efficient than bulk false-positiving in the vulnerability management platform after the fact.
• Tag findings by scan engine on import: Adding tags for sast, sca, iac, or api in DefectDojo enables filtering and reporting by engine type across your portfolio — useful for understanding which scan type is driving the most remediation workload and where query tuning effort should be focused.
• Leverage dataflow traces in developer tickets: Checkmarx SAST findings include source-to-sink dataflow paths showing exactly how user-controlled data flows through the codebase to the vulnerable sink. When pushing findings to Jira from DefectDojo, include the dataflow trace — it's the single most useful piece of information for a developer trying to understand and fix a SAST finding.
• Align reimport cadence with SLA windows: If your Critical SLA is 7 days and Checkmarx scans run weekly, findings could already be at SLA breach before the first DefectDojo update. For high-criticality applications, daily or per-commit scanning with automated reimport gives DefectDojo the data it needs to track SLA compliance accurately.
• Use engagement naming conventions tied to scan context: A naming convention like CxOne SAST - main - <App Name> - Q2 2025 makes it straightforward to locate historical scan records, compare posture across quarters, and produce engagement-level evidence for compliance reviews without ambiguity about which scan corresponds to which time period.