Jira
Jira is a comprehensive work and project management platform by Atlassian that provides issue tracking, task management, workflow customization, and agile project management capabilities including Scrum and Kanban boards to help software development, IT, and cross-functional teams plan, track, and deliver projects efficiently. The platform integrates seamlessly with development tools, CI/CD pipelines, and third-party applications to centralize work tracking, enable collaboration across teams, provide real-time reporting and analytics, and support agile methodologies throughout the software development lifecycle from ideation to deployment.
What is Jira
XXXX is a fast, open-source, static analysis tool designed to find bugs and enforce code standards. It combines the simplicity of grep with the power of semantic code analysis, allowing developers to search for code patterns using an intuitive syntax that resembles the target code itself.
The Value of Checkmarx One
For a security engineer, managing application security testing across multiple platforms can be challenging. Checkmarx One offers a unified security platform that consolidates multiple testing types into a single solution, providing several key advantages:
Comprehensive Testing Coverage
Checkmarx One combines SAST (Static Application Security Testing), KICS (Infrastructure as Code Security), and SCA (Software Composition Analysis) in one platform, providing multi-layer security coverage across your entire application stack.
Contextual Security Analysis
By correlating findings across multiple scanning engines, Checkmarx One provides more accurate risk assessments with fewer false positives, helping teams focus on genuine security concerns.
Unified View of Security Posture
Rather than managing multiple security tools, Checkmarx One's unified platform gives teams visibility across the entire software security landscape from a single interface.
Benefits of the DefectDojo Integration
While Checkmarx One provides excellent security testing capabilities, integrating it with DefectDojo offers substantial additional benefits for security teams and organizations:
Centralized Vulnerability Management
By importing Checkmarx One findings into DefectDojo, you can consolidate all your security findings from multiple tools (not just Checkmarx) into a single platform. This enables more efficient vulnerability management, tracking, and remediation workflows.
Enhanced Reporting Capabilities
DefectDojo's powerful reporting engine allows you to generate custom reports across all your security tools, providing executives and stakeholders with clear visibility into your security posture and remediation progress.
Granular Tracking of Finding Lifecycle
DefectDojo enables detailed tracking of each finding's status over time, including verification, false positive handling, and risk acceptance processes that complement Checkmarx One's capabilities.
Integration with Development Workflows
DefectDojo's integrations with issue trackers like Jira, Azure DevOps, and GitHub Issues make it easier to assign vulnerabilities to the right teams and track remediation as part of your existing development processes.
How the Integration Works
The integration between Checkmarx One and DefectDojo is implemented through a specialized parser that accurately imports findings from Checkmarx One JSON exports into DefectDojo:
Data Flow Process
- Export findings from Checkmarx One - Generate a JSON export of your findings from the Checkmarx One platform.
- Import into DefectDojo - Use the Checkmarx One parser in DefectDojo to import the findings.
- Parsing and mapping - The parser processes the JSON file, extracts relevant data, and maps it to DefectDojo's finding model.
- Deduplication - Findings are deduplicated based on unique IDs to prevent duplicates when reimporting.
- Finding enhancement - Additional metadata like tags identifying the finding type (SAST, KICS, SCA) are added for better categorization.
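The mapping, tagging and deduplication steps above, shown as an added, self-contained Python example. This is not the DefectDojo parser itself: the JSON layout of the sample export (the "results" list, the "type", "id", "severity", "data" and "firstFoundAt" keys) is an assumption made for the illustration, and the vulnerability identifier in the SCA record is a placeholder, not a real CVE.

```python
import json
from dataclasses import dataclass, field

# Constructed sample export. Field names are assumptions for this example,
# not the real Checkmarx One schema; point the accessors below at the actual
# keys your export uses. The last record repeats the first one's id, which is
# what a reimport of the same scan would produce.
SAMPLE_EXPORT = json.dumps({
    "results": [
        {"type": "sast", "id": "sast-001", "severity": "HIGH",
         "data": {"queryName": "SQL_Injection", "cweId": 89,
                  "nodes": [{"fileName": "app/db.py", "line": 42}]},
         "firstFoundAt": "2024-01-10"},
        {"type": "kics", "id": "kics-777", "severity": "MEDIUM",
         "data": {"queryName": "S3 Bucket Public", "cweId": 284,
                  "filename": "infra/s3.tf", "line": 7,
                  "expectedValue": "acl = private", "value": "acl = public-read"},
         "firstFoundAt": "2024-01-12"},
        {"type": "sca", "id": "sca-123", "severity": "CRITICAL",
         "data": {"packageIdentifier": "lodash@4.17.15", "cweId": 1321},
         "vulnerabilityDetails": {"cveName": "CVE-0000-00000"},  # placeholder id
         "firstFoundAt": "2024-01-12"},
        {"type": "sast", "id": "sast-001", "severity": "HIGH",
         "data": {"queryName": "SQL_Injection", "cweId": 89,
                  "nodes": [{"fileName": "app/db.py", "line": 42}]},
         "firstFoundAt": "2024-01-10"},
    ]
})

# Severity labels used by DefectDojo's finding model.
SEVERITY_MAP = {"CRITICAL": "Critical", "HIGH": "High", "MEDIUM": "Medium",
                "LOW": "Low", "INFO": "Info"}


@dataclass
class Finding:
    """Subset of the DefectDojo finding model that the page lists as captured."""
    title: str
    description: str
    severity: str
    unique_id: str
    cwe: int = 0
    file_path: str = ""
    line: int = 0
    mitigation: str = ""
    date: str = ""
    tags: list = field(default_factory=list)


def _parse_sast(rec):
    node = rec["data"]["nodes"][0]
    return Finding(title=rec["data"]["queryName"],
                   description=f"SAST query {rec['data']['queryName']}",
                   severity=SEVERITY_MAP[rec["severity"]], unique_id=rec["id"],
                   cwe=rec["data"]["cweId"], file_path=node["fileName"],
                   line=node["line"], date=rec["firstFoundAt"], tags=["sast"])


def _parse_kics(rec):
    d = rec["data"]
    # Expected vs. actual value is the remediation guidance for IaC findings.
    mitigation = f"Expected: {d['expectedValue']}\nActual: {d['value']}"
    return Finding(title=d["queryName"], description=f"KICS query {d['queryName']}",
                   severity=SEVERITY_MAP[rec["severity"]], unique_id=rec["id"],
                   cwe=d["cweId"], file_path=d["filename"], line=d["line"],
                   mitigation=mitigation, date=rec["firstFoundAt"], tags=["kics"])


def _parse_sca(rec):
    pkg = rec["data"]["packageIdentifier"]
    vuln = rec["vulnerabilityDetails"]["cveName"]
    return Finding(title=f"{vuln} in {pkg}", description=f"Vulnerable dependency {pkg}",
                   severity=SEVERITY_MAP[rec["severity"]], unique_id=rec["id"],
                   cwe=rec["data"]["cweId"], date=rec["firstFoundAt"], tags=["sca"])


HANDLERS = {"sast": _parse_sast, "kics": _parse_kics, "sca": _parse_sca}


def parse_export(text):
    """Map every result to a Finding, dispatching on engine type, and drop
    repeats of an id already seen so a reimport does not create duplicates."""
    seen, findings = set(), []
    for rec in json.loads(text)["results"]:
        handler = HANDLERS.get(rec["type"])
        if handler is None or rec["id"] in seen:
            continue
        seen.add(rec["id"])
        findings.append(handler(rec))
    return findings


if __name__ == "__main__":
    for f in parse_export(SAMPLE_EXPORT):
        print(f.unique_id, f.severity, f.tags, f.file_path or "-", f.line or "-")
```

The engine tag on each finding is what lets DefectDojo filters separate SAST, KICS and SCA results later, and the unique id is the key DefectDojo's reimport uses to recognise a finding it has already stored.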
Technical Implementation
The parser is designed to handle different variations of Checkmarx One output formats, ensuring compatibility with various export options from the platform. It implements specialized handling for different finding types (SAST, KICS, SCA) to ensure that all relevant data is captured properly.
Data Granularity and Mapping
The integration captures detailed information from Checkmarx One findings, preserving the rich context needed for effective remediation:
Key Data Points Captured
Category | Data Points | Purpose
Basic Information | Title, Description, Severity, Finding Type | Core details needed for understanding the vulnerability
Technical Context | CWE IDs, File Paths, Line Numbers, Code Snippets | Precise location information for developers to identify the issue
Metadata | IDs, Finding Types, Tags | Categorization and traceability back to Checkmarx One
Remediation Data | Expected Values, Actual Values, Mitigation Instructions | Clear guidance on how to fix the vulnerability
Temporal Data | First Found Date, Status | Tracking the finding over time
Getting Started
Implementing this integration is straightforward with these steps:
- Ensure you have a recent version of DefectDojo (the Checkmarx One parser was added in version 2.x)
- Export findings from Checkmarx One in JSON format
- In DefectDojo, create a new test and select "Checkmarx One Scan" as the scan type
- Upload your JSON file and complete the import
- Review your imported findings and set up any desired workflows
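Steps 3 and 4 can also be driven from a script rather than the web UI, which is how most teams wire the import into a pipeline. The added example below is not part of DefectDojo or this page; it uses DefectDojo's REST endpoint `/api/v2/import-scan/` with token authentication and the "Checkmarx One Scan" scan type named above. The form field names (`scan_type`, `engagement`, `file`, `active`, `verified`, `close_old_findings`, `minimum_severity`) are taken from DefectDojo's API v2 and should be checked against the version you run; the base URL, token and engagement id are placeholders.

```python
import urllib.request

BOUNDARY = "----defectdojo-import-example"


def import_fields(engagement_id, minimum_severity="Info"):
    """Form fields for a Checkmarx One import into an existing engagement.
    close_old_findings retires findings absent from the new upload, which is
    what you want when each upload is a full export of the current scan."""
    return {
        "scan_type": "Checkmarx One Scan",
        "engagement": str(engagement_id),
        "minimum_severity": minimum_severity,
        "active": "true",
        "verified": "false",
        "close_old_findings": "true",
    }


def build_multipart(fields, file_field, filename, content, boundary=BOUNDARY):
    """Encode text fields plus one file as multipart/form-data (stdlib only).
    Returns the Content-Type header value and the request body bytes."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f"--{boundary}\r\nContent-Disposition: form-data; "
            f'name="{name}"\r\n\r\n{value}\r\n'.encode()
        )
    parts.append(
        (f"--{boundary}\r\nContent-Disposition: form-data; "
         f'name="{file_field}"; filename="{filename}"\r\n'
         "Content-Type: application/json\r\n\r\n").encode()
        + content + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def import_scan(base_url, api_token, engagement_id, export_path):
    """POST a Checkmarx One JSON export to DefectDojo's import-scan endpoint.
    base_url, api_token and engagement_id are placeholders supplied by the caller."""
    with open(export_path, "rb") as fh:
        content = fh.read()
    content_type, body = build_multipart(
        import_fields(engagement_id), "file", "checkmarx_one.json", content)
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/import-scan/", data=body, method="POST",
        headers={"Authorization": f"Token {api_token}",
                 "Content-Type": content_type})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on a 4xx/5xx
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Placeholders: replace with your DefectDojo URL, API key and engagement id.
    print(import_scan("https://defectdojo.example.invalid", "API_TOKEN_PLACEHOLDER",
                      1, "checkmarx_one_export.json"))
```

Keep the API token out of the script itself (an environment variable or a CI secret is the usual place), and prefer a dedicated DefectDojo user with import rights on the target product only, so a leaked pipeline credential cannot read or alter findings elsewhere.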
For more technical details, refer to the sample data files and documentation in the DefectDojo repository.
“The ability to import XXXX findings into DefectDojo has streamlined our vulnerability management process. We now have a single source of truth for all security findings, regardless of which tool discovered them.”
Security Team - Anonymous