
Add Sec to your DevOps Pipeline with Checkmarx

Rémi Lavedrine · 4 min read

In a previous post, I explained the quick wins available when adding more security within your organisation.

In this post, I will go through the whole process of adding a Static Application Security Testing (SAST) tool to your pipeline in order to scan your code for security vulnerabilities.
That software is Checkmarx.

1. What is Checkmarx? 🤔

Checkmarx is an Application Security Testing and Static Code Analysis Solution.
It scans source code, identifies security vulnerabilities within it, and provides remediation with sample code.

Features include:

  • Static Application Security Testing
  • Dependency Scanning
  • Interactive Application Security Testing
  • Runtime Application Security Testing

Figure: Checkmarx in a Software Development Lifecycle

Compared to other similar security tools, Checkmarx is flexible, integrates with other popular CI/CD tools, and supports a wide range of programming languages.
On the flip side, as enterprise-level software, it is not cheap. 💸

2. What is the Process? 🤔

To get the most out of a tool like Checkmarx, you have to automate it within your CI/CD pipeline.
The point is to check the security of all your repositories every time you release something (either a major version or on a more frequent basis).

Nevertheless, remember that this analysis will require work from your teams to triage the identified vulnerabilities and fix them.
So do it at a pace your teams can sustain.

2.1. Analyse the Codebase Locally on your Computer 💻

  1. Download the repository (or repositories)
  2. Start a scan using the Checkmarx Command Line Interface
  3. Check the scan result on the Checkmarx interface

2.2. Analyse the Codebase within your CI/CD Pipeline 🖥️

I assume you are using Jenkins on your CI/CD pipeline.

  1. A hook on Jenkins starts a script
  2. That script downloads the repository
  3. That script starts a scan on the downloaded repository
  4. That script alerts if something went wrong during the scan (through its return code)
  5. Checkmarx alerts on the scan result

You can use the following tool to mass-clone your repositories onto your machine:

GitHub repository Shosta/DLBitbucketRepos: Download all the repositories that you can access on Bitbucket to easily analyze them statically for security issues and data leakage.

This program clones all the repositories that you have on Bitbucket at once. It is very useful if you want to analyze the code statically from a security perspective, for instance.

You can look for certificate files and leaked information (like passwords, logins, keys, etc.).

More than that, you can look in the git history to see if some information was leaked in the past, even if it is no longer present in the code at the moment.

3. How to Use the Checkmarx Command Line Interface? 👨‍💻

It is very easy to start a scan from your machine.

Download the Checkmarx CLI Plugin from the following links:

Install the Checkmarx CLI Plugin ("CxConsolePlugin") in any folder you find appropriate.
Then, to start a scan, you just have to run the runCxConsole.sh script, which is inside the "CxConsolePlugin" folder.

CxConsolePlugin usage:

runCxConsole.sh Scan -Projectname "SP/Cx/Engine/AST/SecurityScanTest" -CxServer https://securecode.itn.intraorange/ \
    -cxuser $checkmarxLogin -cxpassword $checkmarxAppPassword \
    -locationtype GIT -locationprivatekey $locationPrivateKey -locationurl $locationUrl -locationbranch $locationBranch \
    -preset All -comment 'Scan de test' -reportpdf ~/SecurityScanTest.pdf

3.1. Good Security Practices 👍

As you can see in the command above, at some point you have to fill in your Checkmarx login and password (-cxuser and -cxpassword).

It is good security practice to never, ever type your password in clear text into your terminal.
Anyone (or any malware) can simply look at your command-line history and get your password in plain text.

Learning by doing. 😉

Try pressing Ctrl+R in your terminal and then search for git clone.
Or try history | grep "git clone" (passwords frequently leak through git commands).

That is why you MUST never type your password into your terminal, as anyone can then access it.

To avoid leaking passwords into the terminal history, I wrote a short script that starts a Checkmarx scan using its CLI plugin.

You can find it in the following GitHub repository (feel free to fork it and improve it 😉).

GitHub repository Shosta/CheckmarxAutomation: How to Automate Checkmarx Scans

Script usage:

./CheckmarxAutomation.sh -h
usage: CheckmarxAutomation
      [[-u|--cxuser] <username>] Your Login on Checkmarx
      [-h|--help]

Using it:

./CheckmarxAutomation.sh -u remi
Please, Fill in your Checkmarx Password :

That way, your password is not going to leak into your terminal history. 👍🏼
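As an added example (not the CheckmarxAutomation script from the repository above), here is a POSIX shell wrapper that ties together the pipeline steps from section 2.2 and the password handling from 3.1: it reads the password from the terminal without echoing it, expands a leading ~ in the private-key path to the absolute path the CLI needs, and hands the CLI exit code back to the caller so a CI job can fail on it. The CX_CONSOLE location, the cx_scan.sh file name and the argument order are assumptions.

```shell
#!/bin/sh
# cx_scan.sh: added wrapper around runCxConsole.sh (not the project's own
# script). Prompts for the password instead of taking it on the command
# line, makes the private-key path absolute, and returns the CLI exit code.
# CX_CONSOLE is an assumed default location; override it in the environment.
set -u
CX_CONSOLE="${CX_CONSOLE:-/opt/CxConsolePlugin/runCxConsole.sh}"

# Expand a leading "~" or a relative path to an absolute path, because the
# Checkmarx CLI does not expand "~" itself ("Private key file is not found").
abs_path() {
    case "$1" in
        "~")   printf '%s\n' "$HOME" ;;
        "~/"*) printf '%s/%s\n' "$HOME" "${1#"~/"}" ;;
        /*)    printf '%s\n' "$1" ;;
        *)     printf '%s/%s\n' "$PWD" "$1" ;;
    esac
}

# Read the password without echoing it, so it reaches neither the shell
# history nor the screen; falls back to a plain read when stdin is a pipe.
read_password() {
    if [ -t 0 ]; then
        printf 'Please, fill in your Checkmarx password: ' >&2
        stty -echo; read -r pw || pw=""; stty echo; printf '\n' >&2
    else
        read -r pw || pw=""
    fi
    printf '%s\n' "$pw"
}

# Start one scan. Returns the CLI exit code so a CI job can fail on it.
# Args: user password project server keyfile giturl branch
run_cx_scan() {
    "$CX_CONSOLE" Scan -Projectname "$3" -CxServer "$4" \
        -cxuser "$1" -cxpassword "$2" \
        -locationtype GIT -locationprivatekey "$(abs_path "$5")" \
        -locationurl "$6" -locationbranch "$7" -preset All
}

main() {
    [ $# -eq 6 ] || { echo "usage: $0 <cxuser> <project> <server> <keyfile> <giturl> <branch>" >&2; exit 2; }
    pw=$(read_password)
    run_cx_scan "$1" "$pw" "$2" "$3" "$4" "$5" "$6"; rc=$?
    [ "$rc" -eq 0 ] && echo "Checkmarx scan finished" || echo "Checkmarx scan failed (exit $rc)" >&2
    exit "$rc"
}
# Run main only when executed as cx_scan.sh, so the functions can be sourced.
case "${0##*/}" in cx_scan.sh) main "$@" ;; esac
```

A Jenkins job can call ./cx_scan.sh with the password piped from its credential store, and the job fails whenever the CLI exit code is non-zero.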

3.2. Issues Workarounds ⛔

1. SSH Private Keys not Found

You are using SSH to connect to your repository, but Checkmarx cannot find the private key, as you can see below:

[2019-09-25 09:42:00,000 FATAL] Command parameters are invalid: Private key file is not found in: ~/.ssh/PrivateKey

If you are using SSH keys to log in to your Git repository (and you should 🔐), you MUST use an absolute path for the -locationprivatekey parameter.

2. Checkmarx Server not Available

The Checkmarx server cannot be accessed from your machine, as you can see below:

[2019-09-25 09:42:00,000 ERROR] Failed to validate server connectivity: Cx web service is not available at: https://securecode.mysersver/

To solve this issue, make sure that the Checkmarx server is allowed through your proxy, and use the Checkmarx server's IP address.


Tell me if adding this kind of solution is something you are considering.
And if you are already using it, tell me whether you find it useful and whether it is improving the security level of your applications.
