Source Code Security Pipeline
A properly configured source codebase is required for creating a source code security pipeline. If the source codebase doesn't exist, it should be created first. For more information, see the "Code bases" section.
Click the DevSecOps menu item on the left and then the +Add new button at the top right of the Source code pipelines tab to add a new source code pipeline.
The Choose the codebase for pipeline window appears. Double-click the name of the codebase you want to add.
The new codebase pipeline appears on the Source code pipelines tab.
Click the Show pipeline config icon on the source codebase pipeline card. The pipeline details page appears. This page contains two warnings about incorrect pipeline configuration because the orchestration (CI/CD) tool and the scan tool haven’t been added to the pipeline yet.
Click the Actions button at the top right and select the Add new element item from the drop-down menu. Select the CI item in the window that appears to add the CI/CD orchestration tool (e.g., TeamCity) to the security pipeline.
In the next window, select TeamCity from the list of tools and click the Create button. The Pipeline auth token field can be left blank.
The new TeamCity card and the confirmation notification appear, and one corresponding warning disappears from the Pipeline Structure tab.
The next step is to add a scan tool.
Click the Actions button at the top right and select the Add new element item from the drop-down menu. Select the SAST tool item in the window that appears to add the Checkmarx scan tool to the pipeline.
Select the Checkmarx item from the list of tools in the Create SAST scan config window.
In the window that appears, configure the following parameters:
- Scan mode - Select the scanning mode (Full/Incremental).
- Predefined preset/Dynamically modified preset - Select whether a predefined or a dynamically modified preset will be used for the scan. The Predefined preset option allows you to select, in the next field, any preset imported from Checkmarx. More information on dynamic presets is provided later in this section.
- Preset - Select the Checkmarx preset that will be used for the scan. This parameter is used only if Predefined preset is selected in the previous field.
After filling in the other fields (Root team, Team, Excluded directories), click the Create button (see the "Security pipeline structure" section).
If the Team field is left blank, a team whose name matches the name of the application in Maverix will be created automatically.
The new Checkmarx tool card appears on the pipeline details page, and the last warning disappears from the page.
The name of the preset in use is displayed on the tool card.
Now click the Actions button at the top right and select the Export CI/CD item from the drop-down menu to export the newly created security pipeline to the CI/CD orchestration tool (e.g., TeamCity). This is required to synchronize the pipeline settings between Maverix and TeamCity. A confirmation message appears at the bottom right.
After the successful export to the CI/CD tool, click the Actions button and select the Start scan item from the drop-down menu to start a source code security scan using the Checkmarx tool.
Dynamic presets in Checkmarx
If Checkmarx is used as the SAST tool, you can use the Dynamically modified preset option.
If a particular programming language (and its corresponding checks) is not selected in the Predefined preset, code written in that language will be ignored during the scan.
When using the Dynamically modified preset, the programming languages that make up the codebase are recognized automatically, and a new preset is formed that includes the checks for the detected languages. In addition, if one or more rules defining conditional risk acceptance (see the "Risk acceptance" section) have been created in Maverix, the corresponding conditions are also added automatically to the Dynamically modified preset.
The advantages of this approach are as follows:
- On-the-fly response to changes in the codebase (e.g., the appearance of new programming languages), followed by an update of the Checkmarx preset to activate the corresponding checks.
- Reducing scan time by skipping unnecessary checks.
If a new programming language appears in the codebase or a previously used one disappears, the preset is dynamically updated according to the changes.
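The following is an added illustration of the mechanism described above, not Maverix or Checkmarx code: it derives a preset from the languages detected in a codebase, carries over only the risk-acceptance conditions for checks that are active, and re-derives the preset when a language disappears or appears. The extension map, check identifiers, rule format and sample codebases are constructed assumptions.

```python
"""Model of how a dynamically modified SAST preset is derived from a codebase.

Constructed illustration (not Maverix or Checkmarx data): the extension map,
check identifiers and rule format below are assumptions.
"""
from pathlib import PurePosixPath

# Constructed: file extension -> language recognised in the codebase.
EXTENSION_LANGUAGE = {".java": "Java", ".py": "Python", ".js": "JavaScript", ".go": "Go"}

# Constructed: language -> check identifiers a full preset would contain.
LANGUAGE_CHECKS = {
    "Java": {"java-sql-injection", "java-xxe"},
    "Python": {"python-command-injection", "python-unsafe-deserialization"},
    "JavaScript": {"js-dom-xss", "js-prototype-pollution"},
    "Go": {"go-sql-injection", "go-path-traversal"},
}
ALL_CHECKS = set().union(*LANGUAGE_CHECKS.values())


def detect_languages(paths):
    """Languages present in the codebase, judged by file extension."""
    suffixes = {PurePosixPath(p).suffix for p in paths}
    return {lang for ext, lang in EXTENSION_LANGUAGE.items() if ext in suffixes}


def build_dynamic_preset(paths, risk_acceptance_rules):
    """Return (enabled_checks, conditions, skipped_checks) for the codebase.

    risk_acceptance_rules: list of {"check": <check id>, "condition": <text>}.
    Only conditions for checks that are enabled are carried into the preset;
    rules for languages absent from the codebase have nothing to apply to.
    """
    enabled = set()
    for lang in detect_languages(paths):
        enabled |= LANGUAGE_CHECKS[lang]
    conditions = {r["check"]: r["condition"] for r in risk_acceptance_rules if r["check"] in enabled}
    return enabled, conditions, ALL_CHECKS - enabled


# Constructed sample codebases and rules. Version 2 drops Python and adds JavaScript.
CODEBASE_V1 = ["src/App.java", "src/Db.java", "tools/build.py", "README.md"]
CODEBASE_V2 = ["src/App.java", "src/Db.java", "web/index.js", "README.md"]
RULES = [
    {"check": "python-command-injection", "condition": "accepted for paths under tools/"},
    {"check": "java-xxe", "condition": "accepted while the parser disables external entities"},
]

if __name__ == "__main__":
    for label, paths in (("v1", CODEBASE_V1), ("v2", CODEBASE_V2)):
        enabled, conditions, skipped = build_dynamic_preset(paths, RULES)
        print(label, sorted(enabled), sorted(conditions), f"{len(skipped)} checks skipped")
```

Running it shows the Python checks and their risk-acceptance condition dropping out of the preset between v1 and v2 while the JavaScript checks are activated, with the remaining checks skipped rather than run needlessly.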