CxSCA Quick Start Guide

The simplest way to run scans and view results in CxSCA is via our web portal. This Quick Start guide shows you how to get started using the CxSCA web portal and describes the platform’s main features.

CxSCA users are assigned specific roles which determine what permissions they have in the system. Some features described in this article may not be available to you if you do not have the relevant permissions.

Step 1. Log in to the Web Portal

In order to log in to your account, you need to have your Account name, Username, and Password. If you have not yet received this info, contact your organization’s Checkmarx administrator.

If you are your organization’s primary admin user, you should have received a “Welcome to CxSCA” email from Checkmarx. In that case you need to complete the registration process before logging in. See Completing Your Account Registration.

  1. Go to one of the following URLs:

  2. In the Account field, enter your account name and click Next.
    The login screen opens.

  3. Enter your Username and Password, and click Login.
    The CxSCA web portal opens, showing the Dashboard (HOME) screen.

Step 2. Create a Project and Run the Scan

In order to run a scan in CxSCA, you need to create a Project. Each time you rescan the source code, you do so within the same Project, so that you can track vulnerabilities across scans throughout your SDLC. There are two types of Projects in CxSCA:

  • General - upload the source code as a ZIP file, or enter a URL to a public repository.

  • GitHub - integrate your Project with a private GitHub repository.

For this tutorial we will create a General Project. To learn how to create a GitHub Project, see Creating a GitHub Project.

To create a General Project and run the scan:

  1. On the Dashboard, click on the Create New Project button.
    The Create New Project window opens, showing the General Project tab.

  2. In the Project Name field, enter a name for the Project.

  3. You can enable the Exploitable Path feature, which analyzes whether your own source code provides a path to the vulnerable code in a dependency, i.e. whether a specific vulnerability is actually reachable from your code. To activate this feature, toggle the Enable Exploitable Path switch to the right. For more information see Exploitable Path (BETA).

  4. Add your source code using one of the following methods:

    • Drag the ZIP file containing your source code into the box (or click on the box and navigate to the desired file).

    • Enter the Public Git URL of the source code.

  5. Click Next.
    The Assign Teams options are shown.

  6. Verify that All users is selected (default).

    Note: Once you have set up teams, you will be able to specify which teams the Project is assigned to.

  7. Click Create and Scan.
    While your Project is being set up, you may see a Please Wait window. Do not navigate away from this screen until the scan is initialized.

As the Project is scanned, the Last Scanned column on the Projects tab will show Scanning… When the status shows a relative time (e.g. a few seconds ago), the scan is completed and you can view the results.

After creating a Project, additional settings can be configured. To access them, click on the context menu for the Project and select Project Settings; see Editing Project Settings (Notifications).
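Step 4 above uploads a ZIP of your source code. What the scanner needs from that ZIP is the dependency manifests and lock files; installed dependency trees, VCS metadata and build output only bloat the upload. The following script is an added example (not Checkmarx code) that packages a project directory for upload with those directories pruned, refuses to follow symlinks out of the tree, and reports which manifest files it found so you notice an empty upload before the scan does. The SKIP_DIRS and MANIFESTS lists are assumptions for this example, as is the constructed sample tree; check the CxSCA supported package managers documentation for the authoritative list of manifests.

```python
import os
import tempfile
import zipfile

# Directories assumed to contain nothing the scanner needs (assumption for this
# example; tune to your stack). Dependency directories are pruned because the
# lock file already records the resolved versions.
SKIP_DIRS = {
    ".git", ".svn", ".hg", ".idea", ".vscode", "__pycache__",
    "node_modules", "vendor", "target", "build", "dist", ".venv", "venv",
}

# Manifest and lock files the scanner resolves dependencies from (assumed list).
MANIFESTS = {
    "package.json", "package-lock.json", "yarn.lock",
    "pom.xml", "build.gradle", "build.gradle.kts",
    "requirements.txt", "Pipfile", "Pipfile.lock", "pyproject.toml",
    "go.mod", "go.sum", "Gemfile", "Gemfile.lock",
    "composer.json", "composer.lock", "Cargo.toml", "Cargo.lock",
    "packages.config",
}


def collect_files(src_dir):
    """Walk src_dir and return the relative paths to include, pruning SKIP_DIRS.

    Symlinks are skipped so the archive cannot pull in files from outside
    the project tree (os.walk already does not descend into directory links).
    """
    included = []
    for root, dirs, files in os.walk(src_dir):
        dirs[:] = sorted(d for d in dirs if d not in SKIP_DIRS)
        for name in sorted(files):
            full = os.path.join(root, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            included.append(rel)
    return included


def find_manifests(paths):
    """Return the subset of paths that are dependency manifests or lock files."""
    return [p for p in paths
            if os.path.basename(p) in MANIFESTS or p.endswith(".csproj")]


def build_upload_zip(src_dir, out_path):
    """Write the pruned tree to out_path and return a summary of what went in."""
    paths = collect_files(src_dir)
    manifests = find_manifests(paths)
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in paths:
            zf.write(os.path.join(src_dir, rel), arcname=rel)
    return {"files": len(paths), "manifests": manifests}


# Constructed sample project used by demo(); not a real repository.
SAMPLE_TREE = {
    "package.json": '{"name": "demo", "dependencies": {"lodash": "4.17.20"}}\n',
    "src/index.js": "console.log('hello');\n",
    "node_modules/lodash/lodash.js": "/* installed dependency, pruned */\n",
    ".git/HEAD": "ref: refs/heads/main\n",
    "build/bundle.js": "/* build artifact, pruned */\n",
}


def demo():
    """Build the sample tree in a temp dir, zip it, and return what was archived."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "project")
        for rel, content in SAMPLE_TREE.items():
            full = os.path.join(src, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)
        out = os.path.join(tmp, "upload.zip")
        summary = build_upload_zip(src, out)
        with zipfile.ZipFile(out) as zf:
            names = zf.namelist()
    return {"names": names, "manifests": summary["manifests"]}


if __name__ == "__main__":
    result = demo()
    print("archived:", result["names"])
    if not result["manifests"]:
        print("warning: no manifest files found; the scan will have nothing to resolve")
```

If the summary reports no manifests, the upload will scan cleanly but find no dependencies; fix the project layout (or your exclusion list) before clicking Create and Scan rather than after.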

Step 3. View Scan Results

The top section of the Dashboard shows aggregated results for all of your organization’s Projects. The Projects pane shows results for each individual Project. Each record shows general Project info and overall results for the most recent scan of that Project.

You can drill-down to view detailed results for a specific Project by clicking on the row of the desired Project.
The Project page (Overview tab) opens showing widgets representing the packages and vulnerabilities discovered in the Project. The bottom pane shows the Top Vulnerable Packages.

Packages Drill-Down

Click on the row of a specific package to open the Project - Scan Results screen (Package tab). This screen details the risks that apply to that open source dependency, including vulnerabilities, legal (license) risks, and outdated versions.

Vulnerabilities Drill-Down

Click on the Vulnerabilities tab to show a list of all vulnerabilities discovered in the Project. The vulnerabilities are listed by CVE identifier, with info about the packages to which each applies. Click on the row of a specific vulnerability to drill down to its details.

A new tab opens, showing detailed information about the vulnerability. This screen includes a description of the vulnerability, links to external resources, the CVSS score (with a breakdown of its component metrics), and remediation recommendations. There is also a control for marking this vulnerability to be ignored in subsequent scans of this Project. Note that ignoring a vulnerability only suppresses it from future results; it does not fix it, so record the justification (for example, that the vulnerable code is not reachable from your application) before using this control.


To learn more about viewing SCA results, see Viewing Scan Results.

Next Steps