CxAudit Overview

Checkmarx CxAudit complements Checkmarx CxSAST by enabling you to easily and intuitively customize CxSAST’s analysis queries or configure your own additional queries for:

  • Security
  • QA
  • Application logic purposes.

CxAudit can be used to adapt CxSAST’s basic security functionality to non-standard code. This helps in eliminating false positives and ensuring that all real vulnerabilities are identified. CxAudit can also be used for expanding CxSAST’s functionality to include queries for supporting specific QA or application logic needs.

This guide explains how to use the CxAudit user interface, and also how to use its features with existing queries to customize and create queries. You don’t need to extensively study the CxSAST query programming language (detailed in the Checkmarx CxQuery Language API Guide). CxAudit includes intuitive tools for adding code elements to various parts of queries, and for locating relevant parts of existing queries and combining them to create your own.

Who Should Work with CxAudit

In general, the user of the CxAudit tool can be a person who serves as an organization’s Security Auditor or Security Champion, who is familiar with CxSAST and the audited code, and who thus grasps the value of the results provided by this tool.

The user of CxAudit can also benefit from Cx query language API training.

What Can You Do with CxAudit

You can use CxAudit for the following purposes:

  • Improving Security Analysis: CxSAST comes with an extensive list of hundreds of preconfigured queries to identify known security vulnerabilities in source code using the standard code libraries of each programming language. However, if your code project includes less common libraries or custom code elements, CxSAST might not identify all vulnerabilities and/or might point out false positive vulnerabilities.

Use CxAudit to 'teach' CxSAST's queries how to recognize these elements.

  • Custom analysis: You can use CxAudit for expanding CxSAST's functionality to analyze project-specific aspects of your source code. This includes two primary types of analysis:
    • Application Logic: Track the logical flow through source code by querying to find what influences a specified element, what the element influences, and where else the element appears.
    • QA: Locate potential bugs or other application-specific issues by querying where the code might allow specified information elements to reach specified application output.

Custom analysis can be done ad-hoc, by querying directly from a source code element, or such queries can be added to future code scans.

The CxAudit System

CxAudit is a Windows client application that interacts with the CxSAST server over HTTP. CxAudit projects are synchronized with the CxSAST server along with last scan results, or you can open a local or network folder to create a new project. Code analysis and query editing is performed locally. You can experiment with changes to the query set and run local scans, and later decide whether to save query changes and/or scan results to the server.
CxAudit includes an interface for viewing and managing scan results, similar to the CxSAST web interface's interactive scan results. CxAudit's unique features are integrated into its scan results interface.