AWS CodePipeline

Overview

Checkmarx brings seamless integration with AWS CodePipeline to help customers manage software exposure at the speed of DevOps with minimal friction to existing development practices.

By leveraging a simple serverless AWS CloudFormation template along with an Open Source module, customers can add a step to any CodePipeline Continuous Delivery pipeline that will ensure their code is scanned by their Checkmarx SAST infrastructure.

Deployment

The Checkmarx CodePipeline Integration can be deployed with its credentials stored as SSM SecureString parameters (recommended) or passed in as plain-text values (not recommended: plain-text CloudFormation parameters are visible to anyone who can describe the stack, and they end up in the Lambda function's environment variables, readable by anyone who can view the function's configuration).

CloudFormation Template

The following is a base template that can be leveraged to deploy the Checkmarx CodePipeline integration. In the event the template does not meet the needs of your organization, it should be customized accordingly:

https://s3.amazonaws.com/checkmarx-public/cx-sast-lambda.yml

Lambda Function Artifact

The Lambda Function Artifact can be downloaded from here:

https://s3.amazonaws.com/checkmarx-public/cx-lambda-1.0.zip

The source for the Checkmarx CodePipeline Integration can be found at the following GitHub Repository:

https://github.com/CxRepositories/cx-lambda

SSM Parameters

To use SSM parameters, create the following three parameters. The names are the defaults referenced by the stack creation command in this document; the user and password must be SecureString:

Checkmarx URL
  SSM parameter: /Checkmarx/checkmarxURL
  Encrypted: No (String)
  Example command: aws ssm put-parameter --name /Checkmarx/checkmarxURL --type String --value "https://cx.xxxxx.com"

Checkmarx User
  SSM parameter: /Checkmarx/checkmarxUser
  Encrypted: Yes (SecureString)
  Example command: aws ssm put-parameter --name /Checkmarx/checkmarxUser --type SecureString --value "xxxx"

Checkmarx Password
  SSM parameter: /Checkmarx/checkmarxPassword
  Encrypted: Yes (SecureString)
  Example command: aws ssm put-parameter --name /Checkmarx/checkmarxPassword --type SecureString --value "xxxxxx"

The following CloudFormation parameters are mapped to values within the template. Some are referenced in the IAM role definition; others become environment variables of the Lambda function:

SSM
  Lambda environment variable: SSM
  Default: True
  Description: Boolean indicating whether the CxUrl, CxUser and CxPassword values are SSM parameter names (True) or raw values (False).

SSMParamPath
  Lambda environment variable: N/A
  Default: Checkmarx
  Description: Top-level parameter path used to scope the IAM role's access to SSM parameters. The default grants access to /Checkmarx/*.

KMSKeyAlias
  Lambda environment variable: N/A
  Default: aws/ssm
  Description: Alias of the KMS key used to encrypt the SecureString parameters.

CxUrl
  Lambda environment variable: CX_URL
  Default: N/A
  Description: Required. The SSM parameter path holding the URL of the Checkmarx instance (or the URL itself when SSM is False).

CxUser
  Lambda environment variable: CX_USER
  Default: N/A
  Description: Required. The SSM parameter path holding the Checkmarx service account used to trigger scans (or the user name itself when SSM is False). The account needs the Scanner role.

CxPassword
  Lambda environment variable: CX_PASSWORD
  Default: N/A
  Description: Required. The SSM parameter path holding the Checkmarx service account password (or the password itself when SSM is False).

CxTeam
  Lambda environment variable: CX_TEAM
  Default: \CxServer\SP\Checkmarx\Automation
  Description: Default Checkmarx team under which projects are created automatically. It is recommended to replace this with an organization-wide default.

CxPreset
  Lambda environment variable: CX_PRESET
  Default: Checkmarx Default
  Description: Default scanning preset for Checkmarx scans. It is strongly recommended to replace this with an organization-wide default preset.

Important things to note:

  • If SSM is false, then the CxUser, CxPassword, CxUrl values are used within the lambda function as the raw value

  • If SSM is true, the value is the path to the Parameter store within SSM where the lambda function can retrieve the value to use.

  • The CxUser and CxPassword SSM parameters must be SecureString

  • SSMParamPath must match the actual path under which the parameters were created; the IAM role generated by the template only grants the function access to parameters below that path, so a mismatch results in AccessDenied when the function reads them.

  • KMSKeyAlias must reflect the key that was used to encrypt the SecureString values in SSM. If no key was specified when the parameters were created, the default is aws/ssm.
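The notes above describe the two configuration modes and the role scoping in prose. The following added example (it is not the cx-lambda project's code) implements that resolution logic and derives least-privilege IAM statements from SSMParamPath and KMSKeyAlias. It assumes an in-memory stand-in for Parameter Store with constructed values so that it runs offline (the real function would call boto3's ssm.get_parameter with WithDecryption=True), and the iam_statements function shows one reasonable scoping rather than the statements the template actually emits; the kms:ResourceAliases condition is used because an alias ARN in the Resource element does not match key operations such as kms:Decrypt.

```python
"""
Added example (not the cx-lambda project's code): resolve the CX_* settings
the way the notes above describe and derive least-privilege IAM statements
from SSMParamPath / KMSKeyAlias.

The SSM store below is an in-memory stand-in with constructed values so the
example runs offline; the real function would call
boto3.client("ssm").get_parameter(Name=..., WithDecryption=True).
"""
from typing import Any, Callable, Dict, List

# Constructed stand-in for Parameter Store: name -> {"Type", "Value"}.
FAKE_SSM_STORE: Dict[str, Dict[str, str]] = {
    "/Checkmarx/checkmarxURL": {"Type": "String", "Value": "https://cx.example.com"},
    "/Checkmarx/checkmarxUser": {"Type": "SecureString", "Value": "cx-scanner"},
    "/Checkmarx/checkmarxPassword": {"Type": "SecureString", "Value": "s3cret"},
    # Deliberately wrong: a secret stored as a plain String.
    "/Checkmarx/weakPassword": {"Type": "String", "Value": "s3cret"},
}


def fake_get_parameter(name: str) -> Dict[str, Any]:
    """Mimics ssm.get_parameter(...)["Parameter"] against the constructed store."""
    if name not in FAKE_SSM_STORE:
        raise LookupError(f"ParameterNotFound: {name}")
    return {"Name": name, **FAKE_SSM_STORE[name]}


SECRET_VARS = ("CX_USER", "CX_PASSWORD")


def resolve_config(env: Dict[str, str],
                   get_parameter: Callable[[str], Dict[str, Any]] = fake_get_parameter
                   ) -> Dict[str, str]:
    """
    SSM=true : CX_URL/CX_USER/CX_PASSWORD hold SSM parameter *names*; the
               values are fetched, and user/password must be SecureString.
    SSM=false: the variables hold the raw values (visible in the Lambda
               configuration, which is why the page recommends against it).
    """
    use_ssm = env.get("SSM", "True").strip().lower() in ("true", "1", "yes")
    cfg: Dict[str, str] = {}
    for var, key in (("CX_URL", "url"), ("CX_USER", "user"), ("CX_PASSWORD", "password")):
        raw = env.get(var, "")
        if not raw:
            raise ValueError(f"{var} is required")
        if not use_ssm:
            cfg[key] = raw
            continue
        param = get_parameter(raw)
        if var in SECRET_VARS and param["Type"] != "SecureString":
            raise ValueError(f"{raw} must be a SecureString parameter, not {param['Type']}")
        cfg[key] = param["Value"]
    cfg["team"] = env.get("CX_TEAM", r"\CxServer\SP\Checkmarx\Automation")
    cfg["preset"] = env.get("CX_PRESET", "Checkmarx Default")
    return cfg


def validate_env(env: Dict[str, str],
                 get_parameter: Callable[[str], Dict[str, Any]] = fake_get_parameter) -> str:
    """Returns "" when the configuration resolves, otherwise the error message."""
    try:
        resolve_config(env, get_parameter)
        return ""
    except (ValueError, LookupError) as exc:
        return str(exc)


def iam_statements(region: str, account: str, ssm_param_path: str = "Checkmarx",
                   kms_key_alias: str = "aws/ssm") -> List[Dict[str, Any]]:
    """
    One reasonable least-privilege scoping for the function's role (an
    assumption about what the template should grant, not its actual policy):
    parameter reads are limited to SSMParamPath, and kms:Decrypt is limited to
    keys carrying KMSKeyAlias via the kms:ResourceAliases condition, because an
    alias ARN in the Resource element does not match key operations.
    """
    path = ssm_param_path.strip("/")
    return [
        {"Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:GetParameters"],
         "Resource": f"arn:aws:ssm:{region}:{account}:parameter/{path}/*"},
        {"Effect": "Allow",
         "Action": ["kms:Decrypt"],
         "Resource": f"arn:aws:kms:{region}:{account}:key/*",
         "Condition": {"ForAnyValue:StringEquals": {"kms:ResourceAliases": f"alias/{kms_key_alias}"}}},
    ]


if __name__ == "__main__":
    env = {"SSM": "true", "CX_URL": "/Checkmarx/checkmarxURL",
           "CX_USER": "/Checkmarx/checkmarxUser", "CX_PASSWORD": "/Checkmarx/checkmarxPassword"}
    print(resolve_config(env)["url"])
    print(validate_env(dict(env, CX_PASSWORD="/Checkmarx/weakPassword")))
    print(iam_statements("us-east-1", "123456789012")[0]["Resource"])
```

The SecureString check is the part worth keeping in a real deployment: a password accidentally created as a plain String parameter is otherwise fetched and used silently, while the stored value stays readable to anyone with ssm:GetParameter on the path.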

VPC Configuration

In the event an internal VPC must be referenced in the AWS configuration, it is recommended to create any customization to the base template following AWS documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-vpcconfig.html

Stack Creation

Here is a sample CloudFormation creation command using the AWS CLI:

aws cloudformation create-stack --stack-name cx-lambda --template-url https://s3.amazonaws.com/checkmarx-public/cx-sast-lambda.yml --capabilities CAPABILITY_IAM --parameters ParameterKey=CxUrl,ParameterValue="/Checkmarx/checkmarxURL" ParameterKey=CxUser,ParameterValue="/Checkmarx/checkmarxUser" ParameterKey=CxPassword,ParameterValue="/Checkmarx/checkmarxPassword"

Usage

  1. Create SSM Parameters /Checkmarx/checkmarxUser (SecureString), /Checkmarx/checkmarxPassword (SecureString), /Checkmarx/checkmarxURL (String).

  2. Create the CloudFormation stack that deploys the Checkmarx Lambda function:

     aws cloudformation create-stack --stack-name cx-lambda --template-url https://s3.amazonaws.com/checkmarx-public/cx-sast-lambda.yml --capabilities CAPABILITY_IAM --parameters ParameterKey=CxUrl,ParameterValue="/Checkmarx/checkmarxURL" ParameterKey=CxUser,ParameterValue="/Checkmarx/checkmarxUser" ParameterKey=CxPassword,ParameterValue="/Checkmarx/checkmarxPassword"

     The CLI responds with the ID of the new stack, for example:

     StackId  arn:aws:cloudformation:us-east-1:275043232443:stack/cx-lambda/b49e2950-5403-11e9-b46a-0a780bcb48a6

  3. Validate the stack created successfully.

  4. Validate that the CxScan Lambda function has been created.

  5. Navigate to the CodePipeline pipeline to which you want to add Checkmarx scanning and add a new stage called Checkmarx.

  6. Add a new action called CxScan with the action provider AWS Lambda, and select the newly created CxScan Lambda function.

  • User Parameters must contain a JSON object describing the project. At minimum the project name is required: {"project" : "lambda"}

  • The input artifact can be either SourceArtifact or BuildArtifact. If BuildArtifact is used, User Parameters must also contain "source" : "build", for example: {"project" : "lambda", "source" : "build"}.

User Parameters JSON

project
  Default value: N/A (required)
  Description: Checkmarx project to scan; it is created if it does not exist.

source
  Default value: N/A
  Description: If set to build, the BuildArtifact input artifact is scanned instead of SourceArtifact.

team
  Default value: the value provided during stack creation for CX_TEAM
  Description: If specified, this team is used as the parent team when the project is created.

preset
  Default value: the value provided during stack creation for CX_PRESET
  Description: If specified, this scanning preset is applied when the project/scan is created.

Full example:

{ "project":"lambda", "source":"build", "team":"\\CxServer\\SP\\Checkmarx", "preset":"Mobile" }

Note that the backslashes in the team path are doubled: \C and \S are not valid JSON escape sequences, so a team value written as "\CxServer\SP\Checkmarx" is rejected by the JSON parser and the action fails before a scan is requested.

Simple example:

{"project":"lambda"}
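To make the rules above concrete, here is an added example (not the cx-lambda project's code) of how a Lambda invoked by a CodePipeline Invoke action receives the User Parameters and turns the job event into a scan request: the project is required, "source":"build" selects BuildArtifact instead of SourceArtifact, and team/preset fall back to the CX_TEAM/CX_PRESET environment values. The event is constructed to match the documented CodePipeline.job shape with the SourceArtifact/BuildArtifact names used on this page; the bucket name, job ID and object keys are made up.

```python
"""
Added example (not the cx-lambda project's code): parse the User Parameters
JSON from a CodePipeline job event, apply the page's rules and select the
input artifact. The event is constructed to match the documented
CodePipeline.job shape; bucket, job ID and object keys are made up.
"""
import json
from typing import Any, Dict


class BadUserParameters(ValueError):
    """UserParameters missing, not valid JSON, or violating the page's rules."""


def parse_user_parameters(raw: str) -> Dict[str, Any]:
    try:
        params = json.loads(raw or "")
    except json.JSONDecodeError as exc:
        # Most common cause: a team path like "\CxServer\SP" with single
        # backslashes. \C and \S are not JSON escapes; they must be doubled.
        raise BadUserParameters(f"UserParameters is not valid JSON: {exc.msg}") from exc
    if not isinstance(params, dict) or not params.get("project"):
        raise BadUserParameters('UserParameters must be a JSON object with a non-empty "project"')
    if "source" in params and params["source"] != "build":
        raise BadUserParameters('"source" may only be "build"; omit it to scan SourceArtifact')
    return params


def user_parameters_error(raw: str) -> str:
    """Returns "" if raw is acceptable, otherwise the rejection message."""
    try:
        parse_user_parameters(raw)
        return ""
    except BadUserParameters as exc:
        return str(exc)


def select_artifact(job_data: Dict[str, Any], use_build: bool) -> Dict[str, str]:
    """Picks BuildArtifact when "source":"build" was given, else SourceArtifact."""
    wanted = "BuildArtifact" if use_build else "SourceArtifact"
    for art in job_data.get("inputArtifacts", []):
        if art["name"] == wanted:
            loc = art["location"]["s3Location"]
            return {"name": wanted, "bucket": loc["bucketName"], "key": loc["objectKey"]}
    raise BadUserParameters(f"input artifact {wanted} is not wired into the CxScan action")


def build_scan_request(event: Dict[str, Any], env: Dict[str, str]) -> Dict[str, Any]:
    """Turns the CodePipeline job event plus CX_TEAM/CX_PRESET into a scan request."""
    job = event["CodePipeline.job"]
    config = job["data"]["actionConfiguration"]["configuration"]
    params = parse_user_parameters(config.get("UserParameters", ""))
    artifact = select_artifact(job["data"], params.get("source") == "build")
    return {
        "job_id": job["id"],
        "project": params["project"],
        "team": params.get("team", env["CX_TEAM"]),
        "preset": params.get("preset", env["CX_PRESET"]),
        "artifact": artifact,
    }


def make_event(user_parameters: str) -> Dict[str, Any]:
    """Constructed CodePipeline.job event with both default input artifacts wired in."""
    bucket = "codepipeline-us-east-1-000000000000"  # constructed bucket name
    return {"CodePipeline.job": {
        "id": "11111111-2222-3333-4444-555555555555",
        "accountId": "123456789012",
        "data": {
            "actionConfiguration": {"configuration": {
                "FunctionName": "CxScan", "UserParameters": user_parameters}},
            "inputArtifacts": [
                {"name": "SourceArtifact", "revision": "abc123",
                 "location": {"type": "S3", "s3Location": {
                     "bucketName": bucket, "objectKey": "lambda/SourceArti/abc123"}}},
                {"name": "BuildArtifact", "revision": None,
                 "location": {"type": "S3", "s3Location": {
                     "bucketName": bucket, "objectKey": "lambda/BuildArtif/def456"}}},
            ],
            "outputArtifacts": [],
        }}}


# The page's full example, with the team path's backslashes doubled for JSON.
FULL_EXAMPLE = '{"project":"lambda","source":"build","team":"\\\\CxServer\\\\SP\\\\Checkmarx","preset":"Mobile"}'
SIMPLE_EXAMPLE = '{"project":"lambda"}'

if __name__ == "__main__":
    env = {"CX_TEAM": r"\CxServer\SP\Checkmarx\Automation", "CX_PRESET": "Checkmarx Default"}
    print(json.dumps(build_scan_request(make_event(FULL_EXAMPLE), env), indent=2))
    print(user_parameters_error('{"project":"lambda","team":"\\CxServer\\SP"}'))
```

In a real function the outcome has to be reported back to CodePipeline: a BadUserParameters (or any other failure) should end with codepipeline.put_job_failure_result(jobId=..., failureDetails=...) and a successful scan submission with put_job_success_result(jobId=...); without one of these calls the action stays in progress until it times out.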

Build Execution

Once the pipeline executes, the CxScan action creates the project (if it does not already exist) and triggers a new scan.

[Screenshot: A new scan is triggered]

[Screenshot: A new project was created for the scan]

Assumptions

  • This solution requires that an existing Checkmarx SAST solution is available for use, and that the network architecture is in place such that the deployed CxScan lambda function has appropriate access.

  • IAM roles must be specified appropriately for AWS resources (Parameters, CodePipelines, KMS).