Checkmarx integration with DevOps Change Velocity
Summary of Checkmarx integration with DevOps Change Velocity
The Checkmarx integration with DevOps Change Velocity enables ServiceNow customers to connect their Checkmarx security scanning tools with their CI/CD pipelines. This integration retrieves security scan results to help assess code vulnerabilities within the DevOps Change Velocity environment. It supports Checkmarx scans configured on popular orchestration tools including GitHub Actions, Jenkins, Azure DevOps, GitLab, and Harness.
Two Checkmarx products are supported: Checkmarx One and Checkmarx SAST. Checkmarx One integration captures Static Application Security Testing (SAST) scans only, excluding Software Composition Analysis (SCA) scans. Scan details are retrieved from the relevant pipeline stage and made available in ServiceNow.
Key Features
- Supports integration with Checkmarx One and Checkmarx SAST tools for retrieving security scan results.
- Compatible with multiple CI/CD orchestration tools: GitHub Actions, Jenkins, Azure DevOps, GitLab, and Harness pipelines.
- Role-based permissions on the Checkmarx user account used by the integration keep ServiceNow's access to scan data authorized and limited to what those roles permit.
- Custom action code additions are required in pipeline configurations depending on the orchestration tool and Checkmarx product used.
- Scan results can be viewed directly within ServiceNow in Change Requests, pipeline Task Executions, or Pipeline UI.
- Security scan data can be utilized to define change policies and automate change management processes.
- Provides multiple onboarding methods: Workspace playbook, Service Catalog, or Classic interface for flexible integration setup.
Practical Considerations for ServiceNow Customers
- Before integration, install the necessary ServiceNow plugins: DevOps Vulnerability Integrations, and either Checkmarx One Vulnerability Integration or Checkmarx CxSAST Vulnerability Integration.
- Ensure Checkmarx users have the appropriate roles with permissions to read project and scan results to allow ServiceNow to retrieve scan summaries.
- When using Azure DevOps or GitHub Actions, always add the required custom action code in your pipelines to enable scan data retrieval.
- For Jenkins, if using Checkmarx One scans, the custom action code is not required if the pipeline already includes a security scan step; for Checkmarx SAST, the code must be added regardless.
- GitLab integrations can use a generic Docker container image or follow specific GitLab integration steps.
- Harness pipelines support Checkmarx scans only through the generic Docker container image method.
Expected Outcomes
By integrating Checkmarx with DevOps Change Velocity, ServiceNow customers gain centralized visibility of security vulnerabilities detected during their CI/CD processes. This integration facilitates proactive risk management by enabling:
- Quick assessment of code security status within change management workflows.
- Informed decision-making for automated change policies based on security scan results.
- Streamlined security governance without leaving the ServiceNow platform.
Connect to your Checkmarx instance that is integrated with your CI/CD pipelines to retrieve security scan results. This helps you determine how vulnerable your code is.
Checkmarx integration overview
Checkmarx scans that are configured on GitHub Actions, Jenkins, Azure DevOps, GitLab, and Harness pipelines are supported in DevOps Change Velocity.
Two Checkmarx tools can be integrated with DevOps Change Velocity: Checkmarx One and Checkmarx SAST. For more information, see Checkmarx One and Checkmarx SAST documentation.
Ensure that your Checkmarx SAST user has a role with permissions to read Project and Scan Results, which are needed to retrieve scan summary details. For more information, see Checkmarx documentation. Ensure that your Checkmarx One user has the create-scan and manage-project roles to access scan summary details. For more information, see Checkmarx documentation.
You can configure Checkmarx scans on any stage of the pipeline; the scan details are retrieved from the corresponding stage into DevOps Change Velocity. If you're using the Azure DevOps or GitHub Actions orchestration tools, you must always add the custom action code to your pipeline. If you're using Jenkins and your pipeline already has a Checkmarx One security scan (checkmarxASTScanner) step, you don't have to add the custom action code to your pipeline. For Checkmarx SAST, the custom action code must be added to your pipeline even if it already has the security scan step (checkmarxASTScanner).
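As an added illustration of the GitHub Actions case (this workflow is not taken from the ServiceNow or Checkmarx documentation), the job below runs a Checkmarx One SAST scan and then runs the ServiceNow custom action that reports the scan to DevOps Change Velocity. The action names, inputs and secret names are assumptions based on the public checkmarx/ast-github-action and ServiceNow/servicenow-devops-security-result actions; the release tag and the attribute keys inside security-result-attributes are placeholders to be checked against each action's current README.

```yaml
# Added example, not ServiceNow or Checkmarx code. Action names, inputs and
# secret names are assumptions; verify them against the actions' READMEs.
name: checkmarx-one-sast

on:
  pull_request:
    branches: [main]

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Checkmarx One scan step. Credentials come from repository secrets, never
      # from the workflow file. The client used here needs the create-scan and
      # manage-project roles described above.
      - name: Checkmarx One scan
        uses: checkmarx/ast-github-action@main   # pin to a release tag in practice
        with:
          base_uri: ${{ secrets.CX_BASE_URI }}
          cx_tenant: ${{ secrets.CX_TENANT }}
          cx_client_id: ${{ secrets.CX_CLIENT_ID }}
          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
          project_name: ${{ github.repository }}

      # The custom action code that DevOps Change Velocity requires for GitHub
      # Actions pipelines. "if: always()" makes a failed scan still visible in
      # ServiceNow instead of silently leaving the change without scan data.
      - name: ServiceNow DevOps security results
        if: always()
        uses: ServiceNow/servicenow-devops-security-result@RELEASE_TAG_PLACEHOLDER
        with:
          devops-integration-token: ${{ secrets.SN_DEVOPS_INTEGRATION_TOKEN }}
          instance-url: ${{ secrets.SN_INSTANCE_URL }}
          tool-id: ${{ secrets.SN_ORCHESTRATION_TOOL_ID }}
          context-github: ${{ toJSON(github) }}
          # Must match the job name shown in GitHub for this job.
          job-name: 'sast'
          # Attribute keys are assumptions; the README lists the Checkmarx One set.
          security-result-attributes: '{"scanner": "Checkmarx One", "projectName": "${{ github.repository }}"}'
```

The scan and the ServiceNow step live in the same job so that the job-name value the custom action reports is the one the pipeline task execution in ServiceNow is matched against; keep the two in one job when you adapt this to your own workflow.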
If you want to configure Checkmarx for the GitLab tool, you can either use the generic Docker container image to add the Checkmarx security step or perform the steps specified in the Integrate security tools with GitLab topic.
For Harness pipelines, you can configure Checkmarx scans only through the generic Docker Container Image. For more information, see Implement custom actions for pipelines using generic Docker container image.
You can view the security scan results in the related list of a Change Request, in the Task Execution of the pipeline, or in the Pipeline UI in your ServiceNow instance. You can also use security results to define change policies and conditions for change automation.
Get started
You must install the DevOps Vulnerability Integrations (sn_devops_vul_ints) and Checkmarx One Vulnerability Integration (x_chec3_chexone) or Checkmarx CxSAST Vulnerability Integration (x_chec3_cxsast) plugins before connecting your Checkmarx instance to ServiceNow. For more information on activating a plugin, see Install a ServiceNow Store application.
For more information on the scan results captured in ServiceNow, see Security scan results.
Use one of the following options to onboard Checkmarx. For a guided experience, use the workspace to onboard a tool. Alternatively, you can use the Service Catalog or the Classic experience.