Configure Checkmarx scans on your pipeline

  • Release version: Xanadu
  • Updated July 31, 2025

    Configure Checkmarx scans on your Azure DevOps, Jenkins, GitHub, GitLab, or Harness pipelines.

    You can configure Checkmarx scans on any stage of the pipeline; the scan details are retrieved from the corresponding stage into DevOps Change Velocity. If you’re using Azure DevOps or GitHub Actions, you must always add the custom action code to your pipeline. If you’re using Jenkins and your pipeline already has a Checkmarx One security scan step (checkmarxASTScanner), you don’t have to add the custom action code. For Checkmarx SAST, the custom action code must be added to the pipeline even if it already has the checkmarxASTScanner security scan step.

    If you want to configure Checkmarx for the GitLab tool, you can either use the generic Docker container image to add the Checkmarx security step or perform the steps specified in the Integrate security tools with GitLab topic.

    For Harness pipelines, you can configure Checkmarx scans only through the generic Docker Container Image. For more information, see Implement custom actions for pipelines using generic Docker container image.

    1. Navigate to the step in your pipeline and add the custom action.
      Azure DevOps
      1. Navigate to your pipeline .yml file.
      2. In the Tasks section on the right side, search for the ServiceNow DevOps Security Results extension task.
      3. Enter the ServiceNow endpoint.
      4. Enter the security result attributes as follows.
        • Checkmarx SAST
          - task: ServiceNow-DevOps-Build-Security-Results@1
            inputs:
              connectedServiceName: "" # ServiceNow DevOps Change Velocity Service Connection
              securityResultAttributes: |
                {"scanner": "Checkmarx SAST", "projectId": "", "securityToolId": ""}
              # scanner: Scanning tool; required, e.g. Checkmarx SAST.
              # projectId: Id of your Checkmarx SAST project; required. This attribute is applicable only for Checkmarx SAST.
              # securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool); optional.
        • Checkmarx One
          - task: ServiceNow-DevOps-Build-Security-Results@1
            inputs:
              connectedServiceName: "" # ServiceNow DevOps Change Velocity Service Connection
              securityResultAttributes: |
                {"scanner": "Checkmarx One", "projectName": "", "projectId": "", "scanId": "", "securityToolId": ""}
              # scanner: Scanning tool; required, e.g. Checkmarx One.
              # projectName: Name of your Checkmarx One project; required unless projectId is given. This attribute is applicable only for Checkmarx One.
              # projectId: Id of your Checkmarx One project; can be used instead of projectName. This attribute is applicable only for Checkmarx One.
              # scanId: Checkmarx One scan id; optional. This attribute is applicable only for Checkmarx One.
              # securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool); optional.
      5. Select Add to add the custom action code to your pipeline.
      Jenkins
      1. Navigate to the Pipeline Syntax from a configured pipeline.
      2. Select the snDevOpsSecurityResult step from the Sample Step list, and update the values for the security scan attributes in the step.
      3. Select Generate Pipeline Script to create a snippet. You can copy and paste the snippet into the pipeline.
        • Checkmarx SAST
          snDevOpsSecurityResult securityResultAttributes: '{"scanner": "Checkmarx SAST", "projectId": "", "securityToolId": ""}'
          // scanner: Scanning tool; required, e.g. Checkmarx SAST.
          // projectId: Id of your Checkmarx SAST project; required. This attribute is applicable only for Checkmarx SAST.
          // securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool); optional.
        • Checkmarx One
          snDevOpsSecurityResult securityResultAttributes: '{"scanner": "Checkmarx One", "projectName": "", "projectId": "", "scanId": "", "securityToolId": ""}'
          // scanner: Scanning tool; required, e.g. Checkmarx One.
          // projectName/projectId: Name or Id of your Checkmarx One project; one of the two is required. These attributes are applicable only for Checkmarx One.
          // scanId: Checkmarx One scan id; optional. This attribute is applicable only for Checkmarx One.
          // securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool); optional.
      GitHub Actions
      1. Navigate to your workflow .yml file.
      2. In the Marketplace section on the right side, search for the ServiceNow DevOps Security Results custom action.
      3. Add the following snippet to your workflow .yml file. The snippet reads the ServiceNow integration user, password, instance URL, and orchestration tool ID from GitHub Actions secrets (SN_DEVOPS_USER, SN_DEVOPS_PASSWORD, SN_INSTANCE_URL, SN_ORCHESTRATION_TOOL_ID); define those as repository or organization secrets rather than writing the values into the workflow, and keep uses: pinned to the action release you have reviewed (v3.0.0 in the snippet).
        • Checkmarx SAST
          ServiceNowSecurityScanResults:
              # jobs that must complete successfully before this job will run
              needs: build
              # type of machine to run the job on
              runs-on: ubuntu-latest
              name: ServiceNow Security Scan Results
              steps:
                - name: ServiceNow DevOps Security Results
                  uses: ServiceNow/servicenow-devops-security-result@v3.0.0
                  with:
                      # Devops Integration User Name
                      devops-integration-user-name: ${{ secrets.SN_DEVOPS_USER }}
                      # Devops Integration User Password
                      devops-integration-user-password: ${{ secrets.SN_DEVOPS_PASSWORD }}
                      # ServiceNow Instance URL
                      instance-url: ${{ secrets.SN_INSTANCE_URL }}
                      # Orchestration Tool Id
                      tool-id: ${{ secrets.SN_ORCHESTRATION_TOOL_ID }}
                      # GitHub Context
                      context-github: ${{ toJSON(github) }}
                      # Display Name of the Job
                      job-name: 'ServiceNow Security Scan Results'
                      security-result-attributes: '{"scanner": "Checkmarx SAST", "projectId": "", "securityToolId": ""}'
                      # scanner: Scanning tool; required, e.g. Checkmarx SAST.
                      # projectId: Id of your Checkmarx SAST project; required. This attribute is applicable only for Checkmarx SAST.
                      # securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool); optional.
        • Checkmarx One
          ServiceNowSecurityScanResults:
              # jobs that must complete successfully before this job will run
              needs: build
              # type of machine to run the job on
              runs-on: ubuntu-latest
              name: ServiceNow Security Scan Results
              steps:
                - name: ServiceNow DevOps Security Results
                  uses: ServiceNow/servicenow-devops-security-result@v3.0.0
                  with:
                      # Devops Integration User Name
                      devops-integration-user-name: ${{ secrets.SN_DEVOPS_USER }}
                      # Devops Integration User Password
                      devops-integration-user-password: ${{ secrets.SN_DEVOPS_PASSWORD }}
                      # ServiceNow Instance URL
                      instance-url: ${{ secrets.SN_INSTANCE_URL }}
                      # Orchestration Tool Id
                      tool-id: ${{ secrets.SN_ORCHESTRATION_TOOL_ID }}
                      # GitHub Context
                      context-github: ${{ toJSON(github) }}
                      # Display Name of the Job
                      job-name: 'ServiceNow Security Scan Results'
                      security-result-attributes: '{"scanner": "Checkmarx One", "projectName": "", "projectId": "", "scanId": "", "securityToolId": ""}'
                      # scanner: Scanning tool; required, e.g. Checkmarx One.
                      # projectName/projectId: Name or Id of your Checkmarx One project; one of the two is required. These attributes are applicable only for Checkmarx One.
                      # scanId: Checkmarx One scan id; optional. This attribute is applicable only for Checkmarx One.
                      # securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool); optional.
      For more information, see GitHub marketplace.
      Harness
      Run the generic Docker container image with the following script, using the same security result attributes as for the other tools (Checkmarx One is shown; for Checkmarx SAST use scanner, projectId, and securityToolId). The JSON payload is passed to sndevopscli inside single quotes so that its double quotes reach the CLI intact; Harness resolves the <+...> expressions before the shell runs, so they can appear inside the quoted string. SNOW_TOKEN is a credential, so source it from a Harness secret rather than a plain-text pipeline variable. For more information, see Implement custom actions for pipelines using generic Docker container image.
      - stage:
          name: ServiceNow DevOps Security Result
          identifier: Security
          description: ""
          type: Custom
          spec:
            execution:
              steps:
                - stepGroup:
                    name: Security
                    identifier: Security
                    steps:
                      - step:
                          type: Run
                          name: ServiceNow DevOps Security Result
                          identifier: ServiceNow_DevOps_Security_Result
                          spec:
                            connectorRef: docker_hub_connector_for_harness
                            image: servicenowdocker/sndevops:5.0.0
                            shell: Sh
                            command: |-
                              sndevopscli create securityScan -p '{
                                "pipelineInfo": {
                                  "buildNumber": "<+stage.nodeExecutionId>",
                                  "taskExecutionUrl": "<+pipeline.executionUrl>?stage=<+stage.nodeExecutionId>",
                                  "orchestrationPipeline": "<+org.identifier>/<+project.identifier>/<+pipeline.name>"
                                },
                                "securityResultAttributes": {
                                  "scanner": "Checkmarx One",
                                  "projectName": "",
                                  "projectId": "",
                                  "scanId": "",
                                  "securityToolId": ""
                                }
                              }'
                            envVariables:
                              SNOW_URL: <+variable.SNOW_URL>
                              SNOW_TOOLID: <+variable.SNOW_TOOLID>
                              SNOW_TOKEN: <+variable.SNOW_TOKEN>
                    stepGroupInfra:
                      type: KubernetesDirect
                      spec:
                        connectorRef: kubernates_connector
                        namespace: harness-delegate-ng
          tags: {}
    2. Run the pipeline to retrieve the security scan results.
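As an added example (written for this page; not ServiceNow, Checkmarx, or Harness code), the following Python module applies the attribute rules documented above as a pre-flight check before the security result step runs: it rejects a scanner value other than Checkmarx SAST or Checkmarx One, requires projectId for SAST and projectName or projectId for Checkmarx One, flags attributes that do not apply to the chosen scanner, and renders the sndevopscli command for the Harness step with the JSON payload single-quoted so that it reaches the CLI intact. Dropping empty optional fields from the serialized JSON is a choice made here, not something the page states, and the sample values are constructed.

```python
"""Pre-flight checks for the securityResultAttributes JSON used by the
ServiceNow DevOps security result task/step/action with Checkmarx.

Added example for this page; not ServiceNow, Checkmarx or Harness code.
"""
import json
import shlex

SAST = "Checkmarx SAST"
ONE = "Checkmarx One"

# Per-scanner field rules taken from the attribute descriptions on this page.
# required: must be non-empty; optional: may be present (empty or not).
RULES = {
    SAST: {"required": {"projectId"}, "optional": {"securityToolId"}},
    ONE: {"required": set(),
          "optional": {"projectName", "projectId", "scanId", "securityToolId"}},
}


def validate_attributes(attrs):
    """Return a list of problems with a securityResultAttributes dict (empty if OK)."""
    scanner = attrs.get("scanner")
    if scanner not in RULES:
        return [f"scanner must be {SAST!r} or {ONE!r}, got {scanner!r}"]
    rules = RULES[scanner]
    allowed = {"scanner"} | rules["required"] | rules["optional"]
    # Attributes that belong to the other scanner are a common copy-paste mistake.
    problems = [f"{k!r} is not applicable to {scanner}"
                for k in sorted(set(attrs) - allowed)]
    problems += [f"{k!r} is required for {scanner}"
                 for k in sorted(rules["required"]) if not attrs.get(k)]
    # Checkmarx One identifies the project by name or by id; one of them must be set.
    if scanner == ONE and not (attrs.get("projectName") or attrs.get("projectId")):
        problems.append(f"{ONE} needs projectName or projectId")
    return problems


def build_attributes(attrs):
    """Validated, compact JSON text for securityResultAttributes.

    Assumption made here: an empty optional value is equivalent to leaving the
    field out, so empty values are dropped rather than sent as "".
    """
    problems = validate_attributes(attrs)
    if problems:
        raise ValueError("; ".join(problems))
    kept = {k: v for k, v in attrs.items() if v not in ("", None)}
    return json.dumps(kept, separators=(",", ":"))


def harness_command(attrs, build_number, task_url, pipeline_name):
    """Shell command line for the generic container step.

    shlex.quote wraps the payload in single quotes, so the JSON's double quotes
    survive /bin/sh. Harness substitutes <+...> expressions before the shell
    runs, so they may be passed through literally inside the quotes.
    """
    payload = {
        "pipelineInfo": {
            "buildNumber": build_number,
            "taskExecutionUrl": task_url,
            "orchestrationPipeline": pipeline_name,
        },
        "securityResultAttributes": json.loads(build_attributes(attrs)),
    }
    return "sndevopscli create securityScan -p " + shlex.quote(json.dumps(payload))


if __name__ == "__main__":
    # Constructed sample values; replace with your own project identifiers.
    sample = {"scanner": ONE, "projectName": "payments-api",
              "projectId": "", "scanId": "", "securityToolId": ""}
    print(validate_attributes(sample))
    print(build_attributes(sample))
    print(harness_command(sample, "<+stage.nodeExecutionId>",
                          "<+pipeline.executionUrl>?stage=<+stage.nodeExecutionId>",
                          "<+org.identifier>/<+project.identifier>/<+pipeline.name>"))
```

Run the check as an early step of the same pipeline job (or locally before committing the pipeline change); a non-empty problem list means the ServiceNow step would be sent attributes that cannot be mapped to a Checkmarx project.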