Integrate Checkmarx SAST (on-prem) with GitHub properly using CxFlow
By Admin
•
November 10, 2025
Here's how to integrate Checkmarx SAST (on-prem) with GitHub properly using CxFlow, the official Checkmarx bridge app.
Integration: Checkmarx SAST (On-Prem) + GitHub
Goal
Automate Checkmarx scans when code changes in GitHub and feed results back into GitHub PRs/issues.
1️⃣ Prerequisites
- Checkmarx SAST installed (CxManager, CxEngine, CxCLI available).
- GitHub repo access (admin).
- Server or CI runner to host CxFlow (Java 11+ required).
- A GitHub personal access token (PAT) with repo and workflow scopes.
- Checkmarx service account with Scan and Manage Projects privileges.
2️⃣ Download CxFlow
Download the latest cx-flow.jar from the official Checkmarx GitHub:
https://github.com/checkmarx-ts/cx-flow/releases
Place it on a build runner or a small EC2/Linux server dedicated for CI automation.
3️⃣ Configure application.yml
Create a config file in the same directory as cx-flow.jar:
server:
port: 8080
checkmarx:
base-url: http://<your-cxserver>:8080
username: <cx_user>
password: <cx_password>
team: /CxServer/SP/Company/DevTeam
scan-preset: "Default"
incremental: true
avoid-duplicate-projects: true
enablePolicyViolations: true
bug-tracker: GITHUB
github:
token: <your_github_pat>
url: https://github.com/<org>/<repo>
block-merge: true
error-triage: true
logging:
level:
com.checkmarx: INFO
4️⃣ Setup GitHub Webhook
In your GitHub repo:
- Go to Settings → Webhooks → Add webhook
- Payload URL:
http://<your-cxflow-server>:8080/webhook - Content type: application/json
- Events:✅ Pull requests✅ Pushes
- Save.
Now every new PR or push triggers a scan.
5️⃣ Test the Integration
Push a commit or open a PR.You should see in logs (on your CxFlow host):
Trigger received from GitHub → Initiating scan → Uploading results to CxSAST...
Scan completed → Posting results to GitHub...
In GitHub:
- PR comments show vulnerabilities.
- Optionally, Checkmarx blocks the merge if severity exceeds threshold (block-merge: true).
6️⃣ (Optional) Integrate with CI/CD (e.g., Jenkins, GitHub Actions)
You can also trigger scans via CLI:
java -jar cx-flow.jar \
--spring.config.location=application.yml \
--scan \
--repo-name=my-repo \
--branch=main
Or define a CI job that runs this automatically during build stages.
7️⃣ Tuning & Hardening
- Use incremental scans to speed up (only changed code).
- Enable "Scan Schedulers" in Checkmarx to avoid overlap if multiple PRs trigger at once.
- Define custom thresholds:
thresholds: high: 0 medium: 10 - Suppress known false positives from Checkmarx Audit.
✅ Quick Sanity Checklist
Step | Description | Done |
1 | CxSAST reachable via http://cxserver:8080 | ☐ |
2 | CxFlow JAR installed on CI host | ☐ |
3 | application.yml properly configured | ☐ |
4 | GitHub webhook added | ☐ |
5 | PAT added with repo access | ☐ |
6 | Test PR triggers scan | ☐ |
7 | Results appear in GitHub comments or block PR | ☐ |
Pro Tip: Secure Integration
- Never hardcode creds — store in Jenkins/GitHub Secrets.
- Use Checkmarx API Token Auth instead of username/password (if version supports it).
- Restrict inbound to /webhook only.
- Monitor CxFlow logs via centralized logging.