---
title: "Checkmarx CxSAST"
slug: "checkmarx"
updated: 2025-06-24T17:25:28Z
published: 2025-06-24T17:25:28Z
stale: true
---


# Checkmarx CxSAST

## Overview

**Note:** Supported Checkmarx versions: 7.0+, 8.0+, 9.0+. Nucleus requires the "Scanner" or "Reviewer" role within Checkmarx, as described on [this page](https://checkmarx.atlassian.net/wiki/spaces/KC/pages/1178009601/CxSAST+CxOSA+Roles+and+Permissions+v9.0.0+and+up) on the Checkmarx website.

Nucleus enables you to sync your Checkmarx SAST data directly from the Checkmarx console into the Nucleus console using an [automated connector](/docs/connectors). The connector uses the APIs provided by Checkmarx to seamlessly sync data from your Checkmarx server into various Nucleus projects for use in analysis, triage, automation, and reporting.

## Connector setup

1. In Nucleus, go to **Integration Hub > Connector Setup**.
2. Under the **Scanners** section, click the Checkmarx icon.
3. In the Setup Checkmarx Connector popup, complete the following fields:

| Field | Description |
| --- | --- |
| Name | Enter a short unique name for the connector, such as "Checkmarx ServerName" |
| Description | Optionally, enter a description for the connector |
| URL | Enter the URL for your Checkmarx login page |
| Username | Enter the username of the user you use to log into Checkmarx |
| Password | Enter the user password for the username you just entered |

**Attention:** If you're using the Nucleus Agent to connect to an on-premise server for this tool, please refer to the document [here](https://help.nucleussec.com/docs/nucleus-agent).

4. Click the **Save Connection** button and wait for the Success message.
5. Click the **Test Connection** button. You'll see a message notifying you that the connection test was successful. Your connector is now set up properly.
6. Close the popup window.
7. Go to **Import Files > From Connector** to start selecting scans to import!

## Import data from connector

1. Go to **Integration Hub > Import via Connector**.
2. Select the Checkmarx connector you just created.
3. Choose to import either a set of scans from Checkmarx or import an entire team's results at one time.

   ![image.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/image%2834%29.png)
4. Click **Next** and select either the teams or the scans you want to import.
5. Select the import frequency as a one-time import, or auto-imported on a schedule.
6. Click **Save & Finish**.

## Import custom Checkmarx fields to Nucleus

Nucleus allows you to make a deeper connection with Checkmarx in order to orchestrate additional actions in Nucleus. To do this, you'll give Nucleus additional information about each application to better organize Checkmarx projects within the Nucleus asset database.

1. Log into Checkmarx.
2. Go to **Settings > Manage Custom Fields**.
3. Add any one of the following custom fields supported by Nucleus:

| Checkmarx Custom Field Name | Nucleus Field Populated |
| --- | --- |
| git_repo_name | Asset Name |
| git_branch_name | Branch |
| git_repo_url | Repo URL |

Note that the Branch field will only be populated by `git_branch_name` if the `git_repo_name` is also set.

**Tip:** You will need to have your developers fill out the custom field information when they upload their code to be scanned by Checkmarx.

### Example use case

Checkmarx uses a naming convention to specify branching of projects. A development team can fill out the `git_repo_name` and `git_branch_name` fields to tell Nucleus what git repository the project is for and what branch they are scanning.
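
The field mapping and the Branch dependency described above can be checked before an import. The following is an added example, not Nucleus or Checkmarx code: it flags projects whose custom fields would leave Branch empty or use a name outside the three mapped ones. The project records, the `custom_fields` dictionary shape, exact-case name matching, and the helper names `nucleus_fields` and `audit` are assumptions made for illustration.

```python
# Checkmarx custom field name -> Nucleus field it populates (table above).
FIELD_MAP = {
    "git_repo_name": "Asset Name",
    "git_branch_name": "Branch",
    "git_repo_url": "Repo URL",
}

def nucleus_fields(custom_fields):
    """Return (populated Nucleus fields, warnings) for one project's custom fields."""
    # Treat missing or whitespace-only values as unset.
    values = {k: (v or "").strip() for k, v in custom_fields.items()}
    populated, warnings = {}, []
    for cx_name, value in values.items():
        if cx_name not in FIELD_MAP:
            # Exact-case matching is an assumption of this example.
            warnings.append(f"{cx_name}: not one of the three mapped field names")
        elif value:
            populated[FIELD_MAP[cx_name]] = value
    # Rule from the page: Branch is only populated if git_repo_name is also set.
    if "Branch" in populated and "Asset Name" not in populated:
        del populated["Branch"]
        warnings.append("git_branch_name set without git_repo_name: Branch stays empty")
    return populated, warnings

def audit(projects):
    """Map project name -> warnings, for projects that have any."""
    report = {}
    for project in projects:
        _, warnings = nucleus_fields(project["custom_fields"])
        if warnings:
            report[project["name"]] = warnings
    return report

# Constructed sample projects (names, values and URL are hypothetical).
SAMPLE_PROJECTS = [
    {"name": "payments-api", "custom_fields": {
        "git_repo_name": "payments-api", "git_branch_name": "main",
        "git_repo_url": "https://git.example.com/acme/payments-api"}},
    {"name": "web-portal", "custom_fields": {"git_branch_name": "release/2.1"}},
    {"name": "batch-jobs", "custom_fields": {
        "git_repo_name": "batch-jobs", "Git_Branch": "develop"}},
]

if __name__ == "__main__":
    for name, warnings in audit(SAMPLE_PROJECTS).items():
        print(name, "->", "; ".join(warnings))
```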

## Special considerations

- Nucleus imports the team structure from Checkmarx as [nested asset groups](https://docs.nucleussec.com/v1/docs/how-do-nested-asset-groups-work) in the Nucleus Asset Management database so you can utilize your existing organizational hierarchy. This allows you to implement filters and automation rules from your Checkmarx data on your vulnerability scan results.
- Scheduled imports are designed for importing future scans and will only include 3 months of historical scans when they check for new data. If you want to import historical data, you'll need to manually select historical scan results.
- **commit_hash** is pulled in as ‘Revision’.
- **customfields** is pulled in as **cxsast.customfields.field** only via connector.
- Checkmarx owner, projectname, preset, and team are always pulled in as additional metadata (**cxsast.owner**, **cxsast.projectname**, **cxsast.team**, **cxsast.preset**, **cxsast.teampath**).

## Status Mappings

Statuses from Checkmarx CxSAST are mapped to Nucleus statuses in the following way:

| Checkmarx CxSAST Result | Nucleus Status |
| --- | --- |
| `FalsePositive` attribute is set to `TRUE` | False Positive |
| `state` attribute is set to `4` | Exception Requested |
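
To see which findings will arrive in Nucleus with one of these mapped statuses, the table can be applied to a CxSAST XML report before import. This is an added example, not Nucleus or Checkmarx code: the report fragment is constructed, the `Query`/`Result` layout and the case-insensitive comparison are assumptions, and `mapped_statuses` and `suppression_review` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed report fragment. The Query/Result layout is an assumption about
# the XML export; only FalsePositive and state come from the table above.
SAMPLE_REPORT = """\
<CxXMLResults>
  <Query name="SQL_Injection">
    <Result FileName="src/db/orders.py" Line="88" FalsePositive="False" state="0"/>
    <Result FileName="src/db/legacy.py" Line="12" FalsePositive="True" state="1"/>
  </Query>
  <Query name="Reflected_XSS">
    <Result FileName="web/search.js" Line="40" FalsePositive="False" state="4"/>
    <Result FileName="web/help.js" Line="7" FalsePositive="TRUE" state="1"/>
  </Query>
</CxXMLResults>
"""

def mapped_statuses(result):
    """Nucleus statuses from the table whose condition this <Result> meets."""
    statuses = []
    # Compared case-insensitively (an assumption; the table writes TRUE).
    if result.get("FalsePositive", "").strip().upper() == "TRUE":
        statuses.append("False Positive")
    if result.get("state", "").strip() == "4":
        statuses.append("Exception Requested")
    return statuses  # empty list: the table defines no mapping for this result

def suppression_review(report_xml):
    """Sorted (status, query, file, line) rows for findings with a mapped status."""
    # Parse only reports from your own Checkmarx server with ElementTree;
    # use a hardened parser such as defusedxml for XML of unknown origin.
    rows = []
    for query in ET.fromstring(report_xml).iter("Query"):
        for result in query.iter("Result"):
            for status in mapped_statuses(result):
                rows.append((status, query.get("name"),
                             result.get("FileName"), int(result.get("Line", "0"))))
    return sorted(rows)

if __name__ == "__main__":
    for row in suppression_review(SAMPLE_REPORT):
        print(*row, sep=" | ")
```

Reviewing this list before enabling a scheduled import shows which triage decisions made in Checkmarx will carry over into Nucleus.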

If you have any questions, please reach out to our [support center](https://nucleussec.atlassian.net/servicedesk/customer/portal/3) or email support@nucleussec.com.
