Checkmarx Integration
Pixee's Checkmarx integration triages CxSAST and CxOne findings and delivers remediation as pull requests -- even when Checkmarx SARIF exports contain minimal metadata. The dedicated Checkmarx handler compensates for sparse output by re-deriving context directly from the codebase, and includes Checkmarx-specific codemods for SQL and NoSQL injection.
What Checkmarx Detects
Checkmarx (CxSAST and CxOne) is an enterprise SAST platform widely deployed in regulated industries including financial services, healthcare, and government.
Checkmarx detects:
- SQL injection, XSS, path traversal, and authentication flaws via deep static analysis
- Broad CWE coverage through commercial rule sets maintained by Checkmarx
- Cross-language vulnerabilities across many programming languages
- Compliance-relevant findings aligned with industry standards (OWASP, SANS, PCI DSS)
Checkmarx is known for thorough analysis with broad CWE coverage. It is also known for high false positive rates that require extensive manual tuning -- a pain point that grows with codebase size and with the number of scanners deployed.
How Pixee Enhances Checkmarx
Triage
Checkmarx findings are processed through Pixee's triage pipeline, which classifies each finding as TRUE_POSITIVE, FALSE_POSITIVE, or WONT_FIX with code-level justification.
The dedicated Checkmarx handler addresses a challenge unique to Checkmarx: metadata-sparse SARIF output.
Adaptive handling for metadata-poor SARIF. This is the key technical differentiator of the Checkmarx integration. Checkmarx's SARIF exports are notably sparse compared to other scanners -- minimal rule descriptions, no codeFlows, limited context about what the finding means or why it was flagged. Most downstream tooling struggles with this because triage accuracy depends on understanding the finding, not just its location.
Pixee's handler compensates. When Checkmarx SARIF provides minimal metadata, the adaptive triage pipeline re-derives context directly from the codebase. Rather than relying on the scanner to explain the finding, the system examines the actual code at the finding location, understands the surrounding context, and makes a triage decision based on what the code does -- not on what the scanner's sparse output says.
The result: Pixee's triage accuracy does not degrade when the scanner provides minimal context. Teams get the same quality of triage decisions regardless of how much metadata Checkmarx includes in its SARIF export.
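As an added illustration (not Pixee's code and not its triage logic), the Python below sketches the problem described above: it parses a constructed metadata-sparse SARIF export, records which results carry no rule description and no codeFlows, and then decides on each finding by reading the source at the flagged location rather than the scanner's message. The parameterization check is a deliberately simple stand-in heuristic, and the file contents and SARIF document are constructed for the example; it also shows the "SQL injection on parameterized code" false positive pattern listed under Common False Positive Patterns.

```python
import json
import re

def sarif_result(rule, uri, line):
    """Build one SARIF result carrying only what a sparse export provides."""
    return {"ruleId": rule, "message": {"text": rule}, "locations": [{"physicalLocation":
            {"artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

# Constructed SARIF shaped like a metadata-sparse export: no rule
# fullDescription, no codeFlows, just a rule id and a location per result.
SPARSE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "Checkmarx", "rules": [{"id": "SQL_Injection"}]}},
    "results": [sarif_result("SQL_Injection", "app/db.py", 3),
                sarif_result("SQL_Injection", "app/raw.py", 2)]}]})

# Constructed source files the findings point at (stand-in for the checked-out repo).
FILES = {
    "app/db.py": ("def lookup(cur, user_id):\n    sql = 'SELECT * FROM users WHERE id = %s'\n"
                  "    cur.execute(sql, (user_id,))\n    return cur.fetchone()\n"),
    "app/raw.py": ("def lookup(cur, user_id):\n"
                   "    cur.execute('SELECT * FROM users WHERE id = ' + user_id)\n"),
}

def load_findings(sarif_text):
    """Return (rule_id, uri, line, is_sparse) per result; sparse means the rule
    has no fullDescription and the result carries no codeFlows."""
    out = []
    for run in json.loads(sarif_text)["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            sparse = ("fullDescription" not in rules.get(res["ruleId"], {})
                      and not res.get("codeFlows"))
            out.append((res["ruleId"], loc["artifactLocation"]["uri"],
                        loc["region"]["startLine"], sparse))
    return out

# execute(<name>, (args...)) or execute(<name>, [args...]): bound parameters.
PARAMETERIZED = re.compile(r"\.execute\(\s*\w+\s*,\s*[\(\[]")

def triage(files, uri, line, radius=1):
    """Illustrative heuristic, not Pixee's logic: a parameterized execute() at or
    beside the flagged line makes a SQL_Injection finding a likely FALSE_POSITIVE."""
    lines = files[uri].splitlines()
    window = lines[max(0, line - 1 - radius): line + radius]
    if any(PARAMETERIZED.search(text) for text in window):
        return "FALSE_POSITIVE", "query executed with bound parameters"
    return "UNDECIDED", "no parameterization visible near the finding"
```

Both results come back marked sparse, and only the finding on the parameterized query is classed as a false positive; the string-concatenated query stays undecided for a real triage pass.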
Remediation
True positive findings receive automated code fixes delivered as pull requests.
Pixee includes Checkmarx-specific remediation codemods alongside its general-purpose codemod library and AI-powered fixes. Fixes match your team's code conventions. Developers review and merge Pixee PRs through their standard workflow.
For the full list of vulnerability types Pixee triages and fixes, see What Pixee Fixes.
Setup
- Export Checkmarx findings in SARIF format from CxSAST or CxOne.
- Connect your code repository to Pixee via the appropriate platform integration (GitHub, GitLab, Azure DevOps, or Bitbucket).
- Upload Checkmarx SARIF to Pixee (via CI/CD pipeline or direct upload).
- Pixee ingests and processes findings through the triage and remediation pipeline -- compensating for sparse metadata automatically.
- Review and merge Pixee-generated PRs in your normal workflow.
Prerequisites: Checkmarx CxSAST or CxOne license with SARIF export capability, Pixee connected to your SCM platform.
Common False Positive Patterns Pixee Eliminates
- SQL injection on parameterized code: Findings flagged on code that already uses parameterized queries or ORM frameworks
- XSS with framework-level encoding: Findings where framework auto-escaping is present (React JSX, Django template engine, Angular sanitization)
- Tuning-dependent suppressions: Findings that would require manual Checkmarx tuning to suppress -- Pixee's triage handles this automatically with code-level justification
- Test code at production severity: Test fixtures and example files flagged alongside production code
- Context-poor findings: Findings where Checkmarx's sparse SARIF metadata makes manual review difficult -- Pixee re-derives context from the actual codebase
See Integrations Overview for the full scanner coverage matrix.