Technology Blog Posts by SAP
krzys

Enhancing SAP Continuous Integration and Delivery with Checkmarx One

In today’s fast-paced digital landscape, maintaining robust security and compliance is more crucial than ever. As users of SAP Continuous Integration and Delivery, you understand the importance of delivering high-quality code rapidly. But how do you ensure that your code is not just functional, but also secure? This is where Static Application Security Testing (SAST) comes into play.

SAST is a technique used to analyze an application’s source code, bytecode, or even binary code for vulnerabilities that could be exploited. By integrating SAST into your CI/CD pipelines, you can actively identify and mitigate potential security risks before code reaches production. This approach offers numerous benefits, including early detection of vulnerabilities, reduced technical debt, and improved overall code quality.

Checkmarx One is an advanced SAST tool designed to provide comprehensive security analysis across various stages of your software development lifecycle. Checkmarx One can integrate with CI/CD pipelines, automating the process of identifying and remediating security flaws. This not only minimizes the risk of vulnerabilities but also ensures that your applications comply with industry standards and best practices.

In this blog post, we’ll guide you through the process of integrating Checkmarx One into the Compliance stage of your SAP Continuous Integration and Delivery jobs. By following these steps, you’ll be able to enhance the security and compliance of your code, ultimately delivering more resilient and trustworthy applications. So, let’s get started and explore how Checkmarx One can be added to your CI/CD jobs!

Prepare the Script

We'll use a bash script to run the Checkmarx scan. This script downloads the command line client, and then executes the scan:

#!/bin/bash
set -euo pipefail

# Define the URL to download the Checkmarx One CLI
CLI_VERSION="2.3.21"
CLI_BINARY_TAR="ast-cli_${CLI_VERSION}_linux_x64.tar.gz"
CLI_URL="https://github.com/Checkmarx/ast-cli/releases/download/${CLI_VERSION}/${CLI_BINARY_TAR}"

# Define the CLI filename
CLI_BINARY="cx"

# Download the CLI (unless a copy is already present) and make it executable.
download_cli() {
  echo "Downloading Checkmarx One CLI version ${CLI_VERSION} from"
  echo "${CLI_URL}"

  if [ ! -f "${CLI_BINARY}" ]; then
    # -f makes curl fail on an HTTP error instead of saving the error page as the archive
    curl -fL -o "${CLI_BINARY}.tar.gz" "${CLI_URL}"
    tar -xzf "${CLI_BINARY}.tar.gz"
    rm "${CLI_BINARY}.tar.gz"
    chmod +x "${CLI_BINARY}"
  fi

  echo "Download complete."
}

# Run the scan using the variables and credentials provided by the job environment.
# Every expansion is quoted so a value containing spaces cannot split into extra arguments.
execute_checkmarx_one_scan() {
  echo "Running Checkmarx One scan."

  ./"${CLI_BINARY}" scan create \
    --project-name "${CX_PROJECT}" \
    --file-source "${PWD}" \
    --client-id "${CLIENT_ID}" \
    --client-secret "${CLIENT_SECRET}" \
    --base-uri "${CX_URI}" \
    --base-auth-uri "${CX_URI}" \
    --tenant "${CX_TENANT}" \
    --branch "${GIT_BRANCH}"
}

download_cli && execute_checkmarx_one_scan


The script requires certain variables and credentials. Specifically, we'll add the following to the configuration of our SAP Continuous Integration and Delivery job later:

  • CLIENT_ID and CLIENT_SECRET as secrets
  • CX_PROJECT, CX_TENANT, CX_URI as additional variables

If you want to run the script locally, make sure these variables are set in your environment. To run the script as part of your job, you need to add it to your source code repository. In our example, we'll store it as .cicd/cxone.sh.

Configure the SAP Continuous Integration and Delivery Job

Now let's work on the SAP Continuous Integration and Delivery job that executes this bash script.

  1. In SAP Continuous Integration and Delivery, navigate to your jobs or create a new one. This procedure will work with the Cloud Foundry Environment pipeline.

  2. In the Compliance stage, add an Additional Command by entering the following into the text field:

    ./.cicd/cxone.sh

  3. The script will require certain variables and credentials, which you need to add to your job:

    • Additional Credentials: CLIENT_ID and CLIENT_SECRET
    • Additional Variables: CX_PROJECT, CX_TENANT, CX_URI

    All of these credentials and variables can be acquired from your Checkmarx One instance or from your Checkmarx administrators.

  4. Once your configuration is complete, save the job.
  5. Run it and watch the magic.


Your CI job will now not only run the scan but also fail if your quality thresholds are not met. Visit the Checkmarx One web application or your build log for more information on the findings. If things don't work out immediately (well, they never do, do they?), have a look at the following Troubleshooting section.

Error Handling and Troubleshooting

If you encounter errors while running the script, check the following:

  • Ensure that the required variables and credentials are set correctly. (In general, adding better error handling and error messages will improve the usability of the script in production environments.)
  • Check the build log for any error messages or clues that can help you diagnose the issue.
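As an added example of the "better error handling and error messages" mentioned above (not part of the original post), the following pre-flight checks can be sourced or pasted at the top of cxone.sh before download_cli runs. It validates the five variables the post lists by name only, so a failed check never prints a client secret into the build log, and refuses a CX_URI that is not https; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# environment the cxone.sh script expects. Function names are hypothetical.
set -u

# Names the scan script reads from the SAP CI/CD job environment (from the post).
REQUIRED_VARS="CLIENT_ID CLIENT_SECRET CX_PROJECT CX_TENANT CX_URI"
# Subset that is stored as Additional Credentials and must never reach the log.
SECRET_VARS="CLIENT_ID CLIENT_SECRET"

# Says where in the job configuration a given variable belongs.
var_kind() {
  case " ${SECRET_VARS} " in
    *" $1 "*) echo "Additional Credential" ;;
    *)        echo "Additional Variable" ;;
  esac
}

# Prints one line per missing or empty variable and returns 1 if any is found.
# Only names are printed, so a failed check cannot leak a client secret.
check_required_vars() {
  missing=0
  for name in ${REQUIRED_VARS}; do
    # Indirect lookup; the names come from the fixed list above, not from input.
    eval "value=\${${name}:-}"
    if [ -z "${value}" ]; then
      echo "error: ${name} is not set; add it as an $(var_kind "${name}")" >&2
      missing=1
    fi
  done
  return "${missing}"
}

# Refuses to send the client secret to anything but an https endpoint.
check_base_uri() {
  case "$1" in
    https://[!/]*) return 0 ;;
    *) echo "error: CX_URI must be an https:// URL, got: $1" >&2; return 1 ;;
  esac
}

# Runs both checks; a non-zero exit fails the Compliance stage before the scan starts.
run_preflight() {
  check_required_vars && check_base_uri "${CX_URI:-}"
}
```

Call run_preflight as the first statement of the script so that a misconfigured job fails with a named variable rather than with an opaque CLI authentication error.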

Tips and Best Practices

  • Make sure to update the CLI_VERSION variable in the script to match the latest version of the Checkmarx One CLI.
  • If you're using a different repository structure, update the job to point to the correct location of the script.

Now you have integrated Checkmarx One security scans into your SAP Continuous Integration and Delivery job. This will help you catch security vulnerabilities early in the development cycle and ensure that your code is secure and compliant with industry standards.

Please let us know what you think in the comments!