How to Prioritize Vulnerabilities with Checkmarx and Sysdig Runtime Insights

By Victor Hernando - MARCH 22, 2024


Back in August 2023, Checkmarx and Sysdig announced a new partnership. This collaboration enables customers of both Checkmarx and Sysdig to leverage the comprehensive visibility offered by Sysdig Runtime Insights to get even more value from the Checkmarx One application security platform.

Nowadays, an increasing number of companies are integrating runtime intelligence into their security tooling. This approach reduces noise and gives developers and security teams the context they need to address the most critical issues first: knowing which vulnerable packages are actually loaded in running workloads makes prioritizing and fixing vulnerabilities early in the software lifecycle significantly easier.

Checkmarx and Sysdig are working together to facilitate this transition. The Checkmarx One AppSec platform now incorporates Runtime Insights from Sysdig's Cloud-Native Application Protection Platform (CNAPP), empowering application security teams to prioritize and resolve security issues at cloud speed.

Benefits of Using Checkmarx with Sysdig Runtime Insights

Sysdig's Risk Spotlight provides runtime context so that developers can address first the vulnerabilities that pose an immediate risk: those in packages that are actually in use in running workloads.

Now, let's explore some of the advantages of bringing Sysdig's Risk Spotlight into our partner Checkmarx's platform.

Minimize the noise

Sysdig's unique view of how vulnerabilities actually affect running applications allows joint Checkmarx and Sysdig customers to identify the most imminent security risks. With runtime intelligence integrated into Checkmarx's Software Composition Analysis (SCA) tool, developers can prioritize the critical vulnerabilities whose packages are in use, cutting the vulnerability noise by up to 95%.

Reduce the vulnerability fatigue

Developers are often overwhelmed by the volume of vulnerabilities reported to them daily. Through the Checkmarx SCA and Sysdig partnership, an effective developer feedback loop is established, offering precise, meaningful, and actionable insights integrated into the software lifecycle. Checkmarx users gain access to runtime data that lets them make better informed decisions, reducing their burden and improving the overall software development experience.

Accelerate software delivery

Runtime insights let developers resolve the most critical vulnerabilities immediately while deferring those in packages that are never loaded at runtime. Note that a deferred vulnerability is deprioritized, not resolved: the vulnerable package is still present in the image, and it moves back up the list if a later change starts using it. This approach streamlines software development and delivery, enabling faster iteration from development to deployment. Develop, address, and deliver with greater speed and efficiency.

How to Enable Runtime Insights Integration Step by Step

Prerequisites

It is assumed that you are familiar with both security tools, Sysdig and Checkmarx, and that you have at least one active user account on each platform. This is essential because a Sysdig Risk Spotlight API token is required to enable the integration and to access runtime insights within Checkmarx.

Integrating Sysdig runtime insights into the Checkmarx SCA workflow requires an image scan task. Checkmarx has streamlined this into a single command line that uses the Checkmarx One CLI and the Checkmarx SCA Resolver tool; the open source Syft is used in this workflow to inventory the packages in the container image.

Let’s set up our environment:

  1. Download and configure Checkmarx One CLI. When prompted, paste your Checkmarx AST API key and leave the remaining fields blank.

     $ wget https://github.com/Checkmarx/ast-cli/releases/download/2.0.62/ast-cli_2.0.62_linux_x64.tar.gz
     $ tar zxvf ast-cli_2.0.62_linux_x64.tar.gz
     $ cx configure
     Creating directory
     Setup guide: https://checkmarx.com/resource/documents/en/34965-68621-checkmarx-one-cli-quick-start-guide.html
     AST Base URI []:
     AST Base Auth URI (IAM) []:
     AST Tenant []:
     Do you want to use API Key authentication? (Y/N): Y
     AST API Key []: <PASTE_YOUR_API_KEY_HERE>

     The CLI stores this key in its configuration file under your home directory, so treat that file as a secret. In CI, prefer supplying the key through an environment variable or a secret store rather than running the interactive configure step.

  2. Download the Checkmarx SCA Resolver tool.

     $ wget https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz
     $ tar zxvf ScaResolver-linux64.tar.gz

  3. Download and install Syft.

     $ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

     Piping a remote script straight into sh executes whatever the server returns. If that is unacceptable in your environment, download the installer (or the release tarball) first, verify it against the checksums published with the Syft release, and only then run it.

Enable Checkmarx + Sysdig integration

As of March 2024, Checkmarx users who wish to enable the Sysdig integration should contact a Checkmarx representative for assistance with the process.

How to run the Checkmarx scanner

  1. Create a new Checkmarx project.

     $ cx project create --project-name java-demo-app

     Project ID                           Name          Created at Tags Groups
     ----------                           ----          ---------- ---- ------
     cdbabb8f-b984-4984-a47e-e625f39d2828 java-demo-app 11-28-23   []   []

  2. Run a new image scan task. The --sca-resolver-params string is passed through to ScaResolver; this is where the container image to scan and the path for the container results file are set.

     $ cx scan create --project-name java-demo-app -s '/home/victor/cicd-secure-scan/myapp' --branch stam-branch --scan-types sca --debug --async --sca-resolver './ScaResolver' --sca-resolver-params "--log-level Debug --scan-containers true --images quay.io/vhernandomartin/myimage:latest --containers-result-path /home/victor/cicd-secure-scan/myapp/.cxsca-container-results.json"

     Because the scan is submitted with --async, the command returns as soon as the scan is queued, not when it finishes. Note also that the image is referenced by the mutable latest tag; for reproducible results, reference the image by digest so that the artifact you scan is exactly the one you deploy.

  3. Check the new scan task in the Checkmarx UI.
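The setup and scan steps above can be wrapped into one non-interactive script for CI. The following is an added example, not code from the Sysdig post or from Checkmarx. It assumes (the page does not state this) that the Checkmarx One CLI honours CX_APIKEY, CX_BASE_URI and CX_TENANT from the environment, so the interactive cx configure step is skipped, and it defaults to DRY_RUN=1, which only prints the commands so the script can be exercised offline. The project table it parses in dry-run mode is a constructed sample in the page's layout; the image check rejects references that are neither tagged nor pinned by digest.

```shell
#!/bin/sh
# Added example (not the post's own code): a non-interactive wrapper for the
# prerequisite and scan steps. Assumptions not stated on the page:
#  - the Checkmarx One CLI reads CX_APIKEY / CX_BASE_URI / CX_TENANT from the
#    environment, so `cx configure` is not needed;
#  - DRY_RUN=1 (the default) only prints the commands it would run.
set -eu

: "${DRY_RUN:=1}"

AST_CLI_VERSION="2.0.62"   # version pinned on the page
AST_CLI_URL="https://github.com/Checkmarx/ast-cli/releases/download/${AST_CLI_VERSION}/ast-cli_${AST_CLI_VERSION}_linux_x64.tar.gz"
SCA_RESOLVER_URL="https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz"

# Constructed sample of `cx project create` output, in the page's table layout,
# used in dry-run mode to exercise parse_project_id.
SAMPLE_PROJECT_TABLE='Project ID                           Name          Created at Tags Groups
----------                           ----          ---------- ---- ------
cdbabb8f-b984-4984-a47e-e625f39d2828 java-demo-app 11-28-23   []   []'

# Echo each command; execute it only when DRY_RUN is not 1.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Accept only image references that carry a tag or a sha256 digest. A bare name
# silently resolves to :latest, and even an explicit tag is mutable, so a digest
# is the only reference that guarantees the scanned image is the deployed one.
check_image_ref() {
    printf '%s\n' "$1" | grep -Eq '(:[A-Za-z0-9_.-]+|@sha256:[0-9a-f]{64})$'
}

# Extract the 36-character Project ID (first column) for the project whose
# Name column (second column) matches.
parse_project_id() {
    printf '%s\n' "$1" | awk -v name="$2" '$2 == name && length($1) == 36 { print $1; exit }'
}

# Build the ScaResolver argument string exactly as the page does, with the
# image reference and container results path filled in.
sca_resolver_params() {
    printf -- '--log-level Debug --scan-containers true --images %s --containers-result-path %s' "$1" "$2"
}

main() {
    project="${1:-java-demo-app}"
    src="${2:-/home/victor/cicd-secure-scan/myapp}"
    branch="${3:-stam-branch}"
    image="${4:-quay.io/vhernandomartin/myimage:latest}"
    results="${src}/.cxsca-container-results.json"

    # Fail before downloading anything if the key is missing (real runs only).
    if [ "$DRY_RUN" != "1" ] && [ -z "${CX_APIKEY:-}" ]; then
        echo "CX_APIKEY is not set" >&2
        return 1
    fi
    check_image_ref "$image" || { echo "refusing untagged image '$image'" >&2; return 1; }

    # Prerequisites 1-3: CLI, SCA Resolver, Syft. The Syft installer is saved
    # to a file rather than piped into sh so it can be inspected or verified.
    run wget -q "$AST_CLI_URL"
    run tar zxf "$(basename "$AST_CLI_URL")"
    run wget -q "$SCA_RESOLVER_URL"
    run tar zxf "$(basename "$SCA_RESOLVER_URL")"
    run curl -sSfL -o syft-install.sh https://raw.githubusercontent.com/anchore/syft/main/install.sh
    run sh syft-install.sh -b /usr/local/bin

    # Scanner step 1: create the project and capture its ID from the table.
    if [ "$DRY_RUN" = "1" ]; then
        table="$SAMPLE_PROJECT_TABLE"
    else
        table="$(./cx project create --project-name "$project")"
    fi
    project_id="$(parse_project_id "$table" "$project")"
    echo "project $project => $project_id"

    # Scanner step 2: submit the image scan (asynchronous, as on the page).
    run ./cx scan create --project-name "$project" -s "$src" --branch "$branch" \
        --scan-types sca --async --sca-resolver ./ScaResolver \
        --sca-resolver-params "$(sca_resolver_params "$image" "$results")"
    echo "scan submitted; container results will be written to $results"
}

main "$@"
```

Run it with DRY_RUN=0 and CX_APIKEY exported to execute the steps for real; pass the project name, source path, branch and image reference as positional arguments to override the page's values.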

Conclusion

This new partnership enhances the capabilities of both Checkmarx and Sysdig customers by strengthening shift-left security with invaluable runtime insights. Together, Checkmarx and Sysdig present a unique approach to detecting and responding to security threats.

Do you want to learn more? Visit the Checkmarx page on the Sysdig ecosystem portal for further information, or register to watch the accompanying webinar.
