Frequently Asked Questions - checkmarx-ltd/cx-flow GitHub Wiki
- What is CxFlow?
- What are the main benefits of CxFLow
- What are typical use cases?
- Is CxFlow supported by the product team?
- How does Checkmarx support CxFlow implementations?
- Does CxFlow have Checkmarx Licensing requirements?
- What Integrations does CxFlow support?
- What are the requirements for CxFlow?
- When are Issues created from CxFlow into a Defect Tracking system?
- How can I demo CxFlow?
- Is CxFlow open source?
- Has CxFlow been security tested and scanned for known vulnerabilities?
- If I have an issue / feature request item where can I report it?
- How do I obtain the latest version of CxFlow?
- How do I get started with CxFlow?
- How does CxFlow work with multiple GitHub organizations or multiple JIRA projects?
- Can a single yaml file be used to connect to multiple defect tracking systems?
- How do you manage the project creation within CxSAST when running CxFlow in WebHook mode?
- If using global WebHooks, can specific projects be excluded from scanning?
- Why cxflow spring boot fails to start application if application.xml is present in source code in GitLab pipeline
CxFlow is a solution that enables creating projects automatically, scans orchestration and facilitates feedback channels in a closed loop mode.
CxFlow aids in incorporating Checkmarx scanning into DevOps/Release pipelines as early as possible.
Refer to CxFlow Workflows for further information.
CxFlow is supported by the product team. Tickets can be opened via the regular workflow. SEG will decide to whom the ticket is routed, based on the production matrix and progress.
Checkmarx supports deploying and maintaining CxFlow by leveraging Checkmarx Professional Services for CxFlow iplementation, setup, and maintenance.
No. CxFlow is a tool developed interdependently from the Checkmarx product line and does not require any additions to existing customer licenses.
The table below lists all the supported integrations, features and states the recommended versions.
| Software/Services | Features | CxFlow Version |
|---|---|---|
| Jira | Issue Tracking | >= 1.0.0 |
| Custom Bug Types | ||
| Custom Transitions in Workflows | ||
| Custom Fields | ||
| GitHub | WebHooks | >= 1.2.0 |
| Pull Requests Scanning and Decorating | ||
| Push Events | ||
| Native Issues Tracker | ||
| GitLab | WebHooks | >= 1.2.0 |
| Merge Requests Scanning and Decorating | ||
| Push Events | ||
| Native Issues Tracker | ||
| Azure DevOps | WebHooks | >= 1.3.0 |
| Merge Requests | ||
| Push Events | ||
| Pipelines | ||
| Work Items | ||
| BitBucket | WebHooks | >= 1.4.3 |
| Post Webhooks (plugin) | >= 3.14.18 | |
| Merge Requests Scanning | ||
| Pull Events | ||
| Issue Tracker | ||
| Rally | Issue Tracking | >= 1.5.3 |
Refer to Pre-Requisites and Requirements
Issues are only created when a Push event into a protected branch occurs. When a Pull/Merge Request is created (and CxFlow scans the new code), the vulnerability information is displayed in the Pull/Merge Request comments and does NOT create issues in the defect tracking system.
Professional Services has created an easy-to-use CxFlow Demo Instance (sub-project of CxPsPowerHasks) script to assist with easy deployment and demonstration of CxFlow.
Yes. The code can be found here. Connect to preview
Note: CxFlow is a technical solution. Although it is open source and available for anyone to deploy, Checkmarx recommends and supports installations assisted by Checkmarx Professional Services
Yes. CxFlow has undergone multiple test runs at several stages with various testing tools. For additional information, contact your Checkmarx Representative.
CxFlow feature requests and issues should be reported like any other product feature request. CxFlow is available just like any other Checkmarx component.
You can find the current release on the GitHub releases page.
Please see the Labs page or the quick start on the home page.
Overrides can be used at the WebHook level and config as code can be added to the individual repos.
CxFlow Configuration
Config As Code
Yes - with the limitation of one Jira instance.
Overrides can be used to assign the same name to multiple projects. Alternatively, a groovy script can be used to help decide on project names and if it should be scanned. Refer also to CxFlow Configuration
Yes, this can be performed with overrides & Config As Code
Q: Why cxflow spring boot fails to start application if application.xml is present in source code in GitLab pipeline ?
Please pass command line parameter --spring.config.name=myproject in .gitlab-ci.yml file
Q: How to make scan compatible with Windows os if project have windows reserved keyword or folder with windows invalid characters ?
Please exclude files which contains windows reserved keyword or folder with windows invalid characters using excludeFiles parameter.
All work items in search bar or run a query in ADO to find all work items.