Deployment Home - checkmarx-ts/CxAnalytix GitHub Wiki
CxAnalytix Deployment Guide
CxAnalytix Server Requirements
CxAnalytix is recommended to run on a standalone server or as a Docker container. It can run on the CxSAST manager, since its workload does not tend to be extremely CPU intensive at most scan volumes, but running it on the CxSAST manager is not recommended if it can be avoided.
Basic system specification:
- 4GB RAM
- CPU cores: one more than the configured number of concurrent scan threads (i.e. number of threads + 1)
- At least 1TB of disk space if extraction data is retained for 2 weeks or less and you expect fewer than 100 scans every 2 hours
MongoDB Sizing
If persisting the extracted data in MongoDB, there is no set guide to sizing. Several variables should be considered when selecting system sizing.
Data Retention
Most deployments intend to persist the vulnerability data in perpetuity (or don't have a plan to purge data). If this is the case, a MongoDB cluster with the ability to expand storage should be considered. This storage expansion will likely need to consider sharding configurations that can be done as part of the MongoDB server configuration or via embedding a shard key directly in the stored data. The Shard Key Cookbook can assist with choosing an appropriate configuration.
Shard Searching
Most searches for vulnerability data may not be done such that a specific set of shards can limit the scope of where the query is executed. This may result in searches across all shards. The expected volume of queries that may result in multi-shard searches should be taken into account when specifying the cluster members' hardware. The machine specification will also need to account for CPU required for any indexing and data ingestion.
Network Connections
Please view the connection diagram documentation for details about required network connections.
Operational Considerations
The state files should be archived periodically to ensure crawling does not re-crawl existing scans. The state files are written to the path specified by the `StateDataStoragePath` attribute in the `CxAnalytixService` configuration section.
If running CxAnalytix as a Docker container, the default location `/var/cxanalytix` should be mapped to a volume so that the files are persistent across Docker container executions.
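The periodic archiving described above, as an added example that is not part of the CxAnalytix project: the function below tars the state directory into a timestamped archive, verifies the archive reads back before trusting it, and prunes all but the newest N archives. The directory paths are assumptions; point the source at the directory named by `StateDataStoragePath` (or the host directory mapped to `/var/cxanalytix` for Docker).

```shell
#!/bin/sh
# Added example (not CxAnalytix's own tooling): archive the crawler state
# directory so a rebuilt or redeployed instance does not re-crawl scans.
# All paths here are assumptions; pass your own StateDataStoragePath.

# archive_state_files SRC_DIR DEST_DIR [KEEP]
# Writes DEST_DIR/cxanalytix-state-YYYYmmdd-HHMMSS.tar.gz from SRC_DIR,
# verifies it can be listed, keeps only the newest KEEP archives (default 14)
# and prints the new archive path on success.
archive_state_files() {
    src="$1"; dest="$2"; keep="${3:-14}"
    [ -d "$src" ] || { echo "state dir not found: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/cxanalytix-state-$stamp.tar.gz"
    # -C so the archive holds paths relative to the state dir, not host paths
    tar -czf "$archive" -C "$src" . || return 1
    # Verify before trusting it: an unreadable archive is worse than none.
    tar -tzf "$archive" >/dev/null || { rm -f "$archive"; return 1; }
    # Prune: the timestamp in the name sorts lexically, so newest come first.
    ls -1 "$dest"/cxanalytix-state-*.tar.gz 2>/dev/null \
        | sort -r | tail -n +$((keep + 1)) \
        | while read -r old; do rm -f "$old"; done
    echo "$archive"
}

# count_archived_files ARCHIVE -> number of regular files inside the archive
count_archived_files() {
    tar -tzf "$1" | grep -v '/$' | grep -c .
}

# Typical cron use (assumed paths):
#   archive_state_files /var/cxanalytix /backup/cxanalytix-state 14
```

Run it from cron at a shorter interval than your retention window, and keep the archive directory on storage that survives a container or host rebuild.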
Checkmarx Application Service Account
CxAnalytix requires a SAST service account to log in to the SAST APIs to crawl scans. The service account has the following requirements:
- It should be assigned at a team level that allows visibility to all projects that require crawling. Usually this is the `/CxServer` team but will depend on your team organization. Any projects assigned to teams above or at a sibling level of the service account's assigned team will not be visible to crawling requests.
- A role named `CxAnalytix` should be created and assigned to the service account user. The role should have the following minimum permissions:
  - SAST->Project & Scans->Save Sast Scan
  - Reports->Generate Scan Reports
If there are log messages indicating `403: Forbidden` when attempting to access SAST REST API methods, this usually indicates the `CxAnalytix` role does not have appropriate privileges.
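A quick way to check for the privilege problem described above, as an added example that is not part of the CxAnalytix project: the functions below pull the `403: Forbidden` lines out of a log file and list the distinct REST paths that were refused, which narrows down which role permission is missing. The sample log at the bottom is constructed for a stand-alone run; the line layout and the `/cxrestapi/...` paths in it are assumptions, so adjust the pattern to your actual log format.

```shell
#!/bin/sh
# Added example (not CxAnalytix's own tooling): detect SAST REST API 403
# responses in a CxAnalytix log and report the refused endpoints.
# The log line layout below is a constructed assumption.

# forbidden_count LOGFILE -> number of lines containing "403: Forbidden"
forbidden_count() {
    grep -c -F '403: Forbidden' "$1" || true   # grep -c exits 1 on zero matches
}

# forbidden_endpoints LOGFILE -> distinct REST paths that returned 403, one per line
forbidden_endpoints() {
    grep -F '403: Forbidden' "$1" \
        | grep -oE '/cxrestapi/[A-Za-z0-9_./-]+' \
        | sort -u
}

# Constructed sample log (not real CxAnalytix output) so the script runs offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-05 02:00:01 INFO  Crawling project 42 scan 1001
2024-01-05 02:00:02 ERROR GET /cxrestapi/reports/sastScan returned 403: Forbidden
2024-01-05 02:00:02 ERROR POST /cxrestapi/reports/sastScan returned 403: Forbidden
2024-01-05 02:00:03 INFO  Fetched scan summary for scan 1001
2024-01-05 02:00:04 ERROR GET /cxrestapi/sast/scans/1001/resultsStatistics returned 403: Forbidden
EOF

# Stand-alone run: summarise the constructed log.
echo "403 responses: $(forbidden_count "$SAMPLE_LOG")"
echo "refused endpoints:"
forbidden_endpoints "$SAMPLE_LOG"
```

If the refused paths are all under the reports API, the `Reports->Generate Scan Reports` permission is the first thing to check; a mix across scan and project endpoints usually means the service account's team assignment, not just the role, is too narrow.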