Package: Invicti AppSec Enterprise (on-premise, on-demand)
Checkmarx SCA Cloud integration
Checkmarx SCA Cloud is the cloud-hosted Software Composition Analysis platform by Checkmarx that identifies vulnerable open-source dependencies and license risks across your projects. The Invicti AppSec integration connects to the Checkmarx SCA Cloud API using username/password credentials and pulls completed scan results.
Prerequisites
| Field | Description |
|---|---|
| Username | Your Checkmarx SCA Cloud account username (email address) |
| Password | Your Checkmarx SCA Cloud account password |
| Tenant | Your Checkmarx SCA Cloud tenant name |
| Region | Your Checkmarx SCA Cloud region (us or eu) |
Get Credentials (on Checkmarx SCA Cloud Side)
- Log in to the Checkmarx SCA Cloud portal at https://sca.checkmarx.net (US) or https://eu.sca.checkmarx.net (EU).
- Use your registered email and password as credentials.
- Your Tenant name can be found in your account profile or was provided by your Checkmarx account representative.
If your organization uses SSO (Single Sign-On) for Checkmarx SCA Cloud, a service account with username/password authentication must be created for the integration. Contact your Checkmarx SCA administrator.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the SCA Tab
On the Integrations > Scanners page, click on the SCA tab.

Step 3: Find and Activate Checkmarx SCA Cloud
Scroll through the list of SCA scanners to find Checkmarx SCA Cloud.
- If Checkmarx SCA Cloud is not activated, click the Activate button to enable the integration.
The scan method badges on the Checkmarx SCA Cloud card include Bind, KDT, Import, and UI-Import.
Step 4: Configure Connection Settings
Click the gear icon on the Checkmarx SCA Cloud card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Username | Your Checkmarx SCA Cloud account email | Yes |
| Password | Your Checkmarx SCA Cloud account password | Yes |
| Tenant | Your Checkmarx SCA Cloud tenant name | Yes |
| Region | Select us for US region or eu for EU region | Yes |
Regional endpoints used internally:
- US: https://platform.checkmarx.net (auth), https://api-sca.checkmarx.net (API)
- EU: https://eu.platform.checkmarx.net (auth), https://eu.api-sca.checkmarx.net (API)

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with your Checkmarx SCA Cloud tenant.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the SCA tab |
| 3 | Activate Checkmarx SCA Cloud |
| 4 | Enter Username, Password, Tenant, and Region |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Checkmarx SCA Cloud Scanner
- Select SCA as the scanner type.
- Choose Checkmarx SCA Cloud from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Project | Select the Checkmarx SCA Cloud project (loaded from your tenant) | Yes |
| Branch | Source code branch associated with this scan | Yes |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |
The Project field is a searchable dropdown that loads projects from your Checkmarx SCA Cloud tenant. Ensure the correct region and tenant are configured in the integration settings.

Scheduler
Enable the Scheduler toggle to run Checkmarx SCA Cloud scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t checkmarxscacloud -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid credentials | Verify the username (email) and password are correct. Ensure the account is not locked or expired. |
| Tenant not found | Check the exact tenant name — it is case-sensitive. Contact your Checkmarx account team if unsure. |
| Wrong region | Ensure you selected the correct region (us or eu) that matches your Checkmarx SCA Cloud account. |
| SSO login not working | The integration requires username/password authentication. A dedicated service account must be created for SSO-only organizations. |
Scan Issues
| Issue | Resolution |
|---|---|
| Project not found | Verify the Project ID exists in the Checkmarx SCA Cloud portal under your tenant. |
| Empty results | The project may have no completed scans or no vulnerabilities in the latest scan. Check scan history in the portal. |
| Import fails | Ensure the uploaded JSON file is in the Checkmarx SCA export format. |
| Authentication expired | Checkmarx SCA Cloud sessions expire periodically. The integration re-authenticates automatically on each scan trigger. |
Best Practices
- Create a dedicated service account in Checkmarx SCA Cloud specifically for the Invicti AppSec integration to avoid disruption when team members change.
- Use a strong password and rotate it periodically, updating the integration settings accordingly.
- Use the Project ID (not project name) in scan configurations to avoid issues with duplicate project names across tenants.
- Monitor Checkmarx SCA Cloud for scan completion before triggering imports in Invicti AppSec pipelines.
- Confirm which region (us or eu) your Checkmarx SCA Cloud account belongs to before configuring the integration to avoid authentication errors.
Limitations
- Authentication uses username and password only — API key-based authentication is not supported for Checkmarx SCA Cloud in this integration.
- Only the most recent completed scan results for the specified project are retrieved.
- The integration does not trigger new scans in Checkmarx SCA Cloud; it only retrieves existing completed scan results.
- Container scanning results from Checkmarx SCA Cloud are not currently imported into Invicti AppSec.