Blog

Building #DevSecTrust with JetBrains and Checkmarx

4 min.

April 22, 2024

In the world of application development, success relies on developers being able to use their preferred tools to deliver innovative, secure products. Getting the developer experience right is a mission that unites Checkmarx and JetBrains, a global software vendor that creates professional software development tools and advanced collaboration solutions. See this in action by watching our latest joint webinar

We are pleased to announce that we are building on our long-standing partnership and earlier integrations with JetBrains’ flagship, IntelliJ IDEA. This will deliver the full power of the Checkmarx One™ Application Security Platform into key JetBrains tools. Individual developers and teams will be able to boost their security performance while continuing to deliver applications at speed.

Partnering for Secure Code Productivity 

In 2022, Checkmarx and JetBrains first partnered by bringing Checkmarx SCA capabilities natively into IntelliJ IDEA Ultimate through the Package Checker. Using the pre-installed Packager Checker plugin, five million developers can use IntelliJ IDEA to initiate Checkmarx SCA scans directly from their development environment. This can be done for free, without the need to become a Checkmarx customer, with detailed results showing OSS vulnerabilities as soon as the scan is complete. Frictionless integration, with modern application development workflows, makes it easier to secure applications before they are compiled, instead of waiting for deployment to identify vulnerabilities. 

Building on this initial launch, the Checkmarx SCA plugin is also available for a wide range of JetBrains developer tools including WebStorm, PyCharm, Rider, ReSharper, Qodana, and GoLand.

Building #DevSecTrust 

The next phase of our partnership with JetBrains is now live. Checkmarx customers can now bring the full functionality of the Checkmarx One 3.0 application security platform, including SAST, SCA, and IaC security, to IntelliJ IDEA through the Checkmarx One JetBrains Plugin.  

We know that making security tools available to developers doesn’t automatically lead to more secure code. Fast, secure application development is the goal, but this is hard to achieve if security tools lack intuition and cause friction in developer workflows. To help developers, Checkmarx One doesn’t just provide detailed information on each vulnerability discovered, including remediation recommendations and examples. We also enable the developer to navigate with one click from the identified vulnerability directly to the best fix location in the source code, so no time is wasted.

Focusing on exploitable vulnerabilities is also critical to effective and efficient remediation. That’s why the newest releases of JetBrains’ IntelliJ IDEA, WebStorm, PyCharm, Rider, and ReSharper tools include Checkmarx’s Exploitable Path capabilities for Java, JavaScript, C#, and Python languages. This capability gives developers the ability to see whether there’s a path from the project code into the vulnerable package code through which the vulnerable packages could be exploited. Developer teams can focus on the remediation of actively exploitable vulnerabilities first so their time is spent on the most critical areas. 

Our #DevSecTrust approach can also be seen in reducing the number of irrelevant alerts. Checkmarx starts work before it is integrated into the IDE. It can be finely tuned by AppSec teams to ensure the accuracy of scans and effective prioritization of findings. Noise is reduced before it enters the workflow, so developers can be confident that the vulnerabilities they are being alerted to are genuine and they know what needs to be prioritized for fixing. This ultimately helps CISOs drive strategic initiatives to uplevel application security posture. 

Collaborative Development with Security in Mind

Checkmarx One 3.0 can also be integrated into TeamCity, a powerful CI/CD tool for DevOps teams of any scale, developed by JetBrains. This means organizations can normalize the inclusion of security scanning in team application development projects.

The Checkmarx One TeamCity plugin enables users to trigger SAST, SCA, IaC Security, and API Security scans directly from a TeamCity project. It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from a source code repository and uploads it to Checkmarx One for scanning. This plugin provides easy integration with TeamCity while enabling scan customization using the full functionality and flexibility of the Command Line Interface (CLI) tool.

Key features of the TeamCity plugin include:

  • Automatically triggering CxSAST, CxSCA, IaC Security, and API Security scans from TeamCity projects.
  • Use of CLI arguments to customize scan configuration.
  • Automatic updates to the latest plugin version.
  • Interface for viewing scan results summary and trends in the TeamCity environment.
  • Direct links from within TeamCity to detailed Checkmarx One scan results and reports.
  • Generating SBOM reports.

This helps teams enhance software security, governance, and reporting.

A Powerful Partnership

JetBrains and Checkmarx are recognized leaders in their fields, and this long-term partnership unites us in delivering a game-changing developer experience, raising the profile of AppSec without compromising productivity or workflows. This empowers CISOs to elevate code security and deliver more secure apps, faster.

Getting Started

It couldn’t be easier to get started with Checkmarx in JetBrains tools. Our dependency checker plugin is already a native part of all JetBrains IDEs, so developers can access advanced SCA right now.

The Checkmarx One 3.0 plugin can be easily installed by Checkmarx customers into the IntelliJ IDEA development environment from the Checkmarx marketplace. It is also available as an on-premises solution. Similarly, the TeamCity plugin can be installed for customers with a Checkmarx account and is also available on-premises if required.For more information, contact the Checkmarx Team or watch our latest joint webinar today.