{"id":4723,"date":"2025-08-22T09:54:55","date_gmt":"2025-08-22T09:54:55","guid":{"rendered":"https:\/\/uplatz.com\/blog\/?p=4723"},"modified":"2025-08-28T02:34:00","modified_gmt":"2025-08-28T02:34:00","slug":"checkmarx-pocket-book","status":"publish","type":"post","link":"https:\/\/uplatz.com\/blog\/checkmarx-pocket-book\/","title":{"rendered":"Checkmarx Pocket Book"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/27-1024x576.png\" alt=\"Checkmarx Pocket Book\" width=\"840\" height=\"473\" class=\"alignnone size-large wp-image-4898\" srcset=\"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/27-1024x576.png 1024w, https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/27-300x169.png 300w, https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/27-768x432.png 768w, https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/27.png 1280w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\" \/><br \/>\n<!-- Checkmarx Pocket Book \u2014 Uplatz (50 Cards, Wide Layout, Readable Code, Scoped Styles) --><\/p>\n<div style=\"margin: 16px 0;\">\n<style>\n    .wp-nodejs-pb { font-family: Arial, sans-serif; max-width: 1320px; margin:0 auto; }\n    .wp-nodejs-pb .heading{\n      background: linear-gradient(135deg, #e0f2fe, #ccfbf1); \/* lighter gradient *\/\n      color:#0f172a; padding:22px 24px; border-radius:14px;\n      text-align:center; margin-bottom:18px; box-shadow:0 8px 20px rgba(0,0,0,.08);\n      border:1px solid #cbd5e1;\n    }\n    .wp-nodejs-pb .heading h2{ margin:0; font-size:2.1rem; letter-spacing:.2px; }\n    .wp-nodejs-pb .heading p{ margin:6px 0 0; font-size:1.02rem; opacity:.9; }<\/p>\n<p>    \/* Wide, dense grid *\/\n    .wp-nodejs-pb .grid{\n      display:grid; gap:14px;\n      grid-template-columns: repeat(auto-fill, minmax(400px, 1fr));\n    }\n    @media (min-width:1200px){\n      .wp-nodejs-pb .grid{ grid-template-columns: repeat(3, 1fr); }\n    }<\/p>\n<p>  
  .wp-nodejs-pb .section-title{\n      grid-column:1\/-1; background:#f8fafc; border-left:8px solid #0ea5e9;\n      padding:12px 16px; border-radius:10px; font-weight:700; color:#0f172a; font-size:1.08rem;\n      box-shadow:0 2px 8px rgba(0,0,0,.05); border:1px solid #e2e8f0;\n    }\n    .wp-nodejs-pb .card{\n      background:#ffffff; border-left:6px solid #0ea5e9;\n      padding:18px; border-radius:12px;\n      box-shadow:0 6px 14px rgba(0,0,0,.06);\n      transition:transform .12s ease, box-shadow .12s ease;\n      border:1px solid #e5e7eb;\n    }\n    .wp-nodejs-pb .card:hover{ transform: translateY(-3px); box-shadow:0 10px 22px rgba(0,0,0,.08); }\n    .wp-nodejs-pb .card h3{ margin:0 0 10px; font-size:1.12rem; color:#0f172a; }\n    .wp-nodejs-pb .card p{ margin:0; font-size:.96rem; color:#334155; line-height:1.62; }<\/p>\n<p>    \/* Color helpers *\/\n    .bg-blue { border-left-color:#0ea5e9 !important; background:#f0f9ff !important; }\n    .bg-green{ border-left-color:#10b981 !important; background:#f0fdf4 !important; }\n    .bg-amber{ border-left-color:#f59e0b !important; background:#fffbeb !important; }\n    .bg-violet{ border-left-color:#8b5cf6 !important; background:#f5f3ff !important; }\n    .bg-rose{ border-left-color:#ef4444 !important; background:#fff1f2 !important; }\n    .bg-cyan{ border-left-color:#06b6d4 !important; background:#ecfeff !important; }\n    .bg-lime{ border-left-color:#16a34a !important; background:#f0fdf4 !important; }\n    .bg-orange{ border-left-color:#f97316 !important; background:#fff7ed !important; }\n    .bg-indigo{ border-left-color:#6366f1 !important; background:#eef2ff !important; }\n    .bg-emerald{ border-left-color:#22c55e !important; background:#ecfdf5 !important; }\n    .bg-slate{ border-left-color:#334155 !important; background:#f8fafc !important; }<\/p>\n<p>    \/* Utilities *\/\n    .tight ul{ margin:0; padding-left:18px; }\n    .tight li{ margin:4px 0; }\n    .mono{ font-family: ui-monospace, SFMono-Regular, Menlo, 
Monaco, Consolas, monospace; }\n    .kbd{ background:#e5e7eb; border:1px solid #cbd5e1; padding:1px 6px; border-radius:6px; font-family:ui-monospace,monospace; font-size:.88em; }\n    .muted{ color:#64748b; }\n    .wp-nodejs-pb code{ background:#f1f5f9; padding:0 4px; border-radius:4px; border:1px solid #e2e8f0; }\n    .wp-nodejs-pb pre{\n      background:#f5f5f5; color:#111827; border:1px solid #e5e7eb;\n      padding:12px; border-radius:8px; overflow:auto; font-size:.92rem; line-height:1.55;\n    }\n    .q{font-weight:700;}<\/p>\n<p>    \/* Make long Q&A easier to scan inside a card *\/\n    .qa p{ margin:8px 0; }\n    .qa b{ color:#0f172a; }\n  <\/style>\n<div class=\"wp-nodejs-pb\">\n<div class=\"heading\">\n<h2>Checkmarx Pocket Book \u2014 Uplatz<\/h2>\n<p>50 deep-dive flashcards \u2022 Wide layout \u2022 Fewer scrolls \u2022 20+ Interview Q&amp;A \u2022 Readable code examples<\/p>\n<\/p><\/div>\n<div class=\"grid\">\n      <!-- ===================== SECTION 1 ===================== --><\/p>\n<div class=\"section-title\">Section 1 \u2014 Fundamentals<\/div>\n<div class=\"card bg-blue\">\n<h3>1) What is Checkmarx?<\/h3>\n<p>Checkmarx is an Application Security Testing (AST) platform that helps teams find and remediate vulnerabilities across source code, open\u2011source dependencies, IaC templates, and more. It supports shift\u2011left security with developer\u2011centric tooling, CI\/CD integrations, and policies that gate builds. Common use cases: securing microservices, mobile apps, cloud\u2011native stacks, and regulated workloads that require continuous scanning and reporting.<\/p>\n<pre><code class=\"mono\"># Quick feel: run the AST CLI (conceptual)\r\ncheckmarx ast scan --project MyApp --src .\/ --branch main<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>2) Why Checkmarx? 
Core Strengths &#038; Tradeoffs<\/h3>\n<p><b>Strengths:<\/b> Broad scanner coverage (SAST, SCA, IaC, secrets), enterprise\u2011grade governance, and deep CI\/CD integrations. Developer features (PR feedback, incremental scans, training) reduce friction. <b>Tradeoffs:<\/b> Scans require tuning\/presets to control noise, and advanced rules\/policies need security expertise. Start with organization presets and iterate with audit feedback to balance signal and speed.<\/p>\n<pre><code class=\"mono\"># Create a security gate idea (pseudo)\r\nPolicy: fail build if severity \u2265 High and confidence \u2265 Medium and new issues &gt; 0<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>3) AST: Mental Model<\/h3>\n<p>AST groups complementary analyzers: <b>SAST<\/b> for data\u2011\/control\u2011flow in code, <b>SCA<\/b> for vulnerable dependencies &#038; licenses, <b>IaC<\/b> for misconfigurations, and optional dynamic\/API checks. Treat each as a signal; combine them with policies and risk acceptance. Optimize for developer loop time (fast incremental scans) and nightly\/full scans for thorough coverage.<\/p>\n<pre><code class=\"mono\"># Typical cadence\r\n- PR: quick SAST\/SCA + policy gate\r\n- Nightly: full SAST + IaC\r\n- Weekly: dependency updates + license review<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>4) Platform Components<\/h3>\n<p>Core pieces often include: <b>SAST<\/b> engine, <b>SCA<\/b> (OSS risk), <b>IaC<\/b> scanning for Terraform\/Cloud templates, <b>secrets<\/b> detection, a unified dashboard, and APIs\/CLI for automation. 
Many orgs also use developer training modules that map lessons to detected CWEs, helping teams remediate effectively.<\/p>\n<pre><code class=\"mono\"># CLI targets (illustrative)\r\ncheckmarx projects list\r\ncheckmarx ast results --project MyApp --latest<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>5) Checkmarx vs Other Tools<\/h3>\n<p>Compared to single\u2011purpose tools, a unified AST platform centralizes policy, reporting, and governance while still offering language coverage and CI hooks. Alternatives may excel in a niche (e.g., dependency risk only). Many enterprises pair a platform like Checkmarx with additional signals (DAST, container scan) and feed results to central risk dashboards.<\/p>\n<pre><code class=\"mono\">-- Goal: a single source of truth for vulns\r\n-- Inputs: SAST, SCA, IaC, Secrets \u2192 Policy \u2192 Build gate<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>6) Licensing &#038; Deployment Options<\/h3>\n<p>Supports SaaS and self\u2011managed deployments. Choose based on data residency, network isolation, and ops capacity. For self\u2011managed, plan for scanners, API, queue, and storage resources, and integrate SSO and logging from day one.<\/p>\n<pre><code class=\"mono\"># Self\u2011managed planning (conceptual)\r\n- SSO (OIDC\/SAML)\r\n- Private runners\/agents\r\n- Log shipping to SIEM<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>7) Projects, Presets &#038; Branches<\/h3>\n<p>Group repositories into <b>projects<\/b>, assign language <b>presets<\/b> (rulesets), and scan per <b>branch<\/b>. Start with vendor presets, then tune false positives and performance by enabling\/disabling queries. 
Keep presets versioned and reviewed by AppSec.<\/p>\n<pre><code class=\"mono\"># Pseudo commands\r\ncheckmarx projects create --name MyApp\r\ncheckmarx presets clone --from default --name my\u2011preset<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>8) Releases &#038; Compatibility<\/h3>\n<p>Lock your CLI\/scanner versions in CI to ensure reproducible results. Validate upgrades in a staging pipeline, compare baseline findings, and then roll out org\u2011wide. Keep language plugins up to date for new frameworks and sink sources.<\/p>\n<pre><code class=\"mono\"># Pin with a container image\r\nsecurity\/checkmarx\u2011cli:1.x\r\n# or download versioned binaries in CI<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>9) Organizations, Teams &#038; RBAC<\/h3>\n<p>Map <b>teams<\/b> to repositories\/services and control access via <b>RBAC<\/b>. Limit who can change presets\/policies; allow developers to triage findings on their projects. Use SSO groups to auto\u2011provision roles and audit changes.<\/p>\n<pre><code class=\"mono\">Role examples: OrgAdmin, ProjectAdmin, Developer, Viewer<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>10) Q&amp;A \u2014 \u201cHow do I balance speed vs accuracy?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Use <b>incremental scans<\/b> and <b>PR checks<\/b> for fast feedback, then schedule <b>full scans<\/b> off the critical path. Tune presets by language, gate only on new High\/Critical issues, and surface developer education links to reduce noise over time.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 2 ===================== --><\/p>\n<div class=\"section-title\">Section 2 \u2014 Core Scanners &#038; Rules<\/div>\n<div class=\"card bg-blue\">\n<h3>11) SAST Basics<\/h3>\n<p>Static Application Security Testing reasons about source\/bytecode to identify flow\u2011based issues like SQLi, XSS, SSRF, path traversal, and insecure deserialization. 
It models sources, sanitizers, and sinks. Results include CWE, severity, confidence, and trace.<\/p>\n<pre><code class=\"mono\"># CLI (illustrative)\r\ncheckmarx ast sast --project MyApp --src . --language java<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>12) SCA (Open\u2011Source Risk)<\/h3>\n<p>Software Composition Analysis detects vulnerable dependencies and license risks. It parses manifests\/lockfiles, maps versions to known advisories, and proposes upgrades or temporary suppressions. Pair with renovate\/dependabot to auto\u2011remediate.<\/p>\n<pre><code class=\"mono\">checkmarx ast sca --project MyApp --src .\r\n# Focus on new vulns introduced by your PR<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>13) IaC &#038; Cloud Config<\/h3>\n<p>Scan Terraform, CloudFormation, Kubernetes YAML, and similar for misconfigurations (public buckets, open security groups, privilege escalation). Shift\u2011left: scan PRs before merge and enforce baselines per environment.<\/p>\n<pre><code class=\"mono\">checkmarx ast iac --path infra\/\r\n-- Example rule: deny 0.0.0.0\/0 on ingress<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>14) API &#038; Web App Checks<\/h3>\n<p>Augment static checks with API specification validation (e.g., attack surface from OpenAPI) and dynamic tests where appropriate. Use static findings to prioritize endpoints and enforce authentication\/authorization patterns in code.<\/p>\n<pre><code class=\"mono\"># Concept: validate OpenAPI\r\ncheckmarx ast api --spec api.yaml --project MyApp<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>15) Secrets Detection<\/h3>\n<p>Identify hardcoded credentials, tokens, and keys in code and history. Block secrets at PR time, rotate exposed keys, and add pre\u2011commit hooks to prevent recurrence. 
Integrate with vaults to remove secrets from code.<\/p>\n<pre><code class=\"mono\">checkmarx ast secrets --src .\r\n# Add pre\u2011commit hook to scan staged files<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>16) Query Language &#038; Rules<\/h3>\n<p>Security queries capture patterns of insecure flows. Start with vendor presets, then craft custom rules for frameworks, internal libraries, and company\u2011specific sinks\/sanitizers. Version and test rules alongside application code.<\/p>\n<pre><code class=\"mono\"># Pseudo rule idea\r\nRULE: Java SQLi \u2192 source(req.getParameter) \u2192 sink(Statement.execute)<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>17) Taint Flow Modeling<\/h3>\n<p>Taint analysis traces untrusted data from sources to sinks through sanitizers\/validators. Accurate models depend on recognizing framework methods (e.g., Spring, Express) and your helper libs. Extend models to reduce false positives and catch real issues.<\/p>\n<pre><code class=\"mono\">source: HttpServletRequest#getParameter\r\nsanitizer: PreparedStatement#setString\r\nsink: Statement#execute<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>18) Custom Rules &#038; FP Tuning<\/h3>\n<p>Suppress noisy findings with narrowly\u2011scoped ignores, not global disables. Prefer code fixes or sanitizer annotations over blanket suppressions. Keep an <b>audit log<\/b> explaining why each suppression is safe.<\/p>\n<pre><code class=\"mono\">\/\/ Example inline suppression (conceptual)\r\n\/\/ checkmarx:ignore-next-line reason=\"validated by schema\"\r\nexecute(query)<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>19) Severity, Confidence &#038; Prioritization<\/h3>\n<p>Prioritize by severity (impact), confidence (likelihood), exploitability, and reachability. Gate builds on <b>new<\/b> high\u2011risk findings to avoid legacy backlogs blocking delivery. 
Use ticket aging\/SLA to drive remediation.<\/p>\n<pre><code class=\"mono\">Policy example: New High\/Critical = fail; Medium = warn; Low = pass<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>20) Q&amp;A \u2014 \u201cShould I enable every rule?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> No. Start with a curated baseline tuned to your languages\/frameworks. Expand gradually as teams harden code. Over\u2011broad rulesets cause alert fatigue and increase MTTR.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 3 ===================== --><\/p>\n<div class=\"section-title\">Section 3 \u2014 CI\/CD Integration &#038; Dev Workflow<\/div>\n<div class=\"card bg-blue\">\n<h3>21) CLI &#038; Auth<\/h3>\n<p>Use the vendor CLI in CI. Authenticate via token\/SSO, set the project key, and configure branch context. Cache the binary and language caches to accelerate jobs.<\/p>\n<pre><code class=\"mono\">checkmarx auth --api-url $CX_URL --tenant $TENANT --token $TOKEN\r\ncheckmarx ast scan --project MyApp --branch $CI_COMMIT_BRANCH<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>22) GitHub Actions<\/h3>\n<p>Add jobs that run on pull_request, upload SARIF\/annotations, and enforce policies. Reuse composite actions across repos and pin action SHAs for supply\u2011chain safety.<\/p>\n<pre><code class=\"mono\">name: security\r\non: [pull_request]\r\njobs:\r\n  checkmarx:\r\n    runs-on: ubuntu-latest\r\n    steps:\r\n      - uses: actions\/checkout@v4\r\n      - uses: actions\/setup-node@v4\r\n      - run: npm ci --ignore-scripts\r\n      - run: checkmarx ast scan --project ${{ github.repository }} --src .<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>23) GitLab CI<\/h3>\n<p>Run scans in merge requests and block on policies. 
Use artifacts to persist results and dashboards to visualize risk by group\/project.<\/p>\n<pre><code class=\"mono\">security:\r\n  image: security\/checkmarx-cli:1\r\n  script:\r\n    - checkmarx ast scan --project $CI_PROJECT_PATH --src .\r\n  rules:\r\n    - if: '$CI_PIPELINE_SOURCE == \"merge_request_event\"'<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>24) Jenkins Pipelines<\/h3>\n<p>Install CLI on agents or use a container step. Fail stages on gated findings and publish HTML\/SARIF to artifacts. Parameterize project\/branch to reuse pipeline across services.<\/p>\n<pre><code class=\"mono\">pipeline {\r\n  stages {\r\n    stage('SAST') {\r\n      steps { sh 'checkmarx ast scan --project MyApp --src . --branch ${BRANCH_NAME}' }\r\n    }\r\n  }\r\n}<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>25) Azure DevOps<\/h3>\n<p>Use pipelines to run scans on PRs and main. Post comments to pull requests and create work items for high\u2011risk issues. Store tokens in variable groups or Key Vault.<\/p>\n<pre><code class=\"mono\">- stage: Security\r\n  jobs:\r\n    - job: SAST\r\n      steps:\r\n        - script: checkmarx ast scan --project $(Build.Repository.Name) --src .<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>26) Bitbucket Pipelines<\/h3>\n<p>Containerize the CLI and run on pull\u2011requests. Use build status to block merges if policies fail. Cache dependencies to speed up scans.<\/p>\n<pre><code class=\"mono\">pipelines:\r\n  pull-requests:\r\n    '**':\r\n      - step:\r\n          image: security\/checkmarx-cli:1\r\n          script:\r\n            - checkmarx ast scan --project $BITBUCKET_REPO_FULL_NAME --src .<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>27) PR Decoration &#038; SARIF<\/h3>\n<p>Publish SARIF\/annotations so developers see findings inline. 
Link to training for each CWE and suggest safe fixes or framework idioms (e.g., parameterized queries, encoding\/escaping).<\/p>\n<pre><code class=\"mono\"># Example upload step (conceptual)\r\ncheckmarx ast results --format sarif &gt; results.sarif\r\nupload-sarif results.sarif<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>28) Incremental Scanning<\/h3>\n<p>Scan only changed files\/paths to reduce PR latency while maintaining full scans on schedules. Combine with caching and per\u2011language build artifacts to reach sub\u2011minute feedback where possible.<\/p>\n<pre><code class=\"mono\">checkmarx ast scan --incremental --base main --head $CI_COMMIT_SHA<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>29) Baselines, Gates &#038; SLAs<\/h3>\n<p>Set a baseline on <em>main<\/em>, gate PRs on <b>new<\/b> High\/Critical issues only, and track remediation SLAs by severity. Celebrate burn\u2011down in dashboards and add security debt to planning.<\/p>\n<pre><code class=\"mono\"># Policy (pseudo)\r\nnew.high &gt; 0 \u2192 fail\r\nnew.medium &gt; 5 \u2192 warn\r\nlicense: disallow GPL\u20113.0 in prod<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>30) Q&amp;A \u2014 \u201cHow to prevent security from blocking delivery?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Gate on <b>new<\/b> risk, use incremental scans, provide inline guidance, and track SLAs. Reserve stricter gates for high\u2011risk services while giving others a grace period with strong observability.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 4 ===================== --><\/p>\n<div class=\"section-title\">Section 4 \u2014 Governance, Risk &#038; Reporting<\/div>\n<div class=\"card bg-blue\">\n<h3>31) Policies &#038; Thresholds<\/h3>\n<p>Define organization policies: severities, confidence levels, license allow\/deny lists, and environment\u2011specific baselines. 
Version them as code and enforce via CI to keep behavior consistent across repos.<\/p>\n<pre><code class=\"mono\">policy:\r\n  fail_on:\r\n    - severity: HIGH\r\n      scope: new\r\n    - license: GPL-3.0<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>32) Triage &#038; Workflow<\/h3>\n<p>Route findings to code owners, auto\u2011create tickets for High issues, and permit time\u2011boxed suppressions with justification. Require a second\u2011pair review for dismissals. Keep an audit trail for compliance.<\/p>\n<pre><code class=\"mono\"># Ticket fields\r\ncomponent, CWE, file:line, severity, fix suggestion, SLA<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>33) Compliance Mapping<\/h3>\n<p>Map controls\/findings to frameworks (OWASP ASVS, ISO 27001, SOC 2). Use reports showing coverage over time, remediation trends, and policy adherence. Link code reviews and training completion to demonstrate due diligence.<\/p>\n<pre><code class=\"mono\">report --framework OWASP-ASVS --period last-90d<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>34) Reports &#038; Dashboards<\/h3>\n<p>Dashboards should answer: What\u2019s our risk by service? What\u2019s new vs legacy? How fast do teams remediate? Provide filters by org\/team\/repo\/label and export PDFs\/CSV for audits.<\/p>\n<pre><code class=\"mono\">metrics: p95 PR scan time, new vulns\/week, SLA breach count<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>35) Ticketing &#038; Workflow Tools<\/h3>\n<p>Integrate with Jira\/Azure Boards. Auto\u2011assign based on code ownership, add labels (security, CWE\u201179), and attach traces. 
Transition tickets when scans verify the fix on the branch that closes the issue.<\/p>\n<pre><code class=\"mono\">jira create --project SEC --summary \"CWE\u201189 in OrdersService\" --assignee @team<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>36) Notifications &#038; Webhooks<\/h3>\n<p>Send high\u2011priority alerts to on\u2011call channels, but reserve noisy info for digests. Use webhooks to trigger playbooks (e.g., rotate secrets, block deploy) when certain findings appear in protected branches.<\/p>\n<pre><code class=\"mono\">webhook: on finding where severity=Critical and branch=main \u2192 call \/rotate\u2011key<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>37) Multi\u2011Tenant &#038; Environments<\/h3>\n<p>Separate dev\/stage\/prod projects or tags to avoid cross\u2011contamination. For MSPs or large orgs, use folders\/tenants to isolate access, policies, and reporting. Standardize presets per environment.<\/p>\n<pre><code class=\"mono\">project: MyApp\u2011prod  | preset: strict\r\nproject: MyApp\u2011dev   | preset: fast\u2011feedback<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>38) REST APIs<\/h3>\n<p>Automate at scale: create projects, trigger scans, fetch results, and push metrics to BI. Respect rate limits and auth scopes; rotate tokens and store them securely. Prefer server\u2011to\u2011server workflows behind CI\/CD.<\/p>\n<pre><code class=\"mono\">GET \/api\/projects\/{id}\/results?format=sarif\r\nAuthorization: Bearer &lt;token&gt;<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>39) Data &#038; Privacy<\/h3>\n<p>Decide whether source code leaves your network (SaaS) or stays on\u2011prem. For sensitive repos, use self\u2011hosted scanners and outbound\u2011restricted egress. 
Scrub PII from logs and respect legal hold requirements for exports.<\/p>\n<pre><code class=\"mono\">logging: redact tokens, emails, secrets; set retention 90d<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>40) Q&amp;A \u2014 \u201cHow do I measure program health?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Track <b>new<\/b> High findings per KLOC, median remediation time, PR scan latency, SLA adherence, and % repos under policy. Trend them monthly and review in engineering leadership forums.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 5 ===================== --><\/p>\n<div class=\"section-title\">Section 5 \u2014 Security, Testing, Deployment, Observability &#038; Interview Q&amp;A<\/div>\n<div class=\"card bg-blue\">\n<h3>41) Secure Deployment<\/h3>\n<p>For self\u2011managed: isolate scanners and API components, encrypt traffic, restrict admin consoles, and back up configuration and results. Use infrastructure\u2011as\u2011code and immutable images for repeatability.<\/p>\n<pre><code class=\"mono\">network:\r\n  ingress: allow CI, SCM\r\n  egress: allow updates, block internet by default<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>42) Access Control &#038; SSO<\/h3>\n<p>Integrate with SSO (OIDC\/SAML). Map groups to roles, enforce MFA, and require device trust for admin access. Enable audit logs and review role changes regularly.<\/p>\n<pre><code class=\"mono\">roles:\r\n  - name: OrgAdmin\r\n  - name: ProjectAdmin\r\n  - name: Developer<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>43) Testing Strategy<\/h3>\n<p>Combine unit tests with secure coding checks in CI. Add security unit tests for sanitizers\/validators, and regression tests for fixed CWEs. 
Validate that risky code paths have tests before closing tickets.<\/p>\n<pre><code class=\"mono\">test('escapes html', () =&gt; {\r\n  expect(escape('&lt;script&gt;')).toBe('&amp;lt;script&amp;gt;')\r\n})<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>44) Developer Education<\/h3>\n<p>Link findings to short, framework\u2011specific lessons. Track completion and reduction in repeat CWEs per team. Bake secure patterns into templates and internal libraries developers can reuse.<\/p>\n<pre><code class=\"mono\">lesson: CWE\u201179 in React \u2192 use dangerouslySetInnerHTML? Avoid; prefer encoding<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>45) Performance &#038; Scan Tuning<\/h3>\n<p>Cache dependencies, enable incremental scans on PRs, and shard monorepos into per\u2011service scans. Disable expensive rules irrelevant to your stack. Monitor scan duration and keep PR checks under a target (e.g., &lt; 5 minutes).<\/p>\n<pre><code class=\"mono\">-- Focus scans by path\r\n--include src\/,app\/ --exclude dist\/,node_modules\/<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>46) Upgrades &#038; Migrations<\/h3>\n<p>Test new engine versions on a canary set of repos, compare findings, and adjust presets. Communicate changes to developers and update documentation\/screenshots. Keep rollback plans for critical pipelines.<\/p>\n<pre><code class=\"mono\">canary_repos: [ payments, accounts, checkout ]<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>47) Observability<\/h3>\n<p>Ship scanner metrics (duration, queue time, errors) and platform logs to your observability stack. Set SLOs for PR latency and error budgets. 
Alert on spikes in failures or missing results uploads.<\/p>\n<pre><code class=\"mono\">metrics: pr_scan_seconds, scans_failed_total, findings_new_high_total<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange tight\">\n<h3>48) Prod Checklist<\/h3>\n<ul>\n<li>Policies as code, versioned and reviewed<\/li>\n<li>PR gates on new High\/Critical findings<\/li>\n<li>SSO + RBAC + audit logging<\/li>\n<li>Secrets scanning and key rotation<\/li>\n<li>Regular engine upgrades and canaries<\/li>\n<li>Dashboards for MTTR and SLA<\/li>\n<\/ul><\/div>\n<div class=\"card bg-indigo\">\n<h3>49) Common Pitfalls<\/h3>\n<p>Enabling too many rules at once, gating on legacy debt, ignoring IaC\/secret risk, and leaving policies undocumented. Fix by iterating presets, gating only on new risk, and educating developers with concise tips.<\/p>\n<\/p><\/div>\n<div class=\"card bg-emerald qa\">\n<h3>50) Interview Q&amp;A \u2014 20 Practical Questions (Expanded)<\/h3>\n<p><b>1) Why an AST platform?<\/b> Unified policy, reporting, and developer workflow across SAST\/SCA\/IaC.<\/p>\n<p><b>2) SAST vs SCA?<\/b> Code flows vs dependency advisories\/licenses; both needed.<\/p>\n<p><b>3) Gate strategy?<\/b> Block on <em>new<\/em> High\/Critical; warn on Medium; report Low.<\/p>\n<p><b>4) Reduce false positives?<\/b> Tune presets, model sanitizers, and add targeted suppressions.<\/p>\n<p><b>5) Handle secrets?<\/b> Scan PRs and history; rotate exposed keys; add pre\u2011commit hooks.<\/p>\n<p><b>6) IaC priorities?<\/b> Network exposure, identity permissions, storage encryption.<\/p>\n<p><b>7) Incremental vs full?<\/b> Incremental for PR speed; scheduled full for coverage.<\/p>\n<p><b>8) Custom rules?<\/b> Capture internal frameworks and sinks; version with code.<\/p>\n<p><b>9) Data residency?<\/b> Choose SaaS vs self\u2011managed per compliance needs.<\/p>\n<p><b>10) License compliance?<\/b> Enforce allow\/deny and generate SBOMs.<\/p>\n<p><b>11) Developer buy\u2011in?<\/b> Inline annotations, fast 
feedback, and training links.<\/p>\n<p><b>12) Prioritization?<\/b> Severity \u00d7 confidence \u00d7 reachability \u00d7 asset criticality.<\/p>\n<p><b>13) Monorepo tips?<\/b> Path filters, per\u2011service projects, caching.<\/p>\n<p><b>14) Measuring success?<\/b> MTTR, new high findings, % repos gated, PR latency.<\/p>\n<p><b>15) Onboarding new repos?<\/b> Baseline scan, set policies, assign owners.<\/p>\n<p><b>16) Handling legacy debt?<\/b> Baseline + backlog epics + time\u2011boxed remediation.<\/p>\n<p><b>17) API usage?<\/b> Automate scans, fetch SARIF, push to BI dashboards.<\/p>\n<p><b>18) Secrets sprawl?<\/b> Move to vaults and short\u2011lived tokens.<\/p>\n<p><b>19) SLAs?<\/b> Critical: 24\u201372h, High: 7d, Medium: 30d (example targets).<\/p>\n<p><b>20) When not to block?<\/b> Low\u2011risk PRs on non\u2011critical services; log and monitor.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Checkmarx Pocket Book \u2014 Uplatz 50 deep-dive flashcards \u2022 Wide layout \u2022 Fewer scrolls \u2022 20+ Interview Q&amp;A \u2022 Readable code examples Section 1 \u2014 Fundamentals 1) What is Checkmarx? 
<span class=\"readmore\"><a href=\"https:\/\/uplatz.com\/blog\/checkmarx-pocket-book\/\">Read More &#8230;<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":4898,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2522,2462],"tags":[],"class_list":["post-4723","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-checkmarx","category-pocket-book"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Checkmarx Pocket Book | Uplatz Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/uplatz.com\/blog\/checkmarx-pocket-book\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Checkmarx Pocket Book | Uplatz Blog\" \/>\n<meta property=\"og:description\" content=\"Checkmarx Pocket Book \u2014 Uplatz 50 deep-dive flashcards \u2022 Wide layout \u2022 Fewer scrolls \u2022 20+ Interview Q&amp;A \u2022 Readable code examples Section 1 \u2014 Fundamentals 1) What is Checkmarx? 
Read More ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/uplatz.com\/blog\/checkmarx-pocket-book\/\" \/>\n<meta property=\"og:site_name\" content=\"Uplatz Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Uplatz-1077816825610769\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-22T09:54:55+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-28T02:34:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/27.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"720\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"uplatzblog\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@uplatz_global\" \/>\n<meta name=\"twitter:site\" content=\"@uplatz_global\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"uplatzblog\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/\"},\"author\":{\"name\":\"uplatzblog\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/person\\\/8ecae69a21d0757bdb2f776e67d2645e\"},\"headline\":\"Checkmarx Pocket Book\",\"datePublished\":\"2025-08-22T09:54:55+00:00\",\"dateModified\":\"2025-08-28T02:34:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/\"},\"wordCount\":2013,\"publisher\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/27.png\",\"articleSection\":[\"Checkmarx\",\"Pocket Book\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/\",\"name\":\"Checkmarx Pocket Book | Uplatz 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/27.png\",\"datePublished\":\"2025-08-22T09:54:55+00:00\",\"dateModified\":\"2025-08-28T02:34:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/#primaryimage\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/27.png\",\"contentUrl\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/27.png\",\"width\":1280,\"height\":720,\"caption\":\"Checkmarx Pocket Book\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/checkmarx-pocket-book\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Checkmarx Pocket Book\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/\",\"name\":\"Uplatz Blog\",\"description\":\"Uplatz is a global IT Training &amp; Consulting 
company\",\"publisher\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#organization\",\"name\":\"uplatz.com\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2016\\\/11\\\/Uplatz-Logo-Copy-2.png\",\"contentUrl\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2016\\\/11\\\/Uplatz-Logo-Copy-2.png\",\"width\":1280,\"height\":800,\"caption\":\"uplatz.com\"},\"image\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/Uplatz-1077816825610769\\\/\",\"https:\\\/\\\/x.com\\\/uplatz_global\",\"https:\\\/\\\/www.instagram.com\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/7956715?trk=tyah&amp;amp;amp;amp;trkInfo=clickedVertical:company,clickedEntityId:7956715,idx:1-1-1,tarId:1464353969447,tas:uplatz\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/person\\\/8ecae69a21d0757bdb2f776e67d2645e\",\"name\":\"uplatzblog\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7f814c72279199f59ded4
418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g\",\"caption\":\"uplatzblog\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}