Writing Checkmarx SAST rules

Track: DevSecOps
When: Wed Eve-2
Where: DevSecCon
Organizers: Avi Douglen, Nuno Oliveira
Participants: Stu Hirst, David Cervigni, Toby Shelswell, Luis Saiz
Remote Participants: Ernesto Bethencourt, Harmeet Singh, Sugumaran Uppili


Hands-on session on how to write custom rules for the Checkmarx SAST engine.
In addition to many out-of-the-box queries, Checkmarx supports creating custom queries using its own domain-specific language, CxQL. This allows for very granular queries, as well as complex logic, so that users can find exactly what they are looking for in the codebase.


During this session we will explain the querying logic of CxQL, cover the various atomic queries, and explore some possibilities, as well as tips, common mistakes, integration and automation opportunities, and performance optimization.


The target audience for this session is:
- Developers
- AppSec professionals
- Security champions
- Checkmarx users (or potential users)
- Anyone interested in customizing their SAST approach.