Guide

Importing SAST Results from SonarQube and Checkmarx




About this guide

Connect a static analysis vendor, pick a project, and land taint-flow evidence into one deduplicated finding queue.

This guide shows how to bring SonarQube or Checkmarx SAST results into PMAP. You identify your connector archetype, connect the vendor with credentials encrypted at rest, verify it with an inline connection test, and use the project picker to choose the right scan and route its findings to the correct company and project. You also see how SAST differs from a network scan.

Figure: The Integrations marketplace filtered to the SAST category, showing SonarQube, Checkmarx SAST, Checkmarx One, and Fortify tiles with last-tested timestamps.

It is written for application security teams unifying static analysis with the rest of their findings. By the end you can import results through the correlation engine so each real issue is created, updated, or reopened exactly once, confirm that file and line, rule key, taint flow, and code snippet land intact on every finding, schedule recurring imports with cron, wire a CI/CD gate on pull requests, and review the per-severity delta after each wave.

Inside this guide

  • Understand how SAST differs from a network scan and identify your connector archetype.
  • Connect SonarQube or Checkmarx with credentials encrypted at rest and test it inline.
  • Pick the project or scan and route findings with a severity threshold to the right tenant.
  • Run the import through correlation so each issue is created, updated, or reopened once.
  • Confirm taint-flow and code-snippet evidence on every finding.
  • Backfill historical scans on onboarding and schedule recurring imports.
  • Gate pull requests with a CI/CD check and review the per-severity delta.

Before you start

  • A PMAP account with integration create and edit rights, plus finding read access in the target company scope.
  • A reachable SonarQube server or Checkmarx instance and a service account token with read access to the relevant projects.
  • The minimum severity policy you want at ingest, since the integration applies an import_severity_threshold before correlation.
  • The PMAP company and project that imported findings should land in, so multi-tenant routing is unambiguous.
  • An SCA integration if you also want a transitive dependency graph alongside SAST taint flow.
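The two behaviours named above, the import_severity_threshold applied before correlation and the correlation engine creating, updating or reopening each real issue exactly once, modelled as an added Python example. This is not PMAP's or SonarQube's code: the fingerprint (rule key + file + line), the severity ranking and the scan records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4}  # SonarQube names; order assumed

@dataclass
class Finding:
    fingerprint: str
    severity: str
    status: str = "open"   # "open" or "resolved"

def fingerprint(issue: dict) -> str:
    # Hypothetical correlation key (rule key + file + line); PMAP's real key is not on the page.
    return f"{issue['rule']}|{issue['component']}|{issue.get('line')}"

def correlate(issues: list, store: dict, threshold: str = "MAJOR") -> dict:
    """Drop issues below the threshold, then create/update/reopen each finding once."""
    outcome = {"created": 0, "updated": 0, "reopened": 0, "dropped": 0}
    handled = set()
    for issue in issues:
        if SEVERITY_RANK[issue["severity"]] < SEVERITY_RANK[threshold]:
            outcome["dropped"] += 1
            continue
        fp = fingerprint(issue)
        if fp in handled:            # same issue reported twice in one scan
            continue
        handled.add(fp)
        existing = store.get(fp)
        if existing is None:
            store[fp] = Finding(fp, issue["severity"])
            outcome["created"] += 1
        elif existing.status == "resolved":   # came back after being closed
            existing.status, existing.severity = "open", issue["severity"]
            outcome["reopened"] += 1
        else:
            existing.severity = issue["severity"]
            outcome["updated"] += 1
    return outcome

# Constructed records shaped like SonarQube issues; not output from a real server.
SCAN = [
    {"rule": "example:taint-001", "component": "src/login.py", "line": 42, "severity": "CRITICAL"},
    {"rule": "example:taint-001", "component": "src/login.py", "line": 42, "severity": "CRITICAL"},
    {"rule": "example:taint-002", "component": "src/search.py", "line": 7, "severity": "MAJOR"},
    {"rule": "example:style-003", "component": "src/util.py", "line": 3, "severity": "MINOR"},
    {"rule": "example:taint-004", "component": "src/upload.py", "line": 19, "severity": "BLOCKER"},
]

def demo():
    # One import wave against a store holding one resolved and one open finding.
    store = {fingerprint(SCAN[2]): Finding(fingerprint(SCAN[2]), "MAJOR", "resolved"),
             fingerprint(SCAN[4]): Finding(fingerprint(SCAN[4]), "CRITICAL")}
    return correlate(SCAN, store), store   # 1 created, 1 updated, 1 reopened, 1 dropped
```

The duplicate record in the wave is counted once, the MINOR record never reaches correlation, and the previously resolved finding is reopened rather than duplicated.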
