Contact Details
wessel.terpstra@vattenfall.com
What problem does this solve?
Summary
The Checkmarx One ADO extension exposes a scan task that synchronously waits for results. The CLI supports pull request annotation via cx utils pr, but the extension does not expose this. This feature request asks for PR decoration to be added as optional inputs to the existing scan task.
Problem
The cx utils pr command posts scan findings as PR comments, surfacing security results directly in the code review workflow. In Azure DevOps, calling this manually is not feasible for extension users: the service connection is intentionally opaque, and the underlying credentials are not exposed to pipeline authors. There is no supported path to PR decoration, despite the CLI fully supporting it.
Why This Matters
Shifting security feedback into the PR review loop is a core value proposition of Checkmarx One. The CLI already supports it; the ADO extension just needs to expose it. For organizations managing many teams across ADO, a built-in supported option is the only viable path — requiring teams to work around an intentionally opaque service connection is not a solution.
Proposed Solution
Since the scan task already waits for results synchronously, PR decoration can happen within the same step immediately after the scan completes. Extend the existing scan task with optional PR decoration inputs:
- Enable PR Decoration — boolean toggle, off by default
- ADO Token — defaults to $(System.AccessToken), overridable
- PR Number — auto-populated from $(System.PullRequest.PullRequestId), overridable
- Repository — auto-populated from the pipeline's repository variables, overridable
- Severity threshold — optional filter (e.g., High and Critical only)
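To make the proposed step concrete, here is an added illustration of what the decoration logic would do once the scan has finished: apply the severity threshold, render the surviving findings as one Markdown comment, and build the Azure DevOps "Pull Request Threads - Create" request authenticated with System.AccessToken. This is example code written for this request, not code from the Checkmarx extension or CLI. Assumptions: the findings are constructed sample data with flat field names (the CLI's JSON export nests them differently), the scan ID is a placeholder, and CX_PR_THRESHOLD is a hypothetical pipeline variable standing in for the proposed threshold input; the environment variable names used in the main block are ADO's real predefined variables.

```python
import json
import os
import urllib.parse
import urllib.request

# Rank used for the proposed severity-threshold input.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample findings, not real scan output. The flat field names are
# an assumption for this illustration (the CLI's JSON export nests them).
SAMPLE_FINDINGS = [
    {"type": "sast", "severity": "HIGH", "queryName": "SQL_Injection",
     "fileName": "src/db.py", "line": 42},
    {"type": "sca", "severity": "CRITICAL", "queryName": "Vulnerable_Dependency",
     "fileName": "package.json", "line": 12},
    {"type": "sast", "severity": "MEDIUM", "queryName": "Hardcoded_Secret",
     "fileName": "src/config.py", "line": 7},
    {"type": "kics", "severity": "LOW", "queryName": "Public_Storage_Bucket",
     "fileName": "infra/storage.tf", "line": 3},
]


def filter_by_threshold(findings, threshold="HIGH"):
    """Keep findings at or above the threshold; unknown severities rank lowest."""
    minimum = SEVERITY_RANK[threshold.upper()]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"].upper(), 0) >= minimum]


def render_comment(findings, scan_id):
    """Markdown body for the PR comment: highest severity first, one row each."""
    if not findings:
        return f"Checkmarx One scan {scan_id}: no findings at or above the threshold."
    rows = [f"### Checkmarx One scan {scan_id}: {len(findings)} finding(s)", "",
            "| Severity | Engine | Query | Location |", "|---|---|---|---|"]
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"].upper(), 0)):
        rows.append(f"| {f['severity']} | {f['type']} | {f['queryName']} "
                    f"| `{f['fileName']}:{f['line']}` |")
    return "\n".join(rows)


def build_thread_request(collection_uri, project, repo, pr_id, comment, token):
    """Build the ADO 'Pull Request Threads - Create' call (Git REST API 7.1).

    System.AccessToken is presented as a Bearer token, which is how pipeline
    jobs authenticate to their own ADO organization; a PAT would use Basic.
    """
    url = (f"{collection_uri.rstrip('/')}/{urllib.parse.quote(project)}"
           f"/_apis/git/repositories/{urllib.parse.quote(repo)}"
           f"/pullRequests/{int(pr_id)}/threads?api-version=7.1")
    body = {"comments": [{"parentCommentId": 0, "content": comment, "commentType": 1}],
            "status": 1}  # status 1 = active thread; commentType 1 = text
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})


def prepare_decoration(findings, scan_id, threshold, collection_uri, project,
                       repo, pr_id, token):
    """The proposed post-scan step minus the network call: filter, render, build."""
    comment = render_comment(filter_by_threshold(findings, threshold), scan_id)
    return build_thread_request(collection_uri, project, repo, pr_id, comment, token)


if __name__ == "__main__":
    # Inside a pipeline job these are ADO's predefined variables. The access
    # token is not exported automatically; the task must map it, e.g.
    #   env: { SYSTEM_ACCESSTOKEN: $(System.AccessToken) }
    # CX_PR_THRESHOLD is a hypothetical stand-in for the proposed input, and
    # the scan ID is a placeholder for the one the scan task already holds.
    req = prepare_decoration(
        SAMPLE_FINDINGS, "scan-id-placeholder",
        os.environ.get("CX_PR_THRESHOLD", "HIGH"),
        os.environ["SYSTEM_COLLECTIONURI"], os.environ["SYSTEM_TEAMPROJECT"],
        os.environ["BUILD_REPOSITORY_NAME"],
        os.environ["SYSTEM_PULLREQUEST_PULLREQUESTID"],
        os.environ["SYSTEM_ACCESSTOKEN"])
    with urllib.request.urlopen(req) as resp:
        print("PR thread created, HTTP", resp.status)
```

The point of separating request construction from sending is that the task can be unit-tested without a live organization, and that the only secret it touches is the job's own System.AccessToken, which is exactly the token the extension already has access to but pipeline authors do not. The build identity still needs "Contribute to pull requests" on the repository for the POST to succeed.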
Importance Level
Important
Additional Information
Idea portal: https://checkmarx.ideas.aha.io/ideas/AST-I-6242
References
utils pr docs: https://docs.checkmarx.com/en/34965-68653-utils.html