Checkmarx Pipeline Enforcement FAQ - V 1

Below are frequently asked questions regarding Checkmarx (Checkmarx Docs).

Q: Why are we starting to block pipelines with unresolved vulnerabilities?

Protecting NetApp systems and infrastructure from ongoing security threats is a shared responsibility. Checkmarx has been running in "Warning" mode since May 2025 to get developers used to seeing what vulnerabilities exist in their code and to take steps to remediate them. Now that developers have had several months to act on reducing their vulnerabilities, it is time to move to the next phase of the Checkmarx rollout to ensure that we further reduce the number of vulnerable applications deployed in our environment.

Q: The detection date for all vulnerabilities will be reset on Aug 21, 2025. What does that mean?

Part of the enforcement phase of the Checkmarx rollout includes creating ServiceNow Vulnerability tickets when critical and high vulnerabilities are detected during weekly runtime scans. Since this enforcement phase is beginning on Aug 21, 2025, we need to use that date as the baseline to give developers ample time to remediate existing vulnerabilities.

Q: What's the earliest date that my pipeline might get blocked?

Unresolved critical vulnerabilities must be resolved within 30 days, while unresolved high vulnerabilities must be resolved within 60 days. That means Sept 20, 2025 would be the first date that a pipeline would be blocked due to unresolved critical vulnerabilities.

Q: Will my application stop running if my pipeline is blocked?

No! The blocking only applies to NEW production deployments. That said, if a new deployment is necessary to keep an application running, vulnerabilities will need to be remediated or have an approved exception in place to allow the pipeline to proceed.

Q: What if the critical and/or high vulnerabilities detected aren't exploitable?

Follow the process outlined in our documentation to propose that a vulnerability is not exploitable, which requires team lead approval. If approved, the vulnerability will be excluded when evaluating whether a pipeline should be blocked.

Q: I have an important deployment coming up and won't be able to remediate the critical or high vulnerabilities in time. What do I do?

Follow the process in our documentation to request an application exception, which requires VP approval. An approved exception will be valid for a maximum of 90 days to prevent abuse of the exception process.

Q: I still have questions or concerns about this process. Who can I contact?

Send an email to ng-it-devexp@netapp.com and a member of the Development Platform Engineering team will work with you to address your concerns.