Checkmarx Interview Guide

🟢 Easy (Basics)

1. Checkmarx?
Commercial application security platform; its core is a SAST engine that scans source code for vulnerability patterns (injection, XSS, etc.), with SCA and other scanners alongside.
2. SAST vs SCA?
SAST analyzes your own source for flaws (data flowing from untrusted sources to dangerous sinks); SCA inventories third‑party dependencies and flags known CVEs and license issues.
3. Integrations?
IDE plugins for feedback while coding, CI/CD pipelines, pull‑request gating, issue trackers, and management dashboards.
4. Triage?
Prioritize by severity and CWE, confirm exploitability (is the source‑to‑sink path reachable and unsanitized?), then mark true false positives Not Exploitable with a written rationale so the decision is auditable.
5. Policies?
Org‑wide rules for when a scan fails the build, e.g. any new High finding, or Medium count above a threshold.

🟡 Medium (Hands‑on)

1. Reduce false positives?
Tune or disable noisy queries; write custom queries (CxQL) that model the app's own sanitizers and frameworks; validate that a flagged source/sink pair is real, i.e. tainted data actually reaches the sink without sanitization.
2. Scale?
Central policies and presets, developer training, remediation SLAs per severity.
3. Performance?
Incremental scans on changed code, cached scan data, and excluding test, vendor and generated directories.
4. Compliance?
Map findings to the required frameworks (OWASP Top 10, CIS, PCI DSS) via presets and report coverage per framework.
5. Workflow?
Auto‑create tickets in the issue tracker; track mean time to remediate (MTTR); verify each fix with a re‑scan before closing.
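The source/sink validation in Medium question 1, as an added example that is not Checkmarx code or CxQL: a toy taint tracker over Python's ast module that shows the source/sink/sanitizer model a SAST query encodes, and why a sanitizer the tool does not know about becomes a false positive. The source, sink and sanitizer names are assumptions for a Flask plus DB‑API style app; the sample snippet under review is constructed.

```python
"""Toy source -> sink taint tracker over Python's ast module.

Added example, not Checkmarx code. Source, sink and sanitizer names
are assumptions for a Flask + DB-API style app.
"""
import ast

SOURCES = {"request.args.get", "request.form.get", "input"}
# sink name -> index of the argument that must not carry tainted data
SINKS = {"cursor.execute": 0, "os.system": 0}
# calls that cut a taint flow: int() rejects non-numeric input, shlex.quote escapes for the shell
SANITIZERS = {"int", "shlex.quote"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    """Linear, intra-procedural: no branches, loops or cross-function calls modelled."""

    def __init__(self):
        self.tainted = set()   # variables currently holding source-derived data
        self.findings = []     # (line, sink) pairs: tainted data reached a sink

    def is_tainted(self, node):
        """Does this expression carry unsanitized source data?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            fn = dotted_name(node.func)
            if fn in SOURCES:
                return True
            if fn in SANITIZERS:
                return False           # sanitizer breaks the flow
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.JoinedStr):   # f-string
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):       # "ping " + host
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        return False                           # constants, tuples, etc.

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = dotted_name(node.func)
        idx = SINKS.get(fn)
        if idx is not None and len(node.args) > idx and self.is_tainted(node.args[idx]):
            self.findings.append((node.lineno, fn))
        self.generic_visit(node)


def analyze(source):
    """Return [(line, sink), ...] for every tainted flow into a sink."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed sample under review (not from any real project).
SAMPLE = '''\
uid = request.args.get("id")
cursor.execute(f"SELECT * FROM users WHERE id = {uid}")        # true positive
cursor.execute("SELECT * FROM users WHERE id = ?", (uid,))     # parameterized: safe
safe_id = int(request.args.get("id"))
cursor.execute(f"SELECT * FROM users WHERE id = {safe_id}")    # sanitized: no finding
name = "admin"
cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")   # constant: no finding
'''

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}")
```

Only line 2 of the sample is reported. Remove `int` from SANITIZERS and line 5 is reported too: that is exactly the false positive a custom query fixes by teaching the engine about the sanitizer, and exactly the check a triager performs by hand when validating a source/sink pair.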

🔴 Hard (Advanced)

1. Monorepo?
Scan only the components a PR touches (path filters or one project per module) and aggregate the results in a single dashboard for org‑wide visibility.
2. Embed in SDLC?
Fast incremental scans as PR gates for immediate feedback, plus full nightly deep scans to catch what the incremental run misses.
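A PR gate enforcing an org policy (Easy question 5 and the PR‑gate answer above), as an added example that is not Checkmarx's own CLI, plugin or results schema: the JSON shape and field names are assumptions standing in for a results export. The gate counts only findings that are still open and refuses to honour a Not Exploitable suppression with no written rationale, so the triage rule is enforced mechanically rather than by convention.

```python
"""Policy gate for a PR pipeline: fail when open findings exceed the org policy.

Added example, not Checkmarx's CLI/API. The results format is a constructed,
simplified stand-in; field names are assumptions, not a Checkmarx schema.
"""
import json
import sys

# Constructed sample export (assumed shape).
SAMPLE_RESULTS = json.dumps({
    "results": [
        {"id": "r1", "severity": "HIGH", "cwe": 89, "state": "TO_VERIFY", "comment": ""},
        {"id": "r2", "severity": "HIGH", "cwe": 79, "state": "NOT_EXPLOITABLE",
         "comment": "Output is HTML-escaped by the template engine; reviewed by AppSec"},
        {"id": "r3", "severity": "HIGH", "cwe": 502, "state": "NOT_EXPLOITABLE", "comment": ""},
        {"id": "r4", "severity": "MEDIUM", "cwe": 22, "state": "TO_VERIFY", "comment": ""},
        {"id": "r5", "severity": "LOW", "cwe": 209, "state": "CONFIRMED", "comment": ""},
    ]
})

# Org-wide policy: maximum number of *open* findings allowed per severity.
POLICY = {"HIGH": 0, "MEDIUM": 10}
MIN_RATIONALE_CHARS = 20   # a suppression without a real justification does not count


def is_open(finding):
    """A finding is open unless it is suppressed with a written rationale."""
    if finding["state"] != "NOT_EXPLOITABLE":
        return True
    return len(finding.get("comment", "").strip()) < MIN_RATIONALE_CHARS


def evaluate(results_json, policy=POLICY):
    """Return (passed, open_counts_by_severity, ids_of_suppressions_lacking_rationale)."""
    data = json.loads(results_json)
    open_counts = {}
    bad_suppressions = []
    for f in data["results"]:
        if not is_open(f):
            continue                       # properly suppressed: does not count
        if f["state"] == "NOT_EXPLOITABLE":
            bad_suppressions.append(f["id"])   # suppressed, but with no rationale
        open_counts[f["severity"]] = open_counts.get(f["severity"], 0) + 1
    passed = all(open_counts.get(sev, 0) <= limit for sev, limit in policy.items())
    return passed, open_counts, bad_suppressions


if __name__ == "__main__":
    passed, counts, bad = evaluate(SAMPLE_RESULTS)
    print("open findings by severity:", counts)
    if bad:
        print("suppressed without rationale (treated as open):", ", ".join(bad))
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)   # non-zero exit fails the PR check
```

On the sample the gate fails: r1 is an untriaged High and r3 is a High suppressed with an empty comment, so two Highs are open against a limit of zero, while r2's suppression is accepted. Checkmarx's CI integrations can enforce severity thresholds themselves; the value of owning the gate logic is being able to encode house rules such as the rationale requirement.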

🧪 Scenario Questions & Answers

1. Too many findings.
Fix Highs first; formally risk‑accept Mediums with an owner and an expiry date rather than silently ignoring them; baseline the backlog so the gate only blocks new findings.
2. Teams ignore tickets.
Add build gates so new findings cannot be merged, coach teams with sample fixes for their top CWEs, and track per‑team SLAs.
3. Legacy app.
Baseline the existing findings, gate only on new ones, then remediate the backlog iteratively by severity.

Generated for quick interview revision — basics, hands-on, advanced, and scenarios.