What Changed

The AS-Checkmarx-SAST-Ingestion Playbook (azuredeploy.json) and its README have been updated with the following operational changes:

Schema Fix – CRITICAL severity now captured: The CheckmarxSASTFindings_CL table schema previously described Severity as (HIGH, MEDIUM, LOW, INFO). The schema description and column definition have been corrected to (CRITICAL, HIGH, MEDIUM, LOW, INFO). Findings at CRITICAL severity were ingested as a string value, but the field description was inaccurate. Detection logic that filters on known severity tiers should be reviewed to ensure CRITICAL is included.

Configurable DCE/DCR resource names: Previously, the Data Collection Endpoint and Data Collection Rule names were hardcoded as variables (dce-checkmarx-sast-ingestion, dcr-checkmarx-sast-ingestion). They are now exposed as ARM parameters (DataCollectionEndpointName, DataCollectionRuleName) with the same defaults. This prevents name collision failures when deploying multiple ingestion playbooks into the same resource group. The DCR role assignment GUID derivation has been updated accordingly to reference the parameterized name.

Lookback window reduced from 7 to 2 days: The LookbackDays parameter default has dropped from 7 to 2 days for steady-state daily operation. Existing deployments using the default of 7 will not be affected without redeployment, but operators should note this change when planning new deployments or redeployments.

ScanPageSize and BatchSize moved out of deployment parameters: These two values (ScanPageSize: 100, BatchSize: 200) are now baked into the Logic App Initialize_Variables action rather than exposed as deployment parameters. This reflects that they are constrained by the Checkmarx API contract and DCR limits, not by customer choice. They can still be changed via the Logic App Code view – see Post-Deployment Tuning in the README.

Deploy button URL corrected: The README deploy buttons previously pointed to the author's external repo (AcceleryNT-Security/AS-Checkmarx-SAST-Ingestion). They now point to the canonical Azure/Azure-Sentinel repository path, ensuring Content Hub deployments reference the correct template.
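
For the review suggested under the schema fix, one way to sweep existing rule queries for Severity filters on CheckmarxSASTFindings_CL that select HIGH but leave out CRITICAL. This is an added example, not code from the playbook or the repository; the sample queries are constructed, and the "HIGH without CRITICAL" heuristic and the function names are assumptions.

```python
import re

TABLE = "CheckmarxSASTFindings_CL"  # table name taken from the page

# Matches: Severity <op> ("A", "B")   or   Severity <op> "A"
_FILTER = re.compile(
    r'\bSeverity\s*(?P<op>!in~?|in~?|has_any|!=|!~|==|=~)\s*'
    r'(?P<vals>\([^)]*\)|"[^"]*"|\'[^\']*\')'
)
_LITERAL = re.compile(r'"([^"]*)"|\'([^\']*)\'')


def audit_query(name, kql):
    """Return (rule, line, filter) for filters that select HIGH but not CRITICAL."""
    findings = []
    if TABLE not in kql:
        return findings
    for lineno, line in enumerate(kql.splitlines(), 1):
        code = line.split("//", 1)[0]  # drop KQL line comments
        for m in _FILTER.finditer(code):
            if m["op"].startswith("!"):
                continue  # exclusion filters cannot drop CRITICAL by omission
            vals = {(a or b).upper() for a, b in _LITERAL.findall(m["vals"])}
            # Heuristic (assumption): HIGH was the top documented tier before the fix.
            if "HIGH" in vals and "CRITICAL" not in vals:
                findings.append((name, lineno, m.group(0)))
    return findings


# Constructed sample queries; not taken from the repository.
SAMPLE_RULES = {
    "old-tier-list": 'CheckmarxSASTFindings_CL\n| where Severity in ("HIGH", "MEDIUM")',
    "top-tier-only": "CheckmarxSASTFindings_CL\n| where Severity =~ 'high'",
    "corrected": 'CheckmarxSASTFindings_CL\n| where Severity in ("CRITICAL", "HIGH")',
    "exclusion": 'CheckmarxSASTFindings_CL\n| where Severity !in ("LOW", "INFO")',
    "commented": 'CheckmarxSASTFindings_CL\n// | where Severity == "HIGH"\n| take 10',
    "other-table": 'SomeOtherTable_CL\n| where Severity == "HIGH"',
}


def audit_all(rules):
    """Audit every rule in a {name: kql} mapping and return all findings."""
    return [f for name, kql in rules.items() for f in audit_query(name, kql)]


if __name__ == "__main__":
    for rule, lineno, expr in audit_all(SAMPLE_RULES):
        print(f"{rule}:{lineno}: review '{expr}' (CRITICAL not selected)")
```

Filters that compare Severity against a variable or a dynamic list rather than string literals are not evaluated and need a manual look.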

Affected Files

Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Deploy_1.png
Playbooks/AS-Checkmarx-SAST-Ingestion/Images/Checkmarx_SAST_Initial_Run_2.png
Playbooks/AS-Checkmarx-SAST-Ingestion/README.md
Playbooks/AS-Checkmarx-SAST-Ingestion/azuredeploy.json