The CxSAST scan enables you to run a static application security test (CxSAST) and an open source analysis (CxOSA) scan as a CLI command. By default the scan runs in synchronous mode (Scan): the CLI initiates the scan task, and the scan results can be viewed in the CLI and in the log file it creates. In asynchronous mode (AsyncScan), the CLI task ends as soon as the scan request reaches the scan queue, so the scan results can only be viewed in the CxSAST web application.
- Checkmarx CxSAST/CxOSA installed
- Checkmarx CLI Plugin
- Synchronous Mode: runCxConsole Scan -v -CxServer -projectName -CxUser -CxPassword -Locationtype -locationpath -Preset -EnableOsa -OsaLocationPath
- Asynchronous Mode: runCxConsole AsyncScan -v -CxServer -projectName -CxUser -CxPassword -Locationtype -locationpath -Preset -EnableOsa -OsaLocationPath
Apache 2.0 license.
Key | Mandatory | Description |
---|---|---|
-CxServer | Mandatory | IP address or resolvable name of CxSAST web server. |
-useSSO | Optional | Single Sign-On: Use Windows credentials of current user to log into CxSAST. |
-CxUser | Mandatory unless -useSSO is used | CxSAST login username. |
-CxPassword | Mandatory unless -useSSO is used | CxSAST login password. |
-enableOsa | Optional | Enable open source analysis (CxOSA). Either specify -OsaLocationPath, or set -LocationType to 'folder' or 'shared' so that -LocationPath is used when -OsaLocationPath is not given. |
-OsaLocationPath | Optional | Local or network path to sources or source repository branch. May include multiple list of folders (local or shared) separated by comma. |
-ProjectName | Mandatory | An existing or new project name with full path. If the project doesn't exist, it will be created |
-LocationType | Mandatory | Source location type. One of: folder, shared, SVN, TFS, Perforce, Git |
-WorkspaceMode | Optional | When -LocationType parameter is set to Perforce, add this parameter and add the workspace name into -locationPath |
-LocationPath | Mandatory if -LocationType is folder, SVN, TFS, Perforce or shared | Local or network path to sources or source repository branch. |
-LocationURL | Mandatory if -Locationtype is any source control system | Source control URL |
-LocationPort | Optional | Source control system port. Default: 8080 (TFS), 80 (SVN), or 1666 (Perforce). |
-LocationBranch | Mandatory if -LocationType is GIT | Source GIT branch. |
-LocationUser | Mandatory if -Locationtype is TFS/Perforce/shared | Source control / network credentials. |
-LocationPrivateKey <path\file> | Mandatory if -Locationtype is GIT using SSH | Path to the Git SSH private key. |
-Preset | Optional | If not provided, will use preset defined in existing project or, for a new project, the default preset. |
-ForceScan | Optional | Force scan on source code, which has not been changed since the last scan of the same project (not compatible with -Incremental option). |
-Incremental | Optional | Run incremental scan instead of a full scan. Scans only new and modified files, relative to project's last scan(-Incremental will disable any -ForceScan setting). |
-LocationPathExclude | Optional | Comma separated list of folder name patterns to exclude from scan. |
-LocationFilesExclude | Optional | Comma separated list of file name patterns to exclude from scan. |
-SASTHigh | Optional. Not supported in AsyncScan mode | CxSAST high severity vulnerability threshold. If the number of high vulnerabilities exceeds the threshold, scan will end with an error (see Error/Exit Codes). |
-SASTMedium | Optional. Not supported in AsyncScan mode | CxSAST medium severity vulnerability threshold. If the number of medium vulnerabilities exceeds the threshold, scan will end with an error (see Error/Exit Codes). |
-SASTLow | Optional. Not supported in AsyncScan mode | CxSAST low severity vulnerability threshold. If the number of low vulnerabilities exceeds the threshold, scan will end with an error (see Error/Exit Codes). |
-Configuration | Optional | Code language configuration |
-Private | Optional | Scan will not be visible to other users. |
-Log <path\file> | Optional | Log file to be created. |
-OsaArchiveToExtract | Optional | Comma separated list of file extensions to be extracted in the OSA scan. |
-OsaFilesInclude | Optional | Comma separated list of file name patterns to include in the OSA scan. |
-OsaFilesExclude | Optional | Comma separated list of file name patterns to exclude from the OSA scan. Exclude extensions by using *., or exclude files by using */. |
-OsaPathExclude | Optional | Comma separated list of folder path patterns to exclude from the OSA scan. |
-OsaScanDepth | Optional | Extraction depth of files to include in the OSA scan. |
-executepackagedependency | Optional | Retrieve all NPM package dependencies before performing OSA scan (see Remarks section). |
-OSAHigh | Optional. Not supported in AsyncScan mode | CxOSA high severity vulnerability threshold. If the number of high vulnerabilities exceeds the threshold, scan will end with an error (see Error/Exit Codes). |
-OSAMedium | Optional. Not supported in AsyncScan mode | CxOSA medium severity vulnerability threshold. If the number of medium vulnerabilities exceeds the threshold, scan will end with an error (see Error/Exit Codes). |
-OSALow | Optional. Not supported in AsyncScan mode | CxOSA low severity vulnerability threshold. If the number of low vulnerabilities exceeds the threshold, scan will end with an error (see Error/Exit Codes). |
-OsaReportHtml <path\file> | OsaReportHtml has been deprecated and is no longer supported (see Remarks section). | Generate CxOSA HTML report. |
-OsaReportPDF <path\file> | OsaReportPDF has been deprecated and is no longer supported (see Remarks section). | Generate CxOSA PDF report. |
-OsaJson <path\file> | Optional. Not supported in AsyncScan mode | Generate CxOSA JSON report. |
-ReportXML | Optional. Not supported in AsyncScan mode | Name or path to results report, by type. |
-ReportPDF | Optional. Not supported in AsyncScan mode | Name or path to results report, by type. |
-ReportCSV | Optional. Not supported in AsyncScan mode | Name or path to results report, by type. |
-ReportRTF | Optional. Not supported in AsyncScan mode | Name or path to results report, by type. |
-Comment | Optional. Not supported in AsyncScan mode | Saves a comment with the scan results. |
-verbose or -v | Optional | Turns on verbose mode. All messages and events will be sent to the console or log file. |
The table below describes the CLI exit/error codes returned when a task is executed. The code descriptions help in identifying and troubleshooting issues.
Code | Description |
---|---|
0 | Completed successfully |
1 | Failed to start scan (general error) |
2 | Invalid license for SDLC |
3 | Invalid license for OSA |
4 | Login failed |
5 | OSA scan requires an existing project on the server |
10 | Failed on threshold SAST HIGH |
11 | Failed on threshold SAST Medium |
12 | Failed on threshold SAST LOW |
13 | Failed on threshold OSA HIGH |
14 | Failed on threshold OSA Medium |
15 | Failed on threshold OSA Low |
19 | Generic threshold failure if both SAST and OSA fail |
130 | Canceled by user (Ctrl-C) |
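Tying the usage lines above to this exit-code table: the following is an added example, not part of the Checkmarx documentation or the CLI itself, of a CI gate that runs a synchronous Scan with severity thresholds and maps the documented exit codes to a pipeline decision. Everything not in the parameter and exit-code tables is an assumption: the wrapper name runCxConsole.sh, the CX_CLI/CX_SERVER/CX_USER/CX_PASSWORD environment variables, the project path and the threshold numbers.

```shell
#!/bin/sh
# Added example: a CI gate around the CxConsole "Scan" command described on this page.
# This is not Checkmarx's own script. Assumptions not taken from the page:
#   - the CLI is named by $CX_CLI (default runCxConsole.sh);
#   - server and credentials come from CX_SERVER, CX_USER and CX_PASSWORD;
#   - the threshold values (0 high, 5 medium, 20 low) are constructed for the example.

# Map a CxConsole exit code (Exit/Error Codes table) to the action a CI job takes.
cx_exit_action() {
  case "$1" in
    0)        echo "pass" ;;                  # Completed successfully
    10|11|12) echo "fail-sast-threshold" ;;   # SAST high/medium/low threshold exceeded
    13|14|15) echo "fail-osa-threshold" ;;    # OSA high/medium/low threshold exceeded
    19)       echo "fail-both-thresholds" ;;  # both SAST and OSA thresholds exceeded
    2|3)      echo "fail-license" ;;          # invalid SDLC/OSA license: a server-side problem
    4)        echo "fail-login" ;;            # login failed: check credentials or SSO
    5)        echo "fail-missing-project" ;;  # OSA scan needs an existing project
    130)      echo "cancelled" ;;             # cancelled by user (Ctrl-C)
    *)        echo "fail-scan-error" ;;       # 1 (general error) or an undocumented code
  esac
}

# True (exit 0) when the pipeline must be blocked, i.e. anything but a clean pass.
cx_should_block() {
  [ "$(cx_exit_action "$1")" != "pass" ]
}

# Run a synchronous scan with severity thresholds. Returns the CLI's own exit code
# unchanged so the documented codes can be acted on by the caller.
# $1 = project name, $2 = local source folder, remaining args = extra CLI parameters.
cx_run_scan() {
  project="$1"
  src="$2"
  shift 2
  # The password is read from the environment rather than typed into the job
  # definition, so it does not appear in the pipeline's command echo.
  "${CX_CLI:-runCxConsole.sh}" Scan -v \
    -CxServer "${CX_SERVER:?CX_SERVER is not set}" \
    -CxUser "${CX_USER:?CX_USER is not set}" \
    -CxPassword "${CX_PASSWORD:?CX_PASSWORD is not set}" \
    -ProjectName "$project" \
    -LocationType folder \
    -LocationPath "$src" \
    -SASTHigh 0 -SASTMedium 5 -SASTLow 20 \
    "$@"
}

# Run the scan, print the decision, and propagate the exit code to the CI runner.
cx_gate() {
  rc=0
  cx_run_scan "$@" || rc=$?
  echo "CxConsole exit code $rc -> $(cx_exit_action "$rc")"
  return "$rc"
}

# Example invocation (only when explicitly requested, so sourcing this file has no side effects):
#   CX_RUN_GATE=1 CX_SERVER=cx.example.internal CX_USER=ci CX_PASSWORD=... sh cx_gate.sh
if [ "${CX_RUN_GATE:-0}" = "1" ]; then
  cx_gate 'CxServer\Demo\WebApp' "$PWD"   # project path is a constructed placeholder
fi
```

The gate only makes sense with Scan: the table marks the threshold parameters as not supported in AsyncScan mode, and an AsyncScan returns once the request is queued, so codes 10 to 19 cannot be produced there. Reading the password from the environment keeps it off the job's command line, which CI systems commonly echo into build logs.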