Supported Languages and Package Managers
Checkmarx SCA uses the following methods to identify the 3rd party packages in your project:
File Analysis – Checkmarx SCA identifies all files in your project that may be part of a 3rd party package, and analyzes them in order to determine which packages are being used. This is done by comparing the hashes and metadata of the relevant files (e.g., .jar files for Java, .js files for JS) in the scanned project with the hashes and metadata of packages that are catalogued in our database. As part of this process, compressed files of supported types (.jar, .war, .ear, .zip) are extracted so that the files can be analyzed. This is applied recursively up to four levels of depth.
File Analysis is done for the supported languages/frameworks listed below, using the corresponding file types specified in the table.
Dependency Resolution – Checkmarx SCA resolves dependencies using one of two methods:
Package Manager Resolution (default)
Checkmarx SCA uses package managers to resolve dependencies against customer-defined or public repositories and reconstruct the dependency tree based on manifest files (e.g., package.json). These files define the intended dependencies, typically using version ranges. Because this method depends on the state of external repositories at scan time, the resulting dependency tree may differ from what was originally installed. In some cases, this can lead to incomplete or inconsistent dependency reconstruction, especially if package versions have been removed, updated, or resolved differently across environments.
Lock File Resolution
When a lock file is present (e.g., package-lock.json, yarn.lock), Checkmarx SCA uses it to determine the exact versions of all resolved dependencies, including transitive dependencies. This provides a deterministic and reproducible view of the dependency tree as it was installed. This method significantly improves accuracy and reduces the risk of missing dependencies or security findings caused by differences in resolution behavior or changes in package availability.
Notice
To ensure accurate and reproducible results, it is strongly recommended to include lock files in SCA scans. Lock files reflect the exact dependency tree used in the application and improve both vulnerability detection and auditability of scan results.
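The difference between the two resolution methods, as an added pre-scan check that is not part of Checkmarx SCA: it reads an npm manifest and its lock file (constructed sample data in the lockfileVersion 3 layout), reports the exact versions the lock pins (transitive packages included), and flags manifest dependencies the lock no longer covers, which is the drift the footnote on keeping lock files up to date warns about. The file names and the `check_project` helper are assumptions for illustration.

```python
import json
from pathlib import Path

# Constructed sample inputs (npm lockfileVersion 3 layout); not taken from the page.
MANIFEST = {"dependencies": {"lodash": "^4.17.0", "express": "~4.18.0", "left-pad": "^1.3.0"}}
LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"lodash": "^4.17.0", "express": "~4.18.0"}},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},  # transitive dep
    },
}

def resolved_versions(lock):
    """Exact versions pinned by the lock file, transitive packages included."""
    pinned = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root entry describes the project itself, not a package
            continue
        # "node_modules/a/node_modules/b" -> "b"; scoped "@org/pkg" keeps its scope
        name = path.rsplit("node_modules/", 1)[-1]
        pinned[name] = meta["version"]
    return pinned

def lock_drift(manifest, lock):
    """Direct dependencies declared in the manifest that the lock does not pin (stale lock)."""
    pinned = resolved_versions(lock)
    return sorted(name for name in manifest.get("dependencies", {}) if name not in pinned)

def resolution_mode(manifest, lock):
    """Summarise which resolution method a scan would use and what it would see."""
    if lock is None:  # no lock: only version ranges, resolved against repositories at scan time
        return {"mode": "package-manager", "ranges": dict(manifest.get("dependencies", {})), "drift": []}
    return {"mode": "lock-file", "pinned": resolved_versions(lock), "drift": lock_drift(manifest, lock)}

def check_project(root):
    """Hypothetical helper: load package.json and package-lock.json from a directory, if present."""
    root = Path(root)
    manifest = json.loads((root / "package.json").read_text())
    lock_path = root / "package-lock.json"
    lock = json.loads(lock_path.read_text()) if lock_path.exists() else None
    return resolution_mode(manifest, lock)

if __name__ == "__main__":
    print(json.dumps(resolution_mode(MANIFEST, LOCK), indent=2))
```

A non-empty `drift` list means the lock file was not regenerated after the manifest changed, so a lock-based scan would miss those packages.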
For more information about how Checkmarx SCA scans run using various methods, refer to Understanding How Checkmarx SCA Scans Run Using Various Methods.
Notice
If you are using Checkmarx SCA Resolver, then you need to install the relevant package managers locally. For installation info, see Installing Supported Package Managers for Resolver.
Supported Languages and Package Managers
Languages/Frameworks: JavaScript, TypeScript, NodeJS, React, Angular, Apex
Tip: Apex is only supported when running the scan using Checkmarx SCA Resolver with the
Repository: NPM
File Types: .js
Supported Languages for Exploitable Path: JavaScript

| Package Manager | Vulnerability Support | Malicious Package Support | Manifest Files (Packages marked with |
| --- | --- | --- | --- |
| NPM | | | |
| Yarn (and Yarn 2) | | | |
| Bower | | | |

[1] When a lock file is present in the project, SCA may use it to resolve dependencies. Therefore, it is important to keep the lock file up-to-date with any changes that you make in the manifest file.
Languages/Frameworks: C#, F#, .NET, .NET Core, WCF, WPF, ASP.NET
Repository: NuGet
File Types: .dll
Supported Languages for Exploitable Path: C#

| Package Manager | Vulnerability Support | Malicious Package Support | Manifest Files |
| --- | --- | --- | --- |
| NuGet | | | |
Languages/Frameworks: Python, Django, Flask
Repository: PyPI
File Types: .egg, .whl
Supported Languages for Exploitable Path: Python

| Package Manager | Vulnerability Support | Malicious Package Support | Manifest Files (Packages marked with |
| --- | --- | --- | --- |
| PIP | | | |
| Poetry | | | |
| Setuptools [1] | | | |

[1] Setuptools is supported only when running scans using SCA Resolver.
Languages/Frameworks: PHP, Drupal
Repository: Packagist
File Types: none
Exploitable Path: Not supported

| Package Manager | Vulnerability Support | Malicious Package Support | Manifest Files (Packages marked with |
| --- | --- | --- | --- |
| Composer | | | |
Languages/Frameworks: Swift, Objective-C
Repository: GitHub
File Types: none
Exploitable Path: Not supported

| Package Manager | Vulnerability Support | Malicious Package Support | Manifest Files (Packages marked with |
| --- | --- | --- | --- |
| SwiftPm | | | |
| CocoaPods | | | |
| Carthage | | | |

Tip: At least one
Languages/Frameworks: Go
Repository: Golang
File Types: none
Exploitable Path: Not supported

| Supported Package Manager | Vulnerability Support | Malicious Package Support | Manifest Files (Packages marked with |
| --- | --- | --- | --- |
| GoModules | | | |
Languages/Frameworks: Ruby
Repository: RubyGems
File Types: none
Exploitable Path: Not supported

| Supported Package Manager | Vulnerability Support | Malicious Package Support | Manifest Files (Packages marked with |
| --- | --- | --- | --- |
| RubyGems | | | |
| Bundler | | | |
Languages/Frameworks: C, C++
Repository: Conan
File Types: .cpp, .c, .h, .hpp, .a, .o, .so
Exploitable Path: Not supported
Tip: C++ is supported only for File Analysis (fingerprints), not for package resolution.

| Supported Package Manager | Vulnerability Support | Malicious Package Support | Manifest Files |
| --- | --- | --- | --- |
| none | | | none |
Languages/Frameworks: Unity
Repository: Unity Technologies, Needle-mirror, Open UPM
File Types: none
Exploitable Path: Not supported

| Supported Package Manager | Vulnerability Support | Malicious Package Support | Manifest Files (Packages marked with |
| --- | --- | --- | --- |
| none | | | |
Languages/Frameworks: Dart, Flutter
Repository: N/A
File Types: none
Exploitable Path: Not supported

| Supported Package Manager | Vulnerability Support | Malicious Package Support | Manifest Files |
| --- | --- | --- | --- |
| Pub | | | |

[1] Support of Pub is only for identifying malicious packages. Non-malicious packages are not shown at all in the Packages or Risks tabs.
Container Scans
Checkmarx SCA is capable of scanning Dockerfiles and container images as long as they are hosted in supported registries and they are used in supported ecosystems.
For more info about container scans, see Container Scans.
Supported Registries
Container scans run via SCA Resolver support scanning of images from any registry for which you can run the docker pull command, e.g., DockerHub, Amazon Elastic Container Registry (ECR), Google Container Registry (GCR), Quay, JFrog Container Registry (JCR) etc.
Supported Registries and Ecosystems
Supported Registries
Container scans support scanning of images from any registry for which you can run the docker pull command, e.g., DockerHub, Amazon Elastic Container Registry (ECR), Google Container Registry (GCR), JFrog Container Registry (JCR) etc.
Supported Ecosystems
Debian (dpkg)
Alpine (apk)
C (conan)
C++ (conan)
Dotnet (deps.json)
Go (go.mod, Go binaries)
Java (jar, ear, war, par, sar, native-image)
JavaScript (npm, yarn)
PHP (composer)
Python (wheel, egg, poetry, requirements.txt)
Red Hat (rpm)
Ruby (gem)