Installing the DAST CLI in a Pipeline

You can integrate DAST with your favorite CI/CD pipelines. This section explains how the DAST CLI can be installed in a pipeline.

To run a DAST scan, you need an outbound connection to Checkmarx One so that the results can be uploaded. To do so, ensure that you can connect to the following IP (for BETA version -> Canary). For more information, review the Checkmarx One External IPs page.

When running the DAST CLI, the following commands and flags are available:



Run a DAST API scan.


Generate the autocompletion script for the specified shell.


Generate a DAST scan configuration file.


Help about any command.


Run a DAST Web Scan.


--base-url <string>

CxOne Servers base URL.

--config <string>

Path to the config file.

--environment-id <string>

The ID of the environment previously created in the CxOne Frontend.

--fail-on <string>

Lowest severity in the results to fail the execution of the DAST-CLI (all, low, info, medium, high).

-h, --help

Help for DAST.

--jvm-properties <string> (Default - "-Xmx3G")

Path to the jvm properties file.

--log-level <string> (Default - "info")

Log level.

--output <string>

Path to the output directory.

--proxy-port <string>

Override the host port used for proxying.

--proxy-url <string>

Override the host used for proxying.

--retry-delay <int> (Default - 20)

Time between retries in seconds; use with --retry.

--retry <int> (Default - 3)

Retry requests to AST on connection failure.

--timeout <int> (Default - 10000)

DAST scan timeout in seconds.

--update-interval <int> (Default - 30)

Update interval in seconds.


Print logs to stdout.

The following CI/CD pipelines integrate with DAST: