Skip to main content

Engine Pack Version 9.6.6

CxSAST Engine

Languages & Frameworks

All supported code Languages & Frameworks versions are on the dedicated page Engine Pack Supported Code Languages and Frameworks.

New SAST Engine

Folders and File Exclusions

As a continuation of the improvements for the new SAST engine, which aims to reduce the scan execution time, a new setting has been introduced that excludes a predefined set of folders and files during scans.

This optimization enables quicker identification and resolution of vulnerabilities, enhancing developer productivity by focusing on more relevant code areas to facilitate faster and more frequent deployments.

It is important to note that enabling this option may not be ideal for applications with critical security requirements due to the potential risk of missing vulnerabilities in excluded code areas.

For further details about the list of exclusions, please see File Exclusions Rules.


For SAST on-premises users only: File Exclusion Rules apply to all projects when enabled and are impossible to enable for individual projects.

This setting (PREDEFINED_FILE_EXCLUSIONS_ENABLED) can be enabled in the database:

update [CxDB].[Config].[CxEngineConfigurationKeysMeta] set [DefaultValue] = 'true' where [KeyName] = 'PREDEFINED_FILE_EXCLUSIONS_ENABLED';

or via a configuration file with the following content:

<?xml version="1.0" encoding="windows-1252"?>

Privacy Violation Query Improvements

This engine pack includes performance enhancements to the Privacy Violation query for Java and C# languages.

As a result, query execution time has been reduced by up to 80%.


The Rust support has been improved by adding additional queries.

The following queries are available as part of this version:

  • high_risk_icon.png: Rust_High_Risk

    • Arbitrary_File_Write

    • Dangerous_File_Inclusion

    • LDAP_Injection

    • Observable_Timing_Discrepancy

    • Sensitive_Information_Exposure_in_Cleartext_Channel

    • Stored_LDAP_Injection

    • Unsafe_Archive_Unpacking

  • medium_risk_icon.png: Rust_Medium_Threat

    • HttpOnly_Cookie_Flag_Not_Set

    • Insufficiently_Secure_Password_Storage_Algorithm_Parameters

    • Length_Extension_Attack

    • Parameter_Tampering

    • PCI_Data_Exposure

    • Permission_Manipulation_in_S3

    • Reliance_on_DNS_Lookups_in_a_Decision

    • Secret_Leak

    • Secret_Leak_in_Error_Messages

    • Secret_Leak_in_Files

    • Secret_Leak_in_Logs

    • Secret_Leak_in_URL

    • Secure_Cookie_Flag_Not_Set

    • Uncontrolled_Memory_Allocation

    • Unsafe_Reflection

    • Use_of_Cryptographically_Weak_PRNG

    • Using_Referer_Field_for_Authentication

  • low_risk_icon.png: Rust_Low_Visibility

    • Cookie_Overly_Broad_Path

    • Divide_By_Zero

    • Frameable_Login_Page

    • Improper_Error_Handling

    • Improper_Transaction_Handling

    • Insecure_Value_of_the_SameSite_Cookie_Attribute

    • Integer_Overflow

    • Log_Forging

    • Misconfigured_HSTS

    • Misconfigured_X_Content_Type_Options

    • Missing_Content_Security_Policy

    • Missing_Framing_Policy

    • Missing_HSTS

    • PCI_Data_Exposure_in_Error_Messages

    • PCI_Data_Exposure_in_Files

    • PCI_Data_Exposure_in_Logs

    • PCI_Data_Exposure_in_URL

    • Permissive_Content_Security_Policy

    • Privacy_Violation_in_Error_Messages

    • Privacy_Violation_in_URL

    • Trust_Boundary_Violation_in_Session_Variables

    • Type_Conversion_Error

    • Unchecked_Return_Value_to_NULL_Pointer_Dereference

    • Use_of_Deprecated_API

    • Use_of_Non_Cryptographic_Random

    • Use_of_Unsafe_Keyword

  • Rust_Best_Coding_Practice

    • Input_Path_Not_Canonicalized


Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during development. However, these features are not fully supported, might not be functionally complete, and are not intended for production use.

As Checkmarx considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues customers experience when using these features.

Engine .NET update

We have updated the engine component to version .NET 8.

The minimum required version to update to this engine pack is 8.0.3

Critical Severity


Critical severity will be added to the SAST engine's list of severity options in the upcoming major version, 9.7.0.

  • All queries will be revised and their severity adjusted to include Critical severity.

    Details on the affected queries can be found on this page, Queries Severity Revision.

  • The new severity will only be reflected by new scans executed after upgrading to 9.7.0; older scans and their results will be unaffected.