
SAST Scanner Parameters

The table below lists all the optional parameters for the SAST scanner and the values each accepts.

Notice

There is an additional configuration option for filtering which compliance results are shown. It can currently be configured only via the REST API; see the API documentation.

Parameter | Values | Notes

presetName

  Values: All the available SAST presets that exist in the system

  Notes:

  • For the full list of presets (including descriptions), see Predefined Presets.

  • The default preset is ASA Premium.

fastScanMode

  Values: true / false

  Notes: By default, Fast Scan mode is false. For more information, refer to Fast Scan Mode.

Light Queries

  Values: true / false

  Notes: Determines whether the scan should be performed using light queries or standard queries. Light Queries are simplified versions of standard queries focusing on the most urgent vulnerabilities, helping you spot threats faster. For more information, refer to Light Queries.

  • When set to true, SAST will scan using light queries, quickly focusing on the most immediate and exploitable weaknesses.

  • When set to false, SAST will not scan using light queries; it will scan using standard queries.

incremental

  Values: true / false

  Notes: Determines whether the scan should be performed incrementally or as a full scan.

  • When set to true, SAST will only scan the code changes made since the last scan, significantly reducing the scan time and resource usage.

  • When set to false, SAST will perform a full scan. Full scans are more comprehensive but take longer to complete and use more resources.

recommendedExclusions

  Values: true / false

  Notes: Determines whether the system should automatically exclude certain files and folders from the scan.

  • When set to true, SAST applies predefined exclusions, allowing developers to scan faster and focus on the most relevant code areas.

  • When set to false, SAST will include all files and directories in the scan.

languageMode

  Values: primary / multi

  Notes: For more information, see Specifying a Code Language for Scanning and Supported Code Languages and Frameworks.

  Note: By default, the languageMode is multi.

folder/filter

  Notes: Allows users to select specific folders or files to include in or exclude from the code scanning process.

  • Including a file type: *.java

  • Excluding a file type: !*.java

  • Use a comma (,) to chain file types, for example: *.java,*.js

  • The parameter also supports including/excluding folders.

  • Regex is not supported.
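The following Python is an added worked example, not Checkmarx code, showing how a chained folder/filter expression resolves against a constructed list of repository paths. The function names (parse_filter, apply_filter, looks_like_regex) and the exact semantics are assumptions: patterns are comma-separated globs, a leading "!" excludes, a path is kept when it matches at least one include pattern (or none are given) and no exclude pattern, and a bare name such as "test" is also tried against folder segments. It also flags patterns that look like regular expressions, since those are not supported and would silently match nothing.

```python
"""Resolve a SAST-style folder/filter expression against candidate paths.

Added illustration, not Checkmarx code. The semantics below are assumptions
made for the example: comma-separated glob patterns, '!' prefix excludes,
a path is kept if it matches an include (or there are no includes) and no
exclude. Only glob wildcards (* ? [...]) are honoured; regex is not.
"""
from fnmatch import fnmatch
from pathlib import PurePosixPath

# Constructed sample repository layout (not from any real project).
SAMPLE_PATHS = [
    "src/main/App.java",
    "src/main/util.js",
    "src/test/AppTest.java",
    "docs/readme.md",
    "node_modules/lib/index.js",
]

# Characters that only make sense in a regex, never in a glob.
_REGEX_ONLY_CHARS = set("()+|^$\\{}")


def parse_filter(expr: str) -> tuple[list[str], list[str]]:
    """Split 'a,!b,c' into (includes, excludes); blank entries are ignored."""
    includes, excludes = [], []
    for raw in expr.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        if pattern.startswith("!"):
            excludes.append(pattern[1:])
        else:
            includes.append(pattern)
    return includes, excludes


def looks_like_regex(pattern: str) -> bool:
    """True if the pattern uses regex-only syntax (assumed unsupported)."""
    return any(ch in _REGEX_ONLY_CHARS for ch in pattern)


def _matches(path: str, pattern: str) -> bool:
    """Match a glob against the file name, the full path, or any folder segment.

    Folder handling is an assumption for this example: a pattern such as
    'test' or 'node_modules/' is compared against each directory component.
    """
    p = PurePosixPath(path)
    if fnmatch(p.name, pattern) or fnmatch(path, pattern):
        return True
    folder = pattern.rstrip("/")
    return any(fnmatch(part, folder) for part in p.parts[:-1])


def apply_filter(expr: str, paths: list[str]) -> list[str]:
    """Return the subset of paths that the filter expression keeps, in order."""
    includes, excludes = parse_filter(expr)
    kept = []
    for path in paths:
        if includes and not any(_matches(path, pat) for pat in includes):
            continue  # include list given and nothing matched
        if any(_matches(path, pat) for pat in excludes):
            continue  # an exclude pattern wins over any include
        kept.append(path)
    return kept


if __name__ == "__main__":
    for expr in ("*.java,*.js", "!*.java", "*.java,!test", "!node_modules"):
        print(f"{expr!r:>16} -> {apply_filter(expr, SAMPLE_PATHS)}")
    print("regex-looking pattern:", looks_like_regex(r"\.java$"))
```

Running the block prints which sample files survive each expression; the useful check for a practitioner is that an exclude such as "!test" removes the whole test folder even when "*.java" would otherwise include its files, and that a regex-style pattern is reported rather than quietly ignored.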

engineVerbose

  Values: true / false

  Notes:

  • true = Enables PRINT_DEBUG mode.

  • false = Enables PRINT_LOG mode.

ASA Premium Preset

ASA Premium Preset is a part of the SAST collection of presets.

This Preset is available only for Checkmarx One. Its usage is described in the table below.

Preset | Usage | Includes vulnerability queries for...

ASA Premium

  Usage: The ASA Premium preset contains a subset of vulnerabilities that the Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program. The preset might change in future versions; the AppSec Accelerator team will continuously remove old or deprecated queries and include new and improved queries.

  Includes vulnerability queries for: Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript coding languages.

ASA Premium Mobile

  Usage: The ASA Premium Mobile preset is a dedicated preset designed for mobile apps. It contains a subset of vulnerabilities that the Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program. The preset might change in future versions; the AppSec Accelerator team will continuously remove old or deprecated queries and include new and improved queries.

  Includes vulnerability queries for: Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript coding languages.

Fast Scan Configuration

Fast Scan configuration aims to find the perfect balance between thorough security tests and the need for quick and actionable results. There’s no need to choose between speed and security. Alongside the Base Preset, we are thrilled to announce a new scan mode designed to speed up the scan: Fast Scan mode.

Fast Scan mode decreases the scanning time of projects up to 90%, making it faster to identify relevant vulnerabilities and enable continuous deployment while ensuring that security standards are followed. This will help developers tackle the most relevant vulnerabilities.

While the Fast Scan configuration identifies the most significant and relevant vulnerabilities, the In-Depth scan mode offers deeper coverage. For the most critical projects with a zero-vulnerability policy, it is also advised to use the In-Depth scan mode.

Warning

To expedite results retrieval, the scanning process has been optimized to reduce the number of stages and flows involved in the scan. As a consequence, the queries related to Fusion are not executed and their results are not generated when this mode is used.

You may also notice an impact on the API Security scanner results.

Light Queries

Light Queries are simplified versions of existing queries that focus on the most exploitable vulnerabilities. They help you prioritize threats while filtering out uncommon edge cases for clearer analysis. Light Queries are not intended to replace the more robust standard queries but offer an alternative form of analyzing code by focusing on the most immediate threats and readily exploitable weaknesses as quickly as possible. These queries offer a more straightforward way to analyze code, giving you key findings without the complexity. The Light Queries have a more restrictive subset of results regarding inputs and sinks and a broader one regarding sanitizers.

Important

Consider the following when Light Queries are enabled:

  • The Similarity ID, source, and sink remain unchanged whether or not Light Queries are enabled.

  • When Light Queries are enabled, the scan results are a subset of those from a standard query (i.e., when Light Queries are disabled).

  • When scanning with Light Queries enabled, the scan will likely get fewer results.

Supported Languages and Detected Vulnerabilities

Enabling Light Queries

Enable Light Queries under the Account Settings page by setting its value to true. By default, Light Queries are set to false (disabled), and the Allow Override option is enabled.

(Screenshot: acctsett_lq.png)

When creating a new project, on the project settings page, you must enable Light Queries as a rule. To add Light Queries as a rule, perform the following:

  1. Click + Add Rule. The scanner, mode, and value dropdown options appear.

  2. Select SAST, light queries, and true for the scanner, mode, and value dropdowns.

  3. Select Create Project when finished.

(Screenshot: newprj_lq.png)

To delete a rule, click the trash icon at the end of the rule's row.