IaC Security Scanner Parameters

When configured globally, these parameters will apply to IaC Security scans across all projects. When configured at the project level, they will apply only to IaC Security scans for that project.

The table below presents all the optional parameters and their values.

Notice

CLI flags are submitted on the scan level with the scan create command. API configs can be configured on the account or project level using the Configuration API or on the scan level as part of the request body of the POST /scans API. When using the POST /scans API the scan.config.kics prefix is left out.

Parameter	Values	Notes	CLI	API	Config as Code
Folder/file filter	Allow users to select specific folders or files to include or exclude from the code-scanning process.	Including a file type - .java; .tf Excluding a file type - !.java; !.yaml Use “,” sign to chain file types, for example: .tf,.json for example: .java,.js The parameter also supports including/excluding folders. regex is not supported.	`--iac-security-filter <string>`	scan.config.kics.filter { "key": "scan.config.kics.filter", "value": "*.java", "allowOverride": true }	`filter`
Platforms	Ansible Azure Blueprints AzureResourceManager Buildah CICD CloudFormation CDK Crossplane Docker Docker Compose Dockerfile Google Deployment Manager gRPC Helm Knative Kubernetes OpenAPI Pulumi SAM ServerlessFW Terraform	Notice Configure one or more platforms, separated by a comma. The parameter means you only want to run scans (queries) for those platforms. For example, Ansible, CloudFormation, Dockerfile Warning Any mistake in the platform characters will cause an error.	`--iac-security-platforms <string>, <string>`	scan.config.kics.platforms { "key": "scan.config.kics.platforms", "value": "GRPC", "allowOverride": true }	`platforms`
Preset Name	All the available IaC Security Presets that exist in the system	There are no Checkmarx Default Presets now. For more information on IaC presets, see here. Warning The preset ID for IaC Security must be a valid UUID. Once you create one, you can copy the PresetID from the IaC Presets page.			`presetId`

Parameter

Values

Notes

CLI

API

Config as Code

Folder/file filter

Allow users to select specific folders or files to include or exclude from the code-scanning process.

Including a file type - *.java; .tf
Excluding a file type - !*.java; !.yaml
Use “,” sign to chain file types, for example: .tf,.json
for example: *.java,*.js
The parameter also supports including/excluding folders.
regex is not supported.

--iac-security-filter <string>

scan.config.kics.filter

  {
    "key": "scan.config.kics.filter",
    "value": "*.java",
    "allowOverride": true
  }

filter

Platforms

Ansible
Azure Blueprints
AzureResourceManager
Buildah
CICD
CloudFormation
CDK
Crossplane
Docker
Docker Compose
Dockerfile
Google Deployment Manager
gRPC
Helm
Knative
Kubernetes
OpenAPI
Pulumi
SAM
ServerlessFW
Terraform

Notice

Configure one or more platforms, separated by a comma.

The parameter means you only want to run scans (queries) for those platforms.

For example, Ansible, CloudFormation, Dockerfile

Warning

Any mistake in the platform characters will cause an error.

--iac-security-platforms <string>, <string>

scan.config.kics.platforms

  {
    "key": "scan.config.kics.platforms",
    "value": "GRPC",
    "allowOverride": true
  }

platforms

Preset Name

All the available IaC Security Presets that exist in the system

There are no Checkmarx Default Presets now. For more information on IaC presets, see here.

Warning

The preset ID for IaC Security must be a valid UUID. Once you create one, you can copy the PresetID from the IaC Presets page.

presetId

In this section:

IaC Security Scanner Parameters

Notice

Notice

Warning

Warning

Search results