
Container Security Scanner Parameters

Checkmarx One offers robust filter settings to enhance container security by enabling users to configure their scans for precision and relevance. Below is an overview of the four available filter settings, designed to reduce noise and focus on critical vulnerabilities in your scans.

The following table explains how to configure each type of filter.

| Filter name | Description | Syntax | Examples |
|---|---|---|---|
| Private Package Regex Filter | Prevents sensitive private packages from being sent to the cloud for analysis. Excludes packages by package name or file path using a regex. | Regex | `^internal-.*` filters out any package whose name starts with `internal-` |
| Folder/file filter | Specifies files and folders to be included in (allow list) or excluded from (block list) scans. The parameter also supports including/excluding folders. Regex is not supported. | `*.java` includes a file type; `!*.java` excludes a file type; use `,` to chain file types, for example `*.java,*.js` | `!*.log` excludes all `.log` files; `*.js,*.css` includes only `.js` and `.css` files |
| Image/tag filter | Excludes images by image name and/or tag. | `image-name:image-tag` excludes by image name and tag; `image-name` excludes by image name; `:image-tag` excludes by image tag. Tip: a wildcard (`*`) can be used at the beginning, the end, or both. | `:*dev` excludes all image tags that end with `dev`; `*test-image*` excludes all images that contain `test-image` in their name |
| Exclude non-final stages filter | Excludes all images that are not from the final stage of the build process, so that only the final deployable image is scanned. Tip: only supported for Dockerfile images. | `True` applies the filter; `False` does not apply the filter | |
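As an added example that is not Checkmarx code, the script below reproduces the documented folder/file and image/tag filter rules so a team can dry-run a filter against its own file paths and image references before enabling it in the scan configuration. How the scanner itself evaluates these rules is an assumption taken from the syntax described above, and every path and image name used is constructed.

```python
"""Local dry-run of the folder/file and image/tag filter syntax described above.
Added example, not Checkmarx code: the matching rules are assumed from the
documented syntax, not taken from the scanner's implementation.
"""
import fnmatch
import re

def match_file_filter(path: str, spec: str) -> bool:
    """True if `path` stays in scope under comma-chained `spec` ('*.java' includes,
    '!*.java' excludes, no regex). Assumed: any include pattern makes an allow list."""
    includes, excludes = [], []
    for raw in spec.split(","):
        pat = raw.strip()
        if pat.startswith("!"):
            excludes.append(pat[1:])
        elif pat:
            includes.append(pat)
    if any(fnmatch.fnmatch(path, p) for p in excludes):
        return False
    return not includes or any(fnmatch.fnmatch(path, p) for p in includes)

def _split_ref(ref: str):
    """Split 'name:tag' into (name, tag); a ':' inside a registry host:port
    (e.g. 'localhost:5000/app') is not a tag separator."""
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return ref, ""
    return name, tag

def _wild_to_regex(part: str) -> str:
    """Anchored regex for a part that may carry '*' at its beginning and/or end."""
    prefix = ".*" if part.startswith("*") else ""
    suffix = ".*" if part.endswith("*") else ""
    return f"^{prefix}{re.escape(part.strip('*'))}{suffix}$"

def image_excluded(image: str, filt: str) -> bool:
    """True if `filt` ('name:tag', 'name' or ':tag') would exclude `image`."""
    name, tag = _split_ref(image)
    f_name, f_tag = _split_ref(filt)
    if not (f_name or f_tag):
        raise ValueError("empty image/tag filter")
    if f_name and not re.match(_wild_to_regex(f_name), name):
        return False
    if f_tag and not re.match(_wild_to_regex(f_tag), tag):
        return False
    return True

if __name__ == "__main__":  # constructed sample images, filter ':*dev'
    for ref in ["acme/api:1.2-dev", "acme/api:1.2", "acme/test-image-web:latest"]:
        print(ref, "excluded" if image_excluded(ref, ":*dev") else "kept")
```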