SCA Configuration Options

The following table shows the configuration options available for the SCA scanner. These configuration options can be applied on the Account > Project > Scan levels. These configurations can be set via the web application (UI), CLI or API, as shown in the table below.

Notice

CLI flags are submitted on the scan level with the scan create command. API configs can be configured on the account or project level using the Configuration API.

Parameter	Values	Notes	CLI	API
Folder/file filter	Allow users to select specific folders or files that they want to include or exclude from the code scanning process.	Including a file type - .java Excluding a file type - !.java Use “,” sign to chain file types. for example: .java,.js The parameter also supports including/excluding folders. regex is not supported.	`--sca-filter <string>`	scan.config.sca.filter
Exploitable Path	Toggle On/Off	When Exploitable Path is activated, scans that use the SCA scanner will identify whether or not there is an exploitable path from your source code to the vulnerable 3rd party package. Learn more about Exploitable Path.	`--sca-exploitable-path <string>`	scan.config.sca.exploitablePath
Exploitable Path Configuration	Radio button selection	The Exploitable Path feature uses queries in the SAST scan of your project to identify exploitable paths to vulnerable 3rd party packages. Therefore, it is always necessary to run a SAST scan on the project in order to get results for Exploitable Path. Whenever you run a Checkmarx One scan with both the SAST and SCA scanners selected, Exploitable Path uses the results of the current SAST scan for analysis. When you run a Checkmarx One scan with only the SCA scanner selected, Checkmarx One can either use results from a previous SAST scan or it can initiate a new SAST scan (using default settings) that runs the Exploitable Path queries. Select one of the following configurations: Use SAST scans for past _ day/s - specify the number of days for which results from a historic SAST scan will be used for Exploitable Path. If no scan was run within the specified period, then a new scan will be triggered. Warning Not fully supported in all environments. The default value of one day may be applied automatically. Do not use existing SAST scans - Whenever you run a Checkmarx One scan with only the SCA scanner selected, a SAST scan will be triggered automatically in order to run the Exploitable Path queries.	`--sca-last-sast-scan-time <integer>` (Default: 1)	scan.config.sca.lastSastScanTime

Parameter

Values

Notes

CLI

API

Folder/file filter

Allow users to select specific folders or files that they want to include or exclude from the code scanning process.

Including a file type - *.java
Excluding a file type - !*.java
Use “,” sign to chain file types.
for example: *.java,*.js
The parameter also supports including/excluding folders.
regex is not supported.

--sca-filter <string>

scan.config.sca.filter

Exploitable Path

Toggle On/Off

When Exploitable Path is activated, scans that use the SCA scanner will identify whether or not there is an exploitable path from your source code to the vulnerable 3rd party package.

Learn more about Exploitable Path.

--sca-exploitable-path <string>

scan.config.sca.exploitablePath

Exploitable Path Configuration

Radio button selection

The Exploitable Path feature uses queries in the SAST scan of your project to identify exploitable paths to vulnerable 3rd party packages. Therefore, it is always necessary to run a SAST scan on the project in order to get results for Exploitable Path.

Whenever you run a Checkmarx One scan with both the SAST and SCA scanners selected, Exploitable Path uses the results of the current SAST scan for analysis. When you run a Checkmarx One scan with only the SCA scanner selected, Checkmarx One can either use results from a previous SAST scan or it can initiate a new SAST scan (using default settings) that runs the Exploitable Path queries. Select one of the following configurations:

Use SAST scans for past _ day/s - specify the number of days for which results from a historic SAST scan will be used for Exploitable Path. If no scan was run within the specified period, then a new scan will be triggered.
Warning
Not fully supported in all environments. The default value of one day may be applied automatically.
Do not use existing SAST scans - Whenever you run a Checkmarx One scan with only the SCA scanner selected, a SAST scan will be triggered automatically in order to run the Exploitable Path queries.

--sca-last-sast-scan-time <integer> (Default: 1)

scan.config.sca.lastSastScanTime

In this section:

SCA Configuration Options

Notice

Warning

Search results