
passiveScan-config

The passive scanner runs against all requests and responses that are generated by the engine or are proxied through it. If you want to change the passive scan configuration, you should typically do so before running any other jobs. However, you can run this job later, or multiple times, if you want different jobs to use different passive scan configurations.

The job saves the current passive scan configuration when a plan starts and resets it when the plan ends. This is primarily to ensure the scanOnlyInScope setting is not changed - the default is 'true' for the job but 'false' in the GUI.

Note that if you set disableAllRules to true then the rules will stay disabled when the plan has finished. Automatically re-enabling them when the plan finishes could result in the rules becoming enabled while the passive scan queue is still being processed, for example, if the passiveScan-wait job is not used, or if it is used but with the maxDuration option set.

In versions up to and including 0.16.0, running this job with the default settings would change scanOnlyInScope to 'true' in the GUI. This has proved confusing, as many users use the GUI without setting a scope - when scanOnlyInScope is set to 'true' and no scope is defined, no passive scan alerts are raised.

Job structure

- type: passiveScan-config
  name: "passiveScan-config"
  parameters:
    scanOnlyInScope: true
    enableTags: false
  rules: []

Possible parameters

Glossary
disableAllRules: <Bool> (Default - false)

If true then will disable all rules before applying the settings in the rules section.

enableTags: <Bool> (Default - false)

Enable passive scan tags - enabling them can impact performance.

id: <int>

The rule id.

maxAlertsPerRule: <int> (Default - 10)

Maximum number of alerts to raise per rule.

maxBodySizeInBytesToScan: <int> (Default - 0 - will scan all messages)

Maximum body size to scan.

name: <string>

The name of the rule for documentation purposes - this is not required or actually used.

rules:

A list of one or more passive scan rules and associated settings which override the defaults.

scanOnlyInScope: <Bool> (Default - true)

Only scan URLs in scope.

threshold: <string> (Default - Medium)

The Alert Threshold for this rule (Off, Low, Medium, High).

| Name | Description | Type / Default |
| --- | --- | --- |
| maxAlertsPerRule: | Maximum number of alerts to raise per rule. Note: maxAlertsPerRule is an approximate limit and not a hard limit | Int, default: 10 |
| scanOnlyInScope: | Only scan URLs in scope | Bool, default: true |
| maxBodySizeInBytesToScan: | Maximum body size to scan | Int, default: 0 - will scan all messages |
| enableTags: | Enable passive scan tags, default: false - enabling them can impact performance | Bool, default: false |
| disableAllRules: | If true then will disable all rules before applying the settings in the rules section | Bool, default: false |
| rules: | A list of one or more passive scan rules and associated settings which override the defaults | |
| id: | The rule id | Int |
| name: | The name of the rule for documentation purposes - this is not required or actually used | String |
| threshold: | The Alert Threshold for this rule | String, default: medium; one of Off, Low, Medium, High |
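
A fuller plan fragment showing how the settings described on this page interact, added here as an example and not taken from the ZAP documentation. The context name, target URL, the spider job and the three rule ids are assumptions chosen for illustration; check the ids against the passive rules installed in your ZAP instance.

```yaml
# Added example plan fragment (not from the ZAP documentation).
env:
  contexts:
    - name: "example-context"            # placeholder context name
      urls:
        - "https://www.example.com"      # placeholder target; this defines the scope

jobs:
  # Configure passive scanning before any job that generates traffic.
  - type: passiveScan-config
    name: "passiveScan-config"
    parameters:
      scanOnlyInScope: true              # job default; with no scope defined,
                                         # no passive scan alerts would be raised
      enableTags: false                  # enabling tags can impact performance
      maxAlertsPerRule: 10               # approximate limit, not a hard limit
      maxBodySizeInBytesToScan: 0        # 0 - will scan all messages
      disableAllRules: true              # applied before the rules section below;
                                         # rules stay disabled after the plan ends
    rules:
      # Only the rules listed here are active for this plan.
      - id: 10020                        # assumed rule id, verify locally
        name: "Anti-clickjacking Header" # documentation only, not used by the job
        threshold: Medium
      - id: 10035                        # assumed rule id, verify locally
        name: "Strict-Transport-Security Header"
        threshold: Low
      - id: 10038                        # assumed rule id, verify locally
        name: "Content Security Policy (CSP) Header Not Set"
        threshold: High

  # Assumed traffic-generating job; any job that produces requests works here.
  - type: spider
    parameters:
      context: "example-context"

  # Wait for the passive scan queue to be processed. maxDuration is left
  # unset so the wait is not cut short while messages are still queued.
  - type: passiveScan-wait
```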