Skip to main content

Configuring Projects Using Config as Code Files

Config as Code feature is designed to provide a third level of configuration for scanning the following:

Config as Code parameters are higher than the same parameter’s configuration via Configuring Project Rules

This means that the Parameters will apply only to the specific Repository or zip Scan in the Project.

Limitations

  • The parameters that can be configured in the Config as Code .yml configuration file are the exact set of parameters we have for the other levels - see Configuring Scanner Default Settings & Configuring Project Rules

  • "Allow override" is selected by default for all the Parameters in all the configuration levels.

  • In case that Allow Override isn’t configured for a specific parameter in the Configuring Project Rules, there won’t be any meaning for the same parameter in the Config as Code .yml configuration file.

  • It isn’t possible to configure the same parameter twice (in any configuration level).

  • Each scanner has a different set of Parameters.

Repository Scans

  1. Create a .checkmarx folder in the relevant Repository.

  2. Inside the .checkmarx folder, create a config.yml file using the below template.

  3. Configure each scanner’s Parameters according to the Scanners Parameters Configuration Options tables below.

  4. Save the file.

ZIP files Scans

  1. Create a zip file.

  2. Create a .checkmarx folder.

  3. Inside the .checkmarx folder, create a config.yml file using the below template.

  4. Configure each scanner’s Parameters according to the Scanners Parameters Configuration Option tables below.

  5. Save the file.

  6. Put the .checkmarx folder inside the zip file main folder. Otherwise the feature will not work.

Creating ZIP files from Repositories

  1. Download a Repository as a zip - The Repository can’t contain a .checkmarx folder inside.

  2. Use the ZIP files Scans procedure to proceed.

config.yml Template

version: 1

# checkmarx-specific related configuration
# every value in this section is optional 
checkmarx: 
  # configure the checkmarx scan parameters for scanning this specific project
  scan:
    # configure the checkmarx scan configurations for scanning this specific project
    configs:
      # configure the SAST related configurations this specific project
      sast:
        # configure the SAST preset name used for this specific project
        presetName: 'ASA Premium' 
        fastScanMode: 'false'
        # configure if this specific project will be run incrementally or will it run a full scan
        incremental: 'false'
        languageMode: 'multi'
        filter: '!*.java,!*.cpp'
        engineVerbose: 'true'
      sca:
        filter: '!*.cpp'
        exploitablePath: 'true'
        lastSastScanTime: '10'
      kics:
        filter: '*.java'
        platforms: 'Ansible,CloudFormation,Dockerfile'
      apisec:
        swaggerFilter: ''

Scanners Parameters Configuration Options

SAST Scanner Parameters

The table below presents all the optional parameters for the SAST scanner, and their optional values.

Notice

There is an additional configuration option for filtering which compliance results to show. This can currently only be configured via REST API, see API documentation.

Parameter

Values

Notes

presetName

All the available SAST Presets that exist in the system

  • For the full Presets list (including descriptions) go to the following link:

    Predefined Presets

  • The default preset that is used is ASA Premium

fastScanMode

true / false

By default, the Fast Scan mode is false.

For more information, refer to Fast Scan Mode

incremental

true / false

Determines whether the scan should be performed incrementally or as a full scan.

  • When set to true, SAST will only scan the code changes made since the last scan, significantly reducing the scan time and resource usage.

  • When set to false, SAST will perform a full scan. Full scans are more comprehensive but take longer to complete and use more resources.

recommendedExclusions

true / false

Determines whether the system should automatically exclude certain files and folders from the scan. This is similar to the predefined rules of SAST.

  • When set to true, SAST applies predefined exclusions, allowing developers to scan faster and focus on the most relevant code areas.

  • When set to false, SAST will include all files and directories in the scan.

languageMode

primary / multi

For more information see:

Specifying a Code Language for Scanning

Supported Code Languages and Frameworks:

Note

By default, the languageMode is Multi.

folder/filter

Allow users to select specific folders or files to include or exclude from the code scanning process.

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types

    for example: *.java,*.js

  • The parameter also supports including/excluding folders.

  • regex is not supported.

engineVerbose

true / false

  • true = Enables PRINT_DEBUG mode.

  • false = Enables PRINT_LOG mode.

ASA Premium Preset

ASA Premium Preset is a part of the SAST collection of presets.

This Preset is available only for Checkmarx One. Its usage is described in the table below.

Preset

Usage

Includes vulnerability queries for....

ASA Premium

The ASA Premium preset contains a subset of vulnerabilities that Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program.

The preset might change in future versions. The AppSec Accelerator team will remove old/deprecated queries or include new and improved queries in a continuously manner.

Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript coding languages.

ASA Premium Mobile

The ASA Premium Mobile preset is a dedicated preset designed for mobile apps.

The ASA Premium Mobile preset contains a subset of vulnerabilities that Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program.

The preset might change in future versions. The AppSec Accelerator team will remove old/deprecated queries or include new and improved queries in a continuously manner.

Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript coding languages.

Fast Scan Mode

The new SAST scanner aims to find the perfect balance between thorough security tests and the need for quick and actionable results. There’s no need to choose between speed and security. Alongside the Base Preset, we are thrilled to announce a new scan mode designed to speed up the scan: Fast Scan mode.

Fast Scan mode decreases the scanning time of projects up to 90%, making it faster to identify relevant vulnerabilities and enable continuous deployment while ensuring that security standards are followed. This will help developers tackle the most relevant vulnerabilities.

While the Fast Scan mode identifies the most significant and relevant vulnerabilities, the In-Depth scan mode offers deeper coverage. For the most critical projects with a zero-vulnerability policy, it is advised also to use our In-Depth scan mode

Warning

To expedite the results retrieval, the scanning process has been optimized to reduce the number of stages and flows involved in the scan. With this enhancement, the queries related to Fusion are not executed and results won’t be generated when utilizing this new mode.

You may also notice impact on the API Security scanner results.

Incremental scans aren't supported in fast scan mode.

IaC Security Scanner Parameters

The parameters that will be defined for the IaC Security scanner will be applied to all the Projects running IaC Security scans.

The table below presents all the optional parameters and their optional values.

Parameter

Values

Notes

Folder/file filter

Allow users to select specific folders or files to include or exclude from the code-scanning process.

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types.

    for example: *.java,*.js

  • The parameter also supports including/excluding folders.

  • regex is not supported.

platforms

  • Ansible 

  • AzureResourceManager

  • Buildah

  • CICD

  • CloudFormation

  • Crossplane 

  • DockerCompose

  • Dockerfile

  • GoogleDeploymentManager

  • GRPC

  • Knative

  • Kubernetes

  • OpenAPI

  • Pulumi

  • ServerlessFW

  • Terraform

Notice

Configure one or more platforms, separated by a comma.

The parameter means that you only want to run scans (queries) for those platforms.

For example: Ansible, CloudFormation, Dockerfile

Warning

Any mistake in the platform characters will cause an error.

SCA Scanner Parameters

The parameters that will be defined for the SCA scanner will be applied for all the Projects that will run SCA scans.

The table below presents all the optional parameters, and their optional values.

Parameter

Values

Notes

Folder/file filter

Allow users to select specific folders or files that they want to include or exclude from the code scanning process.

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types.

    for example: *.java,*.js

  • The parameter also supports including/excluding folders.

  • regex is not supported.

Exploitable Path

Toggle On/Off

When Exploitable Path is activated, scans that use the SCA scanner will identify whether or not there is an exploitable path from your source code to the vulnerable 3rd party package.

Learn more about Exploitable Path.

Exploitable Path Configuration

Radio button selection

The Exploitable Path feature uses queries in the SAST scan of your project to identify exploitable paths to vulnerable 3rd party packages. Therefore, it is always necessary to run a SAST scan on the project in order to get results for Exploitable Path.

Whenever you run a Checkmarx One scan with both the SAST and SCA scanners selected, Exploitable Path uses the results of the current SAST scan for analysis. When you run a Checkmarx One scan with only the SCA scanner selected, Checkmarx One can either use results from a previous SAST scan or it can initiate a new SAST scan (using default settings) that runs the Exploitable Path queries. Select one of the following configurations:

  • Use SAST scans for past _ day/s - specify the number of days for which results from a historic SAST scan will be used for Exploitable Path. If no scan was run within the specified period, then a new scan will be triggered.

    Warning

    Not fully supported in all environments. The default value of one day may be applied automatically.

  • Do not use existing SAST scans - Whenever you run a Checkmarx One scan with only the SCA scanner selected, a SAST scan will be triggered automatically in order to run the Exploitable Path queries.

API Security Scanner Parameters

The parameters that will be defined for the API Security scanner will be applied for all the Projects that will run API Security scans.

The table below presents the optional parameters, and their optional values.

Parameter

Values

Notes

Swagger folder/file filter

Swagger folder path or any folder/file type.

Allow users to select specific folders or files that they want to include or exclude from the code scanning process.

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types.

    For example: *.java,*.js

  • The parameter also supports including/excluding folders.

  • regex is not supported.

In this section: