
Global Settings

Global Settings allow you to configure parameters at the tenant level. These parameters apply to all applications, projects, and scans in the tenant.

The tenant level sits at both ends of the configuration hierarchy, depending on what you are looking at: it is the top of the inheritance chain (a parameter defined here is inherited by every Project and scan), and it has the lowest precedence at scan time (a value set at the Project, Config as Code, or Scan level overrides it, where "Allow override" is enabled).

Open Account Settings

To open the tenant settings, in the main menu select Settings (Settings.png) > Global Settings.

The Account Settings page is displayed.

GeneralSettings.png

General Settings

General Settings screen contains the following configuration parameters:

  • Global SSH Key (optional) - If configured, this key is used to authenticate to third-party vendors (such as your code repositories) on behalf of every project in the tenant. Because one key is shared tenant-wide, use a dedicated, read-only key rather than an individual user's key.

  • Skip Submodules (optional) - Enable this option to skip repository submodules during project scans. It is disabled (false) by default, so submodules are scanned.

Note

  • Clicking the trash icon (Trash.png) clears the configuration field.

  • Selecting the Allow override checkbox (Allow_Override.png) allows the same parameter to be overridden at the Project configuration level.

  • By default, "Allow override" is selected for all the parameters in the Tenant settings.

Caution

The item below describes functionality that is being rolled out in waves. Contact your support agent to find out whether it is currently available in your environment.

  • The options in the Enable Source Code Management section determine whether the entire source code is deleted immediately after a scan completes, or whether only code snippets (a few lines before and after each vulnerable line of code) are retained.

    • Keep code snippets: When this option is selected, the system retains only the relevant code snippets (a few lines before and after the vulnerable line of code) after the scan completes. This allows easy reference to the source code related to each identified vulnerability.

    • Delete source code: When this option is selected, the entire source code is deleted immediately after the scan completes.

    Toggling on Enable Source Code Management and selecting either option has the following consequences:

    • The Incremental Scan option is disabled, meaning that all scans are full scans.

    • The Edit Queries option in the Project page's three-dot menu is greyed out, and WebAudit does not load.

    • When you click a vulnerability finding, the full source code behind it is not shown. Results are presented without the code associated with the findings.

Scanners Settings

Scanner settings are available for the SAST, IaC Security, API Security and SCA scanners.

Important

  • Each scanner has a different set of parameters.

  • It isn't possible to configure the same parameter twice.

  • Clicking the trash icon (Trash.png) clears the configuration field.

  • Selecting the Allow override checkbox (Allow_Override.png) allows the same parameter to be overridden at a more specific configuration level (Project, Config as Code, or Scan).

    For more information see Configuring Project Rules.

  • By default, "Allow override" is selected for all the parameters in the Tenant settings.

SAST Scanner Parameters

The parameters defined for the SAST scanner apply to all Projects that run SAST scans.

The table below presents the available parameters and their permitted values.

Parameter: PresetName

  • Values: Any of the SAST presets that exist in the system.

  • Notes:

    • For the full list of presets (including descriptions), see Predefined Presets.

    • The default preset is ASA Premium.

Parameter: Fast scan mode

  • Values: true / false

  • Notes:

    • By default, Fast Scan mode is false.

    • Incremental scans are not supported in Fast Scan mode. For more information, refer to Fast Scan Mode.

Parameter: Incremental

  • Values: true / false

  • Notes: Determines whether the scan is performed incrementally or as a full scan.

    • When set to true, SAST scans only the code changed since the last scan, significantly reducing scan time and resource usage.

    • When set to false, SAST performs a full scan. Full scans are more comprehensive but take longer to complete and use more resources.

    • Incremental scanning is forced off when Enable Source Code Management is turned on, and it is not supported together with Fast scan mode.

Parameter: Recommended exclusions

  • Values: true / false

  • Notes: Determines whether the system automatically excludes certain files and folders from the scan, similar to the predefined exclusion rules of SAST.

    • When set to true, SAST applies predefined exclusions, allowing developers to scan faster and focus on the most relevant code.

    • When set to false, SAST includes all files and directories in the scan.

Parameter: LanguageMode

  • Values: primary / multi

  • Notes:

    • By default, LanguageMode is multi.

    • For more information, see Specifying a Code Language for Scanning and Supported Code Languages and Frameworks.

Parameter: Folder/file filter

  • Values: Comma-separated glob patterns (see Filtering Options).

  • Notes: Lets users select specific folders or files to include in, or exclude from, the scan.

    • Including a file type - *.java

    • Excluding a file type - !*.java

    • Use "," to chain patterns, for example: *.java,*.js

    • The parameter also supports including/excluding folders.

    • Regular expressions are not supported.

Parameter: EngineVerbose

  • Values: true / false

  • Notes:

    • true = Enables PRINT_DEBUG mode.

    • false = Enables PRINT_LOG mode.

ASA Premium Preset

ASA Premium Preset is part of the SAST collection of presets.

This preset is available only for Checkmarx One. Its usage is described below.

Preset: ASA Premium

  • Usage: The ASA Premium preset contains a subset of vulnerabilities that the Checkmarx AppSec Accelerator team considers to be the starting point of a Checkmarx AppSec program. The preset might change in future versions: the AppSec Accelerator team continuously removes old/deprecated queries and includes new and improved ones.

  • Includes vulnerability queries for: Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript.

Preset: ASA Premium Mobile

  • Usage: The ASA Premium Mobile preset is a dedicated preset designed for mobile apps. It contains a subset of vulnerabilities that the Checkmarx AppSec Accelerator team considers to be the starting point of a Checkmarx AppSec program. The preset might change in future versions: the AppSec Accelerator team continuously removes old/deprecated queries and includes new and improved ones.

  • Includes vulnerability queries for: Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript.

Fast Scan Mode

Fast Scan mode is a SAST scan mode designed to balance thorough security testing with the need for quick, actionable results, so that you do not have to choose between speed and security. It is offered alongside the Base Preset.

Fast Scan mode decreases project scanning time by up to 90%, making it faster to identify relevant vulnerabilities and enabling continuous deployment while security standards are still enforced. This helps developers tackle the most relevant vulnerabilities first.

While Fast Scan mode identifies the most significant and relevant vulnerabilities, the In-Depth scan mode offers deeper coverage. For the most critical projects with a zero-vulnerability policy, it is advised to also use the In-Depth scan mode.

Warning

To expedite results retrieval, the scanning process in this mode is optimized to reduce the number of stages and flows involved in the scan. As a result, the queries related to Fusion are not executed and produce no results in Fast Scan mode.

You may also notice an impact on the API Security scanner results.

Incremental scans aren't supported in Fast Scan mode.

IaC Security Scanner Parameters

The parameters defined for the IaC Security scanner apply to all Projects running IaC Security scans.

The table below presents the available parameters and their permitted values.

Parameter: Folder/file filter

  • Values: Comma-separated glob patterns (see Filtering Options).

  • Notes: Lets users select specific folders or files to include in, or exclude from, the scan.

    • Including a file type - *.java

    • Excluding a file type - !*.java

    • Use "," to chain patterns, for example: *.java,*.js

    • The parameter also supports including/excluding folders.

    • Regular expressions are not supported.

Parameter: platforms

  • Values: One or more of the following, separated by a comma:

    • Ansible

    • AzureResourceManager

    • Buildah

    • CICD

    • CloudFormation

    • Crossplane

    • DockerCompose

    • Dockerfile

    • GoogleDeploymentManager

    • GRPC

    • Knative

    • Kubernetes

    • OpenAPI

    • Pulumi

    • ServerlessFW

    • Terraform

  • Notes: Setting this parameter means that only the scans (queries) for the listed platforms run.

    For example: Ansible, CloudFormation, Dockerfile

    Warning

    Platform names must be spelled exactly as listed above; any mistake in a platform name causes an error.

SCA Scanner Parameters

The parameters defined for the SCA scanner apply to all Projects that run SCA scans.

The table below presents the available parameters and their permitted values.

Parameter: Folder/file filter

  • Values: Comma-separated glob patterns (see Filtering Options).

  • Notes: Lets users select specific folders or files to include in, or exclude from, the scan.

    • Including a file type - *.java

    • Excluding a file type - !*.java

    • Use "," to chain patterns, for example: *.java,*.js

    • The parameter also supports including/excluding folders.

    • Regular expressions are not supported.

Parameter: Exploitable Path

  • Values: Toggle On/Off

  • Notes: When Exploitable Path is activated, scans that use the SCA scanner identify whether there is an exploitable path from your source code to the vulnerable third-party package. Learn more about Exploitable Path.

Parameter: Exploitable Path Configuration

  • Values: Radio button selection

  • Notes: The Exploitable Path feature uses queries in the SAST scan of your project to identify exploitable paths to vulnerable third-party packages, so a SAST scan must always run on the project in order to get Exploitable Path results.

    Whenever you run a Checkmarx One scan with both the SAST and SCA scanners selected, Exploitable Path uses the results of the current SAST scan. When you run a scan with only the SCA scanner selected, Checkmarx One can either use results from a previous SAST scan or initiate a new SAST scan (using default settings) that runs the Exploitable Path queries. Select one of the following configurations:

    • Use SAST scans for past _ day/s - Specify the number of days for which results from a historic SAST scan are used for Exploitable Path. If no SAST scan ran within the specified period, a new scan is triggered.

      Warning

      Not fully supported in all environments. The default value of one day may be applied automatically.

    • Do not use existing SAST scans - Whenever you run a Checkmarx One scan with only the SCA scanner selected, a SAST scan is triggered automatically in order to run the Exploitable Path queries.

API Security Scanner Parameters

The parameters defined for the API Security scanner apply to all Projects that run API Security scans.

The table below presents the available parameters and their permitted values.

Parameter: Swagger folder/file filter

  • Values: Swagger folder path, or any folder/file pattern (see Filtering Options).

  • Notes: Lets users select specific folders or files to include in, or exclude from, the scan.

    • Including a file type - *.java

    • Excluding a file type - !*.java

    • Use "," to chain patterns, for example: *.java,*.js

    • The parameter also supports including/excluding folders.

    • Regular expressions are not supported.

Filtering Options

Folder/file filter values for all scanners are glob patterns, not regular expressions.

For more information see Glob Tool.

For instance:

  • Exclude all java files: !**/*.java

  • Exclude all files inside a folder Test: !**/Test/**

  • Exclude all files under root folder Test: !Test/**

  • Exclude just the files inside a folder leaving all subfolders content: !**/Test/*

  • Exclude all JavaScript minified files: !**/*.min.js

Note

The rules follow the same logic at tenant & project level.
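It is worth checking a filter value before applying it tenant-wide, because a wrong pattern silently drops code from every project's scan. The following Python script is an added example written for this page, not Checkmarx documentation or product code: it translates the filter syntax described above (comma-chained globs, a leading ! for exclusion, *, ? and **) into regular expressions and evaluates sample paths against it. Its semantics are an assumption about how such a filter is applied: a path is scanned when it matches at least one include pattern (or when no include patterns are given) and matches no exclude pattern, and * does not cross a directory separator, which is why the examples above use **/ to reach into subfolders. The sample repository listing is constructed for the example.

```python
import re

# Added example; not Checkmarx code. Assumed semantics: include patterns select,
# "!"-prefixed exclude patterns remove, and a path with no include patterns at
# all is included by default. '*' and '?' never cross '/'; '**' does.


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one glob pattern into an anchored, compiled regex."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):      # any number of directories, incl. none
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):     # rest of the path, across directories
            out.append(".*")
            i += 2
        elif pattern[i] == "*":               # within one path segment only
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_filter(value: str):
    """Split a comma-chained filter value into (includes, excludes) regex lists."""
    includes, excludes = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("!"):
            excludes.append(glob_to_regex(entry[1:]))
        else:
            includes.append(glob_to_regex(entry))
    return includes, excludes


def is_scanned(path: str, value: str) -> bool:
    """True if `path` (repo-relative, '/' separated) would be sent to the scanner."""
    includes, excludes = parse_filter(value)
    path = path.lstrip("/")
    if includes and not any(r.match(path) for r in includes):
        return False
    return not any(r.match(path) for r in excludes)


def apply_filter(paths, value: str):
    """Return the subset of `paths` that the filter keeps, in input order."""
    return [p for p in paths if is_scanned(p, value)]


if __name__ == "__main__":
    # Constructed sample repository listing.
    sample = [
        "Main.java", "src/Main.java", "src/app.js", "src/Test/a.java",
        "src/Test/sub/b.java", "Test/c.java", "dist/app.min.js", "dist/app.js",
    ]
    for value in ["!**/*.java", "!**/Test/**", "!Test/**", "!**/Test/*",
                  "!**/*.min.js", "**/*.java,**/*.js,!**/Test/**"]:
        print(f"{value:32} -> {apply_filter(sample, value)}")
```

Run it to see which constructed paths survive each filter; note in particular the difference between !**/Test/** (the folder and everything beneath it) and !**/Test/* (only the files directly inside the folder), and that a bare *.java matches only files at the repository root under these semantics.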

Removing Parameters

Scanner parameter configuration is hierarchical.

For defining and inheriting parameters, the system treats the Tenant level as the top of the hierarchy, followed by the Project level, Config as Code, and the Scan level. Parameters are inherited from one level to the next, starting from the Tenant level.

A parameter can be removed from a lower configuration level only by deleting its configuration at the higher level. Once it is deleted there, the parameter is no longer presented at the lower level.

If a user edits a parameter at a lower configuration level, a trash icon (Trash.png) appears at the right. The parameter cannot actually be deleted there, because it is inherited from the higher level; the icon is displayed to emphasize that the configuration exists at the Tenant level with a given value.

If you click the icon, the parameter may appear to be deleted, but it is not. When you leave the page and return, the parameter is presented again.

Note

When a scan runs, precedence is the reverse of the inheritance order: the system treats the Scan level as the highest-priority configuration, followed by Config as Code, the Project level, and finally the Tenant level.
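The inheritance and precedence rules in this section, as an added example written for this page and not Checkmarx code: a small Python model in which each level stores parameters as name -> (value, allow override). The level names, the Setting class and the resolve/remove helpers are the example's own assumptions; the product exposes no such API. It shows a tenant value that flows down unchanged, a Project value that overrides it where override is allowed, a tenant value with "Allow override" cleared that pins the scan-time result, and the rule that an inherited parameter can only be removed at the level that defines it. The configuration values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

# Added example; hypothetical model, not the Checkmarx One API.
# Levels are listed from most general to most specific. Inheritance walks this
# list forwards; scan-time precedence is the same walk, so the last level that
# is allowed to set a value wins.
LEVELS = ["tenant", "project", "config_as_code", "scan"]


@dataclass
class Setting:
    value: Any
    allow_override: bool = True  # page: "Allow override" is on by default


Levels = Dict[str, Dict[str, Setting]]


def resolve(param: str, levels: Levels) -> Tuple[Optional[Any], Optional[str]]:
    """Return (effective value, level that supplied it) for one parameter.

    Walks tenant -> scan. Each level that sets the parameter replaces the
    running value, unless a more general level has allow_override=False,
    in which case that level's value is final.
    """
    value, source = None, None
    for name in LEVELS:
        setting = levels.get(name, {}).get(param)
        if setting is None:
            continue
        value, source = setting.value, name
        if not setting.allow_override:
            break
    return value, source


def effective_config(levels: Levels) -> Dict[str, Tuple[Optional[Any], Optional[str]]]:
    """Resolve every parameter that appears at any level."""
    names = sorted({p for level in levels.values() for p in level})
    return {p: resolve(p, levels) for p in names}


def remove(param: str, levels: Levels, level: str) -> bool:
    """Delete `param` at `level`; return False (and change nothing) if blocked.

    Mirrors the page: a parameter inherited from a more general level cannot
    be deleted at a more specific one (the trash icon only appears to work);
    deleting it where it is defined also removes it from every level below.
    """
    idx = LEVELS.index(level)
    if any(param in levels.get(above, {}) for above in LEVELS[:idx]):
        return False
    for name in LEVELS[idx:]:
        levels.get(name, {}).pop(param, None)
    return True


def sample_levels() -> Levels:
    """Constructed configuration used by the demo below."""
    return {
        "tenant": {
            "PresetName": Setting("ASA Premium"),                 # inherited, overridable
            "Incremental": Setting(False, allow_override=False),  # pinned tenant-wide
            "EngineVerbose": Setting(False),
        },
        "project": {
            "PresetName": Setting("ASA Premium Mobile"),
            "Incremental": Setting(True),                         # ignored: override blocked
        },
        "scan": {
            "EngineVerbose": Setting(True),
        },
    }


if __name__ == "__main__":
    cfg = sample_levels()
    for param, (value, source) in effective_config(cfg).items():
        print(f"{param:14} = {value!r:22} (from {source})")
    print("delete at project:", remove("PresetName", cfg, "project"))  # blocked
    print("delete at tenant: ", remove("PresetName", cfg, "tenant"))   # cascades
    print("after tenant delete:", resolve("PresetName", cfg))
```

The pinned Incremental value is the case to keep in mind when a tenant-wide policy (for example, forcing full scans) must not be weakened by a Project or scan-level setting: clearing "Allow override" at the tenant level is what enforces it.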

Code Repository Settings

The Code Repository settings screen enables you to adjust the settings for your code repository integrations. The screen has two sections, Self-Hosted Code Repositories and Organization Settings.

Code_Repository_Settings.png

Self-Hosted Code Repositories

This section shows a list of the self-hosted code repository integrations in your Checkmarx One account. You can edit the configuration of self-hosted code repository instances and you can delete existing instances.

Note

Only users with update-tenant-params permission can edit and delete repo configurations.

To edit a self-hosted configuration:

Notice

If there are existing Checkmarx One Projects associated with this configuration, a warning note explains that changing the configuration will affect those Projects. You can click on the View projects link to view the list of associated Projects.

  1. Hover over the actions menu (More_Options.png) at the end of the row of the desired configuration and select Edit.

    A side panel opens showing the current configuration.

    Image_1067.png
  2. Adjust the values as needed.

  3. Click Save.

    The new configuration is applied.

To delete a self-hosted configuration:

Warning

You can only delete a configuration if no projects are associated with it. If there are associated projects, you need to first delete the projects and then delete the configuration. You can access the list of associated projects by hovering on the info icon and then clicking on show projects.

  1. Hover over the actions menu (More_Options.png) at the end of the row of the desired configuration and select Delete.

  2. In the confirmation dialog, click Delete Configuration.

Organization Settings

This section shows a list of all the cloud-hosted organizations that have been imported from platforms that support the Monitor New Repositories feature. You can enable/disable the Monitor New Repositories feature for each organization. For additional information about this feature see Monitor New Repositories.

You can ensure that all integration Projects are aligned with the code repos by clicking on Refresh organization data.

To enable/disable Monitor New Repositories:

  1. Adjust the toggle for each organization as desired.

    Image_1074b.png


  2. Click Save.

Plugins Settings

The following IDE plugin features need to be activated at the tenant level in order for individual developers to use them in their IDEs. Activation can be done by a Checkmarx One admin user via Settings > Global Settings > Plugins.

Configuring Plugin Settings

To change the Plugin settings:

  1. Log in to Checkmarx One as an admin user.

  2. Click on the Settings Settings.png > Global Settings

  3. Click on Plugins.

  4. Enable/disable IDE features as needed.

    The setting is applied to all IDEs using this tenant account.

  5. Click Save at the bottom of the page.

    Plugins_Settings.png

IDE Scans

When this feature is activated Checkmarx IDE plugins enable users to run a new Checkmarx One scan on the project that is open in their workspace.

In order to run IDE scans, you must first create a Checkmarx One project and run its initial scan using some other method (for example, the web portal, API or CLI), then load the scan results in your IDE plugin (for example, the Visual Studio console). After that, you can run subsequent scans on that project from the IDE.

Warning

Before enabling this feature, consider the ramifications: the number of concurrent scans you can run is limited by your license, so enabling IDE scans may push scans triggered by CI/CD pipelines and SCM integrations into the scan queue and delay them significantly.

AI Guided Remediation

When this feature is activated, developers can access AI Guided Remediation in their IDE editor (currently supported for VS Code).

AI Guided Remediation harnesses the power of AI to help you to understand the vulnerabilities in your code, and resolve them quickly and easily. When you initiate an AI chat, we automatically provide the context to GPT so that you can start a conversation about the precise vulnerability instance that you are assessing.

Notice

When sending your IaC files to GPT, we protect your sensitive data by anonymizing all passwords and secrets before the content is sent. The query used for identifying sensitive data can be seen here.