Configuring Scans with Config-As-Code
This section explains how to configure a CLI scan from a configuration file kept in the source code (config-as-code).
Preparation
Make sure that your source code contains the file .checkmarx/cx.config.
Use the -configascode argument in the CLI command.
Note: To successfully apply -configascode, OverrideProjectSetting under the dbo.CxComponentConfiguration table in the CxSAST database server must be set to true.
Config-As-Code File Content
Sample of .checkmarx/cx.config
```yaml
project:
  fullPath: "CxServer/GIT_PROJECT"
  origin: "cx-cli"
sast:
  configuration: "Default Configuration"
  excludeFolders: "_cvs, .svn, .hg, .git, .bzr, bin, obj, backup, node_modules"
  includeExcludePattern: "!**/*.DS_Store, !**/*.ipr, !**/*.iws, !**/*.TEST_SOMETHING, !**/*.bak, !**/*.tmp, !**/*.aac, !**/*.aif, !**/*.iff, !**/*.m3u, !**/*.mid, !**/*.mp3, !**/*.mpa, !**/*.ra, !**/*.wav, !**/*.wma, !**/*.3g2, !**/*.3gp, !**/*.asf, !**/*.asx, !**/*.avi, !**/*.flv, !**/*.mov, !**/*.mp4, !**/*.mpg, !**/*.rm, !**/*.swf, !**/*.vob, !**/*.wmv, !**/*.bmp, !**/*.gif, !**/*.jpg, !**/*.png, !**/*.psd, !**/*.tif, !**/*.jar, !**/*.zip, !**/*.rar, !**/*.exe, !**/*.dll, !**/*.pdb, !**/*.7z, !**/*.gz, !**/*.tar.gz, !**/*.tar, !**/*.ahtm, !**/*.ahtml, !**/*.fhtml, !**/*.hdm, !**/*.hdml, !**/*.hsql, !**/*.ht, !**/*.hta, !**/*.htc, !**/*.htd, !**/*.htmls, !**/*.ihtml, !**/*.mht, !**/*.mhtm, !**/*.mhtml, !**/*.ssi, !**/*.stm, !**/*.stml, !**/*.ttml, !**/*.txn, !**/*.class, !**/*.iml, !**/Checkmarx/Reports/*.*"
  critical: 1
  high: 3
  medium: 1
  low: 2
  incremental: false
  preset: "Checkmarx Default"
  privateScan: false
  overrideprojectsettings: true
  enableSASTBranching: false
  masterBranchProjName: CLI-Integration-Tests-master
  avoidDuplicateProjectScans: true
sca:
  fileInclude: "*.dll"
  fileExclude: "!**/*.class,!**/plexus-utils-1.5.6.jar"
  pathExclude: "test*"
  critical: 1
  high: 3
  medium: 3
  low: 3
```
Config-As-Code Keys
| Key | Mandatory? | Description |
|---|---|---|
| fullPath | Mandatory | An existing or new project name with full path. If the project does not exist, it is created. Example: fullPath: "CxServer/GIT_PROJECT" |
| origin | Optional | Adds a specific origin in SAST. Example: origin: "cx-cli-M". Notice: If not specified, the default origin of the CLI plugin is used. |
| enableSASTBranching | Mandatory | Enable to support branching. By default it should be set to false. |
| sast: | | |
| configuration | Optional | Code language configuration. Example: configuration: "Default Configuration". Notice: If not specified, the configuration in the CLI command is used. |
| excludeFolders | Optional | Comma-separated list of folder name patterns to exclude from scans. For example, to exclude all folders whose names start with test and all folders whose names end with log: excludeFolders: "test*,*log". Notice: If not specified, the LocationPathExclude parameter in the CLI command is used. If this parameter is set, it is added to the default exclusions of the CLI configuration file (cx_console.properties). |
| includeExcludePattern | Optional | Comma-separated list of file name patterns to exclude from or include in the scan. For example, to exclude all .DS_Store files and include all .java files: "!**/*.DS_Store, **/*.java". Notice: If not specified, the includeexcludepattern parameter in the CLI command is used. If this parameter is set, it is added to the default exclusions of the CLI configuration file (cx_console.properties). |
| critical | Optional. Not supported in AsyncScan mode. Not supported in SAST versions prior to 9.7.0. | CxSAST critical severity vulnerability threshold. If the number of critical vulnerabilities exceeds the threshold, the scan ends with an error. Notice: If not specified, the SASTCritical parameter in the CLI command is used. |
| high | Optional. Not supported in AsyncScan mode | CxSAST high severity vulnerability threshold. If the number of high vulnerabilities exceeds the threshold, the scan ends with an error. Notice: If not specified, the SASTHigh parameter in the CLI command is used. |
| medium | Optional. Not supported in AsyncScan mode | CxSAST medium severity vulnerability threshold. If the number of medium vulnerabilities exceeds the threshold, the scan ends with an error. Notice: If not specified, the SASTMedium parameter in the CLI command is used. |
| low | Optional. Not supported in AsyncScan mode | CxSAST low severity vulnerability threshold. If the number of low vulnerabilities exceeds the threshold, the scan ends with an error. Notice: If not specified, the SASTLow parameter in the CLI command is used. |
| incremental | Optional | Run an incremental scan instead of a full scan: only files that are new or modified relative to the project's last scan are scanned. Notice: If not specified, the Incremental parameter in the CLI command is used. |
| preset | Optional | The scan preset. Example: preset: "Checkmarx Default" |
| privateScan | Optional | The scan is not visible to other users. Notice: If not specified, the private parameter in the CLI command is used. The default value is false. |
| overrideprojectsettings | Optional | Disabled (set to true) by default. Notice: The CLI plugin supports this functionality for CxSAST 9.3 and higher. To enable it, set the flag 'OverrideProjectSetting' under the dbo.CxComponentConfiguration table in the CxSAST database server to false. |
| masterBranchProjName | Optional | The existing project name that the master branch uses when a new branch is created. Applies only when enableSASTBranching is true, in which case this key is mandatory. |
| avoidDuplicateProjectScans | Optional | Enable to avoid a duplicate scan of the same project when another scan of it is already running. |
| copybranchtimeoutinseconds | Optional | Sets a timeout, in seconds, for copying branch projects. |
| sca: | | |
| fileInclude | Optional | Comma-separated list of file name patterns to include in the CxSCA scan; for example, "*.dll" includes only .dll files. Notice: If not specified, the ScaFilesInclude parameter in the CLI command is used. |
| fileExclude | Optional | Comma-separated list of file name patterns to exclude from the CxSCA scan. Exclude extensions by entering !**/*.<extension>, or exclude files by entering !**/<file>. Examples: "!**/*.class" excludes all files with the .class extension; "!**/plexus-utils-1.5.6.jar" excludes all files named plexus-utils-1.5.6.jar. Notice: If not specified, the ScaFilesExclude parameter in the CLI command is used. |
| pathExclude | Optional | Comma-separated list of folder path patterns to exclude from the CxSCA scan. For example, "test*" excludes all folders whose names start with test. Notice: If not specified, the ScaPathExclude parameter in the CLI command is used. |
| critical | Optional. Not supported in AsyncScan mode | CxSCA critical severity vulnerability threshold. If the number of critical vulnerabilities exceeds the threshold, the scan ends with an error. Notice: If not specified, the SCACritical parameter in the CLI command is used. |
| high | Optional. Not supported in AsyncScan mode | CxSCA high severity vulnerability threshold. If the number of high vulnerabilities exceeds the threshold, the scan ends with an error. Notice: If not specified, the ScaHigh parameter in the CLI command is used. |
| medium | Optional. Not supported in AsyncScan mode | CxSCA medium severity vulnerability threshold. If the number of medium vulnerabilities exceeds the threshold, the scan ends with an error. Notice: If not specified, the ScaMedium parameter in the CLI command is used. |
| low | Optional. Not supported in AsyncScan mode | CxSCA low severity vulnerability threshold. If the number of low vulnerabilities exceeds the threshold, the scan ends with an error. Notice: If not specified, the ScaLow parameter in the CLI command is used. |
| origin | Optional | Adds a specific origin in SAST. Example: origin: "cx-cli-M". Notice: If not specified, the default origin of the CLI plugin is used. |
| fullPath | Mandatory | An existing or new project name with full path. If the project does not exist, it is created. Example: fullPath: "CxServer\GIT_PROJECT" |
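As an added example, not part of the Checkmarx documentation or the CLI plugin, the following Python reads a cx.config in the two-level layout shown above and applies the rules from the table: the mandatory keys, the masterBranchProjName requirement when branching is enabled, and the severity thresholds at which a scan ends with an error. The sample config and the vulnerability counts are constructed, and the parser handles only the flat section/key layout of cx.config, not general YAML.

```python
# Added example (not Checkmarx code): parse the two-level cx.config layout shown
# on this page and apply its rules: mandatory keys, the branching dependency, and
# the severity thresholds that make a scan end with an error.
SAMPLE_CX_CONFIG = """
project:
  fullPath: "CxServer/GIT_PROJECT"
sast:
  critical: 1
  high: 3
  enableSASTBranching : true
sca:
  high: 3
"""  # constructed sample: branching is enabled but masterBranchProjName is missing

def parse_cx_config(text):
    """Parse 'section:' then indented 'key: value' lines; unquote and convert values."""
    config, section = {}, None
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        if line[0].isspace():
            v = value.strip().strip('"')
            config[section][key.strip()] = (v == "true" if v in ("true", "false")
                                            else int(v) if v.isdigit() else v)
        else:
            section = key.strip()
            config[section] = {}
    return config

def validate(config):
    """Check the mandatory-key rules from the table; return a list of problems."""
    problems, sast = [], config.get("sast", {})
    if not config.get("project", {}).get("fullPath"):
        problems.append("project.fullPath is mandatory")
    if "enableSASTBranching" not in sast:
        problems.append("sast.enableSASTBranching is mandatory")
    elif sast["enableSASTBranching"] and not sast.get("masterBranchProjName"):
        problems.append("masterBranchProjName is mandatory when branching is enabled")
    return problems

def threshold_failures(config, counts):
    """A scan ends with an error when a severity count exceeds its threshold."""
    failures = []
    for engine in ("sast", "sca"):
        for sev in ("critical", "high", "medium", "low"):
            limit = config.get(engine, {}).get(sev)
            found = counts.get(engine, {}).get(sev, 0)
            if type(limit) is int and found > limit:
                failures.append(f"{engine}.{sev}: {found} > {limit}")
    return failures
```

A count equal to the threshold passes; only a count above it fails, matching the "exceeds the threshold" wording in the table.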
Notice
- If config-as-code is invoked from the CLI command, the parameters in the config file override the CLI arguments.
- If the -configascode argument is passed on the CLI command but no cx.config file exists in the source code, an exception is returned.
- Config-as-code works with the following source location types:
  - public GIT
  - private GIT
  - shared
  - folder
- When string values include special characters, such as )(*_ !, the values must be enclosed in double quotes, for example: "!**/*.class"
- The CLI plugin supports Project Override Settings with CxSAST 9.3 and up. To enable this feature, set the flag 'OverrideProjectSetting' under the dbo.CxComponentConfiguration table in the CxSAST database server to false. The default value is true.
- When you run a scan from the CxConsole, "CLI" is displayed in the Scan Method column of the Scan History tab.