Skip to main content

Jenkins Plugin Overview


The Jenkins plugin for CxSAST is installed in the Jenkins build environment and provides the following:

  • Automatic code scan upon triggered builds, uploading the project's code to CxSAST directly from Jenkins.

  • Ability to run Open Source Analysis (CxOSA) from within Jenkins (v8.1.0 and up) and independently from CxSAST (v8.8.0 and up)

  • Interface for viewing scan results summary and trends in the Jenkins environment.

  • Direct links from within Jenkins to detailed CxSAST scan results and reports.

  • Jenkins APIs can be utilized for addition functionality.

  • Supports Jenkins Pipeline (v8.4.2 and up).

After setting up the plugin, you can configure any Jenkins job with a build step action to activate a CxSAST scan. When a Job scan (build) is activated, Jenkins sends the job's source code to CxSAST, where it is scanned according to the parameters specified in the build step action. The scan results are stored in the CxSAST project specified in the action, and displayed in the Jenkins job.

Open Source Analysis (CxOSA) can be run in cases where open source components are used as part of the development effort. When an CxOSA (build) is activated, Jenkins sends the open source fingerprint (SHA-1 hash plus file extension) to the CxOSA service (up to v8.6.0). Using this fingerprint, the CxOSA service maps the open source libraries, identifies the vulnerabilities, analysis's license risk and compliance, builds the inventory and detects outdated libraries. A comprehensive report can be generated using the CxSAST Web Interface.


Using this plugin, CxSCA can be integrated into development tools, so that open source packages can be automatically scanned during the development process. For example, the Checkmarx Plugin for Jenkins enables CxSCA to be configured as part of the build step, so that if vulnerabilities are discovered the build process can be terminated.

The Checkmarx Jenkins Plugin provides software composition analysis (SCA) based only on the manifest files and fingerprints. This analysis usually involves compressing and sending only the manifest files, configuration files, file names, and fingerprint data to the CxSCA cloud. The source code is not sent to the cloud.

If a CxSCA agent is deployed, the Jenkins plugin-based pipeline can be configured to include source code in a compressed file shared to the CxSCA Agent.

For additional information on


You are unable to start using CxSCA unless the CLOUD SERVICES AGREEMENT has been viewed and accepted.


Jenkins uses a core library with better compatibility and increased result accuracy. A new capability extracts dependencies resolving manifest files in customer side:

  • (CxOSA v8.9.0 and up): Support scanning of Python requirements.xml file

  • (CxOSA v8.9.0 and up): Support scanning of NuGet .nuspec file

  • (CxOSA v8.7.0 and up): Support scanning of the NPM package.json

  • (CxOSA v8.7.0 and up): Support scanning of Maven pom.xml files

For all Maven and NPM configuration files, Cx Manager downloads the necessary packages, calculate metadata, and submitting them to Cloud engine. Repositories must be accessible to the manager. For requirements prior to installing the plugin and scanning, refer to the Prerequisites section under Installing and Configuring the Jenkins Plugin.


You are unable to start using CxOSA unless the end user license agreement (EULA) has been viewed and accepted.