Skip to main content

Configuring the CxSAST Bamboo Plugin Global Settings

Once you installed the CxSAST Bamboo Plugin, you can define various default parameters, referred to as global settings that you may apply as defaults when configuring a scan.

To configure default (global) settings:

In the Navigation pane of the Atlassian Bamboo, scroll down to MANAGE APPS and select Checkmarx Plugin.
The Checkmarx Plugin Default Configuration dialog appears.
In the Checkmarx Plugin Default Configuration dialog, define the parameters listed in the table below. These parameters are the global settings once you complete and save the configuration.
Once you finished, click <Save>. The global settings are set. The Checkmarx Plugin Default Configuration dialog appears.

Parameter	Description
Checkmarx Server
Server URL	Enter the Checkmarx Server URL or IP address with or without port, for example http://<server-name>, https://<ip address>:port
Username	Enter a login username.
Password	Enter a login password.
Enable Proxy	Check to enable a project scan via a proxy server.
<Connect to Server>	Click <Connect to Server> and wait until the credentials are validated and the Success status is indicated.
Checkmarx Scan CxSAST
Folder Exclusion	Define a comma separated list of folders to exclude from the scan. Entries in this list are automatically converted to exclude wildcard patterns and appended to the full pattern list provided in the Include/Exclude Wildcard Patterns section.
Include / Exclude Wildcard Patterns	Define the include/exclude wildcard patterns as explained in the instructions under the field
Scan Timeout In Minutes	Define the scan timeout threshold.
Dependency Scan
Enable Dependency Scan	Check to enable packages from various dependency managers, such as NPM, Nugget, Python and others to being scanned. Notice NPM, Nuget and/or Python must be installed on every Bamboo worker and/or orchestrator instance running the job in order to use this option.
Include/Exclude Wildcard Patterns	Define the include/exclude wildcard patterns as explained in the instructions under the field. Notice Available only, if Enable Dependency Scan is checked.
Folder Exclusion	Define a comma separated list of folders to exclude from the scan. Entries in this list are automatically converted to exclude wildcard patterns and appended to the full pattern list provided in the Include/Exclude Wildcard Patterns section. Notice Available only, if Enable Dependency Scan is checked.
Use CxOSA Dependency Scanner	Select Use CxOSA Dependency Scanner to enable and configure CxOSA scans.
Use CxSCA Dependency Scanner	Select Use CxSCA Dependency Scanner to enable and configure CxSCA scans.
Checkmarx Scan CxOSA	These parameters show, if Use CxOSA Dependency Scanner has been selected.
OSA Archive Include Wildcard Patterns	Define the included wildcard patterns as explained in the instructions under the field.
Execute Dependency Managers 'Install Packages' Command before Scan	Check to enable packages from various dependency managers, such as NPM, Nugget, Go and others being scanned as part of the CxOSA scan. Notice NPM, Nuget and/or Python must be installed on every Bamboo worker and/or orchestrator instance running the job in order to use this option.
Checkmarx Scan CxSCA	These parameters show, if Use CxSCA Dependency Scanner has been selected.
CxSCA Web API URL	Enter the URL of the server that interacts with CxSCA using API calls, for example https://api-sca.company.com .
Access Control Server URL	Enter the URL of the server that hosts the Access Control portal used to access CxSCA, for example https://platform.company.com .
CxSCA Web App URL	Enter the URL of the web based application that serves as the CxSCA user interface, for example https://sca.company.com. Entering this URL generates a link to a page with CxSCA scan results. If this option is not entered, no such link is generated.
Account	Enter the CxSCA customer account.
CxSCA User	Enter the CxSCA user name.
CxSCA Password	Enter the CxSCA password.
<Connect to Server>	Click to connect to the CxSCA server.
Enable SCA Resolver	Enable the SCA resolver utility to perform dependency resolution. For additional information on this utility, refer to Checkmarx SCA Resolver.
SCA Resolver Path	When using the SCA Resolver utility, define the path to the SCA Resolver folder where ScaResolve.exe resides. Depending on your operating system, the path to ScaResolver is, for example, C:\Users\Installations\ScaResolver-win64 or /opt/ScaResolver-linux64. Note This option is available only if Enable SCA Resolver is checked. The plugin will automatically determine values for mandatory arguments to ScaResolver to perform Dependency Resolution and Exploitable Path. These arguments are: -s: Path to the source code -n: Project name -r: Path to the evidence file on the local host. This is the location where the evidence file must reside. The path can be a directory or an absolute path. If a directory is provided, result files are created inside a new sub directory to avoid overwrites in a parallel execution scenario. The plugin will also automatically determine the values for the following Exploitable Path parameters: --sast-result-path: The path where exploitable path results will be stored. --cxuser: SAST Server username --cxpassword: Password for SAST Server user name --cxserver: SAST server URL --cxprojectname: Name of the SAST project to be used to fetch exploitable path results --sast-result-path and and -r/ –resolver-result-path can be overridden. It can be either a directory or an absolute path. Dependency resolution output and exploitable path results will be saved in the .cxsca-results.json and .cxsca-sast-results.json files respectively. The SCA Resolver Additional Parameters” fields can supply any additional ScaResolver parameters other than the ones described above. For example, to change the log level of ScaResolver, the following value can be provided in this field: --log-level Debug The syntax of the ScaResolver parameter must be exactly what the ScaResolver tool expects. The SCA Resolver configuration settings can be defined globally and overridden at the Plan level.
Control Checkmarx Scan
Enable Synchronous Mode	If checked, the Checkmarx build step waits for a running Checkmarx scan to complete, then retrieves the scan results and optionally checks vulnerability thresholds. If cleared, the build step completes after submitting the scan job to the Checkmarx server.
Enable Projects Policy Enforcement	If checked, the build is marked as as failed or unstable, if the projects policy is violated. Policies are assigned to a project from within CxSAST. Notice Available only, if Enable Synchronous Mode is checked.
Enable CxSAST Vulnerability Thresholds	If checked, you may define thresholds for low, medium and high severity vulnerabilities above which the build is considered as failed. If cleared, no thresholds are defined. Notice Available only, if Enable Synchronous Mode is checked.
CxSAST Critical	Set the threshold for critical severity. Note Available only if Enable CxSAST Vulnerability Thresholds is checked and if CxSAST Server is 9.7 version and above.
CxSAST High	Set the threshold for high severity. Notice Available only, if Enable Synchronous Mode and Enable CxSAST Vulnerability Thresholdsare checked.
CxSAST Medium	Set the threshold for medium severity thresholds. Notice Available only, if Enable Synchronous Mode and Enable CxSAST Vulnerability Thresholdsare checked.
CxSAST Low	Set the threshold for low severity thresholds. Notice Available only, if Enable Synchronous Mode and Enable CxSAST Vulnerability Thresholdsare checked.
Enable Dependency Scan Vulnerability Thresholds	If checked, you may define thresholds for low, medium, and high severity vulnerabilities in addition to the defined dependencies. Crossing the defined thresholds causes the build to be considered failed. If cleared, no thresholds are defined.
Dependency scan critical severity vulnerabilities threshold	Set the threshold for Critical severity thresholds. Notice Available only if Enable Synchronous Mode and Enable Dependency Scan Vulnerability Thresholds are checked. Available only if CxSCA Dependency Scanner is enabled.
Dependency scan high severity vulnerabilities threshold	Set the threshold for high severity thresholds. Notice Available only, if Enable Synchronous Mode and Enable Dependency Scan Vulnerability Thresholdsare checked.
Dependency scan medium severity vulnerabilities threshold	Set the threshold for medium severity thresholds. Notice Available only, if Enable Synchronous Mode and Enable Dependency Scan Vulnerability Thresholdsare checked.
Dependency scan low severity vulnerabilities threshold	Set the threshold for low severity thresholds. Notice Available only, if Enable Synchronous Mode and Enable Dependency Scan Vulnerability Thresholdsare checked.
Deny new Checkmarx Projects Creation	If checked, no new projects are created in Checkmarx and existing projects cannot be assigned to a different team.
Hide Results	The security scan results are hidden from all jobs and build if checked.

In this section:

Was this helpful?

Would you like to provide feedback? Just click here to suggest edits.