
CLI Plugin - Changelog

The following table lists the features and changes that have been implemented for the plugin with the relevant version release.

Version | Release Date | Improvements | Bug Fixes

2.3.7

Dec 17, 2024

  • Fixed issue that when scanning an existing project, the --application-name flag was overriding the associated applications. Now, that flag is ignored for existing projects.

  • Fixed issue when running a scan with --resubmit flag on a project that hadn't been scanned previously. Now, in that situation the scan will use the default configuration.

2.3.6

Dec 04, 2024

  • Added support for pull request decoration, using the utils pr command, for Bitbucket (both cloud and self-hosted). For more info, see here.

  • Fixed issue that when running SCA Resolver via CLI, the temporary files weren't being deleted at the end of the process.

  • Fixed issue that new ASCA scanner wasn't running for some licensed users.

2.3.5

Nov 19, 2024

  • Added support for pull request decoration, using the utils pr command, for Azure DevOps (both cloud and self-hosted) as well as for GitHub and GitLab self-hosted (in addition to existing support for GitHub and GitLab cloud). For more info, see here.

2.3.4

Nov 13, 2024

  • Added support for the new Software Supply Chain Security (SCS) module, which enables running Secret Detection and Repository Health scans on your projects. For more info, see Software Supply Chain Security.

    Tip

    Older versions of the CLI may support this feature, but the functionality was only activated in the platform recently.

  • Added support for *.rs (Rust source code) files.

  • Improved scan times for scans run via IDE plugins.

  • Fixed issue that using the --project-groups flag with the scan create command on an existing project was changing the groups assigned to that project. Now, that flag can only affect newly created projects but not existing projects.

2.3.3

Nov 4, 2024

  • General improvements and bug fixes

2.3.2

Nov 1, 2024

  • General improvements and bug fixes

2.3.1

Oct 20, 2024

  • We now exclude node_modules files by default. This improves scan times for scans run via the VS Code plugin.

  • Fixed issue that failed scans had been returning the wrong exit code.

2.3.0

Oct 8, 2024

  • Added support for the critical severity level.

  • We now support container-security as an independent scanner. To run container scans you now need to submit container-security under --scan-types. You can also scan specific images, using the --container-images flag, see here.

  • Added a new flag --sca-hide-dev-test-dependencies to the results show command. This enables filtering dev and test dependencies from reports that are generated.

Tip

Critical severity and the new container-security scanner are being released in phases. They may not be available yet in your tenant.

2.2.8

Sep 26, 2024

  • Implemented container signing for Docker images in our application in order to ensure image authenticity and integrity.

  • Added support for comma character in project name.

2.2.7

Sep 25, 2024

  • General improvements and bug fixes

2.2.6

Sep 24, 2024

  • The Policy Violations section is now included in the response only when there is at least one violation.

  • The name of the Vorpal scanner was changed to ASCA.

2.2.5

Aug 27, 2024

  • Fixed issue that the GitLab dashboard display was failing when no vulnerabilities were discovered.

2.2.4

Aug 26, 2024

  • The CLI no longer creates PR decoration for async scans.

  • Fixed issue that multiple project branches were being created when branch names included spaces.

  • Fixed issue that users with group related permissions weren't able to create and scan a new project using the scan create command.

2.2.3

Aug 13, 2024

  • Fixed problem with generating SBOM reports.

  • Remediated IaC vulnerabilities that we identified in our CLI application.

2.2.2

Aug 7, 2024

  • Added an error message when an upload fails, suggesting adding the domain to the allow list.

  • Fixed issue that threshold for api-security wasn't identifying threshold violations.

2.2.1

July 23, 2024

  • Fixed error that was occurring when a symbolic link points to a folder and shares a common path with the folder it points to.

2.2.0

July 7, 2024

  • General improvements and bug fixes

2.1.6

July 2, 2024

  • Added support for generating SCA reports in gl-sca format for display in Security Dashboard (in addition to existing support for gl-sast). For more details about the GitLab integration, see Checkmarx One GitLab Integration.

  • Added the option to set the "state" filter as exclude_not_exploitable, in order to show all states other than not_exploitable. This filter can be used with the results show command as well as with scan create.

2.1.5

June 19, 2024

  • Added pyproject.toml and poetry.lock, which are analyzed by the SCA scanner, to the list of automatically included files.

  • Added details of partial scan completion (specific scanners) to the console response.

  • Fixed issue that PDF reports with large amounts of data were failing due to timeout.

  • Fixed issue that API requests with a lot of filter items were failing because of URL length limitations.

2.1.4

May 27, 2024

  • General improvements and bug fixes

2.1.3

May 23, 2024

  • General improvements and bug fixes

2.1.2

May 19, 2024

  • The CLI is now signed with the Checkmarx digital signature, indicating that this is an official Checkmarx product. This enables the signed CLI to bypass firewalls on Windows computers that previously blocked the unsigned CLI.

2.1.1

May 13, 2024

  • We now exclude certain irrelevant folders (.vs, .vscode, .idea) from the scan.

  • Fixed issue that setting SCA thresholds was causing errors in certain edge cases.

2.1.0

May 7, 2024

  • We have improved the precision of the exit codes in order to give a more clear picture of which particular scanners failed. We have also created a new command, results exit-code, for retrieving information about the completion status for a particular scan in Checkmarx One, as well as details about failures of specific scan engines.

    Caution

    For users who are using external commands (e.g., $LastExitCode for PowerShell) to obtain exit codes for the scan create command, this is a breaking change. You need to refactor your pipelines based on the new exit codes, which are shown here.

  • Fixed issue with GitLab Security Dashboard integration failing when no vulnerabilities are identified.

2.0.76

May 5, 2024

  • Fixed issue that some scans were failing when a new project was created under an application.

  • Added validation for valid user input when setting a threshold.

2.0.75

Apr 22, 2024

  • Fixed issue that was causing errors for log command.

2.0.74

Apr 16, 2024

  • Improved the content and graphic presentation of the PDF scan report (generated using results show or scan create commands with --report-format pdf). Learn about the improved scan report here.

2.0.73

Apr 16, 2024

TEMPORARY VERSION

2.0.72

Apr 9, 2024

  • Added a new flag, --sast-fast-scan, for running SAST scans in fast scan mode.

  • Fixed issue with "About this vulnerability" links.

  • Fixed problem generating logs using the scan logs command.

  • Added missing package managers for sca-realtime scans.

  • Fixed issue that contributor-count was failing for Azure DevOps when a repo was disabled.

2.0.71

Mar 26, 2024

  • Added a new flag --application-name to the scan create and project create commands. This enables users to assign the project to a specific application.

    Note: This is only effective when creating a new project and assigning it to an existing application.

  • Added Directory.Packages.props to the list of included files (when creating the zip archive for scanning).

2.0.70

Mar 12, 2024

  • General improvements and bug fixes

2.0.69

Feb 22, 2024

  • Added policy violations to PR/MR decoration shown in GitHub Actions.

  • We now encode the Client ID and Secret.

2.0.68

Feb 20, 2024

  • Improved the presentation of the AI Guided Remediation response.

  • Removed sca option from the scan log command to accurately indicate that SCA isn't supported for this command.

2.0.67

Feb 19, 2024

  • Remediated vulnerabilities that we identified in our project.

2.0.66

Feb 5, 2024

  • We added a new feature that identifies vulnerabilities with matching sub-flows, which enables prioritization of fixes that will resolve multiple vulnerabilities with a single fix. In order to retrieve this data, you need to add the --sast-redundancy flag to the results show command. When this is run, a new field data.redundancy is shown for each vulnerability indicating which vulnerability should be prioritized as fix and which ones should be considered redundant.

  • Fixed issue that sarif output had been failing when there were no SAST results.

2.0.65

Jan 26, 2024

  • We added AI Guided Remediation for SAST vulnerabilities. Use the chat sast command to submit details about a specific vulnerability instance to OpenAI and receive detailed remediation recommendations, including a code snippet that can be used for the remediation.

    Warning

    The command for AI Guided Remediation for IaC Security vulnerabilities has changed from chat to chat kics.

    Warning

    This feature needs to be enabled for your organization's account by a Checkmarx admin user.

  • Added file extension *.cmp to the list of included files (when creating the zip archive for scanning).

2.0.64

Jan 15, 2024

  • Added the uniqueConrtibutorEmail field to the response to contributor-count in debug mode. For GitHub and Azure DevOps, we now use email (as opposed to username) as the unique identifier for counting distinct users.

  • Fixed issue that submitting --groups via CLI was interfering with project configuration (e.g., removing designation of primary branch).

  • Fixed issue that sarif reports had been failing when no vulnerabilities were identified.

2.0.63

Nov 28, 2023

  • Made the summary HTML report responsive in order to improve display on narrow screens.

  • Fixed problem with the link to view reports for the recently added gl-sast report format.

  • Fixed problem that resultsJson report was always showing total count as zero.

2.0.62

Nov 24, 2023

  • General improvements and bug fixes

2.0.61

Nov 14, 2023

  • Added a new utils command, pr gitlab, to decorate GitLab pull requests with results from Checkmarx One scans. For more info, see pr gitlab.

  • Added a new report format gl-sast for generating reports for the SAST scanner in GitLab. This can be submitted for --report-format in the scan create and results show commands.

  • Fixed issue that result filters weren't being applied properly to the results summary.

2.0.60

Oct 20, 2023

  • We now sort results by severity from high to low (instead of low to high). This ensures that even in edge cases that exceed the supported number of results (10k), the most important results won't be missed.

  • Fixed issue that requesting report status had been causing PDF reports to fail.

2.0.59

Oct 16, 2023

  • In debug mode, the CLI version is now shown in the logs.

  • Fixed issue that when --sca-exploitable-path was submitted as false you were nonetheless required to run the SAST scanner.

  • Fixed issue that running contributor count on an empty repo had been causing an error.

  • Fixed issue that when the check for policy violations timed out, the CLI had been returning a fail status.

2.0.58

Sept 29, 2023

  • Fixed issue that PDF reports hadn't been including SCA results unless specified explicitly.

  • Fixed issue with creating a summaryJson report for a scan that hasn't yet completed. Instead of returning an error, the report is now created with a label indicating that the scan hadn't completed.

2.0.57

Sept 27, 2023

  • Fixed issue with async scans.

2.0.56

Sept 25, 2023

  • Updated code to Go version 1.21.1 in order to remediate a vulnerability.

  • We now return an unlimited number of results in the results summary (had been limited to 10k).

  • Fixed issue regarding incomplete contributor count results for BitBucket, Azure DevOps, GitHub and GitLab. This was accomplished using retries and timeout flags to overcome rate limits. We also added pagination for Azure DevOps.

2.0.55

Sept 9, 2023

  • Added global flag --ignore-proxy for ignoring proxies, so that all Checkmarx One CLI commands run directly from the local machine. Alternatively, this can be done by setting the environment variable "CX_IGNORE_PROXY" as true.

    Tip

    When using Checkmarx One plugins, only the environment variable method works.

  • Fixed issue that contributors count for Azure DevOps hadn't been returning complete results.

2.0.54

Aug 9, 2023

  • Added Podfile and Podfile.lock to the list of included files (when creating the zip archive for scanning).

  • Fixed issue that had been causing KICS Realtime scans to fail.

  • Fixed issue that HTML output wasn't being shown properly for results that contain HTML content.

  • Stopped showing the Policy Violation header in the console results for projects that don't have any associated policies.

2.0.53

July 28, 2023

  • Added information about violated policies to the scan results. This information is shown in the console summary as well as in the Summary HTML and Markdown reports. These results are shown both for scan create and results show commands.

    For policies that are configured to "break build", when the policy is violated the scan will fail. (The --ignore-policy flag can be used to prevent policies from causing the scan to fail.)

  • Added the mask command under utils. This command is used to return the secrets identified in a file and show how they will be masked when the file is sent to ChatGPT using the chat command. See mask.

  • By default, the scan create command now runs scans only on the scanners that are licensed for your account (in order to avoid unnecessary failures).

  • Fixed issue that risk management using the triage command hadn't been working for IaC Security risks.

  • For scans run using kics-realtime, when no results are found, instead of showing the scan as failed we now show it as a successful scan with no results.

2.0.52

July 18, 2023

  • Increased the interval between retries when generating SBOM reports.

2.0.51

July 13, 2023

  • Fixed issue with generating SBOM reports.

  • Fixed issue that SCA Realtime scanner wasn't identifying vulnerabilities in Python projects due to use of incorrect package manager.

2.0.50

June 30, 2023

  • Fixed issue so that the default limit no longer overrides the specified value when the limit is set manually.

2.0.49

June 30, 2023

  • Added "AI Guided Remediation", which harnesses the power of AI to help you to understand the vulnerabilities in your code, and resolve them quickly and easily.

    Tip

    When sending source code to GPT, we protect your sensitive data by anonymizing all passwords and secrets before the content is sent. The query used to identify sensitive data can be seen here.

    Tip

    Currently supported only for IaC Security vulnerabilities.

  • Increased the default limit for projects returned using the project list command to 10,000. (This enables Checkmarx One to effectively verify whether a project with the specified name already exists when a scan is initiated via CLI/plugin.)

  • Enabled SBOM reports for all tenant accounts.

  • When a scanner ran successfully but didn't find any risks, the results now show correctly "0" risks as opposed to "N/A" which had been shown previously.

2.0.48

June 13, 2023

  • Added the ability to generate SBOM reports. SBOMs can be generated using CycloneDX or SPDX format. SPDX reports are output in JSON format, and CycloneDX can be output as JSON or XML. This can be done using the scan create or results show command.

    Tip

    This is a BETA feature. It is not yet supported for all tenant environments.

  • Fixed issue related to HTML summary output.

2.0.47

May 24, 2023

  • When a kics-realtime scan completes successfully and doesn't find any IaC security vulnerabilities, the results are now correctly returned showing "0" IaC security vulnerabilities.

  • The contributor count for BitBucket now counts only contributors who have contributed in the past 90 days, as expected.

2.0.46

Apr 28, 2023

  • Added error handling for SCA Realtime scanner.

2.0.45

Apr 13, 2023

  • We added a new environment variable, CX_HTTP_PROXY, which can be used to designate a specialized proxy for Checkmarx One. When this is used, it overrides the proxy specified in your general HTTP_PROXY variable.

    Notice

    We still support use of the HTTP_PROXY variable if you choose to use the same proxy for Checkmarx One as for your other applications.

  • We increased the number of branches returned using the project branches command from 20 to 1,000.

2.0.44

Apr 3, 2023

  • You can now designate a scan as a "Private Package" and assign a package version to it using the additional_params options. Once a private package has been scanned, info about the risks affecting that package will be identified by SCA when that package version is used in any of your projects. You can download an article about private packages here.

  • We added the --sca-exploitable-path flag to the additional_params options. This enables you to designate whether or not Exploitable Path will run on this particular scan. When used, this overrides the designation made in the project settings.

    We also added a flag --sca-last-sast-scan-time, which enables you to specify the number of days that SAST scan results are considered valid for use in Exploitable Path (i.e., if there is no current SAST scan, how many days prior to the current SCA scan will Checkmarx One look for a SAST scan to use for analyzing Exploitable Path.)

    Warning

    The --sca-last-sast-scan-time flag is not yet fully supported and may not function as designed.

  • Improved memory usage when uploading zip files.

  • Added file extensions go.mod, go.sum, *.dart, and *.plist to the list of included files (when creating the zip archive for scanning).

  • Fixed issue that was causing index out of range errors for the contributors count command.

  • Fixed issue that SCA results weren't being included in sarif reports.

2.0.43

Mar 24, 2023

  • When tags and/or groups are specified in the scan create command, those values now override the tags and groups that were previously assigned to the project.

  • Fixed issue that spaces and capital letters had been interfering with Threshold functionality.

  • Fixed problem with generating sarif reports.

  • Fixed issue that debug logs were showing URLs that contained sensitive data.

  • Fixed issue that SCA vulnerabilities marked as "Not Exploitable" were being included in the scan summary data. (Current behavior for all scanners is that "Not Exploitable" vulnerabilities are not included in the scan summary.)

2.0.42

Feb 22, 2023

  • Added additional options for pdf format reports. When running the results show command or the scan create command with --report-format set to pdf, you can now:

    • Add the --report-pdf-email flag to specify email recipients.

    • Add the --report-pdf-options flag to specify which sections to include in the report. Options are: Iac-Security, Sast, Sca, ScanSummary, ExecutiveSummary, ScanResults.

  • Added the option to generate reports in markdown format using the --report-format flag.

  • Added the --sca-realtime command, which enables running an SCA scan on the contents of a folder. The SCA realtime scan is similar to the KICS realtime scan in that it is a free tool which does not require a Checkmarx account. The results are returned in the response body as a JSON object.

    Tip

    Even for users with a Checkmarx account, the realtime scan results are not synced with the user's Checkmarx account.

  • Fixed issue that SCA results weren't being included in sarif reports.

2.0.41

Feb 2, 2023

  • General improvements and bug fixes.

2.0.40

Jan 27, 2023

  • Added support for installing the CLI on Arch Linux ARM systems.

  • Added option to generate reports in PDF format.

2.0.39

Jan 19, 2023

  • The default value for scan timeout was changed from 5 seconds to 30 seconds.

2.0.38

Jan 19, 2023

  • All references to AST have been changed to refer to the new product name "Checkmarx One".

  • We now validate for licensed scanners (engines). When a scan is run using default settings, all licensed scanners are used. When the --scan-types flag is used and a non-licensed scanner is specified, an error message is returned.

  • Fixed issues causing errors in the breakdown of results by scanner.

  • Fixed issue that was causing some Dockerfiles to not be identified.

2.0.37

Dec 6, 2022

  • Improved handling of API Security results.

2.0.36

Nov 30, 2022

  • The KICS scanner is now referred to in Checkmarx One as "IaC Security". All mentions of the scanner and the vulnerabilities identified by it now refer to IaC Security.

  • The API Security scanner is now supported for use via the CLI. When running the scan create command, you can now add api_security to the list of scanners under --scan-types.

  • Scan results now differentiate between regular SCA vulnerabilities and Supply Chain Security (SCS) risks. In addition, a distinction is now made between direct dependencies and transitive dependencies.

2.0.35

Nov 16, 2022

  • Added support for Bitbucket Server for the contributor-count command, see bitbucket-server.

  • Added support for identifying "supply chain" vulnerabilities.

2.0.34

Nov 9, 2022

  • General improvements and bug fixes.

2.0.33

Nov 7, 2022

  • Improved methods for polling status and retrying scans.

2.0.32

Oct 21, 2022

  • General improvements and bug fixes.

2.0.31

Oct 17, 2022

  • General improvements and bug fixes.

2.0.30

Oct 3, 2022

  • Added an additional sanitization to the logs, by removing the proxy value.

  • Added specific error messages when a user doesn't have a container engine (e.g., Docker) installed and running.

  • The CLI now extracts the base-uri from the API Key, making it unnecessary to submit the base-uri independently.

  • We added a new command for retrieving tenant settings via the CLI.

2.0.29

Sep 19, 2022

  • Fixed issue that auto remediation had been failing for projects that didn't contain dev dependencies.

2.0.28

Sep 15, 2022

  • Added a --resubmit flag for the scan create command. This causes the scan to run with the same configuration that was used for the most recent scan of the specified project and branch.

  • Fixed issues with SCA results handling.

  • Dangling symbolic links no longer cause the scan to fail. Now a warning is returned.

2.0.27

Sep 2, 2022

  • Fixed issue handling errors when extracting credentials from an API key.

2.0.26

Aug 31, 2022

  • We added a new pr command for decorating pull requests with results from Checkmarx One scans that were triggered by that pull request. The pull request comments show a list of new vulnerabilities that were introduced by the code changes as well as a list of vulnerabilities that were fixed by the code changes. See pr.

    Tip

    This command is currently supported only for GitHub.

  • All documentation links now point to the new Checkmarx documentation portal at https://checkmarx.com/resource/documentation.

2.0.25

Aug 26, 2022

  • When running SCA Resolver for a Checkmarx One scan, if SCA Resolver fails, detailed error logs from SCA Resolver are now shown in the CLI response.

  • Fixed issues caused by mistaken column numbering (i.e., 0 or negative values).

2.0.24

Aug 22, 2022

  • Added additional details to the SCA results.

2.0.23

Aug 12, 2022

  • For the KICS remediation utility, we added the option to remediate all vulnerabilities in the project. See kics.

  • Added additional info to the SCA results, including the association between the vulnerabilities and the open-source packages to which they apply.

  • When running KICS commands, there is a requirement to have Docker running locally. We now have a dedicated error message for this issue.

  • Accumulation of unneeded zip files had been causing issues in Jenkins. We now delete zip files that are no longer in use.

2.0.22

Jul 26, 2022

  • Added a new utils command, learn-more, for getting additional info about a specific vulnerability. Submit this command with a query-id (obtained from scan results) indicating the vulnerability for which you want additional info. See learn-more.

  • Added a new utils command, remediation sca, for automatically replacing a vulnerable package version with a non-vulnerable version. Add arguments specifying the precise package that you would like to remediate. See sca.

  • Added a new utils command, remediation kics, for automatically remediating KICS vulnerabilities. You can remediate all vulnerabilities, or you can submit identifying details about the specific vulnerabilities that you would like to remediate. See kics.

  • Added a new scan create flag, kics-platforms, to specify which platforms to run the kics scan on. See Flags.

2.0.21

Jul 4, 2022

  • The default value for the interval before retry was increased to 20 sec.

  • A scan report is now generated when a scan fails because of a threshold violation.

  • The branch name in the summary URL is now encoded.

  • Returns more precise results for the KICS real-time scanner.

2.0.20

Jun 21, 2022

  • Created a unified build for all macOS versions.

2.0.19

Jun 8, 2022

  • Added a new command for running a KICS scan as a standalone tool in your local environment. To run the scan, you are required to provide the file source. You can also add additional KICS parameters. See sca-realtime.

  • Updated the content of the summary that is shown when a scan is run. The following changes were made:

    • Show “Scan Type”, possible values are “incremental” or “full”

    • Show Timeout, possible values are “None” if the scan didn’t timeout or a value in seconds indicating the time that elapsed before the scan timed out

    • Show “Project Name” instead of “Project ID”

    • Formatted the display of the vulnerabilities results summary

    • Added a link to view the scan results in the web app

  • The deprecated command result was removed from the list of commands shown in the help menu.

    Tip

    The command used for retrieving results is now results, as shown in the help menu.

2.0.18

May 6, 2022

  • Added support for Azure 2019 for the contributor-count command.

2.0.17

May 5, 2022

  • You can now add filters to the scan create command (to exclude files/folders from the scan) separately for each specific scanner. The flags for the new filters are: --sast-filter <string>, --iac-security-filter <string>, --sca-filter <string>.

    Note: The existing flag --file-filter, which sets filters for the entire scan (for all scanners), is still in use.

  • You can now add an ssh key to the project create command, using the flag --ssh-key <string> with the path to the ssh private key.

  • You can now add an ssh key to the scan create command, using the flag --ssh-key <string> with the path to the ssh private key.

  • Added the scanId field to the results json file.

  • Added support for file filters for scans run on zip files.

  • Reduced size of CLI Docker image.

  • Fixed an issue in the project create and scan create commands, that adding a group with a space in the name (e.g., "Product Development") had been causing an error.

2.0.16

Apr 11, 2022

  • SAST and KICS vulnerabilities for which the state has been set as “Not Exploitable” are no longer included in the vulnerabilities counts in the results summary.

  • Added additional details to sarif output.

  • The time returned for “Created At” is now given according to the local timezone where the scan was run.

2.0.15

Mar 28, 2022

  • The user-count utility was renamed as contributor-count. Also, username was added to the --debug logs.

  • Added a utility command to determine the number of unique contributing developers for the past 90 days for BitBucket, Azure DevOps and GitLab repos.

2.0.14

Mar 4, 2022

  • Created a utility command to determine the number of unique contributing developers for the past 90 days for GitHub repos.

  • Added a new command ./cx results codebashing [flags] for retrieving a link to the relevant Codebashing lesson for a vulnerability.

2.0.13

Feb 23, 2022

  • Added new --sca-resolver-params flag to the scan create command.

  • Removed the default preset.

  • The old result command has been deprecated.

2.0.12

Feb 10, 2022

  • Renamed the results command as results show command.

  • Fixed a problem with proxy connections.

  • An error is now generated when project name is empty.

  • Fixed the help text for the threshold flag.

  • Fixed the help text for the result command to include state filters.

  • Fixed the help text for the SCA Resolver flag.

2.0.11

Jan 27, 2022

  • In the scan create command, we renamed the format flag as scan-info-format.

2.0.10

Jan 19, 2022

  • The results output for SAST vulnerabilities now includes a brief description of the vulnerability.

  • Added the --scan-timeout <int> flag to the scan create command, enabling users to specify a time limit after which the scan will fail and terminate.

  • Added a new type of report, SummaryJSON. This creates a JSON file with a summary of the vulnerabilities of each severity level.

  • Fixed a problem with the permissions for accessing the configure command folder.

2.09

Jan 4, 2022

  • Added the ability to triage scan results and modify the ‘state’, ‘severity’ and ‘comments’ predicates accordingly.

  • Added a CLI command for triaging results.

  • Added --threshold flag to a scan create command. This enables you to set thresholds that will cause the scan to fail. Thresholds are set separately for each type of scanner using the following format: <engine>-<severity>=<limit>.

  • Fixed Sonar results output for a scan that contains only one SAST vulnerability. Removed SCA vulnerabilities from Sonar output.

  • Returns exit code 1 if the "auth register" command fails.

2.0.4

Nov 3, 2021

  • Added automatic retry for scans upon initial connection failure using flags:

    • --retry <unit> - Specify the maximum number of retry attempts. (Default: 3)

    • --retry-delay <unit> - Specify the time between retries in seconds. Used together with --retry. (Default: 3s)

  • Users can now add tags and assign the scan to a Checkmarx One “group” (for user management) as part of the scan create command.

  • Integration tests now have 80% coverage.

  • Branch flag is now required.

  • The flag for running scans in asynchronous mode was changed from --nowait to --async.

  • When installing the CLI through homebrew, brew install checkmarx/ast-cli/ast-cli, auto-completion is done automatically.

2.0.0

Sep 23, 2021

  • Added a new “utils logs” command - The utils logs command provides the option to select which scan logs can be printed to the CLI screen.

    The possible options are: SAST, KICS.

  • Added a new “result” command - The result command enables the ability to retrieve scan results in AST.

    The results are downloaded to a file. The following file formats are supported:

    json, sarif, summaryHTML, summaryConsole

  • Added SCA Resolver module - The CLI can resolve local packages for the CxSCA scan type.

2.0.0-rc.22

Sep 1, 2021

  • Added result flags to scan create command.

  • Added default file filters.

  • Minor improvements.

2.0.0_RC14

  • Added result summary (Critical, High, Medium, Low) to scan create command output.

  • Added result command to the main commands menu.

  • Added the following sub-commands to the new results command:

    • list - Provides a results list for a given scan.

    • summary - Creates a summary report for a given scan.

2.0.0_RC12

Jul 13, 2021

  • Added --tags flag to scan create command.

    This should be a comma separated list of tags like this: --tags myTagA,myTagB or --tags myTagA.

    It is also possible to include (key:value) pairs in tags like this: --tags myTag:42,myTagB:hello,myTagC.

  • Removed the -w shortcut for the scan create --nowait command.

  • Added --branch flag to scan create command.

    This indicates which branch is being scanned.

    If the --source flag is a GIT repository path, this value also tells AST which branch to pull the code from.

  • Removed unsupported sub-commands from the utils command:

    • query

    • sast-metadata

    • sast-rm

  • Added the utils env command to echo out current AST environment variables.

  • Fixed --nowait environment message spelling error.

  • Corrected scan cancel --help menu grammar.

  • Removed --repo-url flag from project create command.

  • Removed SAST_manager option from utils health-check command.

  • Updated auth register command output to display a clearer error message when user enters bad credentials.

  • Modified the output tables of several commands as follows:

    • Removed the Updated at column.

    • Updated the information in the Created at column to show only the date.

    • These tables appear in the output of the scan list and project list commands.

  • Fixed an issue where some incorrect commands weren't displaying the expected help messages.

  • Added a new auth validate command.

  • The scan sub-commands (show, delete and cancel) required Scan ID values to be passed as an additional flag.

    These commands were updated to accept the --scan-id flag.

  • The project sub-commands (show, delete) required Project ID values to be passed as an additional flag.

    These commands were updated to accept the --project-id flag.

2.0.0_RC11

Jun 8, 2021

  • Added support for multi-tenancy

  • Added environment variable CX_TENANT

  • Added global CLI argument (--tenant)

  • Added tenant name to the configure command menu.

  • Added tenant support for the register command.

2.0.0_RC10

May 22, 2021

  • scan create command:

    • The --sources flag can handle the following source types:

      • GIT repo

      • zip archive

      • Directory

    • Removed the following flags:

      • --directory, -d

      • --repo-url, -r

    • Removed an extra message when creating a scan.

2.0.0_RC9

May 20, 2021

  • result command:

    • Added results list-simple command. This fetches results from AST and generates a simplified, easily consumable form.

    • Added --target flag to indicate where the output should be stored.

  • Updated CircleCI with the following:

    • Updated go version to 1.16.2

    • Updated executor to Ubuntu 20

  • project create command:

    • Bug fix

    • Presents a notification to the user when a project name isn't provided.

2.0.0_RC8

May 17, 2021

  • Resolved the following vulnerabilities detected by Checkmarx:

    • Denial_Of_Service_Resource_Exhaustion in configuration.go line 123

    • SSRF in client.go line 221

    • Vulnerability configuration.go

2.0.0_RC7

May 13, 2021

  • Fixed an issue where the preset name could not be overridden.

2.0.0_RC6

May 10, 2021

  • scan create command:

    • Removed (--incremental-kics) and (--incremental-sca)

    • Fixed: no error was shown when bad authentication was encountered.

    • Fixed an error caused by using the --scan-types flag with spaces between the values.

  • Renamed global parameter (--secret) to (--client-secret)

  • Removed the BFL command

  • Renamed environment variable CX_SECRET to CX_CLIENT_SECRET

  • Added configure set option (cx_base_auth_uri)

  • utils configure set command:

    • Renamed (cx_token) to (cx_apikey)

    • Renamed (cx_ast_access_key_id) to (cx_ast_client_id)

    • Renamed configure set option (cx_ast_access_key_secret) to (cx_ast_client_secret)

  • configure show command:

    • Shows the following environment variables and their "effective" values:

      • BaseURI

      • BaseAuthURIKey

      • Client ID

      • Client Secret

      • APIKey

      • Proxy

Tip

The "effective" value means it shows how the CLI presents the property after combining environment variables, configuration variables and CLI arguments.

  • Fixed an error that occurred when a URL ending with / was encountered.

  • The CLI was storing the JWT in the credentials.json file. This has been removed; the JWT is now stored only in memory and reset between runs.

2.0.0_RC5

May 10, 2021

  • Updated Go from 1.16.3-alpine3.13 to 1.16.4-alpine3.13

2.0.0_RC4

May 3, 2021

  • Added support for KICS and SCA scans.

  • Added support for incremental scans for SAST, KICS and SCA.