Authentication for Checkmarx One CLI
In order to submit CLI commands you need to be authenticated for your Checkmarx One account. The required authentication parameters can be submitted as part of the CLI command or via Config or Environment variables, see Using Checkmarx One CLI Variables. Authentication can be done either via an OAuth2 Client or an API Key.
Required Parameters
The following parameters are required for authentication, depending on the method being used.
cx_apikey
Notice
The CLI automatically extracts all relevant account info (Base URL, Auth URL, Tenant name) from the API Key. You can use arguments to submit these values explicitly, overriding the extracted values. However, this is generally not recommended.
cx_base_uri
cx_base_auth_uri
cx_tenant
cx_client_id
cx_client_secret
Generating an API Key
You can generate an API Key by logging in to Checkmarx One and generating a new API Key, as described below. Alternatively, an API Key can be generated using the Authentication API.
![]() |
GIF - How to generate an API Key
To Log in to Checkmarx One:
Open the URL for your environment.
Log in to your Checkmarx One account by entering your Tenant Account, Username and Password.
Notice
The roles (permissions) assigned to the API Key are inherited from the user account that generates the key. Therefore, if you want to enable admin rights for your integrations, make sure to log in to an admin account.
To generate an API Key via Checkmarx One:
Log in to the Checkmarx One web portal and select
Identity and Access Management in the main navigation.
The IAM portal opens.
In the main navigation, click API Keys, then click on the Create Key button.
A new key is created with the permissions of the current user assigned to it.
Copy the key and save it in a place where you will be able to retrieve it for future use.
Notice
Once you close the window, you will no longer be able to access this API Key.
Notice
You can obtain a curl for submitting the request for an access token, by clicking on Show details and copying the content.
Creating an OAuth2 Client for Checkmarx One Integrations
You can create an OAuth2 Client by logging in to Checkmarx One and creating a new client.
![]() |
GIF - How to create an OAuth2 Client for use with plugins
To Log in to Checkmarx One:
Open the URL for your environment.
Log in to your Checkmarx One account by entering your Tenant Account, Username and Password.
Notice
To create an OAuth2 Client, you need to be signed in as an admin user.
To create an OAuth2 Client:
Log in to Checkmarx One and click on the
Identity and Access Management icon in the Menu panel.
In the Identity and Access Management console, click Oauth Clients and then click Create Client.
In the Client ID field, enter a descriptive name for Client (e.g. AzureDevOps_Client for the AzureDevOps plugin), and then click Create client.
The Client Settings screen is shown.
Copy the Client ID for use in the plugin configuration.
Click on the Regenerate button for the Secret,
In the dialog that opens, copy the Secret for use in the plugin configuration, and then click Ok to close the dialog
You can configure the following optional settings:
Under Settings, you can add a Name and Description for the Client.
Under Groups, you can assign the Client to one or more groups.
Under Role Mapping > AST roles, search for either ast-admin or ast-scanner and click Add in the relevant row to add the role to the client.
Click Save Client.