Skip to main content

Checkmarx SCA Plugin for JFrog


The Checkmarx SCA plugin for JFrog Artifactory runs a Checkmarx SCA scan on each of your Jfrog artifacts, and uses the scan results to enrich the properties shown in the JFrog Artifactory UI. This integrates scanning of artifacts into your DevOps workflow, providing easy visibility into possible risks that could make your applications vulnerable.

You can set a risk threshold so that artifacts with risks of a specified severity level will automatically be blocked from download.

When you install the plugin, Checkmarx scans all artifacts currently in your Artifactory. In addition, each time that an artifact is downloaded the plugin runs a Checkmarx SCA scan on that item. In order to avoid redundant scanning of the same artifact, a cache mechanism is used to reuse scan results for a fixed period of time (default: 6 hr).


Main Features

  • Free tool, no Checkmarx account required

  • View risks in artifact properties

  • Block download of vulnerable artifacts


  • This plugin is supported only for Self-Hosted instances of JFrog

  • Tested and approved for JFrog Artifactory v7


This is a free tool provided by Checkmarx for all JFrog users, and does not require the user to submit credentials for a Checkmarx SCA account.

Supported Package Managers

Bower, CocoaPods, Composer, Go, Gradle, Ivy, Maven, Npm, Nuget, Pypi, Sbt

Installing and Configuring the Plugin

  1. Download the plugin using one of the above links.

  2. Extract the archive.

    The extracted folder contains the following items:

    • cxsca-security-plugin.groovy


    • lib > sca-artifactory-plugin.jar

  3. By default, when an artifact is reused within 6 hours the scan data from the cache is reused instead of triggering a new scan. If you would like to adjust the time span, use the following procedure.

    1. Open the file.

    2. In the line, replace 21600with the desired time span for using the cache (in seconds).


      The minimum acceptable value for cache expiration is 1800 (30 min.).

  4. You can set a risk threshold so that artifacts with risks of the specified severity level (or above) will be blocked from download. To set a threshold, use the following procedure.

    1. Open the file.

    2. In the line, replace nonewith the desired threshold, options are low, medium or high.


      Each artifact that has one or more risks of the specified severity level or above will be blocked from download. You can override the threshold for specific artifacts when needed, see below.

  5. Put all of the contents of the extracted archive into ${ARTIFACTORY_HOME}/var/etc/artifactory/plugins.

  6. If your JFrog instance is not configured to reload plugins automatically (this is the default configuration), then you will need to manually reload the plugins (e.g., POST http://<JFrogURL>/artifactory/api/plugins/reload).

  7. Log in to your JFrog Artifactory instance and navigate to the System Logs to check that Checkmarx SCA has been installed successfully. The logs should show:


Overriding Thresholds

If you have set a threshold for blocking downloads, you can override this threshold for specific artifacts.


Once you have overridden the threshold, users will be able to download this artifact despite its containing risks of any severity level.

To override the threshold:

  1. Open the properties tab for the desired artifact.

  2. Add a property CxSCA.IgnoreRiskThreshold and set the value to true.


Event Logs

By default the plugin logs are written to the general system logs file. By default the log level is set as INFO.

You can configure the logs to be sent to a dedicated Checkmarx log file. You can also change the log level.

To create a dedicated log file:

  1. Open the ${ARTIFACTORY_HOME}/var/etc/artifactory/logback.xml) file.

  2. Append the following snippet to the file in order to create a dedicated log file.

    <appender name="CXSCA" class="ch.qos.logback.core.rolling.RollingFileAppender">
      <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
      <triggeringPolicy class="org.jfrog.common.logging.logback.triggering.SizeAndIntervalTriggeringPolicy">
      <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
        <layout class="org.jfrog.common.logging.logback.layout.BackTracePatternLayout">   
          <pattern>%date{yyyy-MM-dd'T'HH:mm:ss.SSS, UTC}Z [jfrt ] [%-5p] [%-16X{uber-trace-id}] [%-30.30(%c{3}:%L)] [%-20.20thread] - %m%n</pattern>
  3. If you would also like to change the log level, add the following code to the file:

    <logger name="" additivity="false" level="DEBUG">
      <appender-ref ref="CXSCA"/>


The log level can be set as INFO (default), DEBUG or WARN.

Checkmarx Artifact Properties

Once the plugin is enabled and a package has been scanned by Checkmarx SCA, the following properties are added to the properties tab of the artifact.

Property Name



The total number of vulnerabilities.


The total number of low severity vulnerabilities.


The total number of medium severity vulnerabilities.


The total number of high severity vulnerabilities.


The overall risk score of the package, from 0 (low) to 10 (high).


The overall risk level of the package. Possible values are: High, Medium, Low, None


The date and time of the most recent scan was run.