Supported Languages and Package Managers

How SCA Works

Checkmarx SCA uses the following methods to identify the 3rd party packages in your project:

File Analysis – Checkmarx SCA identifies all files in your project that may be part of a 3^rd party package, and analyzes them in order to determine which packages are being used. This is done by comparing the hashes and metadata of the relevant files (e.g., .jar files for Java, .js files for JS) in the scanned project with the hashes and metadata of packages that are catalogued in our database.
File Analysis is done for the supported languages/frameworks listed below, using the corresponding file types specified in the table.
Dependency Resolution - Checkmarx SCA uses package managers to resolve the dependencies against customer-defined or public repositories and extract the dependency trees.
Dependency Resolution is done using the supported package managers listed below and the corresponding manifest files specified in the table.

Supported Languages and Package Managers

Notice

If you are using Checkmarx SCA Resolver, then you need to install the relevant package managers locally. For installation info, see Installing Supported Package Managers for Resolver.

Java

JVM Languages: Java, Kotlin, Android, Groovy, Scala

Additional Frameworks: Struts, Spring

Repository: Maven Central, Sonatype, Apache

File Types: .jar

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with (blue star) are required)

Maven

pom.xml

Gradle

build.gradle , build.gradle.kts

Ivy

none

SBT

build.sbt

NodeJS

	Languages/Frameworks: JavaScript, TypeScript, React, Angular, Apex Tip Apex is only supported when running the scan using Checkmarx SCA Resolver with the `--extract-archives resource` argument, see Checkmarx SCA Resolver Configuration Arguments. Repository: NPM File Types: .js
Supported Package Managers	Exploitable Path	Supply Chain Security (SCS)	Manifest Files (Packages marked with are required)
NPM			`package.json` , `package-lock.json`
Yarn (and Yarn 2)			`package.json` , `yarn.lock`
Bower			`bower.json`

.NET

Languages/Frameworks: C#, F#, .NET, .NET Core, WCF, WPF, ASP.NET, C++

Repository: NuGet

File Types: .dll

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with (blue star) are required)

NuGet

*.csproj , packages.config

Python

Languages/Frameworks: Python, Django, Flask

Repository: PyPi

File Types: none

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with (blue star) are required)

PIP

requirements.txt, requirements-*.txt, requirement.txt, requirement-*.txt

Setup.py

Poetry

pyproject.toml (blue star) , poetry.lock

Setup.cfg

PHP

Languages/Frameworks: PHP, Dupal

Repository: Packagist

File Types: none

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with (blue star) are required)

Composer

composer.json (blue star) , composer.lock

iOS

Languages/Frameworks: Swift, Objective c

Repository: GitHub

File Types: none

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with (blue star) are required)

SwiftPm

Package.swift

CocoaPods

Podfile (blue star) , Podfile.lock

Carthage

Cartfile (blue star) , Cartfile.private, Cartfile.resolved

Tip

At least one .private or .resolved file must be included.

Go

Languages/Frameworks: Go

Repository: Golang

File Types: none

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with (blue star) are required)

GoModules

go.mod (blue star) , go.sum

Ruby

Languages/Frameworks: Ruby

Repository: RubyGems

File Types: none

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with (blue star) are required)

RubyGems

Gemfile (blue star) , Gemfile.lock

Bundler

C++

Languages/Frameworks: C, C++

Repository: GitHub, Conan, Central

File Types: .cpp, .c, .h, .hpp, .a, .o, .so

Tip

C++ is supported only for File Analysis (fingerprints), not for package resolution.

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with (blue star) are required)

none

Unity

Languages/Frameworks: Unity

Repository:Unity Technologies, Needle-mirror, Open UPM

File Types: none

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with (blue star) are required)

none

manifest.json (blue star) , packages.json

Container Scans

Checkmarx SCA is capable of scanning Dockerfiles and container images as long as they are hosted in supported registries and they are used in supported ecosystems.

For more info about container scans, see Container Scans.

Supported Registries

Container scans run via SCA Resolver support scanning of images from any registry for which you can run the docker pull command, e.g., DockerHub, Amazon Elastic Container Registry (ECR), Google Container Registry (GCR), Quay, JFrog Container Registry (JCR) etc.

Supported Ecosystems

Debian (dpkg)
Alpine (apk)
C (conan)
C++ (conan)
Dotnet (deps.json)
Go (go.mod, Go binaries)
Java (jar, ear, war, par, sar, native-image)
JavaScript (npm, yarn)
PHP (composer)
Python (wheel, egg, poetry, requirements.txt)
Red Hat (rpm)
Ruby (gem)dpkg

In this section:

Supported Languages and Package Managers

How SCA Works

Supported Languages and Package Managers

Notice

Java

NodeJS

Tip

.NET

Python

PHP

iOS

Tip

Go

Ruby

C++

Tip

Unity

Container Scans

Supported Registries

Supported Ecosystems

Search results