Checkmarx SCA Resolver Configuration Arguments
Most Checkmarx SCA Resolver configuration parameters can be submitted either as command line arguments or by editing the configuration.yml file.
Notice
Certain parameters must be submitted via the config file. Therefore, it is mandatory to include the configuration.yml file (which is included in the Checkmarx SCA Resolver download) in the same folder as the ScaResolver binary.
Note
The info provided on this page relates to running Resolver as a standalone tool. If you are running Resolver via an external platform such as the Checkmarx One CLI tool or plugins, or the CxSAST/CxSCA CLI tool or plugins, then only Offline arguments can be used. In addition, the mandatory arguments differ for different platforms. See the relevant SAST/SCA Integrations documentation for details.
Configuration.yml file Specifications
Warning
As of version 2.0, Configuration.ini
format is no longer supported. It is now mandatory to include the Configuration.yml
file containing your config data.
The configuration file must be located in the same folder as the ScaResolver binary.
The configuration file has the format of KeyName: Value.
The file must follow the yaml file format specification.
Configuration Arguments - Tables and Samples
The following tables describe the supported arguments that can be used in Resolver. You can submit --help
to get the list of supported parameters.
Config | Argument Name | Config file key | Description | Used in mode | Default value |
---|---|---|---|---|---|
Account | -a| --account | Account | Your SCA account a name. | Online, Upload | - |
Authentication Server URL2 | --authentication-server-url | AuthenticationServerUrl | The URL of the SCA Access Control server. | Online, Upload | |
Path to save container results | --containers-result-path | ContainersResultPath | Specify the path to the directory/file where the containers results will be saved (for future upload). TipMandatory for container scans, | Offline | - |
Path to read container results | --containers-result-path | ContainersResultPath | Specify the path to the file of the saved containers results that you are uploading. TipMandatory for container scans. | Upload | - |
Logs Directory3] | --logs-path | LogsDirectory | The default name assigned the logs directory. | logs | |
Project Name | -n| --project-name | ProjectName | To scan an existing SCA Project, enter the Project name. Alternatively, you can enter a new Project name in order to create a new Project in SCA. | All | - |
Password1] | -p| --password | Password | The password for your SCA user account. TipYou can configure a custom Environment Variable to use for the password. This is preferable to including a password in clear text in the config file. | Online, Upload | - |
Path to save ScaResolver results | -r|--resolver-result-path | ResolverResultPath | Specify the path to the directory/file where the resolver results will be saved (for future upload). | Offline | - |
Path to read ScaResolver results | -r|--resolver-result-path | ResolverResultPath | Specify the path to the file of the saved resolver results that you are uploading. | Upload | - |
SCA Application URL3] | --sca-app-url | ScaAppUrl | The URL of the SCA web application. | Online, Upload | |
Server URL2] | --server-url | ServerUrl | The URL of the SCA API server. | Online, Upload | |
Scan Path | -s| --scan-path | N/A | Path to the folder to be scanned. NoteThis must be the path to a local folder that contains the source code, not to a zip archive or a code repository. | Online, Offline | - |
Provider name1] | --sso-provider | SsoProviderName | The name of your SSO provider. Alternatively, you can give the name of your Master Access Control instance. For more info see SAML Authentication for Checkmarx SCA Resolver | Online, Upload | - |
Username1] | -u| --username | Username | Your username for the SCA account. | Online, Upload | - |
1] Authentication is done either using your Checkmarx SCA credentials, or via your SSO provider. Therefore, you are required to submit either -u| --username
and -p| --password
or --sso-provider
but not both.
2] The default values for Server URL and Authentication Server URL are preconfigured in the config file, making it unnecessary to submit these arguments in the CLI.
3] The default value for Logs Directory is preconfigured in the config file. There is no argument for adjusting this value in the CLI.
Samples using mandatory arguments:
Linux/MacOS
./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!'
Windows
./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!"
Config | Argument Name | Config file key | Description | Used in mode | Default value |
---|---|---|---|---|---|
Break on manifest failure | --break-on-manifest-failure | BreakOnManifestFailure | When this flag is used, the scan will fail and error code 9 will be returned when resolution fails for one or more of the manifest files. | Online, Offline | False |
Bypass exit code | --bypass-exitcode | BypassExitCode | If set as “true”, exit code will be overridden and set as 0, enabling it to pass through the CI/CD pipeline. | All | False |
Change configuration file | -c| --config-path | N/A | Changes the cofig file used for the scan. | All | Configuration.yml |
Path to cache containers image | --containers-cache-path | ContainersImagesCacheDirectory | Path to the directory where containers images cache will be written. TipOnly used when containers scan is enabled. | Online, Offline | Cache |
Save containers result output | --containers-result-path | N/A | Save containers results, which is helpful for troubleshooting. You need to specify the path to the directory where you want the output to be saved. | Online | None |
Disable parameters sanitization | --disable-parameter-sanitization | DisableParameterSanitization | Disable package managers additional parameters sanitization. | Online, Offline | False |
Excludes | -e| --excludes | ExcludePatterns | Specify file and folder patterns to be excluded from the zip file that will be scanned. See examples below. TipUsing this argument adds to the list of exclusions, it does not override the default exclusions. | Online, Offline | Default excluded folders: node_modules, bower_components, .git, vendor, Carthage |
Extensions to be extracted | --extract-archives | N/A | Submit comma separated archives extensions to be extracted. TipWhen you use the argument to add custom file types, that overrides the default types. If you want these types to be extracted, you must include them in the comma separated list. | Online, Offline | “.zip, .ear, .war” |
Extraction depth level | --extract-depth | N/A | The depth level of file extraction. TipIncreasing the depth level increases the accuracy of the results, but it also significantly increase the scan time. TipThis flag is relevant only for packages identified by unpacking archive files (e.g., .jars, .wars etc.), not for those identified via manifest files. | Online, Offline | 1 |
Gradle Dev Scopes | --gradle-dev-scopes | N/A | Gradle user defined dev dependencies scopes. | Online, Offline | None |
Gradle Exclude Scopes | --gradle-exclude-scopes | N/A | Gradle dependencies excluded scopes. | Online, Offline | None |
Gradle Excluded Submodules | --gradle-ignore-modules | N/A | Ignore Gradle sub-modules. | Online, Offline | None |
Gradle Include Modules | --gradle-include-modules | N/A | Gradle include only desired project submodules. | Online, Offline | None |
Gradle Include Scopes | --gradle-include-scopes | N/A | Gradle dependencies included scopes. | Online, Offline | None |
Gradle Plugin Scopes | --gradle-plugin-scopes | N/A | Gradle user defined plugin scopes. | Online, Offline | None |
Help | --help | N/A | Shows a list of supported arguments for SCA Resolver in the console output. | All | N/A |
Ignore Dev Dependencies | --ignore-dev-dependencies | IgnoreDevDependencies | Ignores dev dependencies in the pre-scan stage. | Online, Offline | False |
Images to scan | --images | N/A | Specify the container images to be scanned as a comma separated list. TipWhen this flag is used, the | Online, Offline | None |
Path to save Ivy reports | --ivy-report-files-dir | N/A | Specify the TipIf this flag is used, the “Ivy report target” flag must also be set. | Online, Offline | False |
Ivy report target | --ivy-report-target | N/A | Specify the TipIf this flag is used, the “Path to save Ivy reports” flag must also be set. | Online, Offline | False |
Log Level | --log-level | LogLevel | This value sets the lowest threshold for log messages. Enter one of the following enum values: Verbose, Debug, Information, Warning, Error, Fatal | All | Information |
Path to project’s manifest | --manifests-path | ManifestsPath | When this argument is set, the manifest file in the specified path is uploaded to Checkmarx SCA Cloud. | Upload | When this flag isn’t used, no manifest file is uploaded. |
Maximum attempts to check scan status | N/A | ScanReportMaxRetries | The maximum number of requests sent to check the status of the scan. | All | 2147483647 |
Time between scan report requests | N/A | ScanReportWaitForFinishDelayInSeconds | Time in seconds before resending request for the scan’s risk-report. | Online, Upload | 5 |
Version of pipdeptree | N/A | PipDepTreeVersion | Specify the version of pipdeptree to be used for package resolution. | Online, Offline | None |
Additional Manifest Patterns | N/A | AdditionalManifestPatterns | Allows the user to specify additional patterns to detect as manifest. TipCurrently supported only for pip. Syntax: AdditionalManifestPatterns: pip: - example-*.txt | Online, Offline | N/A |
Version of Graphviz | N/A | GraphvizVersion | Specify the version of Graphviz to be used for package resolution. | Online, Offline | N/A |
Custom NetRc path | --netrc-path | NetRcPath | Specify the path to the NetRc file to be used. | Online, Offline | None |
Disable manifest upload | --no-upload-manifest | N/A | When this argument is set, the manifest files are not uploaded to Checkmarx SCA Cloud. TipPreventing manifest upload doesn’t interfere with the effectiveness of the scan, but it may limit Checkmarx SCA’s ability to suggest precise mitigation actions. | Online | False (i.e., manifest files are uploaded) |
Path to nuget CLI executable | --nugetcli-path | NugetCliPat | Specify the path to nuget CLI executable to be used. | Online, Offline | False |
Disable default exclusions | --override-default-excludes | OverrideDefaultExcludes | When this is set, the only folders and files that are excluded are those specified in the | Online, Offline | false |
Private dependency name (BETA) | --private-dependency-name | PrivateDependencyName | The name of the private package. This flag must be used in conjuction with TipYou can designate a scan as a "Private Package" and assign a package version to it. Once a private package has been scanned, info about the risks affecting that package will be identified by SCA when that package version is used in any of your projects. You can download an article about private packages here. | Online, Offline | False |
Private dependency type (BETA) | --private-dependency-type | PrivateDependencyType | The package manager used for accessing the private package. For example, Go, Nuget, Npm, maven etc. TipThe complete list of supported types is available via the Resolver help command. | Online, Offline | False |
Private dependency version (BETA) | --private-dependency-version | PrivateDependencyVersion | The version of the package. | Online, Offline | False |
Add tags to project | --project-tags | N/A | Comma separated tags to be assigned to the project. Tags can be simple string or key:value. | Online, Upload | None |
Proxy | --proxies | N/A | The proxy to be used for making internet requests. You can enter comma separated proxies for HTTP and HTTPS. You can also include authentication credentials for HTTPS. See You | Online, Offline | None |
Python version | --python-version | PythonVersion | Specify the Python version to be used for package resolution. Enter one of the following enum values: V2 or V3 | Online, Offline | V3 |
Quiet mode | -q| --quiet | N/A | When this flag is used, logs aren't returned to the console output. However, the logs are still written to the log files. | Online | False |
Save resolved dependency output | --save-evidence-path | N/A | Saves evidence of the resolved dependencies, which is helpful for troubleshooting. You need to specify the path to the directory where you want the output to be saved. | Online | None |
Run containers scan | --scan-containers | N/A | Scan the Dockerfiles in your project to identify the container images used in your project. See Container Scans TipRequires installation of Syft v0.83.0 on the machine where you are running Resolver. Download here | Online, Offline | False |
Add tags to scan | --scan-tags | N/A | Comma separated tags to be assigned per scan. Tags can be simple string or key:value. | Online, Upload | None |
Severity Threshold | --severity-threshold | SeverityThreshold | The vulnerability severity level from which to return an error exit code. Enter one of the following enum values: Low, Medium, High or None (do not test) | Online, Upload | None |
Project Teams | -t| --project-teams | N/A | Comma separated list of teams to assign to a newly created project. If the project exists, this is ignored. The full team hierarchy should be given, e.g: Team path should be prefixed by forward slash: | Online, Upload | Project will be accessible to all users |
Version | -v| --version | N/A | Prints the version to console output. | All | N/A |
Samples using some optional arguments:
Linux/MacOS
./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --log-level Debug --save-evidence-path ./evidences.json --extract-archives zip,ear --extract-depth 3 --gradle-exclude-scopes api,testCompile
Windows
./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p “demo123!” --log-level Debug --save-evidence-path ./evidences.json --extract-archives zip,ear --extract-depth 3 --gradle-exclude-scopes api,testCompile
Sample of folder exclusions:
Notice
The syntax shown below excludes only folders with the precise name that is specified. If you would like to exclude all folders that have the specified string anywhere in the file path, then you need to omit the backslashes, like this: *project2*
.
Linux/MacOS
./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' -e '*\project2\*,*\project 3\*'
Windows
./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p “demo123!” -e "*\project2\*,*\project 3\*"
Sample of file exclusions:
Linux/MacOS
./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' -e '*.ext1,*file name.ext2'
Windows
./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p “demo123!” -e "*.ext1,*file name.ext2"
Sample of tags:
Linux/MacOS
./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --project-tags "Dev" --scan-tags "version:0.2"-e '*.ext1,*file name.ext2'
Windows
./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p “demo123!” --project-tags "Dev" --scan-tags "version:0.2"
Sample of private packages:
Linux/MacOS
./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --private-dependency-name 'my-private-package' --private-dependency-version '1.0.0' --private-dependency-type 'Npm'
Windows
./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p “demo123!” --private-dependency-name 'my-private-package' --private-dependency-version '1.0.0' --private-dependency-type 'Npm'
Notice
The custom parameters enable you to add additional parameters to the scan command. They do not override the package manager flag commands that are built into the Checkmarx SCA Resolver.
Config | Argument Name | Config file key | Description | Used in mode |
---|---|---|---|---|
Gradle Custom Parameters | --gradle-parameters | None | Parameters to be appended to Gradle package manager directly | Online, Offline |
Bower Custom Parameters | --bower-parameters | None | Parameters to be appended to bower package manager directly | Online, Offline |
Composer Custom Parameters | --composer-parameters | None | Parameters to be appended to composer package manager directly | Online, Offline |
Lerna Custom Parameters | --lerna-parameters | None | Parameters to be appended to lerna package manager directly | Online, Offline |
NPM Custom Parameters | --npm-parameters | None | Parameters to be appended to npm package manager directly | Online, Offline |
Nuget Custom Parameters | --nuget-parameters | None | Parameters to be appended to nuget package manager directly | Online, Offline |
Pip Custom Parameters | --pip-parameters | None | Parameters to be appended to pip package manager directly | Online, Offline |
Sbt Custom Parameters | --sbt-parameters | None | Parameters to be appended to sbt package manager directly | Online, Offline |
Yarn Custom Parameters | --yarn-parameters | None | Parameters to be appended to yarn package manager directly | Online, Offline |
Maven Custom Parameters | --maven-parameters | None | Parameters to be appended to maven package manager directly | Online, Offline |
Ivy Custom Parameters | --ivy-parameters | None | Parameters to be appended to Ivy package manager directly | Online, Offline |
CocoaPods Custom Parameters | --cocoapods-parameters | None | Parameters to be appended to CocoaPods package manager directly | Online, Offline |
Poetry Custom Parameters | --poetry-parameters | None | Parameters to be passed to Poetry package manager directly | Online, Offline |
Notice
All custom parameters are not mandatory.
Sample using custom arguments:
Linux/MacOS
./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --gradle-parameters='-pUSERNAME=abc -pPASSWORD=cba'
Windows
./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p “demo123!” --gradle-parameters="-pUSERNAME=abc -pPASSWORD=cba"
Config | Argument Name | Config file key | Description | Enums | Used in mode | Default value |
---|---|---|---|---|---|---|
Report Path | --report-path | None | Specify the path to the location where the Report will be saved. | - | Online, Upload | reports |
Report Type | --report-type | None | You can use this flag to generate a report. There are two types of reports:
|
| Online, Upload | None |
Report Content | --report-content | None | Specify the type of content that will be included in the report. |
| Online, Upload | All |
Report Extension | --report-extension | None | Specify the file type of report. Note: You can specify multiple (comma separated) extension types in order to generate files of each type. Note: CycloneDx reports must be in Json or Xml format. |
| Online, Upload | Json |
Risk Report sample:
Linux/MacOS
./ScaResolver -s /Users/DemoUser/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --report-extension Pdf,Json,Csv --report-type Risk
Windows
./ScaResolver.exe -s C:\Users\DemoUser\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --report-extension Pdf,Json,Csv --report-type Risk
You can generate an SBOM Report in json or xml format when running a scan using Checkmarx SCA Resolver (version 1.5.52+).
SBOM Report sample:
Linux/MacOS
./ScaResolver -s /Users/DemoUser/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --report-extension Xml,Json --report-type CycloneDx
Windows
./ScaResolver.exe -s C:\Users\DemoUser\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --report-extension Xml,Json --report-type CycloneDx
To run a scan using the Exploitable Path feature, in addition to the regular mandatory arguments, you also need to add the following arguments, see Exploitable Path (BETA).
Note
Attributes marked as Mandatory in this table, are mandatory only when running an Exploitable Path scan. When running an Exploitable Path scan in Upload mode, you can either include the attributes that specify the account and Project info or the path to the result file.
Config | Argument Name | Config file key | Description | Mandatory | Used in | Default value |
---|---|---|---|---|---|---|
SAST Authentication server username | --cxuser | SastUserName | Your username for the SAST Authentication server | YES | All | - |
SAST Authentication server password | --cxpassword | SastPassword | Your password for the SAST Authentication server | YES | All | - |
SAST Project ID | --cxprojectid | SastProjectId | The ProjectId of the Project that you created in SAST for running the SCA Exploitable Path feature. | Either the Project ID or the Project name is mandatory. | All | - |
SAST Project name | --cxprojectname | SastProjectName | The Project name of the Project that you created in SAST for running the SCA Exploitable Path feature. | Either the Project ID or the Project name is mandatory. | All | - |
SAST Server endpoint | --cxserver | SastServer | Your CxServer endpoint. e.g., https://checkmarxServer/ | YES | All | - |
Path to save SAST results | --sast-result-path | SastResultPath | Specify the path to the directory/file where the SAST results will be saved (for future upload). | YES (for Offline mode) | Offline | false |
Path to read SAST results | --sast-result-path | SastResultPath | Specify the path to the file of the saved SAST results that you are uploading. | For Upload mode, either this attribute with the path to the result file or info about the account and Project is mandatory. | Upload | false |
Time period to check for SAST results | N/A | OldResultsThresholdMinutes | The time period for which SAST results will be checked. If multiple results exist, the most recent will be used. Note: there is no CLI argument for this parameter, so it must be set in the config file. | NO | All | 144000 |
Timeout for sending request to SAST | N/A | EngineResultsReceiveTimeOutMinutes | Maximum time to wait to send the request to the SAST engine. | NO | All | 2 min. |
Timeout for receiving response from SAST | N/A | EngineResultsReceiveTimeOutMinutes | Maximum time to wait to receive the results from the SAST engine. | NO | All | 15 min. |
Sample using Exploitable Path:
Linux/MacOS
./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --cxuser bob --cxpassword 'demoabc!' --cxprojectname DemoCxProject --cxserver 'https://checkmarxServer'
Windows
./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p "demo123!" --cxuser bob --cxpassword "demoabc!" --cxprojectname DemoCxProject --cxserver "https://checkmarxServer"