
Checkmarx SCA Resolver Configuration Arguments

Most Checkmarx SCA Resolver configuration parameters can be submitted either as command line arguments or by editing the configuration.yml file.

Notice

Certain parameters must be submitted via the config file. Therefore, it is mandatory to include the configuration.yml file (which is included in the Checkmarx SCA Resolver download) in the same folder as the ScaResolver binary.

Note

The info provided on this page relates to running Resolver as a standalone tool. If you are running Resolver via an external platform such as the Checkmarx One CLI tool or plugins, or the CxSAST/CxSCA CLI tool or plugins, then only Offline arguments can be used. In addition, the mandatory arguments differ for different platforms. See the relevant SAST/SCA Integrations documentation for details.

Configuration.yml file Specifications

Warning

As of version 2.0, Configuration.ini format is no longer supported. It is now mandatory to include the Configuration.yml file containing your config data.

The configuration file must be located in the same folder as the ScaResolver binary.

The configuration file has the format of KeyName: Value.

The file must follow the yaml file format specification.

Configuration Arguments - Tables and Samples

The following tables describe the supported arguments that can be used in Resolver. You can submit --help to get the list of supported parameters.

| Argument | Name | Config file key | Description | Used in mode | Default value |
|---|---|---|---|---|---|
| -a, --account | Account | Account | Your SCA account name. | Online, Upload | - |
| --authentication-server-url | Authentication Server URL [1] | AuthenticationServerUrl | The URL of the SCA Access Control server. | Online, Upload | https://platform.checkmarx.net |
| --logs-path | Logs Directory [2] | LogsDirectory | The default name assigned to the logs directory. | | logs |
| -p, --password | Password [3] | Password | The password for your SCA user account. Tip: you can configure a custom environment variable to use for the password; this is preferable to including a password in clear text in the config file. | Online, Upload | - |
| --containers-result-path | Path to read container results | ContainersResultPath | Specify the path to the file of the saved containers results that you are uploading. Tip: mandatory for container scans. | Upload | - |
| -r, --resolver-result-path | Path to read ScaResolver results | ResolverResultPath | Specify the path to the file of the saved resolver results that you are uploading. | Upload | - |
| --containers-result-path | Path to save container results | ContainersResultPath | Specify the path to the directory/file where the containers results will be saved (for future upload). Tip: mandatory for container scans (--scan-containers). | Offline | - |
| -r, --resolver-result-path | Path to save ScaResolver results | ResolverResultPath | Specify the path to the directory/file where the resolver results will be saved (for future upload). | Offline | - |
| -n, --project-name | Project Name | ProjectName | To scan an existing SCA Project, enter the Project name. Alternatively, enter a new Project name to create a new Project in SCA. | All | - |
| --sso-provider | Provider name [3] | SsoProviderName | The name of your SSO provider. Alternatively, you can give the name of your Master Access Control instance. For more info see SAML Authentication for Checkmarx SCA Resolver. | Online, Upload | - |
| --sca-app-url | SCA Application URL [3] | ScaAppUrl | The URL of the SCA web application. | Online, Upload | https://sca.checkmarx.net |
| -s, --scan-path | Scan Path | N/A | Path to the folder to be scanned. Note: this must be the path to a local folder that contains the source code, not to a zip archive or a code repository. | Online, Offline | - |
| --server-url | Server URL [1] | ServerUrl | The URL of the SCA API server. | Online, Upload | https://api-sca.checkmarx.net |
| -u, --username | Username [3] | Username | Your username for the SCA account. | Online, Upload | - |

[1] The default values for Server URL and Authentication Server URL are preconfigured in the config file, so it is unnecessary to submit these arguments in the CLI.

[2] The default value for Logs Directory is preconfigured in the config file. There is no argument for adjusting this value in the CLI.

[3] Authentication is done either using your Checkmarx SCA credentials or via your SSO provider. Therefore, you are required to submit either -u/--username and -p/--password or --sso-provider, but not both.

Samples using mandatory arguments:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!"

| Argument | Name | Config file key | Description | Used in mode | Default value |
|---|---|---|---|---|---|
| N/A | Additional Manifest Patterns | AdditionalManifestPatterns | Allows the user to specify additional patterns to detect as manifests. Tip: currently supported only for pip. The config file syntax is shown below this table. | Online, Offline | N/A |
| --project-tags | Add tags to project | N/A | Comma separated tags to be assigned to the project. A tag can be a simple string or key:value. | Online, Upload | None |
| --scan-tags | Add tags to scan | N/A | Comma separated tags to be assigned per scan. A tag can be a simple string or key:value. | Online, Upload | None |
| --break-on-manifest-failure | Break on manifest failure | BreakOnManifestFailure | When this flag is used, the scan fails and error code 9 is returned when resolution fails for one or more of the manifest files. | Online, Offline | False |
| --bypass-exitcode | Bypass exit code | BypassExitCode | If set to "true", the exit code is overridden and set to 0, enabling the scan to pass through the CI/CD pipeline. | All | False |
| -c, --config-path | Change configuration file | N/A | Changes the config file used for the scan. | All | Configuration.yml |
| --netrc-path | Custom NetRc path | NetRcPath | Specify the path to the NetRc file to be used. | Online, Offline | None |
| --override-default-excludes | Disable default exclusions | OverrideDefaultExcludes | When this is set, the only folders and files excluded are those specified in the --excludes flag. | Online, Offline | false |
| --no-upload-manifest | Disable manifest upload | N/A | When this argument is set, the manifest files are not uploaded to Checkmarx SCA Cloud. Tip: preventing manifest upload doesn't interfere with the effectiveness of the scan, but it may limit Checkmarx SCA's ability to suggest precise mitigation actions. | Online | False (i.e., manifest files are uploaded) |
| --disable-parameter-sanitization | Disable parameters sanitization | DisableParameterSanitization | Disables sanitization of the additional parameters passed to the package managers. | Online, Offline | False |
| -e, --excludes | Excludes | ExcludePatterns | Specify file and folder patterns to be excluded from the zip file that will be scanned. See examples below. Tip: using this argument adds to the list of exclusions; it does not override the default exclusions. | Online, Offline | Default excluded folders: node_modules, bower_components, .git, vendor, Carthage |
| --extract-archives | Extensions to be extracted | N/A | Submit comma separated archive extensions to be extracted. Tip: using the argument to add custom file types overrides the default types. If you want the default types to be extracted as well, you must include them in the comma separated list. | Online, Offline | ".zip, .ear, .war" |
| --extract-depth | Extraction depth level | N/A | The depth level of file extraction. Tip: increasing the depth level increases the accuracy of the results, but it also significantly increases the scan time. Tip: this flag is relevant only for packages identified by unpacking archive files (e.g., .jar, .war), not for those identified via manifest files. | Online, Offline | 1 |
| --gradle-dev-scopes | Gradle Dev Scopes | N/A | Gradle user-defined dev dependency scopes. | Online, Offline | None |
| --gradle-ignore-modules | Gradle Excluded Submodules | N/A | Ignore Gradle sub-modules. | Online, Offline | None |
| --gradle-exclude-scopes | Gradle Exclude Scopes | N/A | Gradle dependency scopes to exclude. | Online, Offline | None |
| --gradle-include-modules | Gradle Include Modules | N/A | Include only the desired Gradle project submodules. | Online, Offline | None |
| --gradle-include-scopes | Gradle Include Scopes | N/A | Gradle dependency scopes to include. | Online, Offline | None |
| --gradle-plugin-scopes | Gradle Plugin Scopes | N/A | Gradle user-defined plugin scopes. | Online, Offline | None |
| --help | Help | N/A | Shows a list of supported arguments for SCA Resolver in the console output. | All | N/A |
| --ignore-dev-dependencies | Ignore Dev Dependencies | IgnoreDevDependencies | Ignores dev dependencies in the pre-scan stage. | Online, Offline | False |
| --ignore-test-dependencies | Ignore Test Dependencies | IgnoreTestDependencies | Ignores test dependencies in the pre-scan stage. | Online, Offline | False |
| --images | Images to scan | N/A | Specify the container images to be scanned as a comma separated list. Tip: when this flag is used, the --scan-containers flag is also required. | Online, Offline | None |
| --ivy-report-target | Ivy report target | N/A | Specify the name of the target for writing reports when resolving dependencies in Ivy. Tip: if this flag is used, the "Path to save Ivy reports" flag must also be set. | Online, Offline | False |
| --log-level | Log Level | LogLevel | Sets the lowest threshold for log messages. Enter one of the following enum values: Verbose, Debug, Information, Warning, Error, Fatal. | All | Information |
| N/A | Maximum attempts to check scan status | ScanReportMaxRetries | The maximum number of requests sent to check the status of the scan. | All | 2147483647 |
| --containers-cache-path | Path to cache containers image | ContainersImagesCacheDirectory | Path to the directory where the containers images cache will be written. Tip: only used when containers scan is enabled. | Online, Offline | Cache |
| --nugetcli-path | Path to nuget CLI executable | NugetCliPat | Specify the path to the nuget CLI executable to be used. | Online, Offline | False |
| --manifests-path | Path to project's manifest | ManifestsPath | When this argument is set, the manifest file in the specified path is uploaded to Checkmarx SCA Cloud. | Upload | When this flag isn't used, no manifest file is uploaded. |
| --ivy-report-files-dir | Path to save Ivy reports | N/A | Specify the todir for writing reports when resolving dependencies in Ivy. Tip: if this flag is used, the "Ivy report target" flag must also be set. | Online, Offline | False |
| --private-dependency-name | Private dependency name (BETA) | PrivateDependencyName | The name of the private package. This flag must be used in conjunction with --private-dependency-version and --private-dependency-type. Tip: you can designate a scan as a "Private Package" and assign a package version to it. Once a private package has been scanned, info about the risks affecting that package will be identified by SCA when that package version is used in any of your projects. You can download an article about private packages here. | Online, Offline | False |
| --private-dependency-type | Private dependency type (BETA) | PrivateDependencyType | The package manager used for accessing the private package, for example Go, Nuget, Npm, Maven. Tip: the complete list of supported types is available via the Resolver help command. | Online, Offline | False |
| --private-dependency-version | Private dependency version (BETA) | PrivateDependencyVersion | The version of the package. | Online, Offline | False |
| -t, --project-teams | Project Teams | N/A | Comma separated list of teams to assign to a newly created project. If the project exists, this is ignored. The full team hierarchy should be given and the team path must be prefixed by a forward slash, e.g. /CxServer/Team01/Team01a | Online, Upload | Project will be accessible to all users |
| --proxies | Proxy | N/A | The proxy to be used for making internet requests. You can enter comma separated proxies for HTTP and HTTPS, and can include authentication credentials for HTTPS. See Proxy Scans. | Online, Offline | None |
| --python-version | Python version | PythonVersion | Specify the Python version to be used for package resolution. Enter one of the following enum values: V2, V3. | Online, Offline | V3 |
| -q, --quiet | Quiet mode | N/A | When this flag is used, logs aren't returned to the console output. They are still written to the log files. | Online | False |
| --scan-containers | Run containers scan | N/A | Scan the Dockerfiles in your project to identify the container images used in your project. See Container Scans. Tip: requires installation of Syft v0.83.1 on the machine where you are running Resolver. | Online, Offline | False |
| --containers-result-path | Save containers result output | N/A | Save containers results, which is helpful for troubleshooting. Specify the path to the directory where you want the output to be saved. Tip: in Offline mode this is a mandatory parameter. It is also mandatory when scanning via Checkmarx One CLI, where the path must be set as <base_folder_path>/.cxsca-container-results.json: <base_folder_path> must be identical to the value given for -s, and the precise file name .cxsca-container-results.json must be used. | Online | None |
| --save-evidence-path | Save resolved dependency output | N/A | Saves evidence of the resolved dependencies, which is helpful for troubleshooting. Specify the path to the directory where you want the output to be saved. | Online | None |
| --severity-threshold | Severity Threshold | SeverityThreshold | The vulnerability severity level from which to return an error exit code. Enter one of the following enum values: Low, Medium, High, None (do not test). | Online, Upload | None |
| N/A | Time between scan report requests | ScanReportWaitForFinishDelayInSeconds | Time in seconds before resending the request for the scan's risk report. | Online, Upload | 5 |
| - | Version | N/A | Prints the version to console output. | All | N/A |
| N/A | Version of Graphviz | GraphvizVersion | Specify the version of Graphviz to be used for package resolution. | Online, Offline | N/A |
| N/A | Version of pipdeptree | PipDepTreeVersion | Specify the version of pipdeptree to be used for package resolution. | Online, Offline | None |

Syntax for AdditionalManifestPatterns in the config file:

AdditionalManifestPatterns:
  pip:
    - example-*.txt

Samples using some optional arguments:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --log-level Debug --save-evidence-path ./evidences.json --extract-archives zip,ear --extract-depth 3 --gradle-exclude-scopes api,testCompile

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p "demo123!" --log-level Debug --save-evidence-path ./evidences.json --extract-archives zip,ear --extract-depth 3 --gradle-exclude-scopes api,testCompile
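As an added example of how the arguments above fit together in a pipeline (this is not Checkmarx's own code), the wrapper below writes Configuration.yml from the config keys in the tables, keeps the SCA credentials out of that file by reading them from the environment, runs a gated Online scan, and maps the documented exit codes to a verdict. SCA_USER and SCA_PASSWORD are assumed variable names chosen for this example; the exclusion pattern and report settings are illustrative.

```shell
#!/bin/sh
# Added example (not part of the Checkmarx documentation): a CI wrapper that
# runs ScaResolver as a quality gate using only arguments documented above.
# Username/Password are deliberately left out of Configuration.yml and read
# from the environment at run time (SCA_USER / SCA_PASSWORD are assumed names).
set -u

# Write Configuration.yml into the directory that holds the ScaResolver binary
# (the config file must sit next to the binary).
write_resolver_config() {
  resolver_home=$1
  cat > "$resolver_home/Configuration.yml" <<'EOF'
Account: Checkmarx
ServerUrl: https://api-sca.checkmarx.net
AuthenticationServerUrl: https://platform.checkmarx.net
ScaAppUrl: https://sca.checkmarx.net
LogLevel: Information
# Fail the scan (exit code 9) instead of silently skipping an unresolvable manifest.
BreakOnManifestFailure: true
# Return an error exit code when a High severity vulnerability is found.
SeverityThreshold: High
# Extra pip manifest pattern (constructed value), using the documented syntax.
AdditionalManifestPatterns:
  pip:
    - requirements-*.txt
EOF
}

# Map ScaResolver's exit status to a pipeline verdict.
#   0 -> pass
#   9 -> a manifest could not be resolved (BreakOnManifestFailure)
#   anything else -> the tool failed or the severity threshold was reached
verdict() {
  case $1 in
    0) echo pass ;;
    9) echo manifest-resolution-failed ;;
    *) echo failed ;;
  esac
}

# Run an Online scan of $2 as project $3 using the binary in $1 and print the
# verdict. -q keeps logs out of the console (they are still written to the logs
# directory); -e adds exclusions on top of the default ones. Note that -p puts
# the password in the process list on the build agent; prefer the environment
# variable option from the Password tip where your setup supports it.
run_gated_scan() {
  resolver_home=$1
  scan_path=$2
  project=$3
  write_resolver_config "$resolver_home"
  set -- -s "$scan_path" -n "$project" \
    -u "$SCA_USER" -p "$SCA_PASSWORD" \
    -q --ignore-dev-dependencies \
    -e '*\test-fixtures\*,*.md' \
    --report-type CycloneDx --report-extension Json --report-path ./sca-reports
  status=0
  "$resolver_home/ScaResolver" "$@" || status=$?
  verdict "$status"
}
```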

Sample of folder exclusions:

Notice

The syntax shown below excludes only folders with the precise name that is specified. If you would like to exclude all folders that have the specified string anywhere in the file path, then you need to omit the backslashes, like this: *project2*.

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' -e '*\project2\*,*\project 3\*'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p "demo123!" -e "*\project2\*,*\project 3\*"

Sample of file exclusions:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' -e '*.ext1,*file name.ext2'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p "demo123!" -e "*.ext1,*file name.ext2"

Sample of tags:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --project-tags "Dev" --scan-tags "version:0.2" -e '*.ext1,*file name.ext2'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p "demo123!" --project-tags "Dev" --scan-tags "version:0.2"

Sample of private packages:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --private-dependency-name 'my-private-package' --private-dependency-version '1.0.0' --private-dependency-type 'Npm'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p "demo123!" --private-dependency-name 'my-private-package' --private-dependency-version '1.0.0' --private-dependency-type 'Npm'

Notice

The custom parameters enable you to add additional parameters to the scan command. They do not override the package manager flag commands that are built into the Checkmarx SCA Resolver.

| Argument | Name | Config file key | Description | Used in mode |
|---|---|---|---|---|
| --bower-parameters | Bower Custom Parameters | None | Parameters to be appended to the bower package manager directly. | Online, Offline |
| --cocoapods-parameters | CocoaPods Custom Parameters | None | Parameters to be appended to the CocoaPods package manager directly. | Online, Offline |
| --composer-parameters | Composer Custom Parameters | None | Parameters to be appended to the composer package manager directly. | Online, Offline |
| --gradle-parameters | Gradle Custom Parameters | None | Parameters to be appended to the Gradle package manager directly. | Online, Offline |
| --ivy-parameters | Ivy Custom Parameters | None | Parameters to be appended to the Ivy package manager directly. | Online, Offline |
| --lerna-parameters | Lerna Custom Parameters | None | Parameters to be appended to the lerna package manager directly. | Online, Offline |
| --maven-parameters | Maven Custom Parameters | None | Parameters to be appended to the maven package manager directly. | Online, Offline |
| --npm-parameters | NPM Custom Parameters | None | Parameters to be appended to the npm package manager directly. | Online, Offline |
| --nuget-parameters | Nuget Custom Parameters | None | Parameters to be appended to the nuget package manager directly. | Online, Offline |
| --pip-parameters | Pip Custom Parameters | None | Parameters to be appended to the pip package manager directly. | Online, Offline |
| --poetry-parameters | Poetry Custom Parameters | None | Parameters to be passed to the Poetry package manager directly. | Online, Offline |
| --sbt-parameters | Sbt Custom Parameters | None | Parameters to be appended to the sbt package manager directly. | Online, Offline |
| --yarn-parameters | Yarn Custom Parameters | None | Parameters to be appended to the yarn package manager directly. | Online, Offline |

Notice

None of the custom parameters is mandatory.

Sample using custom arguments:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --gradle-parameters='-pUSERNAME=abc -pPASSWORD=cba'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --gradle-parameters="-pUSERNAME=abc -pPASSWORD=cba"

| Argument | Name | Config file key | Description | Enums | Used in mode | Default value |
|---|---|---|---|---|---|---|
| --report-content | Report Content | None | Specify the type of content that will be included in the report. | All; Packages; Vulnerabilities; Licenses | Online, Upload | All |
| --report-extension | Report Extension | None | Specify the file type of the report. Note: you can specify multiple (comma separated) extension types in order to generate a file of each type. Note: CycloneDx reports must be in Json or Xml format. | Json; Xml; Csv (saved as a zip with multiple Csv files); Pdf | Online, Upload | Json |
| --report-path | Report Path | None | Specify the path to the location where the report will be saved. | - | Online, Upload | reports |
| --report-type | Report Type | None | Use this flag to generate a report. There are two types of reports: Risk Report, a comprehensive report of the risks identified by Checkmarx SCA; and CycloneDx, a Software Bill of Materials (SBOM) report using the CycloneDx format. | Risk; CycloneDx; None | Online, Upload | None |

Risk Report sample:

Linux/MacOS

./ScaResolver -s /Users/DemoUser/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --report-extension Pdf,Json,Csv --report-type Risk

Windows

./ScaResolver.exe -s C:\Users\DemoUser\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --report-extension Pdf,Json,Csv --report-type Risk

You can generate an SBOM Report in json or xml format when running a scan using Checkmarx SCA Resolver (version 1.5.52+).

SBOM Report sample:

Linux/MacOS

./ScaResolver -s /Users/DemoUser/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --report-extension Xml,Json --report-type CycloneDx

Windows

./ScaResolver.exe -s C:\Users\DemoUser\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --report-extension Xml,Json --report-type CycloneDx

To run a scan using the Exploitable Path feature, in addition to the regular mandatory arguments you also need to add the following arguments; see Exploitable Path (BETA).

Note

Attributes marked as Mandatory in this table are mandatory only when running an Exploitable Path scan. When running an Exploitable Path scan in Upload mode, you can include either the attributes that specify the account and Project info or the path to the result file.

| Argument | Name | Config file key | Description | Mandatory | Used in | Default value |
|---|---|---|---|---|---|---|
| --sast-result-path | Path to read SAST results | SastResultPath | Specify the path to the file of the saved SAST results that you are uploading. | For Upload mode, either this attribute with the path to the result file or info about the account and Project is mandatory. | Upload | false |
| --sast-result-path | Path to save SAST results | SastResultPath | Specify the path to the directory/file where the SAST results will be saved (for future upload). | YES (for Offline mode) | Offline | false |
| --cxpassword | SAST Authentication server password | SastPassword | Your password for the SAST Authentication server. | YES | All | - |
| --cxuser | SAST Authentication server username | SastUserName | Your username for the SAST Authentication server. | YES | All | - |
| --cxprojectid | SAST Project ID | SastProjectId | The ProjectId of the Project that you created in SAST for running the SCA Exploitable Path feature. | Either the Project ID or the Project name is mandatory. | All | - |
| --cxprojectname | SAST Project name | SastProjectName | The Project name of the Project that you created in SAST for running the SCA Exploitable Path feature. | Either the Project ID or the Project name is mandatory. | All | - |
| --cxserver | SAST Server endpoint | SastServer | Your CxServer endpoint, e.g., https://checkmarxServer/ | YES | All | - |
| N/A | Timeout for receiving response from SAST | EngineResultsReceiveTimeOutMinutes | Maximum time to wait to receive the results from the SAST engine. | NO | All | 15 min. |
| N/A | Timeout for sending request to SAST | EngineResultsReceiveTimeOutMinutes | Maximum time to wait to send the request to the SAST engine. | NO | All | 2 min. |
| N/A | Time period to check for SAST results | OldResultsThresholdMinutes | The time period for which SAST results will be checked. If multiple results exist, the most recent is used. Tip: Exploitable Path is based on results from the most recent full SAST scan of the project; results from incremental scans aren't considered. Tip: there is no CLI argument for this parameter, so it must be set in the config file. | NO | All | 1 day |

Sample using Exploitable Path:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --cxuser bob --cxpassword 'demoabc!' --cxprojectname DemoCxProject --cxserver 'https://checkmarxServer'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -a Checkmarx -u jack -p "demo123!" --cxuser bob --cxpassword "demoabc!" --cxprojectname DemoCxProject --cxserver "https://checkmarxServer"