Skip to main content

Checkmarx SCA Resolver Changelog

Version 2.7.2 Download Links:

Version 2.7.2 sha256sum Checksum Links

Download the relevant checksum file to verify the integrity and authenticity of your SCA Resolver download.

The following links enable you to always download the latest version of Resolver.

Use the relevant link to download the checksum for the "latest" version of Resolver.

Improvements in Version 2.6.9 (Mar 21, 2024)

  • Added support for extracting .gz archives that contain .tar folder using the --extract-archives flag.

Previous Versions




Changes from last version


(Mar 21, 2024)

  • For Gradle,

    • Fixed exception during project detection

    • Fixed issue that scans were being duplicated


(Feb 29, 2024)

  • Fixed a critical bug when saving results to a file path that already exists.


(Feb 19, 2024)

  • Fixed bug introduced in the previous version that zip creation failed when the scanned folder didn't contain any manifest files.


(Feb 12, 2024)

  • Added a flag --ignore-test-dependencies for ignoring test dependencies.

  • For Nuget, added support for VBNet projects.

  • Fixed exception during the FolderAnalyzer step.

  • For Ivy, fixed a bug when build.xml does not have a target node.


(Dec 22, 2023)

  • For Gradle, the processing of wildcards on Gradle multi-module scans has been improved.

  • For Python, pip is no longer presented as a dependency for all Python projects.


(Nov 23, 2023)

  • Fixed issue that the MacOS artifact hadn't been published in prior versions (2.4.8, 2.5.2 and 2.5.11).


(Nov 22, 2023)

  • We now only create a reports folder when the user actually generates a report.

  • Fixed the fingerprint calculation for JavaScript files.

  • For container scans, updated ImageResolver to version 3.0.31, which includes the following updates:

    • We now scan yaml files, enabling detection of images inside docker-compose files and helm charts. This dramatically increases our coverage for detecting container images.


      If you prefer to exclude these files from a scan, you can do so using the command --excludes "*.yaml".

    • Improved detection of Java and IOS package inside images.

    • Enabled running container scans via Checkmarx One CLI.

      This is done by using SCA Resolver in the CLI command, and setting the Resolver params as follows:

      • --scan-containers

      • --containers-result-path <base_folder_path>/.cxsca-container-results.json


        <base_folder_path> must be identical to the value given for -s.

        The precise file name .cxsca-container-results.json must be used.

      Learn more about running container scans here


(Nov 7, 2023)

  • We now sanitize the parameters passed to the package managers. We also added a flag, --disable-parameter-sanitization (and a config parameter), in case you would like to disable this feature.

  • Added a flag, --logs-path, for passing the logs directory name in the CLI command (in addition to existing support for setting it in the config file).

  • For container scans, we added a flag, --containers-cache-path (and a config parameter), for setting the path to the directory where the container images cache is written.

  • For CocoaPods, fixed the error that caused the scan to fail when the lock file parse failed for a dependency.


(Oct 12, 2023)

  • For Yarn, scripts that are defined on package.json are now ignored.

  • For Swift, lock file version 2 is now supported.


(Sep 13, 2023)

  • Improved parsing support for CLI custom arguments.


(Aug 23, 2023)

  • For Container Scans, updated ImageResolver to version 3.0.7, which includes the following updates:

    • In order to run container scans via Resolver, you are now required to have Syft version 0.83.0 installed on your local machine.

    • Added support for Podman (in addtion to Docker).

    • It is no longer required to have Docker installed in order to run container scans on public images. However, if you are scanning private images, then you need to have Docker or Podman installed, and you need to be authenticated for the relevant image registry, e.g., Jfrog, ECR, GCR, Nexus etc.

    • Improved process for identifying packages and vulnerabilities, yielding more comprehensive results


Aug 4, 2023)

  • When multi-module projects cause manifest files to be duplicated in the results, we now merge the results from both manifests so that the scan can complete successfully.

  • For Poetry, added the flag --poetry-parameters for adding custom parameters for Poetry.

  • For Python:

    • When there is a problem resolving the dependencies from a manifest file, we now correctly show a failure for the resolution of that manifest file.

    • Added support for pyenv configuration.

  • For Gradle, fixed issue that despite the --gradle-include-modules flag being used, non-included modules were still being scanned.

  • For NPM, improved the method for resolving workspaces, so that it is no longer necessary to change the content of the package-lock file.


(Jul 12, 2023)

  • Fixed a bug related with exploitable path that the file was being generated in an incorrect format.


(Jul 5, 2023)

  • Improved file handling of large results files.

  • For PIP, Graphviz is now used instead of the pipdeptree tool.


(Jun 7, 2023)

  • For Nuget, improved detection of package versions used by the framework at runtime.

  • For Bower, Improved dependency resolution.


(May 23, 2023)

  • Syft is now used automatically whenever the --scan-container flag is used. The --use-syft flag is no longer in use.


    This is a breaking change. If you have pipelines that use the --use-syft flag, it needs to be removed.


    For syft to run on your scans, you need to have it installed on the machine that is running Resolver, see Prerequisites.

  • For PIP:

    • Added a new argument for including custom manifest files for resolution.

    • Improved detection of the Python version installed on the system.

  • For Gradle, dependencies that were ignored by the package manager are now ignored by Resolver.

  • For NPM, the problem with the decision to run commands for NPM6 or NPM7 has been fixed.

  • Fixed "out of memory" issues that were occurring in some edge cases.


(May 9, 2023)

  • For Gradle, added support for dynamic submodule declaration.

  • ImageResolver updated to version 2.0.47.


(Apr 19, 2023)

  • Added support for Unity package manager. For more information, see Unity Package Manager Dependency Resolver.

  • For Bower, fixed issue that dependency resolution was failing when latest version ("*") was specified.

  • For Ivy, fixed issue that unused versions were being resolved despite the fact that a newer version had been specified in the manifest file.

  • ImageResolver updated to version 2.0.43.


(Apr 13, 2023)

  • Added support for authentication via Master Access Control, see Master Access Control Authentication for Checkmarx SCA Resolver.

  • For Sbt, stack overflow is fixed when building the dependency tree.

  • For Gradle, when a submodule is duplicated in a project we now resolve the package only once.

  • ImageResolver was updated to version 2.0.41.


(Feb 28, 2023)

  • We have stopped supporting Configuration.ini. It is a requirement to use the Configuration.yml file when running the new version of Resolver.


    This is a breaking change which makes the new version of Resolver incompatible with previous versions.

  • We now get all passwords from environment variables.

  • Users can now specify a custom path to the NetRc file to be used for authentication.

  • For Java, improved the Java version detection for openjdk11 on Windows.

  • For Bower, improved dependency resolution.


(Feb 3, 2023)

  • For Sbt, fixed an issue that led Sbt package resolution to fail when the plugins file exists and has content.

  • For Go, fixed an issue that led Go package resolution to fail when there was a vendor folder present.

  • User permissions are now checked before updating the project.


(Jan 4, 2023)

  • Parameter values are now case insensitive.

  • Added a new flag to cause the scan to fail and return exit code 9 when resolution fails for one or more of the manifest files.

  • For PIP, fixed problem with the file path when using the -r flag inside a requirements.txt file.


(Dec 21, 2022)

  • For Maven, improved log messages.

  • For Poetry, added support for version 1.2.

  • For Container Scans, updated ImageResolver to version 2.0.1, which includes the following updates:

    • For Dockerfile, we now support scanning of base images from private repositories.

    • Scanning built images using Syft is now fully supported, even when pulling images from private repositories.


(Nov 23, 2022)

  • We changed the format of the configuration file from .ini to .yml.


    We temporarily continue to support .ini format. However, once version 2.0 is released (scheduled for end of February) this format won't be supported. Please make sure to migrate the configuration files in all of your environments to the yaml format by that time.

  • Added Syft integration. Use the --use-syft flag in order to use Syft for container image resolution.

  • Uses image resolver version 1.0.11.

  • Enable adding tags to projects (--project-tags) and scans (--scan-tags).

  • The project teams flag (-t | --project-teams) flag can now be used to update the teams assigned to an existing project. (Previously, it could only assign teams to a new project.)


(Oct 25, 2022)

  • For container scan:

    • Uses image resolver version 1.0.7.

    • Added support for resolution of image files without using Dockerfile.

  • For Carthage, added authentication for private repositories based on .netrc file.

  • For Gradle, improved sub-module resolution.

  • For Python, users are now able to specify the version of pipdeptree to be used.


  • For Python, Resolver now has a consistent behavior for installing pipdeptree. For Python 2, it installs version 2.2.1; for Python 3 it installs 2.3.1.  

  • For Gradle:

    • Added support for project method in settings.gradle.

    • Resolver now ignores the IncludeBuild method in gradle.settings file. 

    • Improved the way we get the Gradle wrapper version from the distribution URL.  


  • Container Scan - Resolver now scans containers via a dedicated Container CLI. When you extract the downloaded archive, it now contains an additional executable ImageResolverCli.exe.


    The new architecture does not affect the functionality in any way. When you extract the downloaded archive, it now contains an image resolver executable (in addition to the Resolver executable).


  • For Gradle, improved results by preventing Gradle from resolving multiple projects simultaneously.

  • For Python:

    • Added support for Poetry package manager

    • Added support for PIP to resolve dependencies from the following files: pyproject.toml, setup.cfg and

  • For Composer, we now attempt to resolve dependencies without running the install command.


For NPM, fixed bug related to workspaces.


  • Added the --Sca-app-url flag for specifying the url of the web application. Previously this could only be done via the config file.

  • Added the ability to include the password in the config file. Previously this could only be done via the CLI command.


    It isn't recommended to include a password in clear text in the config file. Instead, you can use an environment variable for the password. Resolver first checks for an environment variable of the specified name, and uses the plain text value only if no variable is found.

  • Added the --override-default-excludes flag, for disabling the default file exclusions.


Jul 6, 2022

  • For Yarn, general improvements in dependency resolution.

  • For NPM, added support for NPM workspaces.

  • Fixed problems caused by duplicate values for environment variables by overriding saved values when a new value is submitted.


Jun 30, 2022

  • Fixed issues for SAML authentication on MacOS.

  • For NPM, added support for NPM 8.

  • Added the ability to skip file analysis when the file is in use.


Jun 8, 2022

  • For Ivy, added the option to specify the target name and todir, which determine where the reports are written to when resolving dependencies in Ivy.

  • For Gradle, minor improvements.


  • We now provide a sha256sum file for each SCA Resolver download, enabling users to verify the integrity and authenticity of the SCA Resolver.

  • Added support for resolving Git repositories in Carthage.

  • Added support for Yarn lock version 2.

  • Fixed problem that KTS files weren’t being resolved for Gradle multi module projects.

  • Fixed issue with folder excludes, so that when a folder is excluded, all files inside the folder and all of its sub-folders are excluded.

  • In order to prevent scan failures, we no longer change the gradlew and gradlew.bat line endings.


  • Container Scan - added support for container images hosted on Microsoft Container Registry (MCR) (e.g., See Container Scans

  • Exploitable Path - you can now use the "--proxies" flag with Exploitable Path scans in order to send the traffic through a proxy.

  • Added additional Debug logs for commands that are taking too long to execute.


  • Container Scan - added support for build arguments in Dockerfile FROM statements using a .env_cxsca-container-build-args file . For more information, see Container Scans

  • Performance improvements for Pip, Sbt, Maven, Bower, Gradle

  • For MacOS - fixed path for virtual environment in Pip



  • We now allow scanning with SAST using offline mode and then uploading the SAST results file using upload mode.

  • For Gradle:

    • Improved multi-module resolution. The origin of dependencies is now specified by the corresponding module.

    • Added support for flat multi-module project structure.


  • Improved security by fixing path traversal problem when creating logs file.

  • Improved efficiency on Container scans by avoiding redundant requests to download images. This is done by downloading images to a unique file in the project root.

  • For Carthage, fixed documentation for using GitHub API for resolution. See Installing Supported Package Managers for Resolver | Limitations

  • For Sbt, improved method for finding dependency graph.

  • For Gradle, fixed the error that caused the default JVM arguments to be used in Checkmarx SCA Resolver. Now these arguments are ignored.


  • For NuGet, users can now specify the path to the NuGet CLI executable that they would like to use.

  • For Sbt, improved the Sbt multi-module support when using coursier to resolve the dependencies.


  • When Checkmarx SCA Resolver runs a scan with Exploitable Path, the Project settings are automatically updated to activate Exploitable Path on the Project level. (Previously, EP needed to be activated for the Project before it could be run in Checkmarx SCA Resolver.)

  • For sbt, we no longer change the .sbtopts file in order to force dependency resolution through Ivy. Dependencies will be resolved using the customer’s sbt resolver.


  • For Composer, no longer generates autoload files when installing the dependencies.

  • For Bower:

    • Improved identification of direct dependencies.

    • Removed the project being scanned from the results.

  • For sbt:

    • Changed the command used to identify if sbt is installed to sbt --script-version.

    • Improved dependency resolution in solutions with multiple projects.

  • For Carthage, minor improvements in dependency resolution.


  • For Carthage, minor improvement in Carthage resolution.

  • For Carthage, we implemented a client balancer to support more Github tokens.

  • Container Scan - Checkmarx SCA Resolver is now capable of scanning containers (i.e., Docker image files) on which your source code runs. Checkmarx SCA identifies each of the Docker files being used, extracts all layers of each image file and identifies the packages used by each layer. To run the containers scan, you need to add the --scan-containers flag to the run command.


  • For Gradle, the "-Dorg.gradle.jvmargs=-Xmx1g" parameter is no longer used by default in the command executed by gradle. If you would like to add this parmeter, you can do so using the following custom gradle parameter --gradle-parameters '-Dorg.gradle.jvmargs=-Xmx1g'.

  • Nuget projects can now be resolved through Nuget CLI when resolution through dotnet is not available.

  • For Yarn, parsing of the yarn.lock files now allows properties inside quotation marks.


  • General improvements for NPM/Lerna

  • The “--ignore-dev-dependencies” flag now supports ignoring dev dependencies for Yarn

  • Improved error message when a project is assigned to a team that is not accessible or does not exist


  • Windows binaries are now signed by Checkmarx

  • Added ability to export an SBOM report (CycloneDx format)

  • Improved package resolution for Carthage

  • Fixed issues with package manager proxies

  • Fixed container scan default namespace for dockerhub


  • Nuget scans now support multiple “nuget.config” files in a project.

  • The Checkmarx SCA Resolver installation files are created using a new method that adds the necessary dependencies to the zip for execution.


  • Added proxy support for the following package managers (in addition to those added in 1.5.38):

    • PIP

    • Nuget

    • SwiftPM

    • SBT

    • Carthage

  • Fixed issue so that disabling code uploads no longer interferes with Resolver’s ability to send scan results to the cloud.


  • Added support for providing a proxy to be used for requests. It is supported for the following package managers:

    • Maven

    • Ivy

    • Bower

    • Composer

    • Gradle

    • NPM

    • Yarn

    • CocoaPods

  • For Ivy, Checkmarx SCA Resolver no longer creates temporary folder

  • Added support for scanning projects using SwiftPM

  • Added support for scanning projects using CocoaPods

  • Added support for scanning projects using Carthage


  • Resolver now identifies “test” dependencies by path

  • For Gradle wrapper projects, fixed issue for handling packages when the system doesn’t have Gradle installed

  • Fixed issue that the “extract compressed folder” feature had been deleting paths that were previously extracted


  • Adjusted the default exclusion patterns to more precisely match the desired folder names

  • For NPM, can now handle invalid file exceptions

  • For Ivy, now copies all files to a temporary folder


  • For Gradle, general improvements

  • For Ivy, general improvements

  • Improved scan performance for large projects


  • For Gradle, fixed handling of orphan packages

  • For Ivy, added ability to pass custom parameter


  • For Gradle, added flag to only include desired submodules

  • For Gradle, fixed submodule identification

  • Fixed issue with scans failing when policy violation couldn’t be evaluated

  • Checkmarx SCA Resolver version is now always included in logs

  • Added a flag to bypass Checkmarx SCA Resolver exit code when an error occurs


  • For Gradle, added flag to tag dependency group as plugin, and other general improvements

  • For Nuget, fixed exception when package.config is empty

  • For NPM, added support for Shrinkwrap files

  • For Yarn, improved workspace search

  • For Composer, general improvements

  • Fixed deserialization exception in “Upload” mode

  • Fixed async error handling for “create scan”

  • The auto-generated file for “Offline” mode now uses new naming conventions

  • General improvements in Checkmarx SCA Resolver UX


  • Checkmarx SCA Resolver now uses the "--all" flag to force npm to list all dependencies (i.e., revert to version 6 results)

  • For Yarn, general improvements

  • Added support for Ivy package manager


New features in 1.5.4

  • There is now an option to run Checkmarx SCA Resolver in “Offline” mode. When a scan is run in “Offline” mode, it can then be run in “Upload” mode at a later time to execute the scan.

  • When you run a scan using Checkmarx SCA Resolver, you can now set flags to export a comprehensive Risk Report of the scan results in json, xml, csv, or pdf format.

Improvements and bug fixes in 1.5.4

  • Improved result parser for Bower

  • Can now handle the exception when trying to extract compressed files that require a password

  • Fixed bug causing scan to get stuck when Maven was not available

  • Pip now resolves Python requirement files which contain an '-r' flag

  • Fixed log name to include the local timezone of the machine (as opposed to showing UTC)


  • Added ability to pass custom parameters Maven

  • Fixed password leak to log

  • Fixed argument parsing while replacing '_' with '-'

  • For npm, transitives of dev dependencies are now tagged as dev


  • Added a flag to ignore submodules in Gradle

  • For Gradle, we now detect settings.gradle.kts files

  • For Nuget, we now ignore project references inside of .csproj files

  • For PIP, we now detect files with the following file names: “requirement-*.txt” and “requirements-*.txt”

  • For Composer, the vendor folder is now ignored by the scanner

  • Logs are now saved in ScaResolver path by project name unless a fully qualified path is configured in the "LogsDirectory" configuration


  • For Exploitable Path scans, users now have the option of providing the SAST Project name instead of the Project ID

  • Added Gradle dependency parser customizations

    • Exclude scopes - include all scopes other than the specified exclusions

    • Include scopes - include only the specified scopes

    • Dev scopes - mark specific scopes to be analyzed as dev dependencies


  • Added ability to pass custom parameters to Bower, Composer, Lerna, NPM, Nuget, Pip, Sbt, and Yarn project scans

  • Added ability to disable upload of manifest files

  • SCA scans now extract compressed files of type .zip, .war, .ear. Also, the user can add a flag to specify custom file types for extraction.

  • For Exploitable Path scans, the config file key "OldResultsThresholdMinutes" was added, enabling users to customize the time period for which SAST results are checked. By default, this is now set a

  • Changed "Invalid SAST settings" to warning level instead of error

  • Improved Gradle dev-dependencies detection

  • Fixed NPM package-lock.json display error

  • Fixed errors causing scan failures in Gradle, Bower and Maven


  • Added support of the “Exploitable Path” feature for SAST users. This enables you to identify whether or not there is an exploitable path from your source code to a specific open source vulnerability, see Exploitable Path.

  • Added support for Checkmarx SCA “Policies”. This enables you to cause builds to break whenever the specified threshold of security threats is detected, see Policy Management.

  • Added the ability to pass custom parameters to Gradle project scans

  • Fixed BOM issue in composer.json file


  • NPM: Fixed a package relationship issue

  • Gradle:

    • Improved Gradle robustness

    • Improved Dev Dependencies

  • CLI: Added a flag to exclude Dev Dependencies in a pre-scan stage (e.g., -i or --ignore-dev-dependencies)


  • Fixed an identification metadata (metrics)


  • Using a more generic method for grabbing the Gradle wrapper version

  • Improved npm robustness in the Linux CLI

  • Support for the Gradle findProject directive


  • Fixed a failure in the Gradle wrapper when using a Gradle download URL from a non-official Gradle site.

  • Fixed a bug that occurred when running Gradle under Windows.

  • Fixed a bug that occurred when running NuGet under Windows.


  • Various bug fixes implemented.


  • Dependency resolution now supports Python requirement.txt files.

  • Dependency resolution now supports Nuget packages.config manifest files.

  • Added support for specifying the Python version in the configuration.

  • Several bug fixes implemented for the dependency resolution.


  • Minor dependency resolution bug fixes

  • -v shows the version


  • Rename to SCA resolver. Printing ScanID and showing URL to the risk report.