
Network and TLS Configuration

Using TLS Protocol

To configure the SCA Agent communications to use TLS, do the following:

  1. Edit the .env configuration file, as follows:

    • Set TLS=true.

    • Set TRANSFER_PROTOCOL=https.

    • Set TRAEFIK_PORT=443.

    • Set EXTERNAL_HOSTNAME=IP_address_of_your_host_computer.

    • We recommend exposing the SCA Agent on the default TLS port by setting EXTERNAL_PORT=443.

  2. Provide a valid certificate and private key, as follows:

    • Add a cert.crt file with a valid certificate and a key.key file with a valid private key, to the <sca-agent>/volumes/traefik/ssl directory.


We recommend replacing the placeholder files cert.crt and key.key with new files with the same names that contain valid content. If you choose to change the file names, you will need to adjust the configuration accordingly.
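
A preflight check for the two steps above, added here as an example and not part of the Checkmarx tooling: it confirms the .env values from step 1 and that key.key actually belongs to cert.crt and the certificate has not expired. The function names and messages are this example's own; it assumes a POSIX shell and the openssl CLI on the host.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Call as:
#   check_env  /path/to/.env
#   check_cert <sca-agent>/volumes/traefik/ssl

# Print the value of key $2 from .env file $1 (last assignment wins).
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

# Step 1: required settings. Prints each problem; non-zero if any FAIL.
check_env() {
    rc=0
    for want in TLS=true TRANSFER_PROTOCOL=https TRAEFIK_PORT=443; do
        key=${want%%=*}
        got=$(env_get "$1" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL $key is '${got}', expected '${want#*=}'"
            rc=1
        fi
    done
    if [ -z "$(env_get "$1" EXTERNAL_HOSTNAME)" ]; then
        echo "FAIL EXTERNAL_HOSTNAME is not set"
        rc=1
    fi
    [ "$(env_get "$1" EXTERNAL_PORT)" = 443 ] ||
        echo "WARN EXTERNAL_PORT is not 443 (recommended)"
    return $rc
}

# Step 2: cert.crt parses, is not expired, and key.key is its private key.
check_cert() {
    crt=$1/cert.crt
    key=$1/key.key
    openssl x509 -in "$crt" -noout 2>/dev/null ||
        { echo "FAIL $crt is not a PEM certificate"; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL $crt has expired"; return 1; }
    # Compare SHA-256 of the public key taken from each file.
    a=$(openssl x509 -in "$crt" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$key" -passin pass: -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256)
    [ "$a" = "$b" ] || { echo "FAIL $key does not match $crt"; return 1; }
}
```

A placeholder or unparsable key.key is reported as a mismatch, because no public key can be derived from it.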

Adding Trusted Certificates

If your domain uses an internal CA and the remote repositories that you use to build your project are exposed using TLS, you will need to provide the relevant trusted certs to the Checkmarx SCA Agent, as follows:

  • Drop your .crt file in the <sca-agent>/volumes/trusted-certs folder. There are no limitations regarding the file name.


If your repository uses HTTPS with an internal CA and you skip the above procedure, the Agent won't be able to build your project and you will receive only partial or no results.

Changing the Subnet Value

If you change the “subnet” value in the docker-compose.yml file, you must apply the same value in <sca-agent>/volumes/traefik/https/traefik-dynamic-https.yml or <sca-agent>/volumes/traefik/http/traefik-dynamic-http.yml, under scaAgentNetWhitelist > ipWhiteList > sourceRange: - <THE_SUBNET>.