Skip to main content

Masking Sensitive Information Using a Database Query Executor

In some cases, scan results may contain sensitive information such as passwords or credit card information etc. To avoid such information to leak out, Checkmarx is providing a database query executor utility that allows users to mask such information using CLI commands as listed in this section.


  • Before running this utility, we strongly recommend to stop all CxIAST services (Access Control and CxIAST Manager) to avoid access attempts while running this application.

  • The scripts may take a long time to execute.

help (-h or --help)

This parameter displays all available options in CLI mode:

java -jar db-query-executor.jar -h

Generate an example config file (-c or --config-file)

This parameter creates a config properties file with all the required parameters:

java -jar db-query-executor.jar -c <output_file_name>

Run scripts (-f or --file)

To execute this application, you have to declare all the parameters in a config property file:

  • The JDBC's connection string

  • The scripts to be executed

java -jar db-query-executor.jar -f <properties_file_path>

Check the required properties below:

  • conn (string) - JDBC connection string - refer to Building the connection URL - JDBC Driver for SQL Server for additional information;

    Example: jdbc:sqlserver://localhost\SQLEXPRESS:1403;username=USER;password=PASSWD;databaseName=MY_DATABASE

  • scripts.passwords (boolean) - a flag to define, if the password script should be executed

  • (boolean) - a flag to define, if the credit card script should be executed

At least one of these scripts should be defined as true.

As mentioned previously, it is possible to use the config file generator (-c or --config-file parameter) to generate the required property file.