Creating and Configuring a SAST Project
Notice
Starting with version 9.4, Checkmarx SAST lets users choose how to handle multiple full and public scans of the same project being queued. For additional information, refer to the instructions on Advanced Actions below.
To create a SAST project, do the following:
Select Project & Scans > Create New Project.
Configure the following General project properties:
Project Name - indicates the source code to be scanned and tracked. Project names cannot include the following characters: : ? ! \ / * " < > | ; & # $ ^
Preset - set of queries to be run on the code scan. Default includes a set of queries recommended by Checkmarx for most projects. Select the preset that best matches your application, for example, for an Android project select Android. For a full list of executed queries, see the Vulnerability Queries section in the release notes.
Configuration - determines the scan configuration. The configurations differ in how the projects are scanned, in terms of which languages are scanned and which flow calculations are used. For information about how to change default configurations, see Configuring CxSAST Scan Flow Processes. Select one of the following standard configurations:
Improved Scan Flow will scan the primary language (for example, Java, C#, and Python) with the most files and all secondary languages (for example, JavaScript, PL-SQL, and VBScript). For example, a project with 100 Java files, 50 Python files, and 60 JavaScript files, will have only the Java and JavaScript scanned. The new Improved Scan Flow is similar to the older Default Configuration, but the Improved Scan Flow will only calculate the flow for the queries that were specified, significantly reducing the flow calculations duration and memory consumption. When SAST version 9.4 is installed, the Improved Scan Flow is the default.
Multi-language Scan will scan all languages, including multiple primary languages. If the same project with 100 Java files, 50 Python files, and 60 JavaScript files is scanned, all three languages (Java, Python, and JavaScript) will be scanned.
Default Configuration will scan the primary language (for example, Java, C#, and Python) with the most files and all secondary languages (for example, JavaScript, PL-SQL, and VBScript). For example, a project with 100 Java files, 50 Python files, and 60 JavaScript files, will have only the Java and JavaScript scanned. This is no longer the default.
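The language-selection rule shared by the three configurations above is easy to get wrong when a project mixes several primary languages. The following Python snippet is an added illustration, not Checkmarx code: it applies the rule as the text states it (one primary language, the one with the most files, plus every secondary language present, or all languages for Multi-language Scan) to a constructed file list. The extension-to-language table and the tie-breaking on equal file counts are assumptions made for the example; the page defines neither.

```python
# Added illustration (not Checkmarx code): which languages each scan
# configuration selects, following the rule stated on the page.
from collections import Counter
from pathlib import PurePosixPath

# Assumed extension-to-language mapping for the example. The page names Java,
# C# and Python as primary languages and JavaScript, PL-SQL and VBScript as
# secondary; the file extensions are an assumption.
EXTENSIONS = {
    ".java": "Java", ".cs": "C#", ".py": "Python",
    ".js": "JavaScript", ".sql": "PL-SQL", ".vbs": "VBScript",
}
PRIMARY = {"Java", "C#", "Python"}
SECONDARY = {"JavaScript", "PL-SQL", "VBScript"}


def count_languages(paths):
    """Count files per language; files with unknown extensions are ignored."""
    counts = Counter()
    for p in paths:
        lang = EXTENSIONS.get(PurePosixPath(p).suffix.lower())
        if lang:
            counts[lang] += 1
    return counts


def languages_to_scan(paths, configuration):
    """Return the set of languages a given configuration would scan.

    'Improved Scan Flow' and 'Default Configuration' select the same languages
    (one primary language, all secondary ones); they differ only in how flows
    are calculated, which is not modelled here.
    """
    counts = count_languages(paths)
    if configuration == "Multi-language Scan":
        return set(counts)
    if configuration in ("Improved Scan Flow", "Default Configuration"):
        primaries = {lang: n for lang, n in counts.items() if lang in PRIMARY}
        chosen = set()
        if primaries:
            # Primary language with the most files. Ties go to the
            # alphabetically first name (assumed; the page defines no tie rule).
            chosen.add(max(sorted(primaries), key=lambda lang: primaries[lang]))
        chosen |= {lang for lang in counts if lang in SECONDARY}
        return chosen
    raise ValueError(f"unknown configuration: {configuration}")


# Constructed sample project matching the page's example:
# 100 Java files, 50 Python files and 60 JavaScript files.
SAMPLE_PROJECT = (
    [f"src/main/java/App{i}.java" for i in range(100)]
    + [f"tools/script{i}.py" for i in range(50)]
    + [f"web/static/app{i}.js" for i in range(60)]
)

if __name__ == "__main__":
    for cfg in ("Improved Scan Flow", "Multi-language Scan", "Default Configuration"):
        print(cfg, "->", sorted(languages_to_scan(SAMPLE_PROJECT, cfg)))
```

Running the block prints Java and JavaScript for the two single-primary configurations and all three languages for Multi-language Scan, which matches the worked numbers in the text; a project containing only secondary-language files is scanned in full under every configuration.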
Team - determines who will be able to view your project and its scan results. Available options depend on the permissions of the logged-on user. Selecting CxServer allows access only to the server Administrator. If you're working as a single user, keep the default option.
Click <Next>. You are asked for the location of the source code.
Specify one of the following source code Location properties:
Note
SAST does not scan two files with the same name or files with special characters that are not supported in Windows.
Local - Click <Select> to browse to a local file that contains the code. Future scans to the project are also performed via local upload (see Managing Projects and Running Scans). For issues related to scanning large files, see Managing Large Files.
Shared - project code that is maintained on a network server accessible from the SAST Server. Click <Select>, provide your Windows domain credentials in order for SAST to access the network (username format: domain_name\user name), and select one or more network folders containing the project code.
Note that zipped source code is not supported for shared location scans. Extract the content of the zip file before scanning.
Source Control - project code that is maintained in a TFS, SVN, Git or Perforce source control system. Click <Select> (see Configuring the Connection to a Source Control System).
In cases where the project's source control location is defined as Git, the Git branch name is included under the Source Control field.
Files inside a zip file that are located inside a repository are not sent for scanning. Extract the content of the zip file to the repository before scanning.
Source Pulling - an extension to the Shared option above. Source Pulling first activates a custom-created script, which can pull source code from one or more repositories of a source control system into the specified Shared location, and only then initiates the scan on the pulled source code. This script must be configured beforehand in the SAST Windows client application, as described in Configuring Pre & Post Scan Action. The timeout for waiting for the script to finish is 15 minutes, which is typically more than enough time. Note that network and shared dialogs might not work on Localhost.
Optionally, you can exclude certain folders or files from the scan process. For details about the correct syntax, see Excluding Files from Scans.
Click <Count Lines> to display the number of lines in the current project. Note that JavaScript code is enhanced during the scan process, so the actual line count may be larger than the result displayed by clicking <Count Lines>.
Click <Next>. The following steps of the wizard are optional. You can click <Finish> to skip them.
Note
Scheduling is not applicable to a Local source code location, since the SAST Server cannot automatically access the local source. You will need to periodically manually upload a new zip file.
If required, configure the following scan execution Scheduling properties:
None - no schedule, you have to manually run the scan.
Now - defines an immediate scan.
By Schedule - define an automatic weekly scan according to the specified time.
Run on Weekdays - define on which day to run the periodic scan.
Run Time - define at what time to run the periodic scan.
Note
To support continuous integration development methodology, it is recommended to schedule periodic scanning of source files, so they can be checked after modifications. This can be automated via the CLI in the Build file, but it does not have to be done this way because SAST scans source code and does not require building or compiling the source code.
Click <Next> to configure additional advanced options.
Configure the following Advanced Action properties:
Send pre-scan email to - define to which email address to send a pre-scan notification.
Send post-scan email to - define to which email address to send a post-scan notification.
Send scan failure email to - define to which email address to send a scan failure notification.
Run post scan action - define which post scan action to run (see Configuring an Executable Action).
To set a condition for when the post scan action will run, enable the Run only if the scan has new results with a minimal severity of option and select the severity level from the drop-down list. With this rule defined, the post scan action is triggered only after a successful scan finds new vulnerabilities that did not appear in the previous successful scan. Note that
Optionally, additional arguments to the post scan action can be specified in the Post scan action arguments field. By having this option, you can set arguments that are project specific. These arguments can be added in addition to the ones specified at the post scan action level.
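The trigger condition above has two parts that are easy to conflate: the scan must have succeeded, and among the results that are new relative to the previous successful scan at least one must reach the chosen severity. The following Python snippet is an added example, not Checkmarx code, that evaluates that condition over two constructed result sets. The severity ladder, the identity rule for "the same result" (query, file and line) and the query names are assumptions made for the example; the page lists none of them.

```python
# Added example (not Checkmarx code): evaluating the "Run only if the scan has
# new results with a minimal severity of" condition for a post scan action.
from dataclasses import dataclass

# Assumed severity ordering for the drop-down; the page does not list its values.
SEVERITY_RANK = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    query: str      # constructed query names, e.g. "SQL_Injection"
    file: str
    line: int
    severity: str


def result_key(finding):
    """Assumed identity rule: a result is the same across scans when query,
    file and line match."""
    return (finding.query, finding.file, finding.line)


def new_results(previous, current):
    """Findings present in the current scan but absent from the previous one."""
    seen = {result_key(f) for f in previous}
    return [f for f in current if result_key(f) not in seen]


def should_run_post_scan_action(previous, current, min_severity, scan_succeeded=True):
    """True only when a successful scan has at least one new result at or
    above min_severity. A failed scan never triggers the action."""
    if not scan_succeeded:
        return False
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK[f.severity] >= threshold
               for f in new_results(previous, current))


# Constructed results for two consecutive successful scans of one project.
PREVIOUS_SCAN = [
    Finding("SQL_Injection", "src/UserDao.java", 42, "High"),
    Finding("Log_Forging", "src/Audit.java", 10, "Low"),
]
CURRENT_SCAN = [
    Finding("SQL_Injection", "src/UserDao.java", 42, "High"),   # unchanged
    Finding("Log_Forging", "src/Audit.java", 10, "Low"),        # unchanged
    Finding("XSS_Reflected", "src/Search.java", 77, "Medium"),  # new
]

if __name__ == "__main__":
    print(should_run_post_scan_action(PREVIOUS_SCAN, CURRENT_SCAN, "Medium"))  # True
    print(should_run_post_scan_action(PREVIOUS_SCAN, CURRENT_SCAN, "High"))    # False
```

The pre-existing High finding does not trigger the action, only the newly introduced Medium one does, so the threshold is compared against new results alone. Re-running the same code with no changes yields no new results and therefore no post scan action at any threshold.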
Issue Tracking Settings - define to which issue tracking system to integrate (see Configuring JIRA Integration Settings).
Parallel Scan Cancellation Mode - define what to do when you queue additional scans of the same project while the previous ones are still in the queue.
KeepAll - process all the scans.
KeepOld - process the first scan you started and cancel the newer ones.
KeepNew - process the newest scan and cancel the previous ones.
To apply the selected option to the same code only, select Identical Code Only.
To apply the selected option to scans already in process, select Include Scans in Process.
Note
The Parallel Scan Cancellation Mode functionality only affects full and public scans.
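The interaction between the three cancellation modes, the Identical Code Only and Include Scans in Process checkboxes, and the full-and-public restriction is clearer when worked through on a concrete queue. The following Python snippet is an added example, not Checkmarx code: it models a queue of scans for one project and reports which scan ids would be cancelled when a new scan is queued under each setting. The scan records, the code hash used as a stand-in for "identical code", and the queue contents are constructed for the example.

```python
# Added example (not Checkmarx code): which queued scans are cancelled under
# each Parallel Scan Cancellation Mode setting described on the page.
from dataclasses import dataclass


@dataclass(frozen=True)
class QueuedScan:
    scan_id: int
    project: str
    code_hash: str            # constructed stand-in for "identical code"
    full: bool = True         # full (not incremental) scan
    public: bool = True
    in_process: bool = False  # False = waiting in the queue, True = running


def cancellations(existing, new_scan, mode,
                  identical_code_only=False, include_in_process=False):
    """Return the set of scan ids cancelled when new_scan is queued.

    mode is one of 'KeepAll', 'KeepOld', 'KeepNew'. Only full, public scans
    take part: any other scan is neither cancelled nor causes cancellation.
    """
    if mode not in ("KeepAll", "KeepOld", "KeepNew"):
        raise ValueError(f"unknown mode: {mode}")
    if mode == "KeepAll" or not (new_scan.full and new_scan.public):
        return set()
    candidates = [
        s for s in existing
        if s.project == new_scan.project
        and s.full and s.public
        and (include_in_process or not s.in_process)
        and (not identical_code_only or s.code_hash == new_scan.code_hash)
    ]
    if not candidates:
        return set()          # nothing to keep or discard: the new scan simply queues
    if mode == "KeepOld":
        return {new_scan.scan_id}          # earlier scans win; drop the newcomer
    return {s.scan_id for s in candidates}  # KeepNew: newcomer wins


# Constructed queue: one scan already running, two waiting with different
# code, one incremental scan (never affected) and one scan of another project.
QUEUE = [
    QueuedScan(1, "WebApp", "aaa", in_process=True),
    QueuedScan(2, "WebApp", "aaa"),
    QueuedScan(3, "WebApp", "bbb"),
    QueuedScan(4, "WebApp", "aaa", full=False),
    QueuedScan(5, "OtherApp", "aaa"),
]
NEW_SCAN = QueuedScan(6, "WebApp", "aaa")

if __name__ == "__main__":
    for mode in ("KeepAll", "KeepOld", "KeepNew"):
        print(mode, sorted(cancellations(QUEUE, NEW_SCAN, mode)))
    print("KeepNew, identical code only",
          sorted(cancellations(QUEUE, NEW_SCAN, "KeepNew", identical_code_only=True)))
    print("KeepNew, include in process",
          sorted(cancellations(QUEUE, NEW_SCAN, "KeepNew", include_in_process=True)))
```

With the defaults, KeepNew cancels only the waiting full scans of the same project (ids 2 and 3); enabling Identical Code Only narrows that to id 2, and enabling Include Scans in Process extends it to the running scan id 1. The incremental scan and the other project's scan are never touched, and KeepOld discards the new scan itself whenever at least one candidate exists.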
Click <Next> to define custom fields.
Configure the Custom Field properties according to the available custom fields (see Custom Field Management).
Click <Next> to configure data retention.
Configure the Data Retention properties:
Number of latest scans to keep - Define the number of latest scans to be kept (see Data Retention Management).
Click <Finish> and check the scan status (see The Queue).