
Forcing Scans for Environmental Changes

Overview

Typically, when a scan is triggered by a schedule or from an API call, the source code files are compared to those of the previous scan. If no code changes are detected, the scan is skipped and all results are copied from the previous scan.

However, even if there are no changes to the code, there might be changes to the environment or configuration that could affect the scan results.

For example, customers frequently make environmental changes because of version upgrades and new security policies. Because there are no code changes, the effect of those environmental changes would not be reflected in scans submitted afterwards. This creates confusion and in some cases violates the security policies.

The new feature allows scans to be triggered even when the changes do not directly affect the code.

Projects are scanned after the following environmental changes (which could impact the results even without any code changes):

  • Queries added or removed from a preset that is associated with a project

  • Queries modified in a preset that is associated with a project

  • Exclusion setting changes for a project

  • Engine configuration setting changes for a project

  • Upgraded Checkmarx SAST Engine Pack version

For the above changes, a full scan is triggered in the following situations:

  • Scheduled scan

  • Invoked from API

  • Any other situation where a scan can be triggered

As a result, post-scan actions are always run, even when there are only non-code changes.

Note: Incremental scans continue to check for no code change scenarios.

Details

Every time a configuration changes, the date of that action is stored in a database. Once all the following criteria are met, an engine scan will be forced:

  1. A scan is triggered (via schedule, an API call, or any other method)

  2. The date of the last scan (“LastScanDate” in dbo.Projects) is earlier than one of the configuration change dates, or earlier than the last forced-scan request date (invoked from the API).

| Change type | Triggered by | Affected Column | Feature Flag |
|---|---|---|---|
| EnginePack upgrade | dbo.EnginePacks → UpdatedTime changed | dbo.EnginePacks → UpdatedTime | ForceScanWhenNoCodeChanges_EnginePackUpgrade |
| Query is modified | dbo.QueryVersion → a query associated with a preset is updated in Audit | dbo.Presets → QueriesUpdatedTime | ForceScanWhenNoCodeChanges_QueriesChanged |
| Preset’s query association has changed | dbo.Preset_Details → a query was added to or removed from a preset | dbo.Presets → QueriesUpdatedTime | ForceScanWhenNoCodeChanges_QueriesChanged |
| Project settings change | dbo.Projects → ConfigurationId changed | dbo.Projects → ConfigurationIdUpdatedTime | ForceScanWhenNoCodeChanges_ProjectSettingsChanged |
| Project settings change | dbo.Projects → PresetId changed | dbo.Projects → PresetIdUpdatedTime | ForceScanWhenNoCodeChanges_ProjectSettingsChanged |
| Project settings change | dbo.Projects → ExcludeFilesPatterns changed | dbo.Projects → ExcludeFilesPatternsUpdatedTime | ForceScanWhenNoCodeChanges_ProjectSettingsChanged |
| Project settings change | dbo.Projects → ExcludeFoldersPatterns changed | dbo.Projects → ExcludeFoldersPatternsUpdatedTime | ForceScanWhenNoCodeChanges_ProjectSettingsChanged |
| Bypass of the “no code changes” scenario has been requested for a project | Invoked from API | dbo.Projects → ForceScanOnNoCodeChangesRequestedTime | (none) |

New APIs

Version: 4.0

Request: [POST] /projects/{id}/forceScanOnNoCodeChanges

{id}: ID of the project

(no parameters and no content)

Description

Sets a specific project’s next scheduled scan to bypass the “no code changes” scenario.

The API updates the database field ForceScanOnNoCodeChangesRequestedTime in the "projects" table with the current timestamp.

Return values

  • 200 OK

  • 404 Not Found

    • Error message: Resource not found

    • Reasons

      • Project not found

  • 403 Forbidden

    • Error message: Access Denied/Forbidden

    • Reasons

      • User does not have the relevant role enabled

      • User does not have permission to modify the project

Permissions

At least one of the roles below is required:

  • save-project

  • update-project

  • save-sast-scan

Additionally, the user initiating the API request must have permission to edit the relevant project (the project must be visible to them in the SAST Web Portal).

New feature flags

New feature flags were added to the CxComponentConfiguration table; by default they are in the “Enabled” state ('true').

An engine scan will be forced in each of the following scenarios:

  1. ForceScanWhenNoCodeChanges_EnginePackUpgrade = true and the engine pack version was upgraded after the last scan date of the project.

  2. ForceScanWhenNoCodeChanges_ProjectSettingsChanged = true and one of the relevant project settings changed after the last scan date of the project.

  3. ForceScanWhenNoCodeChanges_QueriesChanged = true and one of the relevant project’s queries changed after the last scan date of the project.
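The decision rule from the Details section and the three feature-flag scenarios above, as an added worked example; this is not Checkmarx code, and the Project, Preset and EnginePack classes, DEFAULT_FLAGS, request_force_scan and force_scan_reasons are assumptions named after the table's columns and flags. It shows that each change date is compared with the project's LastScanDate, that the feature flags gate the three configuration-change cases, and that the API bypass timestamp is checked without a flag.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
# Added illustration (not Checkmarx code) of the forced-scan decision this page
# describes; the classes and functions are assumptions named after the table's columns.
@dataclass
class Project:  # subset of dbo.Projects
    LastScanDate: datetime
    ConfigurationIdUpdatedTime: Optional[datetime] = None
    PresetIdUpdatedTime: Optional[datetime] = None
    ExcludeFilesPatternsUpdatedTime: Optional[datetime] = None
    ExcludeFoldersPatternsUpdatedTime: Optional[datetime] = None
    ForceScanOnNoCodeChangesRequestedTime: Optional[datetime] = None

@dataclass
class Preset:  # subset of dbo.Presets
    QueriesUpdatedTime: Optional[datetime] = None

@dataclass
class EnginePack:  # subset of dbo.EnginePacks
    UpdatedTime: Optional[datetime] = None
# CxComponentConfiguration flags; the page says all three default to 'true'.
DEFAULT_FLAGS = {
    "ForceScanWhenNoCodeChanges_EnginePackUpgrade": True,
    "ForceScanWhenNoCodeChanges_ProjectSettingsChanged": True,
    "ForceScanWhenNoCodeChanges_QueriesChanged": True,
}
SETTINGS_COLUMNS = ("ConfigurationIdUpdatedTime", "PresetIdUpdatedTime",
                    "ExcludeFilesPatternsUpdatedTime", "ExcludeFoldersPatternsUpdatedTime")

def _newer(changed: Optional[datetime], last_scan: datetime) -> bool:
    # A stored change date only counts when it is later than the project's LastScanDate.
    return changed is not None and last_scan < changed

def request_force_scan(project: Project, now: datetime) -> None:
    # Effect of POST /projects/{id}/forceScanOnNoCodeChanges: stamp the request time.
    project.ForceScanOnNoCodeChangesRequestedTime = now

def force_scan_reasons(project, preset, pack, flags=DEFAULT_FLAGS) -> list:
    """Reasons a triggered scan with no code changes must still run on the engine."""
    last, reasons = project.LastScanDate, []
    if flags["ForceScanWhenNoCodeChanges_EnginePackUpgrade"] and _newer(pack.UpdatedTime, last):
        reasons.append("EnginePack upgrade")
    if flags["ForceScanWhenNoCodeChanges_QueriesChanged"] and _newer(preset.QueriesUpdatedTime, last):
        reasons.append("Preset queries changed")
    if flags["ForceScanWhenNoCodeChanges_ProjectSettingsChanged"]:
        reasons += [f"Project settings ({c})" for c in SETTINGS_COLUMNS if _newer(getattr(project, c), last)]
    if _newer(project.ForceScanOnNoCodeChangesRequestedTime, last):  # API bypass is not flag-gated
        reasons.append("Forced via API")
    return reasons
```

An empty list means the scan would be skipped and the previous results copied, as the Overview describes; a non-empty list is what JobsManager would log as the reason for forcing the engine scan.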

Logging

  • A line is written to the JobsManager log file whenever a scan is forced because of a configuration change.

  • The API method writes a log entry in both the success and the failure scenarios.

  • The API method writes audit-trail log entries for the POST request.