Skip to main content

Configuring Projects

Open Project Settings

In the Applications and Projects home page, click on Actions icon →Project Settings.

Open_Imported_Project_Settings.png

General Settings

Project Settings General screen contains the Project’s basic settings.

The screen includes the following configuration fields:

  • Project Name - The name of the project that you assigned.

  • Groups (Optional) - Assign groups to a project. This setting is optional.

    Once a group is assigned to a project, all the group members will be able to perform actions in the project (scan source codes, view results, etc.)

  • Project Tags (Optional) - Assign tags to a project.

    • Tags are very useful for projects filtering purposes.

    • Tags have no dependencies in any other component, and it is possible to configure any required value.

    • Tags are not shared across projects.

      For example: Projects A and B contain Test tag. Upon a change in project A tag, project B will not be affected and will remain with the same Test tag.

    • Tags can be used for overriding Jira feedback app fields values. For additional information see Fields Override.

    • Tags can be configured in two different formats:

      • key - <string>

      • key:value - <key string:value string>

    • Tags values can be updated by clicking the tag and updating its value.

    Important

    There is a limitation of 250 characters per tag. the characters calculation is for the entire tag string (key or key:value)

  • Repository URL - The repository URL from which the source code for this project is scanned by default. This value can be added when creating a Manual Scan project that scans coder from a Repository URL.

  • Token - The default token for private repository URLs.

  • SSH - Create and add your SSH key.

  • Set Criticality Level - Set the Project criticality level (manual configuration).

    The Criticality level is included in the Project Overview page.

    This option has 5 levels:

    • 1 - None

    • 2 - Low

    • 3 - Medium (Default)

    • 4 - High

    • 5 - Critical

    Project_Settings.png

Project Rules

Project Rules allow the user to set parameters on the Project level.

Project configuration parameters are higher than the same parameter’s configuration via Configuring Scanner Default Settings.

This means that the parameters will apply to all the scans in the project.

Limitations

  • API Security does not support project rules at present.

  • Parameters that are configured via Configuring Scanner Default Settings are inherited to the Project Settings only, if the user configured them to Allow Override.

  • In case that Allow Override isn’t enabled for a specific parameter in the Configuring Scanner Default Settings, it won’t appear as an option on the Project Settings level.

  • "Allow override" is selected by default for all the rules under Project Settings.

  • It isn’t possible to configure the same parameter twice (in any configuration level).

  • Each scanner has a different set of parameters.

Notice

Global Settings:

Tenant_Settings_Config.png

Inherited Settings:

inherited_Settings.png

If a greyed-out defaultConfig.xml file appears in the Project Settings, it indicates that customized settings for the default configuration were implemented at the tenant level with the intention of improving scan results or to assist in troubleshooting issues. Once these settings are established, they are automatically applied to every project. For additional information, reach out to support or contact your Product Account Manager (PAM) directly.

To add a new rule click + Add Rule.

Scanners Parameters Configuration Options

SAST Scanner Parameters

All the Parameters that will be defined for the SAST scanner will be applied for all the Projects that will run SAST scans.

The table below presents all the optional Parameters, and their optional values.

Parameter

Values

Notes

presetName

All the available SAST Presets that exist in the system

  • For the full Presets list (including descriptions) go to the following link:

    Predefined Presets

  • The default preset that is used is ASA Premium

Fast scan mode

true / false

By default, the Fast Scan mode is false.

For more information, refer to Fast Scan Mode

incremental

true / false

LanguageMode

primary / multi

For more information see:

Specifying a Code Language for Scanning

Supported Code Languages and Frameworks:

Note

By default, the languageMode is Multi.

Folder/file filter

Allow users to select specific folders or files that they want to include or exclude from the code scanning process.

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types

    for example: *.java,*.js

engineVerbose

true / false

  • true = Enables PRINT_DEBUG mode.

  • false = Enables PRINT_LOG mode.

ASA Premium Preset

ASA Premium Preset is a part of the SAST collection of presets.

This Preset is available only for Checkmarx One. Its usage is described in the table below.

Preset

Usage

Includes vulnerability queries for....

ASA Premium

The ASA Premium preset contains a subset of vulnerabilities that Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program.

The preset might change in future versions. The AppSec Accelerator team will remove old/deprecated queries or include new and improved queries in a continuously manner.

Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript coding languages.

ASA Premium Mobile

The ASA Premium Mobile preset is a dedicated preset designed for mobile apps.

The ASA Premium Mobile preset contains a subset of vulnerabilities that Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program.

The preset might change in future versions. The AppSec Accelerator team will remove old/deprecated queries or include new and improved queries in a continuously manner.

Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript coding languages.

Fast Scan Mode

The new SAST scanner aims to find the perfect balance between thorough security tests and the need for quick and actionable results. There’s no need to choose between speed and security. Alongside the Base Preset, we are thrilled to announce a new scan mode designed to speed up the scan: Fast Scan mode.

Fast Scan mode decreases the scanning time of projects up to 90%, making it faster to identify relevant vulnerabilities and enable continuous deployment while ensuring that security standards are followed. This will help developers tackle the most relevant vulnerabilities.

While the Fast Scan mode identifies the most significant and relevant vulnerabilities, the In-Depth scan mode offers deeper coverage. For the most critical projects with a zero-vulnerability policy, it is advised also to use our In-Depth scan mode

Warning

To expedite the results retrieval, the scanning process has been optimized to reduce the number of stages and flows involved in the scan. With this enhancement, the queries related to Fusion are not executed and results won’t be generated when utilizing this new mode.

You may also notice impact on the API Security scanner results.

IaC Security Scanner Parameters

All the Parameters that will be defined for the IaC Security scanner will be applied for all the Projects that will run IaC Security scans.

The table below presents all the optional Parameters, and their optional values.

Parameter

Values

Notes

filter

Any file type

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types.

    for example: *.java,*.js

  • The parameter also supports including/excluding folders.

  • regex is not supported.

platforms

Ansible / CloudFormation / Dockerfile / Kubernetes / Terraform

Notice

Configure one/more platforms, separated with a comma.

The parameter means that you only want to run scans (queries) for those platforms.

For example: Ansible,CloudFormation,Dockerfile

Warning

Any mistake in the the platform characters will cause an error

SCA Scanner Parameters

All the Parameters that will be defined for the SCA scanner will be applied for all the Projects that will run SCA scans.

The table below presents all the optional Parameters, and their optional values.

Parameter

Values

Notes

filter

Any file type

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types.

    for example: *.java,*.js

  • The parameter also supports including/excluding folders.

Exploitable Path

Toggle On/Off

When Exploitable Path is activated, scans that use the SCA scanner will identify whether or not there is an exploitable path from your source code to the vulnerable 3rd party package.

Learn more about Exploitable Path.

Exploitable Path Configuration

Radio button selection

The Exploitable Path feature uses queries in the SAST scan of your project to identify exploitable paths to vulnerable 3rd party packages. Therefore, it is always necessary to run a SAST scan on the project in order to get results for Exploitable Path.

Whenever you run a Checkmarx One scan with both the SAST and SCA scanners selected, Exploitable Path uses the results of the current SAST scan for analysis. When you run a Checkmarx One scan with only the SCA scanner selected, Checkmarx One can either use results from a previous SAST scan or it can initiate a new SAST scan (using default settings) that runs the Exploitable Path queries. Select one of the following configurations:

  • Use SAST scans for past _ day/s - specify the number of days for which results from a historic SAST scan will be used for Exploitable Path. If no scan was run within the specified period, then a new scan will be triggered.

    Warning

    Not fully supported in all environments. The default value of one day may be applied automatically.

  • Do not use existing SAST scans - Whenever you run a Checkmarx One scan with only the SCA scanner selected, a SAST scan will be triggered automatically in order to run the Exploitable Path queries.

Filtering Options

Filtering the scanners parameters is based on Glob.

For more information see Glob Tool

For instance:

  • Exclude all java files: !**/*.java

  • Exclude all files inside a folder Test: !**/Test/**

  • Exclude all files under root folder Test: !Test/**

  • Exclude just the files inside a folder leaving all subfolders content: !**/Test/*

  • Exclude all JavaScript minified files: !**/*.min.js

Note

The rules follow the same logic at tenant & project level.

Removing Parameters

Scanners parameters configuration work in hierarchy.

During parameters configuration, the system considers the Tenant level as the highest configuration level followed by Project level, Config as Code and Scan level.

Parameters are inherited from one level to the other, starting from Tenant level.

Removing parameters from a lower configuration level can be performed only by deleting the parameter configuration from the higher configuration level. In this case the parameter won't be presented in the lower configuration level.

In case users edit a parameter in a lower configuration level, a Trash.png icon will appear at the right. Deleting the parameter can't be performed, as the parameter is inherited from the higher configuration level. This behavior is designed to emphasize that the configuration exist at the Tenant level and it is set with "X" value.

In case using the icon, it might appear that the parameter is deleted, but it is not. In case exiting the page and returning, the parameter will be presented again.

Note

When running a scan, the system considers the Scan level as the highest configuration level, followed by Config as Code, Project level and Tenant level.

Webhooks

Webhooks configuration provides the user the ability to send post scan events to an external notification service.

The notifications include the triggered scans Success / Failed statuses.

An example about when each webhook event occurs and what the payload contains can be found in here.

To add a new Webhook click Add_Wbhook.png

The screen includes the following configuration fields:

Note

Mandatory fields are marked with red_asterix.png

  • Name - Webhook service name.

  • Active.png - Set the Webhook to be in active state.

  • Payload URL - Webhook service URL.

  • Secret (Optional) - Webhook service secret.

  • Events - Set which scan events will be sent to the Webhook notification service (Completed/Failed scans).

    Note

    • It is possible to configure one or more events.

    • Mandatory fields are marked with red_asterix.png

Click Add

Webhooks_Tab.png

Code Repository Settings

The Imported Project Settings screen allows you to update the settings for any SCM imported Project.

Note

Importing projects is not supported for API Security at present.

Update Scanners

  1. In the Applications and Projects home page, click More_Options.pngand then Settings.pngProject Settings. The Projects Settings dialog appears.

    Open_Imported_Project_Settings.png

  2. In the Project Settings screen click Code Repository

    Imported_Project_Settings.png

  3. Update the relevant scanner(s) and click Save

    For example:

    Update_Scanners.png

Note

Protected Branches are the repository branches that are configured to be scanned.

For additional information about Protected Branches see About Protected Branches

Deactivate Automatic Scans

By default automatic scans are activated for Push, and Pull requests.

To deactivate the option, uncheck the Push, Pull request option and click Save

Deactivate_Automatic_Scans.png

Refresh Repository Permission

In case that you want to refresh the repository permission, click Refresh repository permission.

Refresh_Repository_Permissions.png

A confirmation screen appear. To confirm and continue, click Re-import Project.

6431441048.png

Feedback Profile

Feedback Profile screen allows you to update the settings for any Feedback Profile that is created and assigned to a Checkmarx One Project.

For more information see Update an Assigned Profile

In this section: