Skip to main content

Configuring Projects Using Config as Code Files

Config as Code feature is designed to provide a third level of configuration for scanning the following:

Config as Code parameters are higher than the same parameter’s configuration via Configuring Project Rules

This means that the Parameters will apply only to the specific Repository or zip Scan in the Project.

Limitations

  • The parameters that can be configured in the Config as Code .yml configuration file are the exact set of parameters we have for the other levels - see Configuring Scanner Default Settings & Configuring Project Rules

  • "Allow override" is selected by default for all the Parameters in all the configuration levels.

  • In case that Allow Override isn’t configured for a specific parameter in the Configuring Project Rules, there won’t be any meaning for the same parameter in the Config as Code .yml configuration file.

  • It isn’t possible to configure the same parameter twice (in any configuration level).

  • Each scanner has a different set of Parameters.

Repository Scans

  1. Create a .checkmarx folder in the relevant Repository.

  2. Inside the .checkmarx folder, create a config.yml file using the below template.

  3. Configure each scanner’s Parameters according to the Scanners Parameters Configuration Options tables below.

  4. Save the file.

ZIP files Scans

  1. Create a zip file.

  2. Create a .checkmarx folder.

  3. Inside the .checkmarx folder, create a config.yml file using the below template.

  4. Configure each scanner’s Parameters according to the Scanners Parameters Configuration Option tables below.

  5. Save the file.

  6. Put the .checkmarx folder inside the zip file main folder. Otherwise the feature will not work.

Creating ZIP files from Repositories

  1. Download a Repository as a zip - The Repository can’t contain a .checkmarx folder inside.

  2. Use the ZIP files Scans procedure to proceed.

config.yml Template

version: 1

# checkmarx-specific related configuration
# every value in this section is optional 
checkmarx: 
  # configure the checkmarx scan parameters for scanning this specific project
  scan:
    # configure the checkmarx scan configurations for scanning this specific project
    configs:
      # configure the SAST related configurations this specific project
      sast:
        # configure the SAST preset name used for this specific project
        presetName: 'Checkmarx Default'
         # configure if this specific project will be run incrementally or will it run a full scan 
        incremental: 'false'
        languageMode: 'multi'
        filter: '!*.java,!*.cpp'
        engineVerbose: 'true'
      sca:
        filter: '!*.cpp'
      kics:
        filter: '*.java'
        platforms: 'Ansible,CloudFormation,Dockerfile'

Scanners Parameters Configuration Options

SAST Scanner Parameters

All the Parameters that will be defined for the SAST scanner will be applied for all the Projects that will run SAST scans.

The table below presents all the optional Parameters, and their optional values.

Parameter

Values

Notes

presetName

All the available SAST Presets that exist in the system including ASA Premium Preset preset.

For the additional Presets list (including descriptions) go to the following link:

Predefined Presets

filter

Any file type

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types

    for example: *.java,*.js

  • The parameter also supports including/excluding folders

languageMode

primary / multi

For more information see:

Specifying a Code Language for Scanning

Supported Code Languages and Frameworks:

engineVerbose

true / false

  • true = Enables PRINT_DEBUG mode

  • false = Enables PRINT_LOG mode

incremental

true / false

ASA Premium Preset

ASA Premium Preset is a part of the SAST collection of presets.

This Preset is available only for Checkmarx One. Its usage is described in the table below:

Preset

Usage

Includes vulnerability queries for....

ASA Premium

The ASA Premium preset contains a subset of vulnerabilities that Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program.

The preset might change in future versions. The AppSec Accelerator team will remove old/deprecated queries or include new and improved queries in a continuously manner.

Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript coding languages.

ASA Premium Mobile

The ASA Premium Mobile preset is a dedicated preset designed for mobile apps.

The ASA Premium preset contains a subset of vulnerabilities that Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program.

The preset might change in future versions. The AppSec Accelerator team will remove old/deprecated queries or include new and improved queries in a continuously manner.

Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript coding languages.

KICS Scanner Parameters

All the Parameters that will be defined for the KICS scanner will be applied for all the Projects that will run KICS scans.

The table below presents all the optional Parameters, and their optional values.

Parameter

Values

Notes

filter

Any file type

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types

    for example: *.java,*.js

  • The parameter also supports including/excluding folders

platforms

Ansible / CloudFormation / Dockerfile / Kubernetes / Terraform

Notice

It is possible to configure one/more values, separated with a comma.

For example: Ansible,CloudFormation,Dockerfile

Warning

Any mistake in the the platform characters will cause an error

SCA Scanner Parameters

All the Parameters that will be defined for the SCA scanner will be applied for all the Projects that will run SCA scans.

The table below presents all the optional Parameters, and their optional values.

Parameter

Values

Notes

filter

Any file type

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types

    for example: *.java,*.js

  • The parameter also supports including/excluding folders