Scan Limitations
Limitation
Checkmarx One supports cloning repositories using the SSH and HTTPS protocols.
Cloning using HTTPS protocol:
If the repository is private, a token needs to be provided.
If the code contains submodules, the submodules also need to use HTTPS.
If any of the submodules is private, the same token needs to grant access to the private submodule.
For security reasons, no token will be sent to submodules on a different SCM.
For example: scanning a GitHub repository with a GitLab submodule will only work if the GitLab submodule is public.
Cloning using SSH protocol:
An SSH key needs to be provided to access the repository.
If the code contains submodules using SSH, the same SSH key needs to grant access to the submodules.
If the code contains submodules using HTTPS, they need to be public.
The .gitmodules file contains one or more submodule entries like the one below. The url value can be either an HTTPS or an SSH address.
[submodule "src/MongoDB"]
path = src/MongoDB
url = git@github.com:docker-library/mongo.git
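As an added example (not Checkmarx documentation or code), a small Python pre-flight check that parses a .gitmodules file and applies the submodule rules above for a given scan protocol; the sample .gitmodules content, the gitlab.com submodule and the scan parameters are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample .gitmodules: an SSH submodule on GitHub, an HTTPS one on GitLab.
SAMPLE_GITMODULES = """\
[submodule "src/MongoDB"]
    path = src/MongoDB
    url = git@github.com:docker-library/mongo.git
[submodule "libs/tooling"]
    path = libs/tooling
    url = https://gitlab.com/example-group/tooling.git
"""
SCP_LIKE = re.compile(r"^(?:[\w.-]+@)?([\w.-]+):(.+)$")  # scp-style SSH: [user@]host:path

def parse_gitmodules(text):
    """Return {name: url} for each [submodule "..."] section of a .gitmodules file."""
    urls, name = {}, None
    for line in text.splitlines():
        header = re.match(r'^\[submodule "(.+)"\]$', line.strip())
        if header:
            name = header.group(1)
        elif name and line.strip().startswith("url"):
            urls[name] = line.partition("=")[2].strip()
    return urls

def classify_url(url):
    """Return (protocol, host): protocol is 'ssh', 'https' or 'unknown'."""
    if url.startswith("ssh://"):
        return "ssh", urlparse(url).hostname or ""
    if url.startswith(("https://", "http://")):
        return "https", urlparse(url).hostname or ""
    scp = SCP_LIKE.match(url)
    return ("ssh", scp.group(1)) if scp else ("unknown", "")

def check_submodules(text, scan_protocol, repo_host):
    """Apply the clone rules above; returns one (submodule, verdict) pair per entry."""
    verdicts = []
    for name, url in parse_gitmodules(text).items():
        proto, host = classify_url(url)
        if scan_protocol == "https" and proto == "ssh":
            verdict = "blocked: SSH submodule in an HTTPS scan, rerun the scan over SSH"
        elif scan_protocol == "https" and host != repo_host:
            verdict = "must be public: different SCM, no token is sent to it"
        elif scan_protocol == "ssh" and proto == "https":
            verdict = "must be public: HTTPS submodule in an SSH scan"
        else:
            verdict = "ok if the scan credential can read it"
        verdicts.append((name, verdict))
    return verdicts
```

Run `check_submodules(SAMPLE_GITMODULES, "https", "github.com")` to see the SSH submodule flagged as the cause of the error message described further down.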
There is a 10M LOC (lines of code) limit for repository and zip file scans. If the source exceeds this limit, the scan is blocked and an error message is displayed.
API Security currently supports only Java (Spring 2.x) and C# (ASP.NET 4.x Web API).
Error Message
If the error message below appears during the scan, it usually means that the scan was triggered using HTTPS but an SSH submodule was found; the scan then needs to use the SSH protocol instead of HTTPS.
fetch-sources clone 'branch' failed, provided value:master : error creating SSH agent: "SSH agent requested but SSH_AUTH_SOCK not-specified"
Workaround
Changing the submodule's address inside the .gitmodules file to the HTTPS format resolves the issue, but the generally recommended solution is to use SSH.