Skip to main content

Scan Limitations

Limitation

  • Checkmarx One supports repositories clone using SSH and HTTPS protocols.

    • Cloning using HTTPS protocol:

      • If the repository is private a token needs to be provided.

      • If the code contains submodules, the submodules also need to use HTTPS.

      • If any of the submodules is private the same key needs to grant access to the private submodule.

      • For security reasons, no token will be sent to submodules on a different SCM.

        For example: scanning a GitHub repository with a GitLab submodule will only work if the submodule under GitLab is public.

    • Cloning using SSH protocol:

      • A key needs to be introduced to access the repository.

      • If the code contains submodules using SSH, the same SSH key needs to grant access to the submodules.

      • If the code contains submodules using HTTPS, they should be public.

  • The sub-module's address in .gitmodules file contains 1 or more info like the one bellow. The URL part can be a HTTPS or SSH.

    [submudule "src/MongoDB"]
        path = src/MongoDB
        url = [email protected]:docker-library/mongo.git
  • There is a 10M LOC (Line of Code) limitation for repository/zip files scans. In case that the source file contains more than the limit permits we block the scan and an error message is displayed.

  • API Security currently supports Java - Spring 2.x and C# - ASP.NET 4.x Web API only.

Error Message

In case that the below error message appears during the scan, it usually means that the scan was triggered using HTTPS but a SSH submodule was found. So, the scan needs to use SSH protocol instead of HTTPS.

fetch-sources clone 'branch' failed, provided value:master : error creating SSH agent: "SSH agent requested but SSH_AUTH_SOCK not-specified"

Workaround

Changing the submodule's address inside .gitmodules file to HTTPS format, resolves the issue, but generally the best and accepted solution would be to use SSH.