scan

The scan command manages scans in Checkmarx One.

Usage

./cx scan [command] [flags]

Note

The --scan-timeout flag does not work with the --async flag.

When a scan is initiated in asynchronous mode with the --async flag, the Checkmarx One CLI does not wait for the result; it returns as soon as the scan is created.

Flags

Name

Default

Description

--help, -h

help for the scan command

scan cancel

The cancel command cancels one or more running scans in Checkmarx One.

Usage

./cx scan cancel --scan-id <scan ID> [flags]

Flags

Name

Default

Description

--help, -h

help for the cancel command

--scan-id <string>

One or more scan IDs to cancel

For example: <scan-id>,<scan-id>,...

Examples

Retrieving the statuses of all scans

[email protected]:/AST$ ./cx.exe scan list

Scan ID                              Project ID                           Status    Created at Tags Initiator                    Origin             
-------                              ----------                           ------    ---------- ---- ---------                    ------             
29a2b1e6-87c9-43b9-9d38-2d8165b390e1 df277b49-f1ef-4b5e-8cc4-0b66a2d1414a Running   08-27-21   []   user                         ASTCLI 2.0.0-rc.21

Canceling a running scan

[email protected]:/AST$ ./cx.exe scan cancel --scan-id 29a2b1e6-87c9-43b9-9d38-2d8165b390e1

Retrieving the statuses of all scans (after the cancellation)

[email protected]:/AST$ ./cx.exe scan list

Scan ID                              Project ID                           Status    Created at Tags Initiator                    Origin             
-------                              ----------                           ------    ---------- ---- ---------                    ------                               
29a2b1e6-87c9-43b9-9d38-2d8165b390e1 df277b49-f1ef-4b5e-8cc4-0b66a2d1414a Canceled   08-27-21   []   user                          ASTCLI 2.0.0-rc.21 

Note

To cancel several scans, use the Space character between the scan IDs.

For example:

Canceling several running scans

[email protected]:/AST$ ./cx.exe scan cancel --scan-id <scan_id1>,<scan_id2>

scan create

The scan create command creates and runs a new scan in Checkmarx One.

Usage

./cx scan create [flags]

Supported scan file extensions / files

The scan create command can scan any of the following:

  • A compressed .zip file

  • A repository URL

  • A local source directory

  • A set of file extensions / a set of file names (listed below)

Notice

If a scanned folder contains several files, some of them might be in unsupported file formats, and those files won’t be scanned.

To include the unsupported file formats, use the --file-include flag to add them to the scan.

For more details, see Scan with Inclusion of Unsupported File Formats.

Scan file extensions / files list

File Filters

Notice

The --file-filter flag works together with the --file-include flag.

By default, the scan create command starts from the supported scan file extensions / files list plus any --file-include arguments (whether that flag is used or not), and then applies the --file-filter patterns on top of that set.

Warning

The --file-filter flag works only if the scanned source code is a directory or a zip file (not a Git repository). However, this limitation does not apply when using the filter flags for specific scanners; see Filters for Specific Scanners.

The --file-filter flag filters the scanned file list as follows:

  • Including files and file extensions.

  • Excluding files, file extensions and folders.

Supported Functionalities:

  • Wildcard support, using the * sign.

    For example - *.html

  • Excluding files, file extensions, and folders, using the ! sign.

    For example - !*.html,!src

    Notice

    When excluding files, file extensions, and folders with the ! sign, wrap the argument in single quotes.

    For example:

    --file-filter '!mycompany.jar'

    For more details see Scan with Exclusion of Specific File or File Type

  • Including files and file extensions.

    For example:

    • t* → Will include all the files starting with “t”.

    • *.txt → Will include all the files with “.txt” extension.

Limitations:

  • Doesn’t support a full path.

    For example - java/src1/test.txt

  • .git folders and sub-folders can't be excluded

Filters for Specific Scanners

Filters applied using --file-filter apply to all scanners run in the scan. There is an alternative method that can be used to apply filters to a specific scanner.

Notice

The filters for specific scanners can be used for all types of scans (directory, zip file or GIT repo).

The following flags apply filters to the SAST, KICS and SCA scanners respectively: --sast-filter, --kics-filter, --sca-filter. You can use these flags to specify file types for inclusion, e.g., *.java, or for exclusion, e.g., !*.java.

Note

If you would like to include only files inside specific folders, first apply a global exclude and then specify the folders to include.

For example:

--sast-filter !**/**,Folder01/**,**/Folder02/** would cause the SAST scanner to run only on files inside “Folder01” and “Folder02”.

Notice

For additional details about the syntax used for these filters, see Flags table. Learn more about glob patterns syntax here.

Checkmarx SCA Resolver

Checkmarx SCA Resolver is an on-prem utility that enables you to resolve and extract dependencies and fingerprints from your source code and send them to the Checkmarx SCA cloud platform for risk analysis.

Note

Checkmarx SCA Resolver enables you to run a comprehensive SCA scan without the need to send your actual source code to the cloud. It also enables you to scan private (local) dependencies that aren’t accessible to the Checkmarx SCA cloud platform.

To use the SCA Resolver with the Checkmarx One CLI, you need to download the Checkmarx SCA Resolver separately to a location that the Checkmarx One CLI can find. Find the latest download at Checkmarx SCA Resolver Download and Installation.

To use the SCA Resolver, add the --sca-resolver flag to your command line with the resolver's location as its argument. For an example, see the Checkmarx SCA Resolver example below.

To pass additional arguments to Checkmarx SCA Resolver, use the --sca-resolver-params flag with any additional arguments that you need. If the arguments need spaces and/or quotes, wrap the arguments in double quotes and use single quotes inside the value. For a complete list of SCA Resolver configuration arguments, see Checkmarx SCA Resolver Configuration Arguments.

Notice

Only arguments that can be used in Offline mode can be applied to scans run via the Checkmarx One CLI Tool and plugins.

For more information about using SCA Resolver in Checkmarx One CI/CD integrations, see Using SCA Resolver in Checkmarx One CI/CD Integrations.

Threshold

Thresholds built into the CLI let users fail a scan when a certain threshold of vulnerability severities is found in it. Users can break builds on the scan failure or just review the message displayed in the CLI output.

The threshold option takes a semicolon-separated list of key-value pairs.

The format for thresholds is <engine>-<severity>=<limit>

See the Flags table below for all the options for the threshold Parameters.

Flags

Name

Default

Description

--async

Do not wait for scan completion

--branch <string>, -b <string>

Branch to scan

--file-filter <string>, -f <string>

N/A

Source file filtering pattern. Refer to File Filters

--file-include <string>

N/A

Comma separated list of additional file extensions to be included in the scan

For example: *.java2,file.txt

--file-source <string>, -s <string>

N/A

The path to the compressed zip file, the path to the folder or the repository URL to scan

--filter <string>

  • Filter the list of results

  • Use ';' as the delimiter for arrays

  • Available filters are:

    scan-id, limit, offset, sort, include-nodes, node-ids, query, group, status, severity, state

  • Options for severity, state, status:

    • severity - High, Medium, Low, Info (Info is only for SAST scanner)

    • state - TO_VERIFY, NOT_EXPLOITABLE, PROPOSED_NOT_EXPLOITABLE, CONFIRMED, URGENT, IGNORED, NOT_IGNORED

    • status - NEW, RECURRENT, FIXED

--help, -h

N/A

help for the create command

--output-name <string>

"cx_result"

Output file name

--output-path <string>

"."

Output Path

--project-groups <string>

List of groups associated to projects

For example: (groupA,groupB)

--project-name <string>

Name of the project. If the project name contains a space, it must be written between quotes.

For example: "Test1", "Test 1"

--project-tags <string>

List of tags to associate to projects

For example: (tagA,tagB:val, etc)

--report-format <string>

summaryConsole

  • Report output format

  • Select one of the following:

    json, summaryHTML, summaryJSON, summaryConsole, sarif, sonar

--sast-incremental

Perform an Incremental SAST scan

--sast-preset-name <string>

The name of the Checkmarx preset to use

--sca-resolver <string>

N/A

Input path to CxSCA Resolver to locally resolve SCA project dependencies

--sca-resolver-params <string>

N/A

Additional arguments to use with CxSCA Resolver. The arguments can be found here. The SCA Resolver runs in offline mode, only arguments compatible with this mode will work

--scan-info-format <string>

list

  • Selects the scan info output format

  • Select one of the following formats:

    list, table, json

--scan-types <string>

sast, kics, sca

Scan engines to be performed on the code

For example: (sast, kics, sca)

--scan-timeout <int>

Cancel the scan and fail after the timeout in minutes

--tags <string>

List of tags associated to scans

For example: (tagA,tagB:val,etc)

--threshold <string>

  • Threshold count of severity of scan results based on the engine.

  • Threshold Format:

    <engine>-<severity>=<limit>

  • Options for engine:

    • sast, sca, kics

  • Options for severity:

    • severity - High, Medium, Low, Info (Info is only for SAST engine)

  • limit - A number equal to or greater than 1

  • More than one threshold can be defined (multiple engines) and they should be separated by a semi-colon.

--wait-delay <int>

5 seconds

Polling wait time (seconds) to get scan status

--ssh-key <string>

Path to ssh private key

--sast-filter <string>

Filter option specific to SAST engine or scan

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types

    for example: *.java,*.js

  • The parameter also supports including/excluding folders.

--kics-filter <string>

Filter option specific to KICS engine or scan

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types

    for example: *.java,*.js

  • The parameter also supports including/excluding folders.

--sca-filter <string>

Filter option specific to SCA engine or scan

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types

    for example: *.java,*.js

  • The parameter also supports including/excluding folders.

--kics-platforms <string>,<string>

Specify the platforms that you would like the KICS scan to run on.

Tip

When this flag is used, it overrides your account's default settings.

--resubmit

false

Apply the configurations used in the most recent scan in this project branch to the current scan.

Tip

When an argument in the current scan differs from the configuration of the previous scan, the argument in the current scan takes precedence.

Examples

Scan a GIT Repository

./cx scan create --project-name <Project Name> -s <Repository URL> --branch <branch name>
[email protected]:/AST$ ./cx scan create --project-name demo -s https://github.com/my-org/my-repo --branch main

Scan ID    : e1cf8f32-445a-46e2-8941-223a7f1b90e8
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status     : Running
Created at : 08-27-21
Tags       : []
Initiator  : admin
Origin     : ASTCLI 2.0.0

wait for scan to complete e1cf8f32-445a-46e2-8941-223a7f1b90e8 Running
Scan status:  Running
Scan status:  Running
Scan status:  Running
Scan status:  Running
Scan status:  Running
Scan status:  Running
Scan Finished with status:  Completed

         Created At: 2021-08-27, 14:13:39
               Risk: High Risk
         Project ID: 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
            Scan ID: e1cf8f32-445a-46e2-8941-223a7f1b90e8
       Total Issues: 3
        High Issues: 1
      Medium Issues: 1
         Low Issues: 1

Scan Without Waiting

./cx scan create --project-name <Project Name> -s <Repository URL> --branch <branch name> --async
[email protected]:/AST$ ./cx scan create --project-name demo -s https://github.com/my-org/my-repo --branch main --async

Scan ID    : a2f45c91-18ba-4d69-a748-972d0ecc1453
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status     : Running
Created at : 08-27-21
Tags       : []
Initiator  : org_admin
Origin     : ASTCLI 2.0.0-rc.21

Scan Only Specific Scan Types

./cx scan create --project-name <Project Name> -s <Repository URL> --branch <branch name> --scan-types <scan types>
[email protected]:/AST$ ./cx scan create --project-name demo -s https://github.com/my-org/my-repo --branch main --scan-types kics

Scan ID    : 7eb83ed3-5734-4428-92a2-4819fc6c490f
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status     : Running
Created at : 08-27-21
Tags       : []
Initiator  : admin
Origin     : ASTCLI 2.0.0

wait for scan to complete 7eb83ed3-5734-4428-92a2-4819fc6c490f Running
Scan status:  Running
Scan Finished with status:  Completed

         Created At: 2021-08-27, 14:17:29
               Risk:
         Project ID: 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
            Scan ID: 7eb83ed3-5734-4428-92a2-4819fc6c490f
       Total Issues: 0
        High Issues: 0
      Medium Issues: 0
         Low Issues: 0

Checkmarx SCA Resolver

./cx scan create --project-name <Project Name> -s <path> --branch <branch name> --sca-resolver <path-to-resolver> --sca-resolver-params <additional-resolver-arguments>
[email protected]:/AST$ ./cx scan create --project-name demo --scan-types sast,sca -s /project-src --sca-resolver /sca/sca-resolver --sca-resolver-params "-q -e 'my file'" --async

Using SCA resolver: /sca/sca-resolver
Writing logs to /sca/sca-resolver/demo

2021-09-09T21:35:12-07:00 Information    Program "Tool version: 1.5.42"
2021-09-09T21:35:13-07:00 Information    Program "Starting scan from: /project-src"
2021-09-09T21:35:17-07:00 Information    Program "Scan Id: a89088fe-1bb8-4294-a85c-57771f18538f"

Included:  /project-src/pom.xml
Included:  /project-src/main.java
Included SCA Results:  cxsca-results.json
Zip size:  0.06MB

Scan ID    : a2f45c91-18ba-4d69-a748-972d0ecc1453
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status     : Running
Created at : 08-27-21
Tags       : []
Initiator  : service-account
Origin     : ASTCLI 2.0.0

Scan a Source Directory

./cx scan create -s <path> --branch <branch name> --project-name <Project Name>
[email protected]:~/ast-cli$ ./cx scan create -s ./Source-Folder/ --branch main --project-name Test111


Scan ID    : c9f084f4-ebed-4ef5-9526-70f342ea09ea
Project ID : d7b56888-8407-4e9b-ae5b-7fc43233a497
Status     : Running
Created at : 09-13-21
Tags       : []
Initiator  : service-account
Origin     : ASTCLI 2.0.0

wait for scan to complete c9f084f4-ebed-4ef5-9526-70f342ea09ea Running
Scan status:  Running

Scan with Inclusion of Unsupported File Formats

./cx scan create -s <path> --branch <branch name> --project-name <Project Name> --file-include <string>
[email protected]:~/ast-cli$ ./cx scan create -s ./Source-Folder/ --branch main --project-name Test111 --file-include sample.txt,*.myextension
Included:  ./Source-Folder/python.myextension
Included:  ./Source-Folder/sample.txt
Included:  ./Source-Folder/test.java

Scan ID    : a3289df8-75f6-4fd4-92ec-c72bac667a2a
Project ID : d7b56888-8407-4e9b-ae5b-7fc43233a497
Status     : Running
Created at : 09-13-21
Tags       : []
Initiator  : service-account
Origin     : ASTCLI 2.0.0

wait for scan to complete a3289df8-75f6-4fd4-92ec-c72bac667a2a Running
Scan status:  Running

Scan with Exclusion of Specific File or File Type

./cx scan create -s <path> --branch <branch name> --project-name <Project Name> --file-filter <string>
[email protected]:~/ast-cli$ ./cx scan create -s scan_files/ --branch main --project-name Test111 --file-filter '!*mycompany*.jar'
Included:  scan_files/external.jar
Included:  scan_files/file.html
Included:  scan_files/file.java
Excluded:  scan_files/mycompany.jar


Scan ID    : deb5266c-4f0c-407c-ad29-168a0807bb7b
Project ID : d7b56888-8407-4e9b-ae5b-7fc43233a497
Status     : Running
Created at : 09-14-21
Tags       : []
Initiator  : service-account
Origin     : ASTCLI 2.0.0

wait for scan to complete deb5266c-4f0c-407c-ad29-168a0807bb7b Running

Scan with Exclusion of a Specific Folder

./cx scan create -s <path> --branch <branch name> --project-name <Project Name> --file-filter <folder name>
[email protected]:~/ast-cli$ ./cx scan create -s scan_files/ --branch main --project-name Test111 --file-filter '!main'
Included:  scan_files/external.jar
Included:  scan_files/file.html
Included:  scan_files/file.java
Excluded:  scan_files/main


Scan ID    : deb5266c-4f0c-407c-ad29-168a0807bb7b
Project ID : d7b56888-8407-4e9b-ae5b-7fc43233a497
Status     : Running
Created at : 04-20-22
Tags       : []
Initiator  : service-account
Origin     : ASTCLI 2.0.0

wait for scan to complete deb5266c-4f0c-407c-ad29-168a0807bb7b Running

Scan with Configured threshold

./cx scan create --project-name <Project Name> -s <path> --branch <branch name> --threshold <engine>-<severity>=<limit>
[email protected]:/ast-cli$ ./cx scan create --project-name myproject -s my_file.zip --branch main --threshold sast-high=1

Scan ID    : bdab6a9e-eb90-4cab-8783-5c3a2a052b31
Project ID : 49e6d565-933b-4a55-8d08-ec026ddcd7e2
Status     : Running
Created at : 01-26-22
Branch     : main
Tags       : []
Initiator  : org_admin
Origin     : ASTCLI 2.0.10

2022/01/26 11:24:20 Wait for scan to complete bdab6a9e-eb90-4cab-8783-5c3a2a052b31 Running
2022/01/26 11:24:26 Scan status:  Running
2022/01/26 11:24:31 Scan status:  Running
2022/01/26 11:24:36 Scan status:  Running
2022/01/26 11:24:42 Scan status:  Running
2022/01/26 11:24:47 Scan status:  Running
2022/01/26 11:24:52 Scan status:  Running
2022/01/26 11:24:57 Scan status:  Running
2022/01/26 11:25:03 Scan status:  Running
2022/01/26 11:25:08 Scan status:  Running
2022/01/26 11:25:13 Scan Finished with status:  Completed

         Created At: 2022-01-26, 11:24:20
               Risk: High Risk
         Project ID: 49e6d565-933b-4a55-8d08-ec026ddcd7e2
            Scan ID: bdab6a9e-eb90-4cab-8783-5c3a2a052b31
       Total Issues: 28
        High Issues: 3
      Medium Issues: 11
         Low Issues: 14
        Kics Issues: 18
      CxSAST Issues: 9
       CxSCA Issues: 1
2022/01/26 11:25:14 Threshold check finished with status Failed : sast-high: Limit = 1, Current = 2 |
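
A CI wrapper around the threshold syntax and the threshold check line shown above, as an added example (not Checkmarx code). The function names and the CX variable are hypothetical, and the "|" separator between several failed entries is an assumption, since the page shows a single entry. The value is passed as one quoted argument because an unquoted ";" ends the shell command at the first threshold.

```sh
#!/bin/sh
# Added example: pre-flight checks around `cx scan create --threshold`.
# validate_threshold, threshold_failures, gated_scan and CX are illustrative
# names, not part of the Checkmarx One CLI.

# Validate "<engine>-<severity>=<limit>[;<engine>-<severity>=<limit>...]".
# Engines and severities are matched in lowercase, as in the page's example.
# Prints the reason on stderr and returns 1 on the first bad entry.
# The body runs in a subshell "( )" so IFS and set -f do not leak out.
validate_threshold() (
    spec=$1
    [ -n "$spec" ] || { echo "threshold: empty value" >&2; exit 1; }
    set -f                      # no filename expansion while splitting
    IFS=';'
    for entry in $spec; do
        case $entry in
            *=*) ;;
            *) echo "threshold: '$entry' is not <engine>-<severity>=<limit>" >&2; exit 1 ;;
        esac
        key=${entry%%=*}
        limit=${entry#*=}
        engine=${key%%-*}
        severity=${key#*-}
        case $engine in
            sast|sca|kics) ;;
            *) echo "threshold: unknown engine in '$entry'" >&2; exit 1 ;;
        esac
        case $severity in
            high|medium|low) ;;
            info) [ "$engine" = sast ] || { echo "threshold: info is SAST-only ('$entry')" >&2; exit 1; } ;;
            *) echo "threshold: unknown severity in '$entry'" >&2; exit 1 ;;
        esac
        case $limit in
            ''|*[!0-9]*) echo "threshold: limit in '$entry' is not a number" >&2; exit 1 ;;
        esac
        [ "$limit" -ge 1 ] || { echo "threshold: limit in '$entry' must be >= 1" >&2; exit 1; }
    done
)

# Read CLI output on stdin and print "<engine>-<severity> <limit> <current>"
# for each entry of a failed threshold check. The '|' separator between
# several entries is an assumption; the page shows one entry.
threshold_failures() {
    sed -n 's/.*Threshold check finished with status Failed : //p' |
        tr '|' '\n' |
        sed -n 's/^ *\([a-z]*-[a-z]*\): Limit = \([0-9][0-9]*\), Current = \([0-9][0-9]*\) *$/\1 \2 \3/p'
}

# Validate first, then hand the value to the CLI as ONE quoted argument.
# Typed unquoted, the shell would end the cx command at the first ';', so
# cx would receive only the first threshold and the gate would be weaker
# than intended. CX is the CLI path (assumed ./cx, as in the page's examples).
# Usage: gated_scan 'sast-high=1;sca-high=1' --project-name demo -s . --branch main
gated_scan() {
    spec=$1; shift
    validate_threshold "$spec" || return 2
    "${CX:-./cx}" scan create "$@" --threshold "$spec"
}

# Threshold check line copied from the example output above.
SAMPLE_LINE='2022/01/26 11:25:14 Threshold check finished with status Failed : sast-high: Limit = 1, Current = 2 |'
```
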

scan delete

The delete command deletes one or more scans in Checkmarx One.

Usage

./cx scan delete --scan-id <scan ID>

Flags

Name

Default

Description

--help, -h

help for the delete command

--scan-id

One or more scan IDs to delete

For example: <scan-id>,<scan-id>,...

Examples

Retrieving all the scan IDs

[email protected]:/AST$ ./cx.exe scan list

Scan ID                              Project ID                           Status    Created at Tags Initiator Origin             
-------                              ----------                           ------    ---------- ---- --------- ------             
7eb83ed3-5734-4428-92a2-4819fc6c490f 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9 Completed 08-27-21   []   org_admin ASTCLI 2.0.0-rc.21

Deleting a scan

[email protected]:/AST$ ./cx.exe scan delete --scan-id 7eb83ed3-5734-4428-92a2-4819fc6c490f

Retrieving all the scan IDs (after the deletion)

[email protected]:/AST$ ./cx.exe scan list

Scan ID                              Project ID                           Status    Created at Tags Initiator Origin             
-------                              ----------                           ------    ---------- ---- --------- ------ 

Note

To delete several scans, use the Space character between the scan IDs.

For example:

Deleting several scans

./cx.exe scan delete --scan-id 7eb83ed3-5734-4428-92a2-4819fc6c490f,a2f45c91-18ba-4d69-a748-972d0ecc1453

scan list

The list command provides a list of all the scans in Checkmarx One.

Usage

./cx scan list [flags]

Flags

Name

Default

Description

--filter <string>

  • Filter the list of scans.

  • Use the “;” sign as the delimiter for arrays.

  • Available filters are:

    limit, offset, scan-ids, tags-keys, tags-values, statuses, project-id, from-date, to-date

--format <string>

table

  • Selects the output format.

  • Select one of the following formats:

    json, list, table

--help, -h

help for the list command

Examples

Using the scan list command with --format flag

[email protected]:/AST$ ./cx.exe scan list --format table

Scan ID                              Project ID                           Status    Created at Tags Initiator Origin             
-------                              ----------                           ------    ---------- ---- --------- ------             
a2f45c91-18ba-4d69-a748-972d0ecc1453 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9 Completed 08-27-21   []   org_admin ASTCLI 2.0.0-rc.21
[email protected]:/AST$ ./cx.exe scan list --format list

Scan ID    : a2f45c91-18ba-4d69-a748-972d0ecc1453
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status     : Completed
Created at : 08-27-21
Tags       : []
Initiator  : org_admin
Origin     : ASTCLI 2.0.0-rc.21

scan show

The show command shows information about a requested scan in Checkmarx One.

Usage

./cx scan show --scan-id <scan id> [flags]

Flags

Name

Default

Description

--format <string>

table

  • Selects the output format

  • Select one of the following formats:

    json, list, table

--scan-id <string>

Scan ID to show

--help, -h

help for the show command

Examples

Retrieving all the scan IDs

[email protected]:/AST$ ./cx.exe scan list

Scan ID                              Project ID                           Status    Created at Tags Initiator Origin             
-------                              ----------                           ------    ---------- ---- --------- ------                 
a2f45c91-18ba-4d69-a748-972d0ecc1453 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9 Completed 08-27-21   []   org_admin ASTCLI 2.0.0-rc.21 

Using the scan show command with --format flag

[email protected]:/AST$ ./cx.exe scan show --scan-id a2f45c91-18ba-4d69-a748-972d0ecc1453 --format table

Scan ID                              Project ID                           Status    Created at Tags Initiator Origin             
-------                              ----------                           ------    ---------- ---- --------- ------             
a2f45c91-18ba-4d69-a748-972d0ecc1453 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9 Completed 08-27-21   []   org_admin ASTCLI 2.0.0-rc.21
[email protected]:/AST$ ./cx.exe scan show --scan-id a2f45c91-18ba-4d69-a748-972d0ecc1453 --format list

Scan ID    : a2f45c91-18ba-4d69-a748-972d0ecc1453
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status     : Completed
Created at : 08-27-21
Tags       : []
Initiator  : org_admin
Origin     : ASTCLI 2.0.0-rc.21

scan tags

The tags command lists all the available tags in Checkmarx One.

Usage

./cx scan tags [flags]

Flags

Name

Default

Description

--help, -h

help for the tags command

Examples

Using the tags command

[email protected]:~/ast-cli$ ./cx scan tags
{"main":[""]}

scan workflow

The workflow command provides information about a requested scan workflow in Checkmarx One.

Usage

./cx scan workflow --scan-id <scan id> [flags]

Flags

Name

Default

Description

--scan-id <string>

Scan ID whose workflow to show

--format <string>

table

  • Selects the output format.

  • Select one of the following formats:

    json, list, table

--help, -h

help for the workflow command

Examples

Retrieving all the scan IDs

[email protected]:/AST$ ./cx.exe scan list

Scan ID                              Project ID                           Status    Created at Tags Initiator Origin             
-------                              ----------                           ------    ---------- ---- --------- ------                   
a2f45c91-18ba-4d69-a748-972d0ecc1453 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9 Completed 08-27-21   []   org_admin ASTCLI 2.0.0-rc.21 

Using the workflow command with --format flag

[email protected]:/AST$ ./cx.exe scan workflow --scan-id a2f45c91-18ba-4d69-a748-972d0ecc1453 --format table

Source                         Timestamp                      Info                                                   
------                         ---------                      ----                                                   
scans                          2021-08-27T14:15:46.843323175Z Scan created                                           
scans                          2021-08-27T14:15:46.996620259Z Scan Running                                           
fetch-sources-default          2021-08-27T14:15:47.068Z       fetch-sources-default started                          
fetch-sources-default          2021-08-27T14:15:47.082Z       fetch-sources-default in progress                      
fetch-sources-default          2021-08-27T14:15:48.061Z       fetch-sources-default ended                            
config-as-code-default         2021-08-27T14:15:48.101Z       config-as-code-default started                         
config-as-code-default         2021-08-27T14:15:48.304Z       config-as-code-default checkmarx config file not found 
config-as-code-default         2021-08-27T14:15:48.346Z       config-as-code-default ended                           
kics-runner-default            2021-08-27T14:15:48.415Z       kics-runner-default started                            
kics-runner-default            2021-08-27T14:15:48.425Z       kics-runner-default Start scan files download          
sca-runner-default             2021-08-27T14:15:48.429Z       sca-runner-default started                             
fetch-queries-default          2021-08-27T14:15:48.43Z        fetch-queries-default started                          
sca-runner-default             2021-08-27T14:15:48.449Z       sca-runner-default Start scan files download           
kics-runner-default            2021-08-27T14:15:48.583Z       kics-runner-default Finished scan files download       
kics-runner-default            2021-08-27T14:15:48.597Z       kics-runner-default Start scan execution               
sca-runner-default             2021-08-27T14:15:48.637Z       sca-runner-default Finished scan files download        
sca-runner-default             2021-08-27T14:15:48.671Z       sca-runner-default Start scan execution                
fetch-queries-default          2021-08-27T14:15:48.975Z       fetch-queries-default ended                            
sast-scan-inc-default          2021-08-27T14:15:49.014Z       sast-scan-inc-default started                          
sast-scan-inc-default          2021-08-27T14:15:49.262Z       sast-scan-inc-default ended                            
sast-rm-default                2021-08-27T14:15:49.307Z       sast-rm-default started                                
sast-results-inc-default       2021-08-27T14:15:49.307Z       sast-results-inc-default started                       
sast-rm-default                2021-08-27T14:15:49.406Z       sast-rm-default Queued in sast resource manager        
sast-results-inc-default       2021-08-27T14:15:49.443Z       sast-results-inc-default ended                         
kics-runner-default            2021-08-27T14:15:51.285Z       kics-runner-default Finished scan execution            
kics-runner-default            2021-08-27T14:15:51.297Z       kics-runner-default Start results publish              
kics-runner-default            2021-08-27T14:15:51.311Z       kics-runner-default Finished results publish           
kics-runner-default            2021-08-27T14:15:51.331Z       kics-runner-default Start engine log publish           
kics-runner-default            2021-08-27T14:15:51.368Z       kics-runner-default Finished engine log publish        
kics-runner-default            2021-08-27T14:15:51.413Z       kics-runner-default ended                              
collect-logs-default           2021-08-27T14:15:51.464Z       collect-logs-default started                           
kics-results-processor-default 2021-08-27T14:15:51.464Z       kics-results-processor-default started                 
collect-logs-default           2021-08-27T14:15:51.613Z       collect-logs-default ended                             
kics-results-processor-default 2021-08-27T14:15:52.306Z       kics-results-processor-default ended                   
sca-runner-default             2021-08-27T14:16:20.583Z       sca-runner-default Finished scan execution             
sca-runner-default             2021-08-27T14:16:20.596Z       sca-runner-default Start results publish               
sca-runner-default             2021-08-27T14:16:20.62Z        sca-runner-default Finished results publish            
sca-runner-default             2021-08-27T14:16:20.664Z       sca-runner-default ended                               
sca-packages-processor-default 2021-08-27T14:16:20.716Z       sca-packages-processor-default started                 
sca-results-processor-default  2021-08-27T14:16:20.717Z       sca-results-processor-default started                  
sca-packages-processor-default 2021-08-27T14:16:20.924Z       sca-packages-processor-default ended                   
sca-results-processor-default  2021-08-27T14:16:21.246Z       sca-results-processor-default ended                    
sast-rm-default                2021-08-27T14:16:21.833Z       sast-rm-default ended                                  
collect-logs-default           2021-08-27T14:16:21.882Z       collect-logs-default started                           
sast-results-events-default    2021-08-27T14:16:21.883Z       sast-results-events-default started                    
collect-logs-default           2021-08-27T14:16:22.068Z       collect-logs-default ended                             
sast-results-events-default    2021-08-27T14:16:24.982Z       sast-results-events-default ended                      
scans                          2021-08-27T14:16:25.056678542Z Scan Completed                       
[email protected]:/AST$ ./cx.exe scan workflow --scan-id a2f45c91-18ba-4d69-a748-972d0ecc1453 --format list

Source    : scans
Timestamp : 2021-08-27T14:15:46.843323175Z
Info      : Scan created

Source    : scans
Timestamp : 2021-08-27T14:15:46.996620259Z
Info      : Scan Running

Source    : fetch-sources-default
Timestamp : 2021-08-27T14:15:47.068Z
Info      : fetch-sources-default started

Source    : fetch-sources-default
Timestamp : 2021-08-27T14:15:47.082Z
Info      : fetch-sources-default in progress

Source    : fetch-sources-default
Timestamp : 2021-08-27T14:15:48.061Z
Info      : fetch-sources-default ended

Source    : config-as-code-default
Timestamp : 2021-08-27T14:15:48.101Z
Info      : config-as-code-default started

Source    : config-as-code-default
Timestamp : 2021-08-27T14:15:48.304Z
Info      : config-as-code-default checkmarx config file not found

Source    : config-as-code-default
Timestamp : 2021-08-27T14:15:48.346Z
Info      : config-as-code-default ended

Source    : kics-runner-default
Timestamp : 2021-08-27T14:15:48.415Z
Info      : kics-runner-default started

Source    : kics-runner-default
Timestamp : 2021-08-27T14:15:48.425Z
Info      : kics-runner-default Start scan files download

Source    : sca-runner-default
Timestamp : 2021-08-27T14:15:48.429Z
Info      : sca-runner-default started

Source    : fetch-queries-default
Timestamp : 2021-08-27T14:15:48.43Z
Info      : fetch-queries-default started

Source    : sca-runner-default
Timestamp : 2021-08-27T14:15:48.449Z
Info      : sca-runner-default Start scan files download

Source    : kics-runner-default
Timestamp : 2021-08-27T14:15:48.583Z
Info      : kics-runner-default Finished scan files download

Source    : kics-runner-default
Timestamp : 2021-08-27T14:15:48.597Z
Info      : kics-runner-default Start scan execution

Source    : sca-runner-default
Timestamp : 2021-08-27T14:15:48.637Z
Info      : sca-runner-default Finished scan files download

Source    : sca-runner-default
Timestamp : 2021-08-27T14:15:48.671Z
Info      : sca-runner-default Start scan execution

Source    : fetch-queries-default
Timestamp : 2021-08-27T14:15:48.975Z
Info      : fetch-queries-default ended

Source    : sast-scan-inc-default
Timestamp : 2021-08-27T14:15:49.014Z
Info      : sast-scan-inc-default started

Source    : sast-scan-inc-default
Timestamp : 2021-08-27T14:15:49.262Z
Info      : sast-scan-inc-default ended

Source    : sast-rm-default
Timestamp : 2021-08-27T14:15:49.307Z
Info      : sast-rm-default started

Source    : sast-results-inc-default
Timestamp : 2021-08-27T14:15:49.307Z
Info      : sast-results-inc-default started

Source    : sast-rm-default
Timestamp : 2021-08-27T14:15:49.406Z
Info      : sast-rm-default Queued in sast resource manager

Source    : sast-results-inc-default
Timestamp : 2021-08-27T14:15:49.443Z
Info      : sast-results-inc-default ended

Source    : kics-runner-default
Timestamp : 2021-08-27T14:15:51.285Z
Info      : kics-runner-default Finished scan execution

Source    : kics-runner-default
Timestamp : 2021-08-27T14:15:51.297Z
Info      : kics-runner-default Start results publish

Source    : kics-runner-default
Timestamp : 2021-08-27T14:15:51.311Z
Info      : kics-runner-default Finished results publish

Source    : kics-runner-default
Timestamp : 2021-08-27T14:15:51.331Z
Info      : kics-runner-default Start engine log publish

Source    : kics-runner-default
Timestamp : 2021-08-27T14:15:51.368Z
Info      : kics-runner-default Finished engine log publish

Source    : kics-runner-default
Timestamp : 2021-08-27T14:15:51.413Z
Info      : kics-runner-default ended

Source    : collect-logs-default
Timestamp : 2021-08-27T14:15:51.464Z
Info      : collect-logs-default started

Source    : kics-results-processor-default
Timestamp : 2021-08-27T14:15:51.464Z
Info      : kics-results-processor-default started

Source    : collect-logs-default
Timestamp : 2021-08-27T14:15:51.613Z
Info      : collect-logs-default ended

Source    : kics-results-processor-default
Timestamp : 2021-08-27T14:15:52.306Z
Info      : kics-results-processor-default ended

Source    : sca-runner-default
Timestamp : 2021-08-27T14:16:20.583Z
Info      : sca-runner-default Finished scan execution

Source    : sca-runner-default
Timestamp : 2021-08-27T14:16:20.596Z
Info      : sca-runner-default Start results publish

Source    : sca-runner-default
Timestamp : 2021-08-27T14:16:20.62Z
Info      : sca-runner-default Finished results publish

Source    : sca-runner-default
Timestamp : 2021-08-27T14:16:20.664Z
Info      : sca-runner-default ended

Source    : sca-packages-processor-default
Timestamp : 2021-08-27T14:16:20.716Z
Info      : sca-packages-processor-default started

Source    : sca-results-processor-default
Timestamp : 2021-08-27T14:16:20.717Z
Info      : sca-results-processor-default started

Source    : sca-packages-processor-default
Timestamp : 2021-08-27T14:16:20.924Z
Info      : sca-packages-processor-default ended

Source    : sca-results-processor-default
Timestamp : 2021-08-27T14:16:21.246Z
Info      : sca-results-processor-default ended

Source    : sast-rm-default
Timestamp : 2021-08-27T14:16:21.833Z
Info      : sast-rm-default ended

Source    : collect-logs-default
Timestamp : 2021-08-27T14:16:21.882Z
Info      : collect-logs-default started

Source    : sast-results-events-default
Timestamp : 2021-08-27T14:16:21.883Z
Info      : sast-results-events-default started

Source    : collect-logs-default
Timestamp : 2021-08-27T14:16:22.068Z
Info      : collect-logs-default ended

Source    : sast-results-events-default
Timestamp : 2021-08-27T14:16:24.982Z
Info      : sast-results-events-default ended

Source    : scans
Timestamp : 2021-08-27T14:16:25.056678542Z
Info      : Scan Completed                  
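
The list format above carries one record per three-line block, so per-stage timing can be derived with a small parser. The following is an added example, not part of the Checkmarx One CLI or its documentation; the function names are hypothetical and the sample reuses records from the output above. It handles the mixed timestamp precision (".43Z" up to nanoseconds) and sources that start and end more than once.

```python
import re
from datetime import datetime, timezone

# Constructed sample: (source, timestamp, info) values copied from the output above,
# rendered back into the three-line "--format list" layout.
ROWS = [
    ("scans", "2021-08-27T14:15:46.843323175Z", "Scan created"),
    ("sca-runner-default", "2021-08-27T14:15:48.429Z", "sca-runner-default started"),
    ("fetch-queries-default", "2021-08-27T14:15:48.43Z", "fetch-queries-default started"),
    ("sca-runner-default", "2021-08-27T14:15:48.449Z", "sca-runner-default Start scan files download"),
    ("fetch-queries-default", "2021-08-27T14:15:48.975Z", "fetch-queries-default ended"),
    ("collect-logs-default", "2021-08-27T14:15:51.464Z", "collect-logs-default started"),
    ("collect-logs-default", "2021-08-27T14:15:51.613Z", "collect-logs-default ended"),
    ("sca-runner-default", "2021-08-27T14:16:20.664Z", "sca-runner-default ended"),
    ("collect-logs-default", "2021-08-27T14:16:21.882Z", "collect-logs-default started"),
    ("collect-logs-default", "2021-08-27T14:16:22.068Z", "collect-logs-default ended"),
    ("scans", "2021-08-27T14:16:25.056678542Z", "Scan Completed"),
]
SAMPLE = "\n\n".join(f"Source    : {s}\nTimestamp : {t}\nInfo      : {i}" for s, t, i in ROWS)

TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z")


def parse_ts(text):
    """Parse a UTC timestamp carrying anywhere from 0 to 9 fractional digits."""
    m = TS_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((m.group(2) or "").ljust(6, "0")[:6])  # pad ".43", truncate nanoseconds
    return base.replace(microsecond=micros)


def parse_records(text):
    """Split list-format output into dicts with source, time and info keys."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # the first colon is the separator
            if sep:
                fields[key.strip().lower()] = value.strip()
        if {"source", "timestamp", "info"} <= fields.keys():
            records.append({"source": fields["source"], "info": fields["info"],
                            "time": parse_ts(fields["timestamp"])})
    return records


def stage_durations(records):
    """Pair '<source> started' with the next '<source> ended'.

    Returns (finished, unfinished): finished is a list of (source, seconds) in
    completion order, unfinished lists sources that started but never ended.
    """
    open_starts, finished = {}, []
    for rec in sorted(records, key=lambda r: r["time"]):
        src = rec["source"]
        if rec["info"] == f"{src} started":
            open_starts[src] = rec["time"]
        elif rec["info"] == f"{src} ended" and src in open_starts:
            elapsed = rec["time"] - open_starts.pop(src)
            finished.append((src, round(elapsed.total_seconds(), 3)))
    return finished, sorted(open_starts)


if __name__ == "__main__":
    done, stuck = stage_durations(parse_records(SAMPLE))
    for source, seconds in done:
        print(f"{source:<28} {seconds:>8.3f}s")
    print("unfinished:", stuck or "none")
```

A non-empty unfinished list on a scan that is no longer running points at the stage whose logs are worth pulling first.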

scan logs

The logs command prints the application logs for a single scan type.

The available scan types are:

  • sast

  • kics

Usage

./cx scan logs --scan-id <scan Id> --scan-type <scan type>

Flags

Name                    Default    Description
--help, -h                         help for the logs command
--scan-id <string>                 Scan ID to retrieve log for
--scan-type <string>               Scan type to pull logs for. Available scan types: sast, kics

Examples

Retrieving the scan IDs

[email protected]:~/ast-cli$ ./cx scan list

Scan ID                              Project ID                           Status    Created at Tags Initiator                                                        Origin                 
-------                              ----------                           ------    ---------- ---- ---------                                                        ------                 
f36b063a-84ca-4c4f-ad22-debacdd588aa d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-26-21   []   org_admin                                                        Chrome 93.0.4577.63    
7efdc589-c8e1-436b-8980-4a907839a5d0 2924669e-f021-4fca-8d18-6b9d00881c1a Completed 09-26-21   []                                                                    grpc-java-netty 1.35.0 
b9794f15-b5a1-4565-9156-cab11ab016df 2924669e-f021-4fca-8d18-6b9d00881c1a Completed 09-26-21   []                                                                    grpc-java-netty 1.35.0 
b8ba8ba6-27fc-46a0-a38a-3009dbfcff8c 4f746998-d127-413f-9c45-4c1c83593015 Completed 09-23-21   []                                                                    grpc-java-netty 1.35.0 
66004e49-8c81-4152-88eb-d69431dd6fa4 d6fe8ab4-becd-49ff-987f-ec5ee02cc614 Completed 09-22-21   []   org_admin                                                        Chrome 93.0.4577.82    
eea14385-b044-4e3e-b6aa-348167166d79 9ddad1d7-4332-4673-b741-3235be8cd194 Completed 09-22-21   []   org_admin                                                        Chrome 93.0.4577.63    
d79e99cc-01d6-4480-929e-73cbea97594b 2924669e-f021-4fca-8d18-6b9d00881c1a Completed 09-19-21   []                                                                    grpc-java-netty 1.35.0 
c4898668-da14-4b53-92f2-f4ffa65545a2 eec7e339-6385-49f1-bde2-8f6929dcecbe Completed 09-19-21   []                                                                    grpc-java-netty 1.35.0 
f1351cdb-6fd7-4d2d-a08c-cae53f9b5cd8 eec7e339-6385-49f1-bde2-8f6929dcecbe Completed 09-19-21   []                                                                    grpc-java-netty 1.35.0 
b0f9c8b4-f678-428a-b03f-83a26fa8bc19 c91820cf-947b-4007-8e41-3d3ff341d4d5 Completed 09-19-21   []                                                                    grpc-java-netty 1.35.0 
6f614cdb-be03-4470-a798-0392db5a8cba c91820cf-947b-4007-8e41-3d3ff341d4d5 Completed 09-19-21   []                                                                    grpc-java-netty 1.35.0 
230e1342-3a45-436d-b61c-ec14ec2fea0b c91820cf-947b-4007-8e41-3d3ff341d4d5 Completed 09-19-21   []                                                                    grpc-java-netty 1.35.0 
ac4583a7-e119-4fd8-a8f2-16c454c2dfa3 9ae9cf0d-d732-48d1-b3e0-41b3042d272c Completed 09-16-21   []   org_admin                                                        Chrome 93.0.4577.82    
deb5266c-4f0c-407c-ad29-168a0807bb7b d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-14-21   []   service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23     
e93991b9-a1a3-4ed3-ada4-5407a31ccc77 d7b56888-8407-4e9b-ae5b-7fc43233a497 Failed    09-14-21   []   service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23     
0bb6916b-33c7-40bd-a5ec-af9aa0e50c7e d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-14-21   []   service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23     
8429d707-a63a-4a5a-b67f-615938333e88 d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-14-21   []   service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23     
93ea54b3-ec22-4741-b756-5c69bb5686ef d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-14-21   []   service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23     
5d923419-fd93-4bde-b3ec-d21bdfd73b2a d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-14-21   []   service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23     
c9f084f4-ebed-4ef5-9526-70f342ea09ea d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-13-21   []   service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23     

Retrieving the logs for SAST scan type

[email protected]:~/ast-cli$ ./cx scan logs --scan-id f36b063a-84ca-4c4f-ad22-debacdd588aa --scan-type sast
26/09/2021 13:05:42,602 [1] INFO  Available memory: 12347 Used memory: 56 Elapsed Time: 00:00:00.1241647 [Unspecified] -
Product version: 9.4.0.0-202107110128-Release
Used memory: 56Mb
OS: Unix 5.4.129.63
Current Directory: /app/Engine

Processor Count: 3
CLR Version: 3.1.18
Executable PID: 19
Executable Location: /usr/share/dotnet/dotnet
Process ID: 19
/ 96 GB Free
/proc 0 GB Free
/dev 0 GB Free
/dev/pts 0 GB Free
/sys 0 GB Free
/sys/fs/cgroup 7 GB Free
/sys/fs/cgroup/systemd 0 GB Free
/sys/fs/cgroup/freezer 0 GB Free
/sys/fs/cgroup/net_cls,net_prio 0 GB Free
/sys/fs/cgroup/memory 0 GB Free
/sys/fs/cgroup/perf_event 0 GB Free
/sys/fs/cgroup/devices 0 GB Free
/sys/fs/cgroup/cpu,cpuacct 0 GB Free
/sys/fs/cgroup/blkio 0 GB Free
/sys/fs/cgroup/hugetlb 0 GB Free
/sys/fs/cgroup/pids 0 GB Free
/sys/fs/cgroup/cpuset 0 GB Free
/dev/mqueue 0 GB Free
/etc/podinfo 7 GB Free
/dev/shm 0 GB Free
/run/secrets/kubernetes.io/serviceaccount 7 GB Free
/proc/bus 0 GB Free
/proc/fs 0 GB Free
/proc/irq 0 GB Free
/proc/sys 0 GB Free
/proc/acpi 7 GB Free
/sys/firmware 7 GB Free

Disk Speed: 526 Ticks per one request
New Disk Speed: 292 Ticks per one request
64Bit platform
PROCESSOR IDENTIFIER: Intel(R) Xeon(R) Platinum 8275CL CPU @ 3.00GHz
Core Speed: 3.6GHz
Product: Checkmarx SAST Engine
-       Main Version:
-       Hotfix Version:
-       Path:
Current Product dll's version list:
___________________________________
Assembly name:                 File version:
ASP.dll                        9.4.0.0-202107110125-Release
CSharp.dll                     9.4.0.0-202107110125-Release
DataCollections.dll            9.4.0.0-202107110128-Release
EngineFacade.dll               9.4.0.0-202107110128-Release
Flowgraphs.dll                 9.4.0.0-202107110128-Release
Plugin.dll                     9.4.0.0-202107110125-Release
Query.dll                      9.4.0.0-202107110128-Release
CxWrm.dll                      9.4.0.0-202107110128-Release
====================================================


26/09/2021 13:05:42,628 [1] INFO  Available memory: 12265 Used memory: 127 Elapsed Time: 00:00:01.7149099 [Unspecified] - Initializing scan input
26/09/2021 13:05:42,645 [1] INFO  Available memory: 12265 Used memory: 128 Elapsed Time: 00:00:01.7321179 [Startup] - Current Engine Configuration from DefaultConfig.xml:
_____________________________
IMPORTANT_FILE_ONLY_SCAN*=true
SMALL_PROJECT_BORDER*=3000000

Retrieving the logs for KICS scan type

[email protected]:~/ast-cli$ ./cx scan logs --scan-id f36b063a-84ca-4c4f-ad22-debacdd588aa --scan-type kics
1:03PM | DEBUG | console.scan()
1:03PM | INFO  | Scanning with Keeping Infrastructure as Code Secure v1.3.3
1:03PM | DEBUG | Looking for queries in executable path and in current work directory
1:03PM | DEBUG | helpers.GetDefaultQueryPath()
1:03PM | DEBUG | helpers.GetExecutableDirectory()
1:03PM | DEBUG | Queries found in /app/kics-deployment/assets/queries
1:03PM | INFO  | Loading queries of type: dockerfile, ansible
1:03PM | DEBUG | source.NewFilesystemSource()
1:03PM | DEBUG | storage.NewMemoryStorage()
1:03PM | DEBUG | engine.NewInspector()
1:03PM | INFO  | Inspector initialized, number of queries=289
1:03PM | INFO  | Query execution timeout=1m0s
1:03PM | DEBUG | provider.NewFileSystemSourceProvider()
1:03PM | DEBUG | parser.NewBuilder()
1:03PM | DEBUG | resolver.Add()
1:03PM | DEBUG | resolver.Build()
1:03PM | DEBUG | service.StartScan()
1:03PM | DEBUG | service.StartScan()
1:03PM | DEBUG | engine.Inspect()
1:03PM | DEBUG | engine.Inspect()
1:03PM | DEBUG | model.CreateSummary()
1:03PM | DEBUG | console.resolveOutputs()
1:03PM | DEBUG | helpers.PrintResult()
1:03PM | INFO  | Files scanned: 4
1:03PM | INFO  | Parsed files: 4
1:03PM | INFO  | Queries loaded: 289
1:03PM | INFO  | Queries failed to execute: 0
1:03PM | INFO  | Inspector stopped
1:03PM | DEBUG | console.printOutput()
1:03PM | DEBUG | Output formats provided [json]
1:03PM | DEBUG | helpers.ValidateReportFormats()
1:03PM | DEBUG | helpers.GenerateReport()
1:03PM | INFO  | Results saved to file /tmp/953972639/results.json fileName:results.json
1:03PM | INFO  | Scan duration: 3318ms

kics-realtime

The scan kics-realtime command creates and runs a new KICS scan locally in a container.

Usage

./cx scan kics-realtime [flags]

Supported scan files extensions / technologies

The scan kics-realtime command scans individual files of the types supported by the KICS tool (listed below).

kics-realtime supports scanning multiple technologies, namely:

  • Ansible

  • Azure Resource Manager

  • CDK

  • CloudFormation

  • Azure Blueprints

  • Docker

  • Docker Compose

  • gRPC

  • Helm

  • Kubernetes

  • OpenAPI

  • Google Deployment Manager

  • SAM

  • Terraform

 

Notice

For more details, see the official KICS documentation: https://docs.kics.io/latest/platforms/

Additional Parameters

The --additional-params flag passes additional scan options supported by KICS. The options must be given in comma-separated format.

Notice

For more information about the additional scan options and flags supported by KICS, see the official documentation:

https://docs.kics.io/latest/commands/

Warning

The report format and output path cannot be overridden, even if those flags are set explicitly in --additional-params.

Flags

Name                                     Default    Description
--file <string> (required)               N/A        Path to input file
--engine <string>                        docker     Name for the container engine to run KICS.
--additional-params <string>,<string>    N/A        Comma separated additional scan options supported by KICS.

Examples

Scanning a file

./cx scan kics-realtime --file <FILE PATH>
[email protected]:/AST$ ./cx scan kics-realtime --file /home/Dockerfile

{"kics_version":"v1.5.6","total_counter":2,"queries":[{"query_name":"Missing User Instruction","query_id":"fd54f200-402c-4333-a5a4-36ef6709af2f","severity":"HIGH","platform":"Dockerfile","category":"Build Process","description":"A user should be specified in the dockerfile, otherwise the image will run as root","query_url":"https://docs.docker.com/engine/reference/builder/#user","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"07841372d54f621706540de0f41d702dc8598f681a44bc19f55feb4cdce61e76","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"The 'Dockerfile' contains the 'USER' instruction","actual_value":"The 'Dockerfile' does not contain any 'USER' instruction"}]},{"query_name":"Healthcheck Instruction Missing","query_id":"b03a748a-542d-44f4-bb86-9199ab4fd2d5","severity":"LOW","platform":"Dockerfile","category":"Insecure Configurations","description":"Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working","query_url":"https://docs.docker.com/engine/reference/builder/#healthcheck","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"5c3e1823b979a8cb04a5293f368fa8134175da78011f4d144c19f45177aa65e9","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"Dockerfile contains instruction 'HEALTHCHECK'","actual_val

Scanning a file with a specific engine

./cx scan kics-realtime --file <FILE PATH> --engine <ENGINE NAME>
[email protected]:/AST$ ./cx scan kics-realtime --file /home/Dockerfile --engine podman

{"kics_version":"v1.5.6","total_counter":2,"queries":[{"query_name":"Missing User Instruction","query_id":"fd54f200-402c-4333-a5a4-36ef6709af2f","severity":"HIGH","platform":"Dockerfile","category":"Build Process","description":"A user should be specified in the dockerfile, otherwise the image will run as root","query_url":"https://docs.docker.com/engine/reference/builder/#user","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"07841372d54f621706540de0f41d702dc8598f681a44bc19f55feb4cdce61e76","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"The 'Dockerfile' contains the 'USER' instruction","actual_value":"The 'Dockerfile' does not contain any 'USER' instruction"}]},{"query_name":"Healthcheck Instruction Missing","query_id":"b03a748a-542d-44f4-bb86-9199ab4fd2d5","severity":"LOW","platform":"Dockerfile","category":"Insecure Configurations","description":"Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working","query_url":"https://docs.docker.com/engine/reference/builder/#healthcheck","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"5c3e1823b979a8cb04a5293f368fa8134175da78011f4d144c19f45177aa65e9","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"Dockerfile contains instruction 'HEALTHCHECK'","actual_val

Scanning a file with additional parameters

./cx scan kics-realtime --file <FILE PATH> --engine <ENGINE NAME> --additional-params <ADDITIONAL PARAMS>
[email protected]:/AST$ ./cx scan kics-realtime --file /home/Dockerfile --engine podman --additional-params -v,--exclude-results,fec62a97d569662093dbb9739360942f

{"kics_version":"v1.5.6","total_counter":2,"queries":[{"query_name":"Missing User Instruction","query_id":"fd54f200-402c-4333-a5a4-36ef6709af2f","severity":"HIGH","platform":"Dockerfile","category":"Build Process","description":"A user should be specified in the dockerfile, otherwise the image will run as root","query_url":"https://docs.docker.com/engine/reference/builder/#user","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"07841372d54f621706540de0f41d702dc8598f681a44bc19f55feb4cdce61e76","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"The 'Dockerfile' contains the 'USER' instruction","actual_value":"The 'Dockerfile' does not contain any 'USER' instruction"}]},{"query_name":"Healthcheck Instruction Missing","query_id":"b03a748a-542d-44f4-bb86-9199ab4fd2d5","severity":"LOW","platform":"Dockerfile","category":"Insecure Configurations","description":"Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working","query_url":"https://docs.docker.com/engine/reference/builder/#healthcheck","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"5c3e1823b979a8cb04a5293f368fa8134175da78011f4d144c19f45177aa65e9","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"Dockerfile contains instruction 'HEALTHCHECK'","actual_val

Scanning a file in debug mode

./cx scan kics-realtime --file <FILE PATH> --engine <ENGINE NAME> --debug
[email protected]:/AST$ ./cx scan kics-realtime --file /home/Dockerfile --engine podman --additional-params -v,--exclude-results,fec62a97d569662093dbb9739360942f --debug

2022/07/06 10:33:06 CLI Configuration:
2022/07/06 10:33:06               cx_client_secret: 
2022/07/06 10:33:06                      cx_apikey: 
2022/07/06 10:33:06                      cx_branch: 
2022/07/06 10:33:06                      cx_tenant: organization
2022/07/06 10:33:06                     http_proxy: 
2022/07/06 10:33:06                   cx_client_id: 
2022/07/06 10:33:06                     cx_timeout: 5
2022/07/06 10:33:06                    cx_base_uri: 
2022/07/06 10:33:06               cx_base_auth_uri: 
2022/07/06 10:33:06             cx_proxy_auth_type: basic
2022/07/06 10:33:06 Starting kics container
2022/07/06 10:33:06 The report format and output path cannot be overridden.
2022/07/06 10:33:08 
                   .0MO.                                    
                   OMMMx                                    
                   ;NMX;                                    
                    ...           ...              ....     
WMMMd     cWMMM0.  KMMMO      ;xKWMMMMNOc.     ,xXMMMMMWXkc.
WMMMd   .0MMMN:    KMMMO    :XMMMMMMMMMMMWl   xMMMMMWMMMMMMl
WMMMd  lWMMMO.     KMMMO   xMMMMKc...'lXMk   ,MMMMx   .;dXx 
WMMMd.0MMMX;       KMMMO  cMMMMd        '    'MMMMNl'       
WMMMNWMMMMl        KMMMO  0MMMN               oMMMMMMMXkl.  
WMMMMMMMMMMo       KMMMO  0MMMX                .ckKWMMMMMM0.
WMMMMWokMMMMk      KMMMO  oMMMMc              .     .:OMMMM0
WMMMK.  dMMMM0.    KMMMO   KMMMMx'    ,kNc   :WOc.    .NMMMX
WMMMd    cWMMMX.   KMMMO    kMMMMMWXNMMMMMd .WMMMMWKO0NMMMMl
WMMMd     ,NMMMN,  KMMMO     'xNMMMMMMMNx,   .l0WMMMMMMMWk, 
xkkk:      ,kkkkx  okkkl        ;xKXKx;          ;dOKKkc    


Scanning with Keeping Infrastructure as Code Secure v1.5.6


Preparing Scan Assets: Done
Executing queries: [-------------------------------------------->___________________________] 62.03%
Executing queries: [------------------------------------------------------------->__________] 84.81%
Executing queries: [-----------------------------------------------------------------------] 100.00%
Files scanned: 1
Parsed files: 1
Queries loaded: 48
Queries failed to execute: 0

------------------------------------

Healthcheck Instruction Missing, Severity: LOW, Results: 1
Description: Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Platform: Dockerfile

        [1]: ../../path/d.dockerfile:1

                001: FROM openjdk:11.0.1-jre-slim-stretch
                002: 


Missing User Instruction, Severity: HIGH, Results: 1
Description: A user should be specified in the dockerfile, otherwise the image will run as root
Platform: Dockerfile

        [1]: ../../path/d.dockerfile:1

                001: FROM openjdk:11.0.1-jre-slim-stretch
                002: 



Results Summary:
HIGH: 1
MEDIUM: 0
LOW: 1
INFO: 0
TOTAL: 2

Results saved to file /path/results.json
Scan duration: 975.245001ms
A new version 'v1.5.11' of KICS is available, please consider updating
Generating Reports: Done
{"kics_version":"v1.5.6","total_counter":2,"queries":[{"query_name":"Missing User Instruction","query_id":"fd54f200-402c-4333-a5a4-36ef6709af2f","severity":"HIGH","platform":"Dockerfile","category":"Build Process","description":"A user should be specified in the dockerfile, otherwise the image will run as root","query_url":"https://docs.docker.com/engine/reference/builder/#user","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"07841372d54f621706540de0f41d702dc8598f681a44bc19f55feb4cdce61e76","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"The 'Dockerfile' contains the 'USER' instruction","actual_value":"The 'Dockerfile' does not contain any 'USER' instruction"}]},{"query_name":"Healthcheck Instruction Missing","query_id":"b03a748a-542d-44f4-bb86-9199ab4fd2d5","severity":"LOW","platform":"Dockerfile","category":"Insecure Configurations","description":"Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working","query_url":"https://docs.docker.com/engine/reference/builder/#healthcheck","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"5c3e1823b979a8cb04a5293f368fa8134175da78011f4d144c19f45177aa65e9","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"Dockerfile contains instruction 'HEALTHCHECK'","actual_value":"Dockerfile doesn't contain instruction 'HEALTHCHECK'"}]}],"severity_counters":{"HIGH":1,"INFO":0,"LOW":1,"MEDIUM":0}}
2022/07/06 10:33:08 Removing folder in temp
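
The JSON report printed by kics-realtime can drive a build gate. The following is an added example, not Checkmarx or KICS code; the function names are hypothetical, and it assumes that total_counter and severity_counters count individual file results, which holds for the report above. It pulls the report out of debug-mode output that also contains log lines, rejects truncated or inconsistent reports, and treats unknown severities as blocking.

```python
import json
from collections import Counter

SEVERITIES = ["INFO", "LOW", "MEDIUM", "HIGH"]  # ascending, as in the Results Summary

# Constructed sample: the report shown above, reduced to the fields used here and
# embedded between log lines the way debug mode prints it.
REPORT = {
    "kics_version": "v1.5.6",
    "total_counter": 2,
    "queries": [
        {"query_name": "Missing User Instruction", "severity": "HIGH",
         "files": [{"file_name": "../../path/d.dockerfile", "line": 1}]},
        {"query_name": "Healthcheck Instruction Missing", "severity": "LOW",
         "files": [{"file_name": "../../path/d.dockerfile", "line": 1}]},
    ],
    "severity_counters": {"HIGH": 1, "INFO": 0, "LOW": 1, "MEDIUM": 0},
}
SAMPLE_OUTPUT = "\n".join([
    "Results saved to file /path/results.json",
    "Generating Reports: Done",
    json.dumps(REPORT),
    "2022/07/06 10:33:08 Removing folder in temp",
])


def extract_report(output):
    """Return the JSON report from CLI output that may also contain log lines."""
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            report = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-report line
        if isinstance(report, dict) and "queries" in report:
            return report
    raise ValueError("no complete KICS JSON report found in output")


def findings(report):
    """Flatten the report into (severity, query_name, file_name, line) tuples."""
    return [(q["severity"], q["query_name"], f["file_name"], f["line"])
            for q in report["queries"] for f in q["files"]]


def rank(severity):
    """Unknown severities rank above HIGH so the gate fails closed."""
    return SEVERITIES.index(severity) if severity in SEVERITIES else len(SEVERITIES)


def gate(report, fail_on="HIGH"):
    """Return findings at or above fail_on; raise if counters and results disagree."""
    rows = findings(report)
    counted = dict(Counter(sev for sev, *_ in rows))
    declared = {s: n for s, n in report["severity_counters"].items() if n}
    if counted != declared or len(rows) != report["total_counter"]:
        raise ValueError("report counters do not match listed results")
    return [r for r in rows if rank(r[0]) >= rank(fail_on)]


if __name__ == "__main__":
    blocking = gate(extract_report(SAMPLE_OUTPUT))
    for sev, name, path, line in blocking:
        print(f"{sev}: {name} ({path}:{line})")
    raise SystemExit(1 if blocking else 0)
```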