scan
The scan command enables you to manage scans in Checkmarx One.
Usage
./cx scan [command] [flags]
Note
The --scan-timeout flag does not work together with the --async flag.
When a scan is initiated in asynchronous mode with the --async flag, the Checkmarx One CLI returns as soon as the scan has been created; it does not wait for the result, so there is nothing for --scan-timeout to time out.
Flags
Name | Default | Description |
---|---|---|
--help, -h | N/A | help for the scan command |
scan cancel
The cancel command enables you to cancel one or more running scans in Checkmarx One.
Usage
./cx scan cancel --scan-id <scan ID> [flags]
Flags
Name | Default | Description |
---|---|---|
--help, -h | N/A | help for the cancel command |
--scan-id <string> | N/A | One or more scan IDs to cancel, separated by commas. For example: <scan-id>,<scan-id>,... |
Examples
Retrieving all the scan ID’s statuses
$ ./cx.exe scan list
Scan ID                              Project ID                           Status  Created at Tags Initiator Origin
-------                              ----------                           ------  ---------- ---- --------- ------
29a2b1e6-87c9-43b9-9d38-2d8165b390e1 df277b49-f1ef-4b5e-8cc4-0b66a2d1414a Running 08-27-21   []   user      ASTCLI 2.0.0-rc.21
Canceling a running scan
$ ./cx.exe scan cancel --scan-id 29a2b1e6-87c9-43b9-9d38-2d8165b390e1
Retrieving all the scan ID’s statuses (After the cancellation)
$ ./cx.exe scan list
Scan ID                              Project ID                           Status   Created at Tags Initiator Origin
-------                              ----------                           ------   ---------- ---- --------- ------
29a2b1e6-87c9-43b9-9d38-2d8165b390e1 df277b49-f1ef-4b5e-8cc4-0b66a2d1414a Canceled 08-27-21   []   user      ASTCLI 2.0.0-rc.21
Note
To cancel several scans, separate the scan IDs with commas (no spaces).
For example:
Canceling several running scans
$ ./cx.exe scan cancel --scan-id <scan_id1>,<scan_id2>
scan create
The scan create command enables you to create and run a new scan in Checkmarx One.
Usage
./cx scan create [flags]
Scanning Source Code
The scan create command can scan source code supplied in any of the following forms:
A compressed .zip archive
A repository URL
A local source directory
A set of file extensions / a set of file names (Mentioned in the list below)
Scan Process
When a scan is run using multiple scanners, all scanners run in parallel.
When multiple scans are run in your account, the number of concurrent scans is limited by your account's license. This information is available under Account Settings > License > License Plan Summary. Scans submitted beyond the limit are added to a queue that runs on a "first in, first out" basis.
Notice
When a folder containing several files is scanned, files in unsupported formats are silently skipped.
To scan such files, add their names or extensions with the --file-include flag.
For more details see Scan with Inclusion of Unsupported File Formats
File Filters
Notice
The --file-filter and --file-include flags work together.
The scan create command first determines the candidate file set: the supported file extensions and file names, plus anything added with --file-include (whether or not the flag is used). The --file-filter pattern is then applied on top of that set.
Warning
The --file-filter flag only works when the scanned source is a directory or a zip file (not a Git repository). This limitation does not apply to the filter flags for specific scanners, see Filters for Specific Scanners.
The --file-filter flag filters the list of scanned files. It can:
Include files and file extensions.
Exclude files, file extensions and folders.
Supported functionality:
Wildcards, using the * sign. For example:
*.html
Exclusion of files, file extensions and folders, using the ! sign. For example:
!*.html,!src
Notice
When excluding with the ! sign, put the argument in single quotes so the shell does not interpret the ! (bash history expansion).
For example:
--file-filter '!mycompany.jar'
For more details see Scan with Exclusion of Specific File or File Type
Inclusion of files and file extensions. For example:
t* → includes all files whose name starts with "t".
*.txt → includes all files with the ".txt" extension.
Limitations:
Full paths are not supported. For example, java/src1/test.txt is not a valid pattern.
.git folders and their sub-folders can't be excluded.
Filters for Specific Scanners
Filters applied with --file-filter apply to every scanner in the scan. To filter the input of one scanner only, use the scanner-specific filter flags instead.
Notice
The scanner-specific filters can be used for all source types (directory, zip file or Git repository).
The following flags apply filters to the SAST, IaC Security and SCA scanners respectively: --sast-filter, --iac-security-filter, --sca-filter. You can use them to specify file types. Examples:
Inclusion: --sast-filter *.java
Exclusion: --sast-filter !*.java or --sca-filter !**\Dockerfile
Note
To include only files inside specific folders, first exclude everything globally and then list the folders to include. The order matters: the global exclude must come first.
For example:
--sast-filter !**/**,Folder01/**,**/Folder02/**
causes the SAST scanner to run only on files inside "Folder01" and "Folder02".
Notice
For the syntax accepted by these filters, see the Flags table and the glob pattern syntax reference.
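The following is an added example, not Checkmarx code, modelling the scanner-specific filters (--sast-filter, --sca-filter, --iac-security-filter) so that the "global exclude first, then include folders" rule can be checked against a file list offline. The semantics are assumptions stated in the code: ** spans directories, * and ? stay within one path segment, a pattern without a separator is matched against the file name only (gitignore style), a backslash separator is accepted as shown in the --sca-filter example above, and the last pattern that matches a path decides whether it is scanned. SAMPLE_PATHS is constructed.

```python
"""Model of the per-scanner filter flags (--sast-filter and friends).

Added example, not Checkmarx code. Assumed semantics: comma-separated patterns,
'!' negates, '**' crosses directories, '*' and '?' stay inside one segment,
a pattern without '/' matches the file name only, last matching pattern wins.
"""
import re


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Translate a '**'-aware glob into an anchored regular expression."""
    i, out = 0, []
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")   # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")         # anything, including '/'
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")      # anything within one path segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def compile_engine_filter(spec: str):
    """'!**/**,Folder01/**' -> [(is_exclude, match_full_path, regex), ...] in order."""
    rules = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        exclude = item.startswith("!")
        pattern = (item[1:] if exclude else item).replace("\\", "/")  # accept Windows separator
        rules.append((exclude, "/" in pattern, glob_to_regex(pattern)))
    return rules


def apply_engine_filter(paths, spec: str):
    """Return the paths the engine would scan under `spec` (last matching rule wins)."""
    rules = compile_engine_filter(spec)
    # Assumption: with only exclusions everything else stays in; once an
    # include pattern is present, a file must be matched by some rule.
    default = not any(not exclude for exclude, _, _ in rules)
    selected = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        keep = default
        for exclude, full_path, rx in rules:
            if rx.match(path if full_path else name):
                keep = not exclude
        if keep:
            selected.append(path)
    return selected


# Constructed sample paths relative to the source root (not real scan output).
SAMPLE_PATHS = [
    "Folder01/App.java",
    "Folder01/sub/Util.java",
    "src/Folder02/Model.java",
    "src/Main.java",
    "Dockerfile",
    "build/Dockerfile",
]

if __name__ == "__main__":
    print(apply_engine_filter(SAMPLE_PATHS, "!**/**,Folder01/**,**/Folder02/**"))
```

Because the global exclude is evaluated first, the result of the documented pattern does not depend on the default chosen for unmatched files; the default only matters when a filter consists of include patterns alone.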
Checkmarx SCA Resolver
Checkmarx SCA Resolver is an on-prem utility that enables you to resolve and extract dependencies and fingerprints from your source code and send them to the Checkmarx SCA cloud platform for risk analysis.
Note
Checkmarx SCA Resolver enables you to run a comprehensive SCA scan without the need to send your actual source code to the cloud. It also enables you to scan private (local) dependencies that aren’t accessible to the Checkmarx SCA cloud platform.
In order to use the SCA Resolver with the Checkmarx One CLI, you need to download the Checkmarx SCA Resolver separately in a location that the Checkmarx One CLI can find. Find the latest download at Checkmarx SCA Resolver Download and Installation.
To use the SCA Resolver, add the --sca-resolver flag to your command line with the location of the resolver as its argument. See the Checkmarx SCA Resolver example below.
To pass additional arguments to Checkmarx SCA Resolver, use the --sca-resolver-params flag. If the arguments contain spaces or quotes, wrap the whole value in double quotes and use single quotes inside it. For a complete list of SCA Resolver configuration arguments, see Checkmarx SCA Resolver Configuration Arguments.
Notice
Only arguments that can be used in Offline mode can be applied to scans run via the Checkmarx One CLI Tool and plugins.
For more information about using SCA Resolver in Checkmarx One CI/CD integrations, see Using SCA Resolver in Checkmarx One CI/CD Integrations.
Threshold
Configuring thresholds enables users to specify a threshold of vulnerability severities that, when found in a scan, will cause Checkmarx One to return a fail code for the scan. Users can then configure pipelines to break builds upon scan failure, so that scans that hit the threshold will break the build.
The threshold option uses a shorthand syntax: a semicolon-separated list of key-value pairs, each in the format <engine>-<severity>=<limit>.
Options for engine: sast, iac-security, sca, api-security
Options for severity: High, Medium, Low, Info (Info is only supported for the SAST engine)
Options for limit: an integer equal to or greater than 1
More than one threshold can be defined for each engine and thresholds can be set for multiple engines. Multiple thresholds should be separated by a semi-colon. An OR operator is applied, so that if any one of the thresholds is reached the scan will fail.
For example, to set the threshold for SAST as 10 high severity or 20 medium severity vulnerabilities, and for SCA as 10 high severity vulnerabilities, use the following syntax:
--threshold "sast-high=10; sast-medium=20; sca-high=10"
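The following is an added example, not Checkmarx code: a Python model of the --threshold semantics described above, suitable for a pipeline step that post-processes scan result counts. It parses and validates the shorthand (engine names, the SAST-only Info severity, limit ≥ 1) and applies the documented OR rule, failing when any single threshold is reached. "Reached" is modelled as current ≥ limit, which matches the "Limit = 1, Current = 2" failure shown in the threshold example further down. SAMPLE_COUNTS is a constructed set of result counts.

```python
"""Model of `cx scan create --threshold` parsing and evaluation.

Added example, not Checkmarx code. Fails (OR rule) when any threshold is reached,
with 'reached' modelled as current >= limit.
"""
import re

ENGINES = {"sast", "iac-security", "sca", "api-security"}
_ENTRY = re.compile(r"^(?P<engine>[a-z-]+)-(?P<sev>high|medium|low|info)=(?P<limit>\d+)$", re.I)


def parse_thresholds(spec: str):
    """'sast-high=10; sast-medium=20' -> [('sast', 'high', 10), ('sast', 'medium', 20)]"""
    rules = []
    for raw in spec.split(";"):
        item = raw.strip()
        if not item:
            continue
        m = _ENTRY.match(item)
        if not m:
            raise ValueError(f"malformed threshold {item!r}; expected <engine>-<severity>=<limit>")
        engine, sev, limit = m["engine"].lower(), m["sev"].lower(), int(m["limit"])
        if engine not in ENGINES:
            raise ValueError(f"unknown engine {engine!r}")
        if sev == "info" and engine != "sast":
            raise ValueError("Info thresholds are only supported for the sast engine")
        if limit < 1:
            raise ValueError(f"limit must be >= 1, got {limit}")
        rules.append((engine, sev, limit))
    return rules


def check_thresholds(spec: str, counts: dict):
    """counts maps (engine, severity) -> number of results.

    Returns one message per threshold that was reached, in the CLI's wording.
    """
    failures = []
    for engine, sev, limit in parse_thresholds(spec):
        current = counts.get((engine, sev), 0)
        if current >= limit:
            failures.append(f"{engine}-{sev}: Limit = {limit}, Current = {current}")
    return failures


def exit_code(spec: str, counts: dict) -> int:
    """1 when any threshold is reached (break the build), otherwise 0."""
    return 1 if check_thresholds(spec, counts) else 0


# Constructed result counts, as a pipeline step might derive them from a scan report.
SAMPLE_COUNTS = {
    ("sast", "high"): 3,
    ("sast", "medium"): 25,
    ("sca", "high"): 2,
    ("iac-security", "high"): 7,
}

if __name__ == "__main__":
    import sys
    spec = "sast-high=10; sast-medium=20; sca-high=10"
    for line in check_thresholds(spec, SAMPLE_COUNTS):
        print("Threshold check finished with status Failed :", line)
    sys.exit(exit_code(spec, SAMPLE_COUNTS))
```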
Reports
You can generate reports for the scan results as part of the scan create command.
Notice
You can also generate reports for previous scans using the results show command.
There are two main types of reports:
Scan summary report - gives a summary of the scan results, including the number of risks of various types and severity levels that were identified by the scan. This type of report is available in HTML, json, console and markdown format.
Complete scan report - a comprehensive report showing details about each of the risks identified in the scan. This type of report can be generated in json, sarif or sonar format.
You can also generate PDF reports, for which you can specify which sections you would like to include in the report. In addition, for PDF reports, you can specify one or more email recipients who will receive an email with a download link for the report.
To generate a report as part of the scan create command, add the --report-format flag with the format you would like to generate.
For PDF reports, use the following flags to specify email recipients and to specify which sections to include in the report.
./cx scan create --project-name <Project Name> -s <path> --branch <branch name> --report-format pdf --report-pdf-email <recipient_email> --report-pdf-options <specify_sections>
For information about the content of scan reports, see Scan Reports.
Flags
Name | Default | Description |
---|---|---|
--async | false | Do not wait for scan completion. |
--branch <string>, -b <string> | N/A | Branch to scan. |
--file-filter <string>, -f <string> | N/A | Source file filtering pattern. Refer to File Filters. |
--file-include <string> | N/A | Comma-separated list of additional file extensions or file names to include in the scan. For example: *.java2,file.txt |
--file-source <string>, -s <string> | N/A | The path to the compressed zip file, the path to the folder, or the repository URL to scan. |
--filter <string> | N/A | |
--help, -h | N/A | help for the create command |
--iac-security-filter <string> | N/A | Filter option specific to the IaC Security scanner. Refer to Filters for Specific Scanners. |
--iac-security-platforms <string>,<string> | N/A | Specify the platforms that you would like the IaC Security scan to run on. Tip: When this flag is used, it overrides your account's default settings. |
--output-name <string> | "cx_result" | Output file name |
--output-path <string> | "." | Output path |
--project-groups <string> | N/A | List of groups associated with the project. For example: groupA,groupB. Tip: This flag only works when creating a new project; for an existing project it does not update the groups. |
--project-name <string> | N/A | Name of the project. If the project name contains a space, write it between quotes. For example: Test, Test1, "Test 1" |
--project-private-package (NOT FULLY SUPPORTED YET) | false | Designate the scan as a "Private Package" and assign a package version to it. Once a private package has been scanned, SCA identifies the risks affecting that package whenever that package version is used in any of your projects. See the Checkmarx article on private packages. True = designate as private package; False = not a private package. When using this flag, also specify the package version with --sca-private-package-version. |
--project-tags <string> | N/A | List of tags to associate with the project. For example: tagA,tagB:val |
--report-format <string> | summaryConsole | Report output format. Select one of: json, summaryHTML, summaryJSON, summaryConsole, sarif, sonar, markdown or pdf. Tip: json, sarif and sonar generate complete scan reports; summaryHTML, summaryJSON, summaryConsole and markdown generate summary reports. |
--report-pdf-email <string> | N/A | Email recipients who will receive the PDF report. Separate multiple addresses with ",". Tip: This flag can only be used together with --report-format pdf. |
--report-pdf-options <string> | ScanSummary, ExecutiveSummary, ScanResults | Sections to include in the PDF report. Available sections: Sast, Sca, Iac-Security, Api-Security, ScanSummary, ExecutiveSummary, ScanResults. Tip: This flag can only be used together with --report-format pdf. |
--resubmit | false | Apply the configuration used in the most recent scan of this project branch to the current scan. Tip: When an argument in the current scan differs from the previous scan's configuration, the argument in the current scan takes precedence. |
--sast-filter <string> | N/A | Filter option specific to the SAST scanner. Refer to Filters for Specific Scanners. |
--sast-incremental | false | Perform an incremental SAST scan (as opposed to a full scan). |
--sast-preset-name <string> | N/A | The name of the Checkmarx preset to use. |
--sca-exploitable-path | According to your project settings | Enable/disable the Exploitable Path feature for this scan. True = enabled; False = disabled. See Exploitable Path. |
--sca-filter <string> | N/A | Filter option specific to the SCA scanner. Refer to Filters for Specific Scanners. |
--sca-last-sast-scan-time | 1 | Number of days for which SAST scan results are considered valid for Exploitable Path (i.e., if there is no current SAST scan, how many days before the current SCA scan Checkmarx One looks for a SAST scan to use for Exploitable Path analysis). Options: integer ≥ 1 |
--sca-private-package-version (NOT FULLY SUPPORTED YET) | False | Package version to assign when the scan is designated as a private package with --project-private-package, e.g. 0.1.1. See the Checkmarx article on private packages. |
--sca-resolver <string> | N/A | Path to CxSCA Resolver, used to resolve SCA project dependencies locally. |
--sca-resolver-params <string> | N/A | Additional arguments to pass to CxSCA Resolver (see Checkmarx SCA Resolver Configuration Arguments). The SCA Resolver runs in offline mode, so only arguments compatible with that mode will work. |
--scan-info-format <string> | list | |
--scan-timeout <int> | N/A | Cancel the scan and fail after the timeout in minutes. Does not work together with --async. |
--scan-types <string> | sast, iac-security, sca, api-security | Scan engines to run on the code. For example: sast,iac-security,sca,api-security |
--ssh-key <string> | N/A | Path to SSH private key |
--tags <string> | N/A | List of tags associated with the scan. For example: tagA,tagB:val |
--threshold <string> | N/A | Threshold count of scan results by engine and severity. The threshold format is <engine>-<severity>=<limit>. For more information, see Threshold. |
--wait-delay <int> | 5 | Polling interval (seconds) between scan status checks. |
Examples
Scan a GIT Repository
./cx scan create --project-name <Project Name> -s <Repository URL> --branch <branch name>
$ ./cx scan create --project-name demo -s https://github.com/my-org/my-repo --branch main
Scan ID : e1cf8f32-445a-46e2-8941-223a7f1b90e8
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status : Running
Created at : 08-27-21
Tags : []
Initiator : admin
Origin : ASTCLI 2.0.0
wait for scan to complete e1cf8f32-445a-46e2-8941-223a7f1b90e8 Running
Scan status: Running
Scan status: Running
Scan status: Running
Scan status: Running
Scan status: Running
Scan status: Running
Scan Finished with status: Completed
Created At: 2021-08-27, 14:13:39
Risk: High Risk
Project ID: 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Scan ID: e1cf8f32-445a-46e2-8941-223a7f1b90e8
Total Issues: 3
High Issues: 1
Medium Issues: 1
Low Issues: 1
Scan Without Waiting
./cx scan create --project-name <Project Name> --sources <Repository URL> --branch <branch name> --async
$ ./cx scan create --project-name demo --sources https://github.com/my-org/my-repo --branch main --async
Scan ID : a2f45c91-18ba-4d69-a748-972d0ecc1453
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status : Running
Created at : 08-27-21
Tags : []
Initiator : org_admin
Origin : ASTCLI 2.0.0-rc.21
Scan Only Specific Scan Types
./cx scan create --project-name <Project Name> -s <Repository URL> --branch <branch name> --scan-types <scan types>
$ ./cx scan create --project-name demo -s https://github.com/my-org/my-repo --branch main --scan-types iac-security
Scan ID : 7eb83ed3-5734-4428-92a2-4819fc6c490f
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status : Running
Created at : 08-27-21
Tags : []
Initiator : admin
Origin : ASTCLI 2.0.0
wait for scan to complete 7eb83ed3-5734-4428-92a2-4819fc6c490f Running
Scan status: Running
Scan Finished with status: Completed
Created At: 2021-08-27, 14:17:29
Risk:
Project ID: 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Scan ID: 7eb83ed3-5734-4428-92a2-4819fc6c490f
Total Issues: 0
High Issues: 0
Medium Issues: 0
Low Issues: 0
Checkmarx SCA Resolver
./cx scan create --project-name <Project Name> --sources <path> --branch <branch name> --sca-resolver <path-to-resolver> --sca-resolver-params <additional-resolver-arguments>
$ ./cx scan create --project-name demo --scan-types sast,sca --sources /project-src --sca-resolver /sca/sca-resolver --sca-resolver-params "-q -e 'my file'" --async
Using SCA resolver: /sca/sca-resolver
Writing logs to /sca/sca-resolver/demo
2021-09-09T21:35:12-07:00 Information Program "Tool version: 1.5.42"
2021-09-09T21:35:13-07:00 Information Program "Starting scan from: /project-src"
2021-09-09T21:35:17-07:00 Information Program "Scan Id: a89088fe-1bb8-4294-a85c-57771f18538f"
Included: /project-src/pom.xml
Included: /project-src/main.java
Included SCA Results: cxsca-results.json
Zip size: 0.06MB
Scan ID : a2f45c91-18ba-4d69-a748-972d0ecc1453
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status : Running
Created at : 08-27-21
Tags : []
Initiator : service-account
Origin : ASTCLI 2.0.0
Scan a Source Directory
./cx scan create -s <path> --branch <branch name> --project-name <Project Name>
$ ./cx scan create -s ./Source-Folder/ --branch main --project-name Test111
Scan ID : c9f084f4-ebed-4ef5-9526-70f342ea09ea
Project ID : d7b56888-8407-4e9b-ae5b-7fc43233a497
Status : Running
Created at : 09-13-21
Tags : []
Initiator : service-account
Origin : ASTCLI 2.0.0
wait for scan to complete c9f084f4-ebed-4ef5-9526-70f342ea09ea Running
Scan status: Running
Scan with Inclusion of Unsupported File Formats
./cx scan create -s <path> --branch <branch name> --project-name <Project Name> --file-include <string>
$ ./cx scan create -s ./Source-Folder/ --branch main --project-name Test111 --file-include sample.txt,*.myextension
Included: ./Source-Folder/python.myextension
Included: ./Source-Folder/sample.txt
Included: ./Source-Folder/test.java
Scan ID : a3289df8-75f6-4fd4-92ec-c72bac667a2a
Project ID : d7b56888-8407-4e9b-ae5b-7fc43233a497
Status : Running
Created at : 09-13-21
Tags : []
Initiator : service-account
Origin : ASTCLI 2.0.0
wait for scan to complete a3289df8-75f6-4fd4-92ec-c72bac667a2a Running
Scan status: Running
Scan with Exclusion of Specific File or File Type
./cx scan create -s <path> --branch <branch name> --project-name <Project Name> --file-filter <string>
$ ./cx scan create -s scan_files/ --branch main --project-name Test111 --file-filter '!*mycompany*.jar'
Included: scan_files/external.jar
Included: scan_files/file.html
Included: scan_files/file.java
Excluded: scan_files/mycompany.jar
Scan ID : deb5266c-4f0c-407c-ad29-168a0807bb7b
Project ID : d7b56888-8407-4e9b-ae5b-7fc43233a497
Status : Running
Created at : 09-14-21
Tags : []
Initiator : service-account
Origin : ASTCLI 2.0.0
wait for scan to complete deb5266c-4f0c-407c-ad29-168a0807bb7b Running
Scan with Exclusion of a Specific Folder
./cx scan create -s <path> --branch <branch name> --project-name <Project Name> --file-filter <folder name>
$ ./cx scan create -s scan_files/ --branch main --project-name Test111 --file-filter '!main'
Included: scan_files/external.jar
Included: scan_files/file.html
Included: scan_files/file.java
Excluded: scan_files/main
Scan ID : deb5266c-4f0c-407c-ad29-168a0807bb7b
Project ID : d7b56888-8407-4e9b-ae5b-7fc43233a497
Status : Running
Created at : 04-20-22
Tags : []
Initiator : service-account
Origin : ASTCLI 2.0.0
wait for scan to complete deb5266c-4f0c-407c-ad29-168a0807bb7b Running
Scan with Configured threshold
./cx scan create --project-name <Project Name> -s <path> --branch <branch name> --threshold <engine>-<severity>=<limit>
$ ./cx scan create --project-name myproject -s my_file.zip --branch main --threshold sast-high=1
Scan ID : bdab6a9e-eb90-4cab-8783-5c3a2a052b31
Project ID : 49e6d565-933b-4a55-8d08-ec026ddcd7e2
Status : Running
Created at : 01-26-22
Branch : main
Tags : []
Initiator : org_admin
Origin : ASTCLI 2.0.10
2022/01/26 11:24:20 Wait for scan to complete bdab6a9e-eb90-4cab-8783-5c3a2a052b31 Running
2022/01/26 11:24:26 Scan status: Running
2022/01/26 11:24:31 Scan status: Running
2022/01/26 11:24:36 Scan status: Running
2022/01/26 11:24:42 Scan status: Running
2022/01/26 11:24:47 Scan status: Running
2022/01/26 11:24:52 Scan status: Running
2022/01/26 11:24:57 Scan status: Running
2022/01/26 11:25:03 Scan status: Running
2022/01/26 11:25:08 Scan status: Running
2022/01/26 11:25:13 Scan Finished with status: Completed
Created At: 2022-01-26, 11:24:20
Risk: High Risk
Project ID: 49e6d565-933b-4a55-8d08-ec026ddcd7e2
Scan ID: bdab6a9e-eb90-4cab-8783-5c3a2a052b31
Total Issues: 28
High Issues: 3
Medium Issues: 11
Low Issues: 14
IaC Security Issues: 18
CxSAST Issues: 9
CxSCA Issues: 1
2022/01/26 11:25:14 Threshold check finished with status Failed : sast-high: Limit = 1, Current = 2
Scan with report sent to email recipient
./cx scan create --project-name <Project Name> -s <path> --branch <branch name> --report-format pdf --report-pdf-email <recipient_email> --report-pdf-options <specify_sections>
$ ./cx scan create --project-name EliCLIDemo -s C:\Users\elip.DM\Downloads\juice-shop.zip --branch main --report-format pdf --report-pdf-email [email protected] --report-pdf-options ExecutiveSummary
Scan ID : 6f3d1073-3bae-4573-b215-70d2cd8e3ed1
Project ID : d8164fef-5f0d-40bd-8810-9c65be508a7e
Project Name : EliCLIDemo
Status : Running
Created at : 02-28-23
Branch : main
Tags : []
Type : Full
Timeout : NONE
Initiator : eli
Origin : ASTCLI 2.0.42
Engines : [ sast kics sca apisec]
2023/02/28 13:39:46 Wait for scan to complete 6f3d1073-3bae-4573-b215-70d2cd8e3ed1 Running
2023/02/28 13:39:52 Scan status: Running
2023/02/28 13:48:14 Scan Finished with status: Completed
2023/02/28 13:48:19 Sending PDF report to: [[email protected]]
Scan Summary:
Created At: 2023-02-28, 13:39:46
Project Name: EliCLIDemo
Scan ID: 6f3d1073-3bae-4573-b215-70d2cd8e3ed1
Results Summary:
Risk Level: High Risk
-----------------------------------
API Security - Total Detected APIs: 0
Total Results: 490
-----------------------------------
| High: 69 |
| Medium: 147 |
| Low: 267 |
| Info: 7 |
-----------------------------------
| IAC-SECURITY: 80 |
| SAST: 353 |
| APIS WITH RISK: 0 |
| SCA: 57 |
-----------------------------------
Checkmarx One - Scan Summary & Details: https://eu.ast.checkmarx.net/projects/d8164fef-5f0d-40bd-8810-9c65be508a7e/scans?id=6f3d1073-3bae-4573-b215-70d2cd8e3ed1&branch=main
scan delete
The delete command enables you to delete one or more scans in Checkmarx One.
Usage
./cx scan delete --scan-id <scan ID>
Flags
Name | Default | Description |
---|---|---|
--help, -h | N/A | help for the delete command |
--scan-id <string> | N/A | One or more scan IDs to delete, separated by commas. For example: <scan-id>,<scan-id>,... |
Examples
Retrieving all the scan ID’s
$ ./cx.exe scan list
Scan ID                              Project ID                           Status    Created at Tags Initiator Origin
-------                              ----------                           ------    ---------- ---- --------- ------
7eb83ed3-5734-4428-92a2-4819fc6c490f 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9 Completed 08-27-21   []   org_admin ASTCLI 2.0.0-rc.21
Deleting a scan
$ ./cx.exe scan delete --scan-id 7eb83ed3-5734-4428-92a2-4819fc6c490f
Retrieving all the scan ID’s (After the deletion)
$ ./cx.exe scan list
Scan ID Project ID Status Created at Tags Initiator Origin
------- ---------- ------ ---------- ---- --------- ------
Note
To delete several scans, separate the scan IDs with commas (no spaces).
For example:
Deleting several scans
./cx.exe scan delete --scan-id 7eb83ed3-5734-4428-92a2-4819fc6c490f,a2f45c91-18ba-4d69-a748-972d0ecc1453
scan list
The scan list command lists the scans in your Checkmarx One account.
Usage
./cx scan list [flags]
Flags
Name | Default | Description |
---|---|---|
--filter <string> | N/A | Filter and pagination expression. Refer to Pagination and Applying Filters below. |
--format <string> | table | The output format for the response. Possible values include table and list (both shown in the examples below). |
--help, -h | N/A | help for the list command |
Pagination
This command uses pagination. By default it returns the first 20 results (i.e., limit=20,offset=0). Use limit to set the maximum number of results to return and offset to specify the number of results to skip before starting to return results. Use offset=0 and limit=0 to get all results.
Example: The following command returns records 21-30
./cx scan list --filter "limit=10,offset=20"
Applying Filters
You can limit results by filtering by various scan attributes such as scan IDs, project ID, scan tags, scan status and date range.
Filters are applied using the following syntax:
./cx scan list --filter "attributeA=value1,attributeB=value1;value2;value3,..."
Example: The following command returns records for all scans run on specific projects, based on project ID.
./cx scan list --filter "project-id=f761f24b-fbcc-4502-acef-7fa3f2de38ed"
When multiple filter attributes are used, an AND operator is applied between attributes. When multiple values are given for an attribute, an OR operator is used between values.
Example: The following command returns records for all scans with the tag key "product" and a tag value of either "AppA", "AppB" or "AppC" that were run since Jan 1, 2023.
./cx scan list --filter "tags-keys=product,tags-values=AppA;AppB;AppC,from-date=2023-01-01T00:00:00Z,limit=0"
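The following is an added example, not Checkmarx code: a Python model of the --filter expression syntax described above, useful when building automation that must reason about which scans a given filter selects. It implements the documented rules (comma-separated attributes combined with AND, ;-separated values combined with OR, limit/offset pagination with limit=0 meaning all results) for the filter keys this page shows: project-id, tags-keys, tags-values, from-date, limit and offset. Unknown keys are rejected rather than guessed. SAMPLE_SCANS is a constructed list of scan records, not real Checkmarx One data.

```python
"""Model of the `cx scan list --filter` expression syntax.

Added example, not Checkmarx code. Supports only the filter attributes shown in
the documentation; the scan records are constructed for the example.
"""
from datetime import datetime

# Constructed sample records (not real Checkmarx One data).
SAMPLE_SCANS = [
    {"id": "s1", "project_id": "proj-1", "status": "Completed",
     "created_at": "2023-02-01T10:00:00Z", "tags": {"product": "AppA"}},
    {"id": "s2", "project_id": "proj-1", "status": "Completed",
     "created_at": "2023-02-02T10:00:00Z", "tags": {"product": "AppD"}},
    {"id": "s3", "project_id": "proj-2", "status": "Completed",
     "created_at": "2022-12-31T23:59:59Z", "tags": {"product": "AppB"}},
    {"id": "s4", "project_id": "proj-2", "status": "Running",
     "created_at": "2023-03-01T08:00:00Z", "tags": {"team": "AppC"}},
    {"id": "s5", "project_id": "proj-2", "status": "Completed",
     "created_at": "2023-03-02T08:00:00Z", "tags": {"product": "AppC", "team": "platform"}},
]


def parse_filter(expr: str) -> dict:
    """'a=v1,b=v1;v2' -> {'a': ['v1'], 'b': ['v1', 'v2']}"""
    filters = {}
    for part in expr.split(","):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"expected attribute=value, got {part!r}")
        filters[key.strip()] = [v.strip() for v in value.split(";") if v.strip()]
    return filters


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _matches(scan: dict, key: str, values: list) -> bool:
    """OR across the values of a single attribute."""
    if key == "project-id":
        return scan["project_id"] in values
    if key == "tags-keys":
        return any(k in scan["tags"] for k in values)
    if key == "tags-values":
        return any(v in scan["tags"].values() for v in values)
    if key == "from-date":
        return any(_utc(scan["created_at"]) >= _utc(v) for v in values)
    raise ValueError(f"unsupported filter attribute {key!r}")


def list_scans(scans, expr: str = ""):
    """Apply a --filter expression: AND across attributes, then paginate."""
    filters = parse_filter(expr)
    limit = int(filters.pop("limit", ["20"])[0])     # documented default
    offset = int(filters.pop("offset", ["0"])[0])
    hits = [s for s in scans if all(_matches(s, k, v) for k, v in filters.items())]
    page = hits[offset:]
    return page if limit == 0 else page[:limit]       # limit=0 means all results


if __name__ == "__main__":
    expr = "tags-keys=product,tags-values=AppA;AppB;AppC,from-date=2023-01-01T00:00:00Z,limit=0"
    for scan in list_scans(SAMPLE_SCANS, expr):
        print(scan["id"], scan["project_id"], scan["created_at"], scan["tags"])
```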
Examples
Using the scan list command with --format flag
$ ./cx scan list --format table
Scan ID                              Project ID                           Status    Created at Tags Initiator Origin
-------                              ----------                           ------    ---------- ---- --------- ------
a2f45c91-18ba-4d69-a748-972d0ecc1453 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9 Completed 08-27-21   []   org_admin ASTCLI 2.0.0-rc.21
$ ./cx scan list --format list
Scan ID : a2f45c91-18ba-4d69-a748-972d0ecc1453
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status : Completed
Created at : 08-27-21
Tags : []
Initiator : org_admin
Origin : ASTCLI 2.0.0-rc.21
scan show
The show command displays information about a requested scan in Checkmarx One.
Usage
./cx scan show --scan-id <scan id> [flags]
Flags
Name | Default | Description |
---|---|---|
--format <string> | table | The output format for the response. Possible values include table and list (both shown in the examples below). |
--scan-id <string> | N/A | Scan ID to show |
--help, -h | N/A | help for the show command |
Examples
Retrieving all the scan ID’s
$ ./cx.exe scan list
Scan ID                              Project ID                           Status    Created at Tags Initiator Origin
-------                              ----------                           ------    ---------- ---- --------- ------
a2f45c91-18ba-4d69-a748-972d0ecc1453 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9 Completed 08-27-21   []   org_admin ASTCLI 2.0.0-rc.21
Using the scan show command with --format flag
$ ./cx.exe scan show --scan-id a2f45c91-18ba-4d69-a748-972d0ecc1453 --format table
Scan ID                              Project ID                           Status    Created at Tags Initiator Origin
-------                              ----------                           ------    ---------- ---- --------- ------
a2f45c91-18ba-4d69-a748-972d0ecc1453 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9 Completed 08-27-21   []   org_admin ASTCLI 2.0.0-rc.21
$ ./cx.exe scan show --scan-id a2f45c91-18ba-4d69-a748-972d0ecc1453 --format list
Scan ID : a2f45c91-18ba-4d69-a748-972d0ecc1453
Project ID : 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9
Status : Completed
Created at : 08-27-21
Tags : []
Initiator : org_admin
Origin : ASTCLI 2.0.0-rc.21
scan tags
The tags command lists all the tags available in Checkmarx One.
Tags can also be used to override Jira feedback app field values; see the Jira feedback app documentation for details.
Usage
./cx scan tags [flags]
Flags
Name | Default | Description |
---|---|---|
--help, -h | help for the tags command |
Examples
Using the tags command
$ ./cx scan tags
{"main":[""]}
scan workflow
The workflow command displays the workflow (the sequence of pipeline steps and their timestamps) of a requested scan in Checkmarx One.
Usage
./cx scan workflow --scan-id <scan id> [flags]
Flags
Name | Default | Description |
---|---|---|
--scan-id <string> | N/A | Scan ID whose workflow to show |
--format <string> | table | The output format for the response. Possible values include table and list (both shown in the examples below). |
--help, -h | N/A | help for the workflow command |
Examples
Retrieving all the scan ID’s
$ ./cx.exe scan list
Scan ID                              Project ID                           Status    Created at Tags Initiator Origin
-------                              ----------                           ------    ---------- ---- --------- ------
a2f45c91-18ba-4d69-a748-972d0ecc1453 9f47d3d7-76f2-418b-9513-e3e02cc5cbb9 Completed 08-27-21   []   org_admin ASTCLI 2.0.0-rc.21
Using the workflow command with --format flag
$ ./cx.exe scan workflow --scan-id a2f45c91-18ba-4d69-a748-972d0ecc1453 --format table
Source                         Timestamp                       Info
------                         ---------                       ----
scans                          2021-08-27T14:15:46.843323175Z  Scan created
scans                          2021-08-27T14:15:46.996620259Z  Scan Running
fetch-sources-default          2021-08-27T14:15:47.068Z        fetch-sources-default started
fetch-sources-default          2021-08-27T14:15:47.082Z        fetch-sources-default in progress
fetch-sources-default          2021-08-27T14:15:48.061Z        fetch-sources-default ended
config-as-code-default         2021-08-27T14:15:48.101Z        config-as-code-default started
config-as-code-default         2021-08-27T14:15:48.304Z        config-as-code-default checkmarx config file not found
config-as-code-default         2021-08-27T14:15:48.346Z        config-as-code-default ended
kics-runner-default            2021-08-27T14:15:48.415Z        kics-runner-default started
kics-runner-default            2021-08-27T14:15:48.425Z        kics-runner-default Start scan files download
sca-runner-default             2021-08-27T14:15:48.429Z        sca-runner-default started
fetch-queries-default          2021-08-27T14:15:48.43Z         fetch-queries-default started
sca-runner-default             2021-08-27T14:15:48.449Z        sca-runner-default Start scan files download
kics-runner-default            2021-08-27T14:15:48.583Z        kics-runner-default Finished scan files download
kics-runner-default            2021-08-27T14:15:48.597Z        kics-runner-default Start scan execution
sca-runner-default             2021-08-27T14:15:48.637Z        sca-runner-default Finished scan files download
sca-runner-default             2021-08-27T14:15:48.671Z        sca-runner-default Start scan execution
fetch-queries-default          2021-08-27T14:15:48.975Z        fetch-queries-default ended
sast-scan-inc-default          2021-08-27T14:15:49.014Z        sast-scan-inc-default started
sast-scan-inc-default          2021-08-27T14:15:49.262Z        sast-scan-inc-default ended
sast-rm-default                2021-08-27T14:15:49.307Z        sast-rm-default started
sast-results-inc-default       2021-08-27T14:15:49.307Z        sast-results-inc-default started
sast-rm-default                2021-08-27T14:15:49.406Z        sast-rm-default Queued in sast resource manager
sast-results-inc-default       2021-08-27T14:15:49.443Z        sast-results-inc-default ended
kics-runner-default            2021-08-27T14:15:51.285Z        kics-runner-default Finished scan execution
kics-runner-default            2021-08-27T14:15:51.297Z        kics-runner-default Start results publish
kics-runner-default            2021-08-27T14:15:51.311Z        kics-runner-default Finished results publish
kics-runner-default            2021-08-27T14:15:51.331Z        kics-runner-default Start engine log publish
kics-runner-default            2021-08-27T14:15:51.368Z        kics-runner-default Finished engine log publish
kics-runner-default            2021-08-27T14:15:51.413Z        kics-runner-default ended
collect-logs-default           2021-08-27T14:15:51.464Z        collect-logs-default started
kics-results-processor-default 2021-08-27T14:15:51.464Z        kics-results-processor-default started
collect-logs-default           2021-08-27T14:15:51.613Z        collect-logs-default ended
kics-results-processor-default 2021-08-27T14:15:52.306Z        kics-results-processor-default ended
sca-runner-default             2021-08-27T14:16:20.583Z        sca-runner-default Finished scan execution
sca-runner-default             2021-08-27T14:16:20.596Z        sca-runner-default Start results publish
sca-runner-default             2021-08-27T14:16:20.62Z         sca-runner-default Finished results publish
sca-runner-default             2021-08-27T14:16:20.664Z        sca-runner-default ended
sca-packages-processor-default 2021-08-27T14:16:20.716Z        sca-packages-processor-default started
sca-results-processor-default  2021-08-27T14:16:20.717Z        sca-results-processor-default started
sca-packages-processor-default 2021-08-27T14:16:20.924Z        sca-packages-processor-default ended
sca-results-processor-default  2021-08-27T14:16:21.246Z        sca-results-processor-default ended
sast-rm-default                2021-08-27T14:16:21.833Z        sast-rm-default ended
collect-logs-default           2021-08-27T14:16:21.882Z        collect-logs-default started
sast-results-events-default    2021-08-27T14:16:21.883Z        sast-results-events-default started
collect-logs-default           2021-08-27T14:16:22.068Z        collect-logs-default ended
sast-results-events-default    2021-08-27T14:16:24.982Z        sast-results-events-default ended
scans                          2021-08-27T14:16:25.056678542Z  Scan Completed
[email protected]:/AST$ ./cx.exe scan workflow --scan-id a2f45c91-18ba-4d69-a748-972d0ecc1453 --format list
Source : scans
Timestamp : 2021-08-27T14:15:46.843323175Z
Info : Scan created
Source : scans
Timestamp : 2021-08-27T14:15:46.996620259Z
Info : Scan Running
Source : fetch-sources-default
Timestamp : 2021-08-27T14:15:47.068Z
Info : fetch-sources-default started
Source : fetch-sources-default
Timestamp : 2021-08-27T14:15:47.082Z
Info : fetch-sources-default in progress
Source : fetch-sources-default
Timestamp : 2021-08-27T14:15:48.061Z
Info : fetch-sources-default ended
Source : config-as-code-default
Timestamp : 2021-08-27T14:15:48.101Z
Info : config-as-code-default started
Source : config-as-code-default
Timestamp : 2021-08-27T14:15:48.304Z
Info : config-as-code-default checkmarx config file not found
Source : config-as-code-default
Timestamp : 2021-08-27T14:15:48.346Z
Info : config-as-code-default ended
Source : kics-runner-default
Timestamp : 2021-08-27T14:15:48.415Z
Info : kics-runner-default started
Source : kics-runner-default
Timestamp : 2021-08-27T14:15:48.425Z
Info : kics-runner-default Start scan files download
Source : sca-runner-default
Timestamp : 2021-08-27T14:15:48.429Z
Info : sca-runner-default started
Source : fetch-queries-default
Timestamp : 2021-08-27T14:15:48.43Z
Info : fetch-queries-default started
Source : sca-runner-default
Timestamp : 2021-08-27T14:15:48.449Z
Info : sca-runner-default Start scan files download
Source : kics-runner-default
Timestamp : 2021-08-27T14:15:48.583Z
Info : kics-runner-default Finished scan files download
Source : kics-runner-default
Timestamp : 2021-08-27T14:15:48.597Z
Info : kics-runner-default Start scan execution
Source : sca-runner-default
Timestamp : 2021-08-27T14:15:48.637Z
Info : sca-runner-default Finished scan files download
Source : sca-runner-default
Timestamp : 2021-08-27T14:15:48.671Z
Info : sca-runner-default Start scan execution
Source : fetch-queries-default
Timestamp : 2021-08-27T14:15:48.975Z
Info : fetch-queries-default ended
Source : sast-scan-inc-default
Timestamp : 2021-08-27T14:15:49.014Z
Info : sast-scan-inc-default started
Source : sast-scan-inc-default
Timestamp : 2021-08-27T14:15:49.262Z
Info : sast-scan-inc-default ended
Source : sast-rm-default
Timestamp : 2021-08-27T14:15:49.307Z
Info : sast-rm-default started
Source : sast-results-inc-default
Timestamp : 2021-08-27T14:15:49.307Z
Info : sast-results-inc-default started
Source : sast-rm-default
Timestamp : 2021-08-27T14:15:49.406Z
Info : sast-rm-default Queued in sast resource manager
Source : sast-results-inc-default
Timestamp : 2021-08-27T14:15:49.443Z
Info : sast-results-inc-default ended
Source : kics-runner-default
Timestamp : 2021-08-27T14:15:51.285Z
Info : kics-runner-default Finished scan execution
Source : kics-runner-default
Timestamp : 2021-08-27T14:15:51.297Z
Info : kics-runner-default Start results publish
Source : kics-runner-default
Timestamp : 2021-08-27T14:15:51.311Z
Info : kics-runner-default Finished results publish
Source : kics-runner-default
Timestamp : 2021-08-27T14:15:51.331Z
Info : kics-runner-default Start engine log publish
Source : kics-runner-default
Timestamp : 2021-08-27T14:15:51.368Z
Info : kics-runner-default Finished engine log publish
Source : kics-runner-default
Timestamp : 2021-08-27T14:15:51.413Z
Info : kics-runner-default ended
Source : collect-logs-default
Timestamp : 2021-08-27T14:15:51.464Z
Info : collect-logs-default started
Source : kics-results-processor-default
Timestamp : 2021-08-27T14:15:51.464Z
Info : kics-results-processor-default started
Source : collect-logs-default
Timestamp : 2021-08-27T14:15:51.613Z
Info : collect-logs-default ended
Source : kics-results-processor-default
Timestamp : 2021-08-27T14:15:52.306Z
Info : kics-results-processor-default ended
Source : sca-runner-default
Timestamp : 2021-08-27T14:16:20.583Z
Info : sca-runner-default Finished scan execution
Source : sca-runner-default
Timestamp : 2021-08-27T14:16:20.596Z
Info : sca-runner-default Start results publish
Source : sca-runner-default
Timestamp : 2021-08-27T14:16:20.62Z
Info : sca-runner-default Finished results publish
Source : sca-runner-default
Timestamp : 2021-08-27T14:16:20.664Z
Info : sca-runner-default ended
Source : sca-packages-processor-default
Timestamp : 2021-08-27T14:16:20.716Z
Info : sca-packages-processor-default started
Source : sca-results-processor-default
Timestamp : 2021-08-27T14:16:20.717Z
Info : sca-results-processor-default started
Source : sca-packages-processor-default
Timestamp : 2021-08-27T14:16:20.924Z
Info : sca-packages-processor-default ended
Source : sca-results-processor-default
Timestamp : 2021-08-27T14:16:21.246Z
Info : sca-results-processor-default ended
Source : sast-rm-default
Timestamp : 2021-08-27T14:16:21.833Z
Info : sast-rm-default ended
Source : collect-logs-default
Timestamp : 2021-08-27T14:16:21.882Z
Info : collect-logs-default started
Source : sast-results-events-default
Timestamp : 2021-08-27T14:16:21.883Z
Info : sast-results-events-default started
Source : collect-logs-default
Timestamp : 2021-08-27T14:16:22.068Z
Info : collect-logs-default ended
Source : sast-results-events-default
Timestamp : 2021-08-27T14:16:24.982Z
Info : sast-results-events-default ended
Source : scans
Timestamp : 2021-08-27T14:16:25.056678542Z
Info : Scan Completed
scan logs
The logs
command prints the application logs of one scan type for a given scan.
The supported scan types are:
sast
kics
Usage
./cx scan logs --scan-id <scan ID> --scan-type <scan type>
Flags
Name | Default | Description |
---|---|---|
--help, -h | | help for the logs command |
--scan-id <string> | | Scan ID to retrieve logs for |
--scan-type <string> | | Scan type to pull logs for. Supported scan types: sast, kics |
Examples
Retrieving the scan IDs
[email protected]:~/ast-cli$ ./cx scan list
Scan ID Project ID Status Created at Tags Initiator Origin
------- ---------- ------ ---------- ---- --------- ------
f36b063a-84ca-4c4f-ad22-debacdd588aa d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-26-21 [] org_admin Chrome 93.0.4577.63
7efdc589-c8e1-436b-8980-4a907839a5d0 2924669e-f021-4fca-8d18-6b9d00881c1a Completed 09-26-21 [] grpc-java-netty 1.35.0
b9794f15-b5a1-4565-9156-cab11ab016df 2924669e-f021-4fca-8d18-6b9d00881c1a Completed 09-26-21 [] grpc-java-netty 1.35.0
b8ba8ba6-27fc-46a0-a38a-3009dbfcff8c 4f746998-d127-413f-9c45-4c1c83593015 Completed 09-23-21 [] grpc-java-netty 1.35.0
66004e49-8c81-4152-88eb-d69431dd6fa4 d6fe8ab4-becd-49ff-987f-ec5ee02cc614 Completed 09-22-21 [] org_admin Chrome 93.0.4577.82
eea14385-b044-4e3e-b6aa-348167166d79 9ddad1d7-4332-4673-b741-3235be8cd194 Completed 09-22-21 [] org_admin Chrome 93.0.4577.63
d79e99cc-01d6-4480-929e-73cbea97594b 2924669e-f021-4fca-8d18-6b9d00881c1a Completed 09-19-21 [] grpc-java-netty 1.35.0
c4898668-da14-4b53-92f2-f4ffa65545a2 eec7e339-6385-49f1-bde2-8f6929dcecbe Completed 09-19-21 [] grpc-java-netty 1.35.0
f1351cdb-6fd7-4d2d-a08c-cae53f9b5cd8 eec7e339-6385-49f1-bde2-8f6929dcecbe Completed 09-19-21 [] grpc-java-netty 1.35.0
b0f9c8b4-f678-428a-b03f-83a26fa8bc19 c91820cf-947b-4007-8e41-3d3ff341d4d5 Completed 09-19-21 [] grpc-java-netty 1.35.0
6f614cdb-be03-4470-a798-0392db5a8cba c91820cf-947b-4007-8e41-3d3ff341d4d5 Completed 09-19-21 [] grpc-java-netty 1.35.0
230e1342-3a45-436d-b61c-ec14ec2fea0b c91820cf-947b-4007-8e41-3d3ff341d4d5 Completed 09-19-21 [] grpc-java-netty 1.35.0
ac4583a7-e119-4fd8-a8f2-16c454c2dfa3 9ae9cf0d-d732-48d1-b3e0-41b3042d272c Completed 09-16-21 [] org_admin Chrome 93.0.4577.82
deb5266c-4f0c-407c-ad29-168a0807bb7b d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-14-21 [] service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23
e93991b9-a1a3-4ed3-ada4-5407a31ccc77 d7b56888-8407-4e9b-ae5b-7fc43233a497 Failed 09-14-21 [] service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23
0bb6916b-33c7-40bd-a5ec-af9aa0e50c7e d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-14-21 [] service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23
8429d707-a63a-4a5a-b67f-615938333e88 d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-14-21 [] service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23
93ea54b3-ec22-4741-b756-5c69bb5686ef d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-14-21 [] service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23
5d923419-fd93-4bde-b3ec-d21bdfd73b2a d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-14-21 [] service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23
c9f084f4-ebed-4ef5-9526-70f342ea09ea d7b56888-8407-4e9b-ae5b-7fc43233a497 Completed 09-13-21 [] service-account-ast-plugins-64fde34e-01d9-4cd3-a97e-c26894b0341f ASTCLI 2.0.0-rc.23
Retrieving the logs for SAST scan type
[email protected]:~/ast-cli$ ./cx scan logs --scan-id f36b063a-84ca-4c4f-ad22-debacdd588aa --scan-type sast
26/09/2021 13:05:42,602 [1] INFO Available memory: 12347 Used memory: 56 Elapsed Time: 00:00:00.1241647 [Unspecified] - Product version: 9.4.0.0-202107110128-Release
Used memory: 56Mb
OS: Unix 5.4.129.63
Current Directory: /app/Engine
Processor Count: 3
CLR Version: 3.1.18
Executable PID: 19
Executable Location: /usr/share/dotnet/dotnet
Process ID: 19
/ 96 GB Free
/proc 0 GB Free
/dev 0 GB Free
/dev/pts 0 GB Free
/sys 0 GB Free
/sys/fs/cgroup 7 GB Free
/sys/fs/cgroup/systemd 0 GB Free
/sys/fs/cgroup/freezer 0 GB Free
/sys/fs/cgroup/net_cls,net_prio 0 GB Free
/sys/fs/cgroup/memory 0 GB Free
/sys/fs/cgroup/perf_event 0 GB Free
/sys/fs/cgroup/devices 0 GB Free
/sys/fs/cgroup/cpu,cpuacct 0 GB Free
/sys/fs/cgroup/blkio 0 GB Free
/sys/fs/cgroup/hugetlb 0 GB Free
/sys/fs/cgroup/pids 0 GB Free
/sys/fs/cgroup/cpuset 0 GB Free
/dev/mqueue 0 GB Free
/etc/podinfo 7 GB Free
/dev/shm 0 GB Free
/run/secrets/kubernetes.io/serviceaccount 7 GB Free
/proc/bus 0 GB Free
/proc/fs 0 GB Free
/proc/irq 0 GB Free
/proc/sys 0 GB Free
/proc/acpi 7 GB Free
/sys/firmware 7 GB Free
Disk Speed: 526 Ticks per one request
New Disk Speed: 292 Ticks per one request
64Bit platform
PROCESSOR IDENTIFIER: Intel(R) Xeon(R) Platinum 8275CL CPU @ 3.00GHz
Core Speed: 3.6GHz
Product: Checkmarx SAST Engine - Main Version: - Hotfix Version: - Path:
Current Product dll's version list:
___________________________________
Assembly name: File version:
ASP.dll 9.4.0.0-202107110125-Release
CSharp.dll 9.4.0.0-202107110125-Release
DataCollections.dll 9.4.0.0-202107110128-Release
EngineFacade.dll 9.4.0.0-202107110128-Release
Flowgraphs.dll 9.4.0.0-202107110128-Release
Plugin.dll 9.4.0.0-202107110125-Release
Query.dll 9.4.0.0-202107110128-Release
CxWrm.dll 9.4.0.0-202107110128-Release
====================================================
26/09/2021 13:05:42,628 [1] INFO Available memory: 12265 Used memory: 127 Elapsed Time: 00:00:01.7149099 [Unspecified] - Initializing scan input
26/09/2021 13:05:42,645 [1] INFO Available memory: 12265 Used memory: 128 Elapsed Time: 00:00:01.7321179 [Startup] - Current Engine Configuration from DefaultConfig.xml:
_____________________________
IMPORTANT_FILE_ONLY_SCAN*=true
SMALL_PROJECT_BORDER*=3000000
Retrieving the logs for KICS scan type
[email protected]:~/ast-cli$ ./cx scan logs --scan-id f36b063a-84ca-4c4f-ad22-debacdd588aa --scan-type kics
1:03PM | DEBUG | console.scan()
1:03PM | INFO | Scanning with Keeping Infrastructure as Code Secure v1.3.3
1:03PM | DEBUG | Looking for queries in executable path and in current work directory
1:03PM | DEBUG | helpers.GetDefaultQueryPath()
1:03PM | DEBUG | helpers.GetExecutableDirectory()
1:03PM | DEBUG | Queries found in /app/kics-deployment/assets/queries
1:03PM | INFO | Loading queries of type: dockerfile, ansible
1:03PM | DEBUG | source.NewFilesystemSource()
1:03PM | DEBUG | storage.NewMemoryStorage()
1:03PM | DEBUG | engine.NewInspector()
1:03PM | INFO | Inspector initialized, number of queries=289
1:03PM | INFO | Query execution timeout=1m0s
1:03PM | DEBUG | provider.NewFileSystemSourceProvider()
1:03PM | DEBUG | parser.NewBuilder()
1:03PM | DEBUG | resolver.Add()
1:03PM | DEBUG | resolver.Build()
1:03PM | DEBUG | service.StartScan()
1:03PM | DEBUG | service.StartScan()
1:03PM | DEBUG | engine.Inspect()
1:03PM | DEBUG | engine.Inspect()
1:03PM | DEBUG | model.CreateSummary()
1:03PM | DEBUG | console.resolveOutputs()
1:03PM | DEBUG | helpers.PrintResult()
1:03PM | INFO | Files scanned: 4
1:03PM | INFO | Parsed files: 4
1:03PM | INFO | Queries loaded: 289
1:03PM | INFO | Queries failed to execute: 0
1:03PM | INFO | Inspector stopped
1:03PM | DEBUG | console.printOutput()
1:03PM | DEBUG | Output formats provided [json]
1:03PM | DEBUG | helpers.ValidateReportFormats()
1:03PM | DEBUG | helpers.GenerateReport()
1:03PM | INFO | Results saved to file /tmp/953972639/results.json fileName:results.json
1:03PM | INFO | Scan duration: 3318ms
sca-realtime
The scan sca-realtime
command creates and runs a new SCA scan on the contents of a local folder. The SCA realtime scan is a free feature that does not require a Checkmarx account: anyone can download the CLI and run this command without authenticating. The results are printed to standard output as a JSON object.
Warning
Even for users with a Checkmarx account, the realtime scan results are not synced with the user's Checkmarx account.
For info about which languages and package managers are supported for the SCA scanner, see SCA Scanner - Supported Languages and Package Managers.
Warning
In order for this tool to be effective, you need to install all relevant package managers on your local environment, see Installing Supported Package Managers for Resolver.
Usage
./cx scan sca-realtime [flags]
Flags
Name | Default | Description |
---|---|---|
--project-dir <string>, -p <string> (required) | N/A | Path to the project folder on which the SCA scan will run. Warning: this must point to a regular project folder and NOT to a zip archive. |
Examples
Scanning a folder
./cx scan sca-realtime --project-dir C:\goatlin Running SCA Realtime... {"results":[{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"HIGH","description":"This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Advisory","url":"https://github.com/advisories/GHSA-p92x-r36w-9395"},{"type":"Pull request","url":"https://github.com/aheckmann/mpath/pull/13"}],"packageIdentifier":"mpath","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/CVE-2021-23438","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"CVE-2021-23438","cvssScore":9.800000190734863,"cveName":"CVE-2021-23438","cvss":{"version":4,"attackVector":"NETWORK","availability":"HIGH","confidentiality":"HIGH","attackComplexity":"LOW","integrityImpact":"HIGH","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"MEDIUM","description":"lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., __proto__) can be copied during a merge or clone 
operation.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Advisory","url":"https://github.com/advisories/GHSA-45q2-34rf-mr94"}],"packageIdentifier":"mquery","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/CVE-2020-35149","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"CVE-2020-35149","cvssScore":5.300000190734863,"cveName":"CVE-2020-35149","cvss":{"version":2,"attackVector":"NETWORK","availability":"NONE","confidentiality":"NONE","attackComplexity":"LOW","integrityImpact":"LOW","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"MEDIUM","description":"The mergeClone function in the node.js mquery package before 3.2.5 is vulnerable to prototype pollution.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Disclosure","url":"https://www.huntr.dev/bounties/1-npm-mquery"}],"packageIdentifier":"mquery","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/Cxc8ffd605-ddff","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"Cxc8ffd605-ddff","cvssScore":5.300000190734863,"cveName":"Cxc8ffd605-ddff","cvss":{"version":2,"attackVector":"NETWORK","availability":"NONE","confidentiality":"NONE","attackComplexity":"LOW","integrityImpact":"LOW","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Disputed","scaType":"vulnerability","label":"sca","severity":"MEDIUM","description":"The package `body-parser` is vulnerable to prototype pollution, as it does no sanitation to the values received via the incoming JSON data. A remote attacker can inject a `__proto__` object to the application, which would successfully be parsed on the server side. 
This affects the integrity of the application.\n\n","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Other","url":"https://gist.github.com/rgrove/3ea9421b3912235e978f55e291f19d5d/revisions"},{"type":"Issue","url":"https://github.com/expressjs/body-parser/issues/347"}],"packageIdentifier":"body-parser","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/Cx14b19a02-387a","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"Cx14b19a02-387a","cvssScore":6.5,"cveName":"Cx14b19a02-387a","cvss":{"version":2,"attackVector":"NETWORK","availability":"LOW","confidentiality":"NONE","attackComplexity":"LOW","integrityImpact":"LOW","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"LOW","description":"The package `bluebird` is vulnerable to memory leak, when running the function longStackTraces() with the flag `--expose_gc`. 
This causes a significant increase in the memory usage, affecting the server's availability.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Issue","url":"https://github.com/petkaantonov/bluebird/issues/1080"}],"packageIdentifier":"bluebird","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/Cxda14f253-4e52","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"Cxda14f253-4e52","cvssScore":3.700000047683716,"cveName":"Cxda14f253-4e52","cvss":{"version":2,"attackVector":"NETWORK","availability":"LOW","confidentiality":"NONE","attackComplexity":"HIGH","integrityImpact":"NONE","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"HIGH","description":"Mongoose before 5.12.2 is vulnerable to prototype pollution.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Issue","url":"https://github.com/Automattic/mongoose/issues/10035"},{"type":"Pull request","url":"https://github.com/Automattic/mongoose/pull/10053"}],"packageIdentifier":"mongoose","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/Cxba0aa4f8-fd76","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"Cxba0aa4f8-fd76","cvssScore":7.5,"cveName":"Cxba0aa4f8-fd76","cvss":{"version":2,"attackVector":"NETWORK","availability":"NONE","confidentiality":"HIGH","attackComplexity":"LOW","integrityImpact":"NONE","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"HIGH","description":"Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. 
Mongoose versions prior to 6.4.6 are vulnerable to Prototype Pollution. The \"Schema.path()\" and \"Schema.add()\" function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Advisory","url":"https://github.com/advisories/GHSA-f825-f98c-gj3g"},{"type":"Disclosure","url":"https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd"},{"type":"Issue","url":"https://github.com/Automattic/mongoose/issues/12085"},{"type":"Release Note","url":"https://github.com/Automattic/mongoose/releases/tag/6.4.6"}],"packageIdentifier":"mongoose","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/CVE-2022-2564","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"CVE-2022-2564","cvssScore":9.800000190734863,"cveName":"CVE-2022-2564","cvss":{"version":2,"attackVector":"NETWORK","availability":"HIGH","confidentiality":"HIGH","attackComplexity":"LOW","integrityImpact":"HIGH","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"HIGH","description":"The qs package as used in Express through 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an \"__ proto__ key\" can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as \"a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000\". 
This vulnerability affects qs versions through 6.2.3, 6.3.0 through 6.3.2, 6.4.0, 6.5.0 through 6.5.2, 6.6.0, 6.7.0 through 6.7.2, 6.8.0 through 6.8.2, 6.9.0 through 6.9.6 and 6.10.0 through 6.10.2 (and therefore Express 4.17.3, which has \"deps: [email protected]\" in its release description, is not vulnerable).","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Advisory","url":"https://github.com/advisories/GHSA-hrpp-h998-j3pp"},{"type":"Disclosure","url":"https://github.com/n8tz/CVE-2022-24999"},{"type":"Release Note","url":"https://github.com/expressjs/express/releases/tag/4.17.3"},{"type":"Pull request","url":"https://github.com/ljharb/qs/pull/428"}],"packageIdentifier":"qs","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/CVE-2022-24999","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"CVE-2022-24999","cvssScore":7.5,"cveName":"CVE-2022-24999","cvss":{"version":1,"attackVector":"NETWORK","availability":"HIGH","confidentiality":"NONE","attackComplexity":"LOW","integrityImpact":"NONE","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"HIGH","description":"In NPM `debug`, the `enable` function accepts a regular expression from user input without escaping it. Arbitrary regular expressions could be injected to cause a Denial of Service attack on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service). 
This is a different issue than CVE-2017-16137.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Issue","url":"https://github.com/debug-js/debug/issues/737"},{"comment":"Roadmap that mentions issue","type":"Other","url":"https://github.com/debug-js/debug/issues/656"},{"type":"POC/Exploit","url":"https://github.com/brunodays/POCs/blob/master/debug/POC.md"}],"packageIdentifier":"debug","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/Cx8bc4df28-fcf5","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"Cx8bc4df28-fcf5","cvssScore":7.5,"cveName":"Cx8bc4df28-fcf5","cvss":{"version":4,"attackVector":"NETWORK","availability":"HIGH","confidentiality":"NONE","attackComplexity":"LOW","integrityImpact":"NONE","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"MEDIUM","description":"The package debug is vulnerable to memory leakage when instance is created inside a function. The function `debug` in the file `common.js` does not free up used memory unless there's a call to `destroy()` function. 
This affects the availability.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Issue","url":"https://github.com/visionmedia/debug/issues/678"},{"type":"Pull request","url":"https://github.com/visionmedia/debug/pull/740"},{"type":"Pull request","url":"https://github.com/visionmedia/debug/pull/699"}],"packageIdentifier":"debug","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/Cx65603961-769c","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"Cx65603961-769c","cvssScore":5.300000190734863,"cveName":"Cx65603961-769c","cvss":{"version":2,"attackVector":"NETWORK","availability":"LOW","confidentiality":"NONE","attackComplexity":"LOW","integrityImpact":"NONE","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"HIGH","description":"NPM `debug` prior to 4.3.0 has a Memory Leak when creating `debug` instances inside a function which can have a significant impact in the Availability. 
This happens since the function `debug` in the file `src/common.js` does not free up used memory.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Issue","url":"https://github.com/visionmedia/debug/issues/678"},{"type":"Pull request","url":"https://github.com/visionmedia/debug/pull/740"},{"type":"POC/Exploit","url":"https://github.com/MarioTeixeiraCx/POCs/blob/main/POC.md"}],"packageIdentifier":"debug","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/Cx89601373-08db","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"Cx89601373-08db","cvssScore":7.5,"cveName":"Cx89601373-08db","cvss":{"version":3,"attackVector":"NETWORK","availability":"HIGH","confidentiality":"NONE","attackComplexity":"LOW","integrityImpact":"NONE","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"HIGH","description":"In NPM `debug`, the `enable` function accepts a regular expression from user input without escaping it. Arbitrary regular expressions could be injected to cause a Denial of Service attack on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service). 
This is a different issue than CVE-2017-16137.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Issue","url":"https://github.com/debug-js/debug/issues/737"},{"comment":"Roadmap that mentions issue","type":"Other","url":"https://github.com/debug-js/debug/issues/656"},{"type":"POC/Exploit","url":"https://github.com/brunodays/POCs/blob/master/debug/POC.md"}],"packageIdentifier":"debug","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/Cx8bc4df28-fcf5","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"Cx8bc4df28-fcf5","cvssScore":7.5,"cveName":"Cx8bc4df28-fcf5","cvss":{"version":4,"attackVector":"NETWORK","availability":"HIGH","confidentiality":"NONE","attackComplexity":"LOW","integrityImpact":"NONE","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"MEDIUM","description":"The package debug is vulnerable to memory leakage when instance is created inside a function. The function `debug` in the file `common.js` does not free up used memory unless there's a call to `destroy()` function. 
This affects the availability.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Issue","url":"https://github.com/visionmedia/debug/issues/678"},{"type":"Pull request","url":"https://github.com/visionmedia/debug/pull/740"},{"type":"Pull request","url":"https://github.com/visionmedia/debug/pull/699"}],"packageIdentifier":"debug","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/Cx65603961-769c","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"Cx65603961-769c","cvssScore":5.300000190734863,"cveName":"Cx65603961-769c","cvss":{"version":2,"attackVector":"NETWORK","availability":"LOW","confidentiality":"NONE","attackComplexity":"LOW","integrityImpact":"NONE","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}},{"type":"Regular","scaType":"vulnerability","label":"sca","severity":"HIGH","description":"NPM `debug` prior to 4.3.0 has a Memory Leak when creating `debug` instances inside a function which can have a significant impact in the Availability. 
This happens since the function `debug` in the file `src/common.js` does not free up used memory.","data":{"nodes":[{"line":0,"column":0,"fileName":"packages\\services\\api\\package.json"}],"packageData":[{"type":"Issue","url":"https://github.com/visionmedia/debug/issues/678"},{"type":"Pull request","url":"https://github.com/visionmedia/debug/pull/740"},{"type":"POC/Exploit","url":"https://github.com/MarioTeixeiraCx/POCs/blob/main/POC.md"}],"packageIdentifier":"debug","scaPackageData":{"fixLink":"https://devhub.checkmarx.com/cve-details/Cx89601373-08db","supportsQuickFix":false,"isDirectDependency":false,"typeOfDependency":""}},"comments":{},"vulnerabilityDetails":{"cweId":"Cx89601373-08db","cvssScore":7.5,"cveName":"Cx89601373-08db","cvss":{"version":3,"attackVector":"NETWORK","availability":"HIGH","confidentiality":"NONE","attackComplexity":"LOW","integrityImpact":"NONE","scope":"UNCHANGED","privilegesRequired":"NONE","userInteraction":"NONE"}}}],"totalCount":14,"scanID":""}
kics-realtime
The scan kics-realtime
command creates and runs a new KICS scan locally, inside a container. The KICS realtime scan is a free feature that does not require a Checkmarx account: anyone can download the CLI and run this command without authenticating. The results are printed to standard output as a JSON object.
Warning
Even for users with a Checkmarx account, the realtime scan results are not synced with the user's Checkmarx account.
Usage
./cx scan kics-realtime [flags]
Supported scan files extensions / technologies
The scan kics-realtime
command scans an individual file of any technology that the KICS tool supports (listed below).
kics-realtime
supports the following technologies:
Ansible
Azure Resource Manager
CDK
CloudFormation
Azure Blueprints
Docker
Docker Compose
gRPC
Helm
Kubernetes
OpenAPI
Google Deployment Manager
SAM
Terraform
Notice
For more details, please check the KICS official documentation: https://docs.kics.io/latest/platforms/
Additional Parameters
The --additional-params flag provides the ability to pass additional scan options supported by KICS. The options must be given in comma-separated format.
Notice
More information about the additional scan options/flags supported by KICS is available in the KICS official documentation.
Warning
The report format and output path cannot be overridden, even by explicitly setting those flags in --additional-params.
Flags
Name | Default | Description |
---|---|---|
--file <string> (required) | N/A | Path to the input file |
--engine <string> | docker | Name of the container engine used to run KICS |
--additional-params <string>,<string> | N/A | Comma-separated additional scan options supported by KICS |
Examples
Scanning a file
./cx scan kics-realtime --file <FILE PATH>
[email protected]:/AST$ ./cx scan kics-realtime /home/Dockerfile
{"kics_version":"v1.5.6","total_counter":2,"queries":[{"query_name":"Missing User Instruction","query_id":"fd54f200-402c-4333-a5a4-36ef6709af2f","severity":"HIGH","platform":"Dockerfile","category":"Build Process","description":"A user should be specified in the dockerfile, otherwise the image will run as root","query_url":"https://docs.docker.com/engine/reference/builder/#user","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"07841372d54f621706540de0f41d702dc8598f681a44bc19f55feb4cdce61e76","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"The 'Dockerfile' contains the 'USER' instruction","actual_value":"The 'Dockerfile' does not contain any 'USER' instruction"}]},{"query_name":"Healthcheck Instruction Missing","query_id":"b03a748a-542d-44f4-bb86-9199ab4fd2d5","severity":"LOW","platform":"Dockerfile","category":"Insecure Configurations","description":"Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working","query_url":"https://docs.docker.com/engine/reference/builder/#healthcheck","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"5c3e1823b979a8cb04a5293f368fa8134175da78011f4d144c19f45177aa65e9","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"Dockerfile contains instruction 'HEALTHCHECK'","actual_val
Scanning a file with a specific engine
./cx scan kics-realtime --file <FILE PATH> --engine <ENGINE NAME>
[email protected]:/AST$ ./cx scan kics-realtime /home/Dockerfile --engine podman
{"kics_version":"v1.5.6","total_counter":2,"queries":[{"query_name":"Missing User Instruction","query_id":"fd54f200-402c-4333-a5a4-36ef6709af2f","severity":"HIGH","platform":"Dockerfile","category":"Build Process","description":"A user should be specified in the dockerfile, otherwise the image will run as root","query_url":"https://docs.docker.com/engine/reference/builder/#user","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"07841372d54f621706540de0f41d702dc8598f681a44bc19f55feb4cdce61e76","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"The 'Dockerfile' contains the 'USER' instruction","actual_value":"The 'Dockerfile' does not contain any 'USER' instruction"}]},{"query_name":"Healthcheck Instruction Missing","query_id":"b03a748a-542d-44f4-bb86-9199ab4fd2d5","severity":"LOW","platform":"Dockerfile","category":"Insecure Configurations","description":"Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working","query_url":"https://docs.docker.com/engine/reference/builder/#healthcheck","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"5c3e1823b979a8cb04a5293f368fa8134175da78011f4d144c19f45177aa65e9","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"Dockerfile contains instruction 'HEALTHCHECK'","actual_val
Scanning a file with additional parameters
./cx scan kics-realtime --file <FILE PATH> --engine <ENGINE NAME> --additional-params <string>,<string>
[email protected]:/AST$ ./cx scan kics-realtime /home/Dockerfile --engine podman --additional-params -v, --exclude-results,fec62a97d569662093dbb9739360942f
{"kics_version":"v1.5.6","total_counter":2,"queries":[{"query_name":"Missing User Instruction","query_id":"fd54f200-402c-4333-a5a4-36ef6709af2f","severity":"HIGH","platform":"Dockerfile","category":"Build Process","description":"A user should be specified in the dockerfile, otherwise the image will run as root","query_url":"https://docs.docker.com/engine/reference/builder/#user","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"07841372d54f621706540de0f41d702dc8598f681a44bc19f55feb4cdce61e76","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"The 'Dockerfile' contains the 'USER' instruction","actual_value":"The 'Dockerfile' does not contain any 'USER' instruction"}]},{"query_name":"Healthcheck Instruction Missing","query_id":"b03a748a-542d-44f4-bb86-9199ab4fd2d5","severity":"LOW","platform":"Dockerfile","category":"Insecure Configurations","description":"Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working","query_url":"https://docs.docker.com/engine/reference/builder/#healthcheck","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"5c3e1823b979a8cb04a5293f368fa8134175da78011f4d144c19f45177aa65e9","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"Dockerfile contains instruction 'HEALTHCHECK'","actual_val
Scanning a file in debug mode
./cx scan kics-realtime --file <FILE PATH> --engine <ENGINE NAME> --debug
[email protected]:/AST$ ./cx scan kics-realtime /home/Dockerfile --engine podman --additional-params -v, --exclude-results,fec62a97d569662093dbb9739360942f --debug
2022/07/06 10:33:06 CLI Configuration:
2022/07/06 10:33:06 cx_client_secret:
2022/07/06 10:33:06 cx_apikey:
2022/07/06 10:33:06 cx_branch:
2022/07/06 10:33:06 cx_tenant: organization
2022/07/06 10:33:06 http_proxy:
2022/07/06 10:33:06 cx_client_id:
2022/07/06 10:33:06 cx_timeout: 5
2022/07/06 10:33:06 cx_base_uri:
2022/07/06 10:33:06 cx_base_auth_uri:
2022/07/06 10:33:06 cx_proxy_auth_type: basic
2022/07/06 10:33:06 Starting kics container
2022/07/06 10:33:06 The report format and output path cannot be overridden.
2022/07/06 10:33:08 .0MO. OMMMx ;NMX; ... ... .... WMMMd cWMMM0. KMMMO ;xKWMMMMNOc. ,xXMMMMMWXkc. WMMMd .0MMMN: KMMMO :XMMMMMMMMMMMWl xMMMMMWMMMMMMl WMMMd lWMMMO. KMMMO xMMMMKc...'lXMk ,MMMMx .;dXx WMMMd.0MMMX; KMMMO cMMMMd ' 'MMMMNl' WMMMNWMMMMl KMMMO 0MMMN oMMMMMMMXkl. WMMMMMMMMMMo KMMMO 0MMMX .ckKWMMMMMM0. WMMMMWokMMMMk KMMMO oMMMMc . .:OMMMM0 WMMMK. dMMMM0. KMMMO KMMMMx' ,kNc :WOc. .NMMMX WMMMd cWMMMX. KMMMO kMMMMMWXNMMMMMd .WMMMMWKO0NMMMMl WMMMd ,NMMMN, KMMMO 'xNMMMMMMMNx, .l0WMMMMMMMWk, xkkk: ,kkkkx okkkl ;xKXKx; ;dOKKkc
Scanning with Keeping Infrastructure as Code Secure v1.5.6
Preparing Scan Assets: Done
Executing queries: [-------------------------------------------->___________________________] 62.03%
Executing queries: [------------------------------------------------------------->__________] 84.81%
Executing queries: [-----------------------------------------------------------------------] 100.00%
Files scanned: 1
Parsed files: 1
Queries loaded: 48
Queries failed to execute: 0
------------------------------------
Healthcheck Instruction Missing, Severity: LOW, Results: 1
Description: Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Platform: Dockerfile
[1]: ../../path/d.dockerfile:1
001: FROM openjdk:11.0.1-jre-slim-stretch
002:
Missing User Instruction, Severity: HIGH, Results: 1
Description: A user should be specified in the dockerfile, otherwise the image will run as root
Platform: Dockerfile
[1]: ../../path/d.dockerfile:1
001: FROM openjdk:11.0.1-jre-slim-stretch
002:
Results Summary:
HIGH: 1
MEDIUM: 0
LOW: 1
INFO: 0
TOTAL: 2
Results saved to file /path/results.json
Scan duration: 975.245001ms
A new version 'v1.5.11' of KICS is available, please consider updating
Generating Reports: Done
{"kics_version":"v1.5.6","total_counter":2,"queries":[{"query_name":"Missing User Instruction","query_id":"fd54f200-402c-4333-a5a4-36ef6709af2f","severity":"HIGH","platform":"Dockerfile","category":"Build Process","description":"A user should be specified in the dockerfile, otherwise the image will run as root","query_url":"https://docs.docker.com/engine/reference/builder/#user","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"07841372d54f621706540de0f41d702dc8598f681a44bc19f55feb4cdce61e76","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"The 'Dockerfile' contains the 'USER' instruction","actual_value":"The 'Dockerfile' does not contain any 'USER' instruction"}]},{"query_name":"Healthcheck Instruction Missing","query_id":"b03a748a-542d-44f4-bb86-9199ab4fd2d5","severity":"LOW","platform":"Dockerfile","category":"Insecure Configurations","description":"Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working","query_url":"https://docs.docker.com/engine/reference/builder/#healthcheck","files":[{"file_name":"../../path/d.dockerfile","similarity_id":"5c3e1823b979a8cb04a5293f368fa8134175da78011f4d144c19f45177aa65e9","line":1,"issue_type":"MissingAttribute","search_key":"FROM={{openjdk:11.0.1-jre-slim-stretch}}","search_line":0,"search_value":"","expected_value":"Dockerfile contains instruction 'HEALTHCHECK'","actual_value":"Dockerfile doesn't contain instruction 'HEALTHCHECK'"}]}],"severity_counters":{"HIGH":1,"INFO":0,"LOW":1,"MEDIUM":0}}
2022/07/06 10:33:08 Removing folder in temp
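The realtime scan returns its findings only as the JSON object shown above and, per the warning at the top of this section, never syncs them to a Checkmarx account, so anything that wants to act on them (a CI gate, a local report) has to parse that object itself. The following Python script is an added example, not code from the Checkmarx One CLI or from KICS: it assembles the kics-realtime command line from the flags table (joining extra KICS options into the single comma-separated --additional-params string the page requires), extracts the JSON object from the CLI's stdout even when --debug wraps it in timestamped container log lines, cross-checks the flattened findings against the CLI's own severity_counters, and fails the job when any finding is at or above a chosen severity. The ./cx binary path, the argv layout, the runner hook and the sample result are assumptions; the sample is modelled on the page's Dockerfile output but constructed here.

```python
"""CI gate for `cx scan kics-realtime` output (added example, not CLI code)."""
import json
import subprocess
from typing import Callable, Dict, List, Optional

# KICS severities from lowest to highest; used to compare against a threshold.
SEVERITY_ORDER = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def build_command(file_path: str, engine: str = "docker",
                  additional_params: Optional[List[str]] = None,
                  cx_binary: str = "./cx") -> List[str]:
    """argv for the realtime scan (layout assumed from the flags table).
    Extra KICS options travel in one comma-separated --additional-params value."""
    cmd = [cx_binary, "scan", "kics-realtime", "--file", file_path, "--engine", engine]
    if additional_params:
        cmd += ["--additional-params", ",".join(additional_params)]
    return cmd


def extract_json(stdout: str) -> Dict:
    """Locate the result object by its leading key and decode only that object,
    so log lines printed before or after it in --debug mode do not break parsing."""
    start = stdout.find('{"kics_version"')
    if start < 0:
        raise ValueError("no kics-realtime JSON object found in CLI output")
    obj, _ = json.JSONDecoder().raw_decode(stdout[start:])
    return obj


def parse_results(data: Dict) -> List[Dict]:
    """Flatten queries[].files[] into one record per finding."""
    findings = []
    for query in data.get("queries", []):
        severity = str(query.get("severity", "INFO")).upper()
        for hit in query.get("files", []):
            findings.append({"query": query.get("query_name", ""),
                             "query_id": query.get("query_id", ""),
                             "severity": severity,
                             "file": hit.get("file_name", ""),
                             "line": hit.get("line", 0),
                             "expected": hit.get("expected_value", ""),
                             "actual": hit.get("actual_value", "")})
    return findings


def count_by_severity(findings: List[Dict]) -> Dict[str, int]:
    counts = {name: 0 for name in SEVERITY_ORDER}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


def counters_consistent(data: Dict, findings: List[Dict]) -> bool:
    """Cross-check our count against the severity_counters the CLI reports."""
    reported = {k.upper(): int(v) for k, v in data.get("severity_counters", {}).items()}
    ours = count_by_severity(findings)
    return all(ours.get(k, 0) == v for k, v in reported.items())


def should_fail(findings: List[Dict], fail_on: str = "HIGH") -> bool:
    """True when any finding is at or above the threshold severity."""
    threshold = SEVERITY_ORDER[fail_on.upper()]
    return any(SEVERITY_ORDER.get(f["severity"], 0) >= threshold for f in findings)


def run_scan(file_path: str, engine: str = "docker",
             additional_params: Optional[List[str]] = None,
             runner: Optional[Callable[[List[str]], str]] = None) -> List[Dict]:
    """Run the CLI (or an injected fake runner, for offline use) and parse stdout."""
    cmd = build_command(file_path, engine, additional_params)
    if runner is None:
        stdout = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    else:
        stdout = runner(cmd)
    return parse_results(extract_json(stdout))


# Constructed sample modelled on the page's Dockerfile example; not real CLI output.
SAMPLE_RESULT = json.dumps({
    "kics_version": "v1.5.6", "total_counter": 2,
    "queries": [
        {"query_name": "Missing User Instruction", "severity": "HIGH", "platform": "Dockerfile",
         "files": [{"file_name": "Dockerfile", "line": 1, "issue_type": "MissingAttribute",
                    "expected_value": "The 'Dockerfile' contains the 'USER' instruction",
                    "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction"}]},
        {"query_name": "Healthcheck Instruction Missing", "severity": "LOW", "platform": "Dockerfile",
         "files": [{"file_name": "Dockerfile", "line": 1, "issue_type": "MissingAttribute",
                    "expected_value": "Dockerfile contains instruction 'HEALTHCHECK'",
                    "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'"}]}],
    "severity_counters": {"HIGH": 1, "INFO": 0, "LOW": 1, "MEDIUM": 0}})
# Constructed --debug style stdout: timestamped log lines around the JSON object.
SAMPLE_DEBUG_STDOUT = ("2022/07/06 10:33:06 Starting kics container\n" + SAMPLE_RESULT
                       + "\n2022/07/06 10:33:08 Removing folder in temp\n")

if __name__ == "__main__":
    found = run_scan("Dockerfile", "podman", ["-v"], runner=lambda cmd: SAMPLE_DEBUG_STDOUT)
    for f in sorted(found, key=lambda f: -SEVERITY_ORDER.get(f["severity"], 0)):
        print(f"{f['severity']:6} {f['file']}:{f['line']} {f['query']}")
    raise SystemExit(1 if should_fail(found, "HIGH") else 0)
```

Drop the `runner` argument to run the real CLI; the fake runner exists only so the parsing and gating logic can be exercised without a container engine. The `counters_consistent` check is worth keeping in a pipeline: if the CLI's summary and the flattened findings ever disagree, the JSON shape has changed and the gate should be treated as unreliable rather than silently passing.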