utils
The utils command enables the ability to perform Checkmarx One utility functions.
Usage
./cx utils [command]
Flags
Name | Default | Description |
---|---|---|
--help, -h | | Help for the utils command |
completion
The completion command enables the ability to perform CLI command auto completion.
The auto completion supports four shell types: bash, zsh, fish, and powershell.
Notice
Enabling auto completion is valid only for the current session.
If the session is closed, you need to configure it again.
Usage
./cx utils completion --shell [bash|zsh|fish|powershell]
Flags
Name | Default | Description |
---|---|---|
--shell, -s | | The type of shell [bash/zsh/fish/powershell] |
--help, -h | | Help for the completion command |
Examples
Bash Auto Completion
To configure auto completion, execute the following (the first command applies to the current session only; the redirect installs it for every new session):
# load and export a set of Environment Variables for the completion command:
$ source <(./cx utils completion -s bash)
# Load completion for each Linux session:
$ ./cx utils completion -s bash > /etc/bash_completion.d/cx
# Load completion for each macOS session:
$ ./cx utils completion -s bash > /usr/local/etc/bash_completion.d/cx
zsh Auto Completion
To configure auto completion for each session, execute the following:
# Enable auto completion for the environment:
$ echo "autoload -U compinit; compinit" >> ~/.zshrc
# To load auto completion for each session, execute once:
$ ./cx utils completion -s zsh > "${fpath[1]}/_cx"
# Start a new shell for this setup to take effect.
fish Auto Completion
To configure auto completion for each session, execute the following:
# Configure auto completion for the current session:
$ ./cx utils completion -s fish | source
# To load auto completion for each session, execute once:
$ ./cx utils completion -s fish > ~/.config/fish/completions/cx.fish
PowerShell Auto Completion
# load and export a set of Environment Variables for the completion command:
PS> .\cx.exe utils completion -s powershell | Out-String | Invoke-Expression
# To load auto completion for each session, execute once:
PS> .\cx.exe utils completion -s powershell > cx.ps1
# and source this file from your PowerShell profile.
env
The env command presents the configured environment variables.
Usage
./cx utils env [flags]
Flags
Name | Default | Description |
---|---|---|
--help, -h | | Help for the env command |
Examples
Using the env command
$ ./cx utils env
Detected Environment Variables:
cx_proxy_auth_type:
cx_client_id:
cx_client_secret:
cx_apikey:
cx_branch:
cx_timeout:
cx_base_uri:
cx_tenant:
http_proxy:
sca_resolver:
cx_base_auth_uri:
contributor-count
The contributor-count command enables users to count unique contributors from different SCM repositories for the past 90 days.
Usage
./cx utils contributor-count [command]
Flags
Name | Default | Description |
---|---|---|
--help, -h | | Help for the contributor-count command |
Global Flags
The contributor-count family of commands does not support all global flags. The following flags are supported.
Flag | Default | Description |
---|---|---|
--proxy <string> | | Proxy server to send communication through |
--proxy-auth-type <string> | | Proxy authentication type (basic or ntlm) |
--proxy-ntlm-domain <string> | | Windows domain when using NTLM proxy |
--timeout <string> | 5 Seconds | Timeout for network activity |
--debug | | Debug mode returns detailed logs, including the username of each of the contributors and the repos to which they contributed. |
github
The github command presents the unique contributors for the provided GitHub repositories or organizations. Contributors are found by visiting all repositories and comparing the author property of each commit. Bots are counted as contributors unless the commit author has “type” set to “Bot” (dependabot is correctly excluded). Contributors who commit under different names in their git configurations are counted as different contributors.
Notice
This command returns a breakdown of unique contributors per repo as well as the total number of unique contributors. When a particular user contributes to several different repos, this is counted as a single contributor for the total count. Therefore, the total count will not necessarily be equal to the sum of the individual repos.
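The counting rules described above (commit author, authors of type Bot excluded, a 90-day window, and one contributor across repos so the total is not the sum of the rows) modelled as an added Python example; this is not ast-cli's own code, and the commit list is constructed.

```python
"""Unique-contributor counting as the contributor-count github text describes it.

Added example, not the ast-cli implementation. The sample commits are
constructed to reproduce the page's table (ast-cli 1, kics 2) and to show
why the overall total (2) is smaller than the sum of the rows (3).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: (repo, author, author type, commit timestamp).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
COMMITS = [
    ("Checkmarx/ast-cli", "alice", "User", NOW - timedelta(days=3)),
    ("Checkmarx/ast-cli", "dependabot[bot]", "Bot", NOW - timedelta(days=1)),
    ("Checkmarx/kics", "alice", "User", NOW - timedelta(days=10)),
    ("Checkmarx/kics", "bob", "User", NOW - timedelta(days=45)),
    # Older than 90 days: outside the counting window.
    ("Checkmarx/kics", "carol", "User", NOW - timedelta(days=120)),
]


def count_contributors(commits, now=NOW, window_days=90):
    """Return ({repo: unique contributors}, total unique contributors).

    The author string is compared as-is, so the same person committing under
    two git identities is counted twice, exactly as the text warns.
    """
    cutoff = now - timedelta(days=window_days)
    per_repo = defaultdict(set)
    for repo, author, author_type, when in commits:
        if when < cutoff or author_type == "Bot":
            continue
        per_repo[repo].add(author)
    # One person in several repos is one contributor for the total.
    overall = set().union(*per_repo.values()) if per_repo else set()
    return {repo: len(authors) for repo, authors in per_repo.items()}, len(overall)


def render_report(per_repo, total):
    """Render the breakdown in the shape the CLI prints (layout approximated)."""
    width = max([len("Name")] + [len(repo) for repo in per_repo]) + 2
    lines = [f"{'Name':<{width}}UniqueContributors",
             f"{'----':<{width}}------------------"]
    for repo in sorted(per_repo):
        lines.append(f"{repo:<{width}}{per_repo[repo]}")
    lines.append(f"Total unique contributors {total}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(*count_contributors(COMMITS)))
```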
Usage
./cx utils contributor-count github [flags]
Flags
Name | Default | Description |
---|---|---|
--format <string> | table | The output format for the response. Possible values are |
--help, -h | | Help for the github command |
--orgs <strings> | | List of organizations to scan for contributors. Comma separated list. |
--repos <strings> | | List of repositories to scan for contributors. Comma separated list. |
--token <string> | | GitHub OAuth token. Requires “Repo” scope and organization SSO authorization, if enforced by the organization. |
--url <string> | | API base URL |
Examples
PS C:\Users\ast-cli> cx utils contributor-count github --orgs checkmarx --token <token>
Name                UniqueContributors
----                ------------------
...
Checkmarx/ast-cli   1
Checkmarx/kics      2
...
Total unique contributors N

PS C:\Users\ast-cli> cx utils contributor-count github --repos ast-cli,kics --orgs checkmarx --token <token>
Name                UniqueContributors
----                ------------------
Checkmarx/ast-cli   1
Checkmarx/kics      2
Total unique contributors 3
azure
The azure command presents the unique contributors for the provided Azure DevOps repositories, projects, and organizations.
Notice
This command returns a breakdown of unique contributors per repo as well as the total number of unique contributors. When a particular user contributes to several different repos, this is counted as a single contributor for the total count. Therefore, the total count will not necessarily be equal to the sum of the individual repos.
Usage
./cx utils contributor-count azure [flags]
Flags
Name | Default | Description |
---|---|---|
--help, -h | | Help for the azure command |
--orgs <strings> | | List of organizations to scan for contributors. Comma separated list. |
--projects <strings> | | List of projects to scan for contributors. Comma separated list. |
--repos <strings> | | List of repositories to scan for contributors. Comma separated list. |
--token <string> | | Azure DevOps personal access token. Requires “Connected server” and “Code” scope. |
--url-azure <string> | | API base URL |
--format <string> | table | The output format for the response. Possible values are |
Examples
./cx utils contributor-count azure --orgs <orgs> --token <token>
$ ./cx utils contributor-count azure --orgs Checkmarx --token 12345678910
Name                                UniqueContributors
----                                ------------------
Checkmarx/public/ast-cli            2
Checkmarx/private/ast-java-wrapper  1
...
...
Total unique contributors 7
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count azure --orgs <orgs> --token <token> --debug
$ ./cx utils contributor-count azure --orgs Checkmarx --token 12345678910 --debug
Name                                UniqueContributors
----                                ------------------
Checkmarx/public/ast-cli            2
Checkmarx/private/ast-java-wrapper  1
...
...
Total unique contributors 7
Name                                UniqueContributorsUsername
----                                --------------------------
Checkmarx/public/ast-cli            User Checkmarx
Checkmarx/private/ast-java-wrapper  UserCheckmarx
...
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count azure --orgs <orgs> --projects <projects> --token <token>
$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --token 12345678910
Name                                UniqueContributors
----                                ------------------
Checkmarx/public/ast-cli            2
...
...
Total unique contributors 5
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count azure --orgs <orgs> --projects <projects> --token <token> --debug
$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --token 12345678910 --debug
Name                                UniqueContributors
----                                ------------------
Checkmarx/public/ast-cli            2
...
...
Total unique contributors 5
Name                                UniqueContributorsUsername
----                                --------------------------
Checkmarx/public/ast-cli            User Checkmarx
...
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count azure --orgs <orgs> --projects <projects> --repos <repos> --token <token>
$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --repos ast-cli --token 12345678910
Name                                UniqueContributors
----                                ------------------
Checkmarx/public/ast-cli            2
Total unique contributors 2
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count azure --orgs <orgs> --projects <projects> --repos <repos> --token <token> --debug
$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --repos ast-cli --token 12345678910 --debug
Name                                UniqueContributors
----                                ------------------
Checkmarx/public/ast-cli            2
Total unique contributors 2
Name                                UniqueContributorsUsername
----                                --------------------------
Checkmarx/public/ast-cli            User Checkmarx
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.
gitlab
The gitlab command presents the unique contributors for the provided GitLab groups or projects.
Notice
This command returns a breakdown of unique contributors per repo as well as the total number of unique contributors. When a particular user contributes to several different repos, this is counted as a single contributor for the total count. Therefore, the total count will not necessarily be equal to the sum of the individual repos.
Usage
.\cx.exe utils contributor-count gitlab [flags]
Flags
Name | Default | Description |
---|---|---|
--format <string> | table | The output format for the response. Possible values are |
--help, -h | | Help for the gitlab command |
--token <string> | | GitLab OAuth token with at least 'read_api' and 'read_repository' permissions. |
--groups <strings> | | List of group names to scan for contributors. Comma separated list for more than one name. If a subgroup is used, the full path of the subgroup is required; the full path includes the names of the parent groups and can be copied from the GitLab URL when the group is opened in the browser. |
--projects <strings> | | List of project names to scan for contributors. Project names must be the full path/namespace. Comma separated list for more than one project name. |
--url-gitlab <string> | | API base URL |
Examples
C:\Users\ast-cli> .\cx.exe utils contributor-count gitlab --token <token> --groups Checkmarx-ts/cxlite
Name                      UniqueContributors
----                      ------------------
...
Checkmarx/CxLite/CxDemo   1
...
Total unique contributors 1

C:\Users\ast-cli> .\cx.exe utils contributor-count gitlab --token <token> --projects Checkmarx/CxLite/CxDemo
Name                      UniqueContributors
----                      ------------------
Checkmarx/CxLite/CxDemo   1
Total unique contributors 1
bitbucket
The bitbucket command presents the unique contributors for the provided Bitbucket repositories, projects and organizations.
Notice
This command returns a breakdown of unique contributors per repo as well as the total number of unique contributors. When a particular user contributes to several different repos, this is counted as a single contributor for the total count. Therefore, the total count will not necessarily be equal to the sum of the individual repos.
Usage
./cx utils contributor-count bitbucket [flags]
Flags
Name | Default | Description |
---|---|---|
--help, -h | | Help for the bitbucket command |
--workspaces <string> | | List of workspaces to scan for contributors. A comma separated list. |
--repos <string> | | List of repositories to scan for contributors. A comma separated list. |
--username <string> | | Username for Bitbucket authentication |
--password <string> | | App password for Bitbucket authentication. Requires read on “Workspace membership” and “Repositories” permissions. |
--url-bitbucket <string> | | API base URL |
--format <string> | table | The output format for the response. Possible values are |
Examples
./cx utils contributor-count bitbucket --workspaces <workspaces> --username <username> --password <password>
$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --username cx --password 12345678910
Name                        UniqueContributors
----                        ------------------
Checkmarx/ast-cli           2
Checkmarx/ast-java-wrapper  1
...
...
Total unique contributors 7
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count bitbucket --workspaces <workspaces> --username <username> --password <password> --debug
$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --username cx --password 12345678910 --debug
Name                        UniqueContributors
----                        ------------------
Checkmarx/ast-cli           2
Checkmarx/ast-java-wrapper  1
...
...
Total unique contributors 7
Name                        UniqueContributorsUsername
----                        --------------------------
Checkmarx/ast-cli           User Checkmarx
Checkmarx/ast-java-wrapper  UserCheckmarx
...
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count bitbucket --workspaces <workspaces> --repos <repos> --username <username> --password <password>
$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --repos ast-cli --username cx --password 12345678910
Name                        UniqueContributors
----                        ------------------
Checkmarx/ast-cli           2
Total unique contributors 2
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count bitbucket --workspaces <workspaces> --repos <repos> --username <username> --password <password> --debug
$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --repos ast-cli --username cx --password 12345678910 --debug
Name                        UniqueContributors
----                        ------------------
Checkmarx/ast-cli           2
Total unique contributors 2
Name                        UniqueContributorsUsername
----                        --------------------------
Checkmarx/ast-cli           User Checkmarx
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.
bitbucket-server
The bitbucket-server command presents the unique contributors for the provided Bitbucket Server repositories and projects.
Notice
This command returns a breakdown of unique contributors per repo as well as the total number of unique contributors. When a particular user contributes to several different repos, this is counted as a single contributor for the total count. Therefore, the total count will not necessarily be equal to the sum of the individual repos.
Usage
./cx utils contributor-count bitbucket-server [flags]
Flags
Name | Required | Default | Description |
---|---|---|---|
--help, -h | no | | Help for the bitbucket-server command |
--projects <string> | no | all | List of projects to scan for contributors. A comma separated list. |
--repos <string> | no | all | List of repositories to scan for contributors. A comma separated list. |
--token <string> | no | If no token is provided, then only public projects are searched | The HTTP access token that you generated in Bitbucket. To learn how to generate a token, see the section "Create HTTP access tokens" in the Bitbucket Server documentation. Tip: on older versions of Bitbucket Server this is referred to as a "Personal access token". For Permissions select, at a minimum: |
--server-url <string> | yes | | The URL of your Bitbucket Server instance |
--format <string> | no | table | The output format for the response. Possible values are |
Examples
./cx utils contributor-count bitbucket-server --server-url <server-url> --token <token>
$ ./cx utils contributor-count bitbucket-server --server-url bitbucket.my.com --token MYTOKEN
Name            UniqueContributors
----            ------------------
CX/ast-cli      2
...
AS/my-project   1
...
...
Total unique contributors 7
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.
With Debug
./cx utils contributor-count bitbucket-server --server-url <server-url> --token <token> --debug
$ ./cx utils contributor-count bitbucket-server --server-url bitbucket.my.com --token MYTOKEN --debug
Name            UniqueContributors
----            ------------------
CX/ast-cli      2
...
AS/my-project   1
...
...
Total unique contributors 7
Name            UniqueContributorsUsername
----            --------------------------
CX/ast-cli      user - [email protected]
...
AS/my-project   user2 - [email protected]
...
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count bitbucket-server --projects <projects> --server-url <server-url> --token <token>
$ ./cx utils contributor-count bitbucket-server --projects CX --server-url bitbucket.my.com --token MYTOKEN
Name                  UniqueContributors
----                  ------------------
CX/ast-cli            2
CX/ast-java-wrapper   1
...
...
Total unique contributors 7
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.
With Debug
./cx utils contributor-count bitbucket-server --projects <projects> --server-url <server-url> --token <token> --debug
$ ./cx utils contributor-count bitbucket-server --projects CX --server-url bitbucket.my.com --token MYTOKEN --debug
Name                  UniqueContributors
----                  ------------------
CX/ast-cli            2
CX/ast-java-wrapper   1
...
...
Total unique contributors 7
Name                  UniqueContributorsUsername
----                  --------------------------
CX/ast-cli            user - [email protected]
CX/ast-java-wrapper   user2 - [email protected]
...
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count bitbucket-server --projects <projects> --repos <repos> --server-url <server-url> --token <token>
$ ./cx utils contributor-count bitbucket-server --projects CX --repos ast-cli --server-url bitbucket.my.com --token MYTOKEN
Name            UniqueContributors
----            ------------------
CX/ast-cli      2
Total unique contributors 2
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.
With Debug
./cx utils contributor-count bitbucket-server --projects <projects> --repos <repos> --server-url <server-url> --token <token> --debug
$ ./cx utils contributor-count bitbucket-server --projects CX --repos ast-cli --server-url bitbucket.my.com --token MYTOKEN --debug
Name            UniqueContributors
----            ------------------
CX/ast-cli      2
Total unique contributors 2
Name            UniqueContributorsUsername
----            --------------------------
CX/ast-cli      user - [email protected]
2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.
learn-more
The learn-more command provides the ability to retrieve additional descriptions from the CLI for SAST vulnerabilities.
The command must be run with the attribute query-id, which can be retrieved from a scan’s results and passed to this command.
Usage
./cx utils learn-more --query-id <query-id> --format [json|table|list]
Flags
Name | Default | Description |
---|---|---|
--query-id (required) | | The SAST query-id for a vulnerability |
--format | list | The output format for the response. Possible values are |
--help, -h | | Help for the learn-more command |
Examples
learn-more command
Default (without format flag)
$ ./cx utils learn-more --query-id 5854466950125120303
QueryID : 5854466950125120303
QueryName : Open_Redirect
QueryDescriptionID : Stored_Open_Redirect
ResultDescription : The potentially tainted value provided by @SourceElement in @SourceFile at line @SourceLine is used as a destination URL by @DestinationElement in @DestinationFile at line @DestinationLine, potentially allowing attackers to perform an open redirection.
Risk : An attacker could use social engineering to get a victim to click a link to the application, so that the user will be immediately redirected to another site of the attacker's choice. An attacker can then craft a destination website to fool the victim; for example - they may craft a phishing website with an identical looking UI as the previous website's login page, and with a similar looking URL, convincing the user to submit their access credentials in the attacker's website. Another example would be a phishing website with an identical UI as that of a popular payment service, convincing the user to submit their payment information.
Cause : The application redirects the user’s browser to a URL provided by a tainted input, without first ensuring that URL leads to a trusted destination, and without warning users that they are being redirected outside of the current site. An attacker could use social engineering to get a victim to click a link to the application with a parameter defining another site to which the application will redirect the user’s browser. Since the user may not be aware of the redirection, they may be under the misconception that the website they are currently browsing can be trusted.
GeneralRecommendations :
1. Ideally, do not allow arbitrary URLs for redirection. Instead, create a mapping from user-provided parameter values to legitimate URLs.
2. If it is necessary to allow arbitrary URLs:
   * For URLs inside the application site, first filter and encode the user-provided parameter, and then either:
     * Create a white-list of allowed URLs inside the application
     * Use variables as a relative URL as an absolute one, by prefixing it with the application site domain - this will ensure all redirection will occur inside the domain
   * For URLs outside the application (if necessary), either:
     * White-list redirection to allowed external domains by first filtering URLs with trusted prefixes. Prefixes must be tested up to the third slash [/] - `scheme://my.trusted.domain.com/,` to prevent evasion. For example, if the third slash [/] is not validated and scheme://my.trusted.domain.com is trusted, the URL scheme://my.trusted.domain.com.evildomain.com would be valid under this filter, but the domain actually being browsed is evildomain.com, not domain.com.
     * For fully dynamic open redirection, use an intermediate disclaimer page to provide users with a clear warning that they are leaving the site.
Samples :
[Java] Java Servlet Vulnerable to Open Redirection
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String redirectUrl = request.getParameter("redirectUrl");
    if (redirectUrl != null) {
        response.sendRedirect(redirectUrl);
    } else {
        response.sendRedirect("/");
    }
}
[Java] Whitelisting an Allowed External Domain, Preventing Open Redirection
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String redirectUrl = request.getParameter("redirectUrl");
    if (redirectUrl != null && redirectUrl.startsWith("https://www.trusteddomain.com/")) {
        response.sendRedirect(redirectUrl);
    } else {
        response.sendRedirect("/");
    }
}
Json format
$ ./cx utils learn-more --query-id 5854466950125120303 --format json
[
  {
    "queryId": "5854466950125120303",
    "queryName": "Open_Redirect",
    "queryDescriptionId": "Stored_Open_Redirect",
    "resultDescription": "The potentially tainted value provided by @SourceElement in @SourceFile at line @SourceLine is used as a destination URL by @DestinationElement in @DestinationFile at line @DestinationLine, potentially allowing attackers to perform an open redirection.\n\n",
    "risk": "An attacker could use social engineering to get a victim to click a link to the application, so that the user will be immediately redirected to another site of the attacker's choice. An attacker can then craft a destination website to fool the victim; for example - they may craft a phishing website with an identical looking UI as the previous website's login page, and with a similar looking URL, convincing the user to submit their access credentials in the attacker's website. Another example would be a phishing website with an identical UI as that of a popular payment service, convincing the user to submit their payment information.\n\n",
    "cause": "The application redirects the user’s browser to a URL provided by a tainted input, without first ensuring that URL leads to a trusted destination, and without warning users that they are being redirected outside of the current site. An attacker could use social engineering to get a victim to click a link to the application with a parameter defining another site to which the application will redirect the user’s browser. Since the user may not be aware of the redirection, they may be under the misconception that the website they are currently browsing can be trusted.\n\n",
    "generalRecommendations": "\r\n1. Ideally, do not allow arbitrary URLs for redirection. Instead, create a mapping from user-provided parameter values to legitimate URLs.\r\n2. If it is necessary to allow arbitrary URLs:\r\n * For URLs inside the application site, first filter and encode the user-provided parameter, and then either:\r\n * Create a white-list of allowed URLs inside the application\r\n * Use variables as a relative URL as an absolute one, by prefixing it with the application site domain - this will ensure all redirection will occur inside the domain\r\n * For URLs outside the application (if necessary), either:\r\n * White-list redirection to allowed external domains by first filtering URLs with trusted prefixes. Prefixes must be tested up to the third slash \\[/\\] - `scheme://my.trusted.domain.com/,` to prevent evasion. For example, if the third slash \\[/\\] is not validated and scheme://my.trusted.domain.com is trusted, the URL scheme://my.trusted.domain.com.evildomain.com would be valid under this filter, but the domain actually being browsed is evildomain.com, not domain.com.\r\n * For fully dynamic open redirection, use an intermediate disclaimer page to provide users with a clear warning that they are leaving the site.\r\n\n\n",
    "samples": [
      {
        "progLanguage": "Java",
        "code": "protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n String redirectUrl = request.getParameter(\"redirectUrl\");\n if (redirectUrl != null) {\n response.sendRedirect(redirectUrl);\n } else {\n response.sendRedirect(\"/\");\n }\n}",
        "title": "Java Servlet Vulnerable to Open Redirection"
      },
      {
        "progLanguage": "Java",
        "code": "protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n String redirectUrl = request.getParameter(\"redirectUrl\");\n if (redirectUrl != null \u0026\u0026 redirectUrl.startsWith(\"https://www.trusteddomain.com/\")) {\n response.sendRedirect(redirectUrl);\n } else {\n response.sendRedirect(\"/\");\n }\n}",
        "title": "Whitelisting an Allowed External Domain, Preventing Open Redirection"
      }
    ]
  }
]
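The redirect guidance in the learn-more output above, worked through as an added Python example (not ast-cli code and not part of the Checkmarx query description): recommendation 1 as a name-to-URL mapping, and recommendation 2's prefix rule carried to the third slash, beside the short-prefix check that the my.trusted.domain.com.evildomain.com case evades. The allow-list, the mapping and every URL are constructed.

```python
"""Redirect-target validation following the learn-more guidance for Open_Redirect.

Added example, not part of ast-cli or the Checkmarx query description. It
implements recommendation 1 (a mapping from parameter values to fixed URLs)
and the third-slash prefix rule from recommendation 2, and shows why a prefix
check that stops before the third slash is evadable. All URLs are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list. Each entry is tested up to and including the third
# slash, exactly as the recommendation requires.
TRUSTED_PREFIXES = ("https://my.trusted.domain.com/",)

# Constructed mapping for recommendation 1: the parameter names a destination,
# and the application never echoes a user-supplied URL.
REDIRECT_MAP = {
    "home": "/",
    "docs": "https://my.trusted.domain.com/docs/",
}


def naive_is_trusted(url: str) -> bool:
    """The evadable check: the prefix stops at the host, before the third slash."""
    return url.startswith("https://my.trusted.domain.com")


def _normalise(url: str) -> str:
    """A bare scheme://host has no third slash; give it one so it can match a prefix."""
    parts = urlsplit(url)
    if parts.path == "" and not parts.query and not parts.fragment:
        return url + "/"
    return url


def is_trusted_redirect(url: str, prefixes=TRUSTED_PREFIXES) -> bool:
    """Accept url only if it starts with a trusted prefix that ends at the third slash.

    Prefixes configured without the trailing slash are repaired here, so a
    sloppy allow-list cannot reopen the my.trusted.domain.com.evildomain.com
    hole. Scheme-relative targets (//host/...) and other schemes never match,
    and so does not a userinfo trick such as https://my.trusted.domain.com@other/.
    """
    candidate = _normalise(url)
    for prefix in prefixes:
        if not prefix.endswith("/"):
            prefix += "/"
        if candidate.startswith(prefix):
            return True
    return False


def resolve_named_redirect(name: str, default: str = "/") -> str:
    """Recommendation 1: look the parameter up; unknown values fall back to the site root."""
    return REDIRECT_MAP.get(name, default)


def choose_redirect(redirect_url: Optional[str]) -> str:
    """What the Java doGet sample does with ?redirectUrl=..., using the hardened check."""
    if redirect_url is not None and is_trusted_redirect(redirect_url):
        return redirect_url
    return "/"


if __name__ == "__main__":
    evasion = "https://my.trusted.domain.com.evildomain.com/login"
    print("naive  :", naive_is_trusted(evasion))       # True: the hole the text describes
    print("strict :", is_trusted_redirect(evasion))    # False: third slash is checked
```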
remediation
The remediation command enables you to automatically remediate vulnerabilities for results that came from a specific Checkmarx scanner.
Usage
./cx utils remediation [command]
Flags
Name | Default | Description |
---|---|---|
--help | N/A | Help for the utils remediation command |
Commands
Name | Description |
---|---|
kics | Used to remediate kics results |
sca | Used to remediate sca results |
kics
The kics command enables you to automatically remediate kics vulnerabilities.
Caution
This feature is currently supported only for Terraform projects.
Usage
./cx utils remediation kics [flags]
Flags
Name | Mandatory | Default | Description |
---|---|---|---|
--engine <string> | no | docker | Name in the $PATH for the container engine to run kics. Example: podman |
--kics-files <string> | yes | N/A | Absolute path to the folder that contains the file(s) to be remediated. |
--results-file <string> | yes | N/A | Path to the kics scan results file. This is used to identify and remediate the kics vulnerabilities. |
--similarity-ids <string>,<string> | no | Remediates all vulnerabilities | List of the similarity ids that should be remediated, e.g. --similarity-ids b42a19486a8e18324a9b2c06147b1c49feb3ba39a0e4aeafec5665e60f98d047,9574288c118e8c87eea31b6f0b011295a39ec5e70d83fb70e839b8db4a99eba8 |
Examples
Remediating all vulnerabilities
./cx utils remediation kics --results-file <PATH-TO-RESULTS> --kics-files <ABSOLUTE-PATH-TO-FILES>
$ ./cx utils remediation kics --results-file "./results.json" --kics-files "/home/terraform_examples/"
{"available_remediation_count":3,"applied_remediation_count":3}
Remediating a specific vulnerability
./cx utils remediation kics --results-file <PATH-TO-RESULTS> --kics-files <ABSOLUTE-PATH-TO-FILES> --similarity-ids <SIMILARITY-ID-LIST>
$ ./cx utils remediation kics --results-file "./results.json" --kics-files "/home/terraform_examples/" --similarity-ids b42a19486a8e18324a9b2c06147b1c49feb3ba39a0e4aeafec5665e60f98d047
{"available_remediation_count":3,"applied_remediation_count":1}
Remediating using a specific engine
./cx utils remediation kics --results-file <PATH-TO-RESULTS> --kics-files <ABSOLUTE-PATH-TO-FILES> --engine <ENGINE-NAME>
$ ./cx utils remediation kics --results-file "./results.json" --kics-files "/home/terraform_examples/" --engine podman
{"available_remediation_count":3,"applied_remediation_count":3}
sca
The sca command enables you to automatically remediate sca vulnerabilities.
Usage
./cx utils remediation sca [flags]
Warning
Currently only npm dependency files (package.json) are supported for this functionality.
Flags
Name | Default | Description |
---|---|---|
--package-files <string> | N/A | Path to input package files to remediate the package version |
--package <string> | N/A | Name of the package to be replaced |
--package-version <string> | N/A | Version of the package to be replaced |
Examples
Remediating a specific package successfully
./cx utils remediation sca --package-files <PACKAGE-FILE-PATHS> --package <PACKAGE-NAME> --package-version <PACKAGE-VERSION>
$ ./cx utils remediation sca --package-files /home/package.json,/home/src/package.json --package copyfiles --package-version 1.2.1
Remediating a nonexistent package
./cx utils remediation sca --package-files <PACKAGE-FILE-PATHS> --package <PACKAGE-NAME> --package-version <PACKAGE-VERSION>
$ ./cx utils remediation sca --package-files /home/package.json --package copyfile --package-version 1.2.1
Package copyfile not found
Remediating using an unsupported file
./cx utils remediation sca --package-files <PACKAGE-FILE-PATHS> --package <PACKAGE-NAME> --package-version <PACKAGE-VERSION>
$ ./cx utils remediation sca --package-files /home/pom.xml --package log4j --package-version 1.2.1
Unsupported package manager file
pr
The pr command decorates pull requests with results from Checkmarx One scans that were triggered by that pull request. The pull request comments show a list of new vulnerabilities that were introduced by the code changes as well as a list of vulnerabilities that were fixed by the code changes. Currently, the only supported SCM configuration is github.

The pull request decoration command requires the following attributes to decorate a PR successfully: --scan-id, --token, --namespace, --repo-name, --pr-number
Usage
./cx utils pr github --scan-id <scan-id> --token <PAT> --namespace <organization> --repo-name <repository> --pr-number <pr number>
Flags
Name | Mandatory | Default | Description |
---|---|---|---|
--scan-id | yes | n/a | The scan ID for the PR that is being decorated. This can be extracted from the scan result that is obtained after the pull request is scanned. |
--token | yes | n/a | The token for SCM access in order to create decoration |
--namespace | yes | n/a | SCM namespace for the repository |
--repo-name | yes | n/a | SCM repository name |
--pr-number | yes | n/a | The pull request number for decoration PR |
Examples
pr github command
./cx.exe utils pr github --scan-id b8e043bc-4c72-4638-ac54-7ac1b40d1234 --namespace jay-nanduri --repo-name testGHAction --pr-number 1 --token <secret-token>
2022/08/31 12:31:43 PR comment created successfully.
tenant
The tenant command enables users to retrieve info about the global settings that apply to their tenant account (i.e., the info shown on the Account Settings screen in the web portal).
Usage
./cx utils tenant [flags]
Flags
Name | Default | Description |
---|---|---|
--format | list | The output format for the response. Possible values are |
--help, -h | | Help for the tenant command |
Examples
Sample Response
$ ./cx utils tenant
Key : scan.config.sast.defaultConfigId
Value :
Key : scan.config.kics.filter
Value :
Key : scan.config.sast.presetName
Value : ASA Premium
Key : scan.handler.git.token
Value :
Key : scan.config.sca.LastSastScanTime
Value :
Key : scan.config.sast.filter
Value :
Key : scan.handler.git.sshKey
Value :
Key : scan.config.sca.filter
Value :
Key : scan.config.sca.ExploitablePath
Value :
Key : scan.handler.git.repository
Value :
Key : scan.config.sast.engineVerbose
Value :
Key : scan.handler.git.branch
Value :
Key : scan.config.kics.platforms
Value :
Key : scan.config.sast.languageMode
Value :
Key : scan.config.sast.incremental
Value :
Key : scan.config.plugins.ideScans
Value :