utils

The utils command provides access to Checkmarx One utility functions.

Usage

./cx utils [command] 

Flags

Name        Default  Description
--help, -h           help for the utils command

completion

The completion command generates auto-completion scripts for the CLI.

Auto completion is supported for four shells: bash, zsh, fish, and powershell.

Notice

Auto completion enabled this way is valid only for the current session.

If the session is closed, you need to configure it again.

Usage

./cx utils completion --shell [bash|zsh|fish|powershell]

Flags

Name         Default  Description
--shell, -s           The type of shell [bash/zsh/fish/powershell]
--help, -h            help for the completion command

Examples

Bash Auto Completion

Linux

To configure auto completions for each session, execute the following:

# Load completion into the current shell session:
$ source <(./cx utils completion -s bash)
# Load completion for every new Linux session (writing to /etc normally requires root):
$ ./cx utils completion -s bash > /etc/bash_completion.d/cx

macOS

To configure auto completions for each session, execute the following:

# Load completion into the current shell session:
$ source <(./cx utils completion -s bash)
# Load completion for every new macOS session:
$ ./cx utils completion -s bash > /usr/local/etc/bash_completion.d/cx

zsh Auto Completion

To configure auto completions for each session, execute the following:

# Enable auto completion for the environment:
$ echo "autoload -U compinit; compinit" >> ~/.zshrc
# To load auto completion for each session, execute once:
$ ./cx utils completion -s zsh > "${fpath[1]}/_cx"
# start a new shell for this setup to take effect

fish Auto Completion

To configure auto completions for each session, execute the following:

# Configure auto completion:
$ ./cx utils completion -s fish | source
# To load auto completion for each session, execute once:
$ ./cx utils completion -s fish > ~/.config/fish/completions/cx.fish

PowerShell Auto Completion

# Load completion into the current PowerShell session:
PS> .\cx.exe utils completion -s powershell | Out-String | Invoke-Expression
# To load auto completion for each session, write the script to a file:
PS> .\cx.exe utils completion -s powershell > cx.ps1
# and source this file from your PowerShell profile

env

The env command presents the configured environment variables.

Usage

./cx utils env [flags] 

Flags

Name        Default  Description
--help, -h           help for the env command

Examples

Using the env command

[email protected]:~/ast-cli$ ./cx utils env

Detected Environment Variables:

            cx_proxy_auth_type:
                  cx_client_id:
              cx_client_secret:
                     cx_apikey:
                     cx_branch:
                    cx_timeout:
                   cx_base_uri:
                     cx_tenant:
                    http_proxy:
                  sca_resolver:
              cx_base_auth_uri:

contributor-count

The contributor-count command counts the unique contributors to repositories in the supported SCMs over the past 90 days.

Usage

./cx utils contributor-count [command] 

Flags

Name        Default  Description
--help, -h           help for the contributor-count command

Global Flags

The contributor-count family of commands does not support all global flags. The following flags are supported.

Flag                         Default    Description
--proxy <string>                        Proxy server to send communication through
--proxy-auth-type <string>              Proxy authentication type (basic or ntlm)
--proxy-ntlm-domain <string>            Windows domain when using NTLM proxy
--timeout <string>           5 Seconds  Timeout for network activity
--debug                                 Debug mode returns detailed logs, including the username of each contributor and the repos to which they contributed.

github

The github command presents the unique contributors for the provided GitHub repositories or organizations. Contributors are found by visiting every repository and comparing the author property of each commit. Bots are counted as contributors unless their commits carry the “type” value “Bot” (dependabot is therefore excluded). Contributors who commit under different names in their git configurations are counted as different contributors.

Notice

This command returns a breakdown of unique contributors per repo as well as the total number of unique contributors. When a particular user contributes to several different repos, this is counted as a single contributor for the total count. Therefore, the total count will not necessarily be equal to the sum of the individual repos.
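
The counting rules described above (one identity per commit author, exclusion of accounts typed “Bot”, the 90-day window, and a total that de-duplicates across repositories) worked through in Python as an added example. This is not ast-cli code; the commit records are constructed, and mapping the page's rules onto the GitHub API fields `author.type` (Bot check) and `commit.author.name` (contributor identity) is an assumption made for the illustration.

```python
"""Added example: reproduce the contributor-count rules on constructed commit data.
Not ast-cli code. Field mapping (author.type for the Bot check, commit.author.name
as the contributor identity) is an assumption for this illustration."""
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 90  # the page counts contributors for the past 90 days
REFERENCE_NOW = datetime(2022, 3, 18, tzinfo=timezone.utc)  # constructed "today"


def make_commit(name, date, login=None, acct_type="User"):
    """Build one constructed commit record in the GitHub commits-API shape."""
    return {
        "author": None if login is None else {"login": login, "type": acct_type},
        "commit": {"author": {"name": name, "date": date}},
    }


# Constructed sample data, not the history of any real repository.
SAMPLE_COMMITS = {
    "Checkmarx/ast-cli": [
        make_commit("Alice", "2022-03-01T10:00:00Z", "alice"),
        make_commit("dependabot[bot]", "2022-03-02T10:00:00Z", "dependabot[bot]", "Bot"),
        make_commit("A. Smith", "2022-03-03T10:00:00Z", "alice"),  # same account, different git name
    ],
    "Checkmarx/kics": [
        make_commit("Alice", "2022-02-20T10:00:00Z", "alice"),
        make_commit("Bob", "2022-02-21T10:00:00Z", "bob"),
        make_commit("Carol", "2021-11-01T10:00:00Z", "carol"),  # older than the 90-day window
    ],
}


def is_bot(commit):
    """Exclude commits whose account type is 'Bot' (this is what drops dependabot)."""
    author = commit.get("author") or {}
    return author.get("type") == "Bot"


def contributor_id(commit):
    """Identity is the git author name, so differing names count as different people."""
    return commit["commit"]["author"]["name"]


def in_window(commit, now=REFERENCE_NOW, days=WINDOW_DAYS):
    """Keep only commits authored within the last `days` days relative to `now`."""
    stamp = commit["commit"]["author"]["date"].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp) >= now - timedelta(days=days)


def count_contributors(commits_by_repo, now=REFERENCE_NOW):
    """Return (per-repo unique counts, overall unique count).

    The overall count de-duplicates across repositories, which is why it can be
    smaller than the sum of the per-repo numbers."""
    per_repo = {}
    everyone = set()
    for repo, commits in commits_by_repo.items():
        ids = {contributor_id(c) for c in commits if in_window(c, now) and not is_bot(c)}
        per_repo[repo] = len(ids)
        everyone |= ids
    return per_repo, len(everyone)


def render_table(per_repo, total):
    """Lay the result out like the CLI's table format."""
    width = max(len(n) for n in [*per_repo, "Total unique contributors"]) + 2
    rows = [f"{'Name':<{width}}UniqueContributors", f"{'----':<{width}}------------------"]
    rows += [f"{repo:<{width}}{n}" for repo, n in per_repo.items()]
    rows.append(f"{'Total unique contributors':<{width}}{total}")
    return "\n".join(rows)


if __name__ == "__main__":
    counts, total = count_contributors(SAMPLE_COMMITS)
    print(render_table(counts, total))
```

With the constructed data the per-repo counts are 2 and 2 while the total is 3, because Alice appears in both repositories and is counted once overall.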

Usage

./cx utils contributor-count github [flags] 

Flags

Name               Default                  Description
--format <string>  table                    The output format for the response. Possible values are json, list or table.
--help, -h                                  Help for the github command
--orgs <strings>                            Comma-separated list of organizations to scan for contributors.
--repos <strings>                           Comma-separated list of repositories to scan for contributors.
--token <string>                            GitHub OAuth token. Requires “Repo” scope and organization SSO authorization, if enforced by the organization.
--url <string>     https://api.github.com/  API base URL

Examples

Using the github Command to Count an Organization

PS C:\Users\ast-cli> cx utils contributor-count github --orgs checkmarx --token <token>

Name                               UniqueContributors 
----                               ------------------ 
...
Checkmarx/ast-cli                  1                  
Checkmarx/kics                     2   
...      
Total unique contributors          N

Using the github Command to Count Specific Repositories

PS C:\Users\ast-cli> cx utils contributor-count github --repos ast-cli,kics --orgs checkmarx --token <token>

Name                               UniqueContributors 
----                               ------------------ 
Checkmarx/ast-cli                  1                  
Checkmarx/kics                     2         
Total unique contributors          3

azure

The azure command presents the unique contributors for the provided Azure DevOps repositories, projects, and organizations.

Notice

This command returns a breakdown of unique contributors per repo as well as the total number of unique contributors. When a particular user contributes to several different repos, this is counted as a single contributor for the total count. Therefore, the total count will not necessarily be equal to the sum of the individual repos.

Usage

./cx utils contributor-count azure [flags]

Flags

Name                  Default                 Description
--help, -h                                    help for the azure command
--orgs <strings>                              Comma-separated list of organizations to scan for contributors
--projects <string>                           Comma-separated list of projects to scan for contributors
--repos <string>                              Comma-separated list of repositories to scan for contributors
--token <string>                              Azure DevOps personal access token. Requires “Connected server” and “Code” scope
--url-azure <string>  https://dev.azure.com/  API base URL
--format <string>     table                   The output format for the response. Possible values are json, list or table.

Examples

Using the azure Command to Count an Organization's Contributors

./cx utils contributor-count azure --orgs <orgs> --token <token>

[email protected]:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --token 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2
Checkmarx/private/ast-java-wrapper        1                    
...                                       ...
Total unique contributors                 7     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

With Debug

./cx utils contributor-count azure --orgs <orgs> --token <token> --debug

[email protected]:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --token 12345678910 --debug

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2
Checkmarx/private/ast-java-wrapper        1                    
...                                       ...
Total unique contributors                 7     

Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
Checkmarx/public/ast-cli                  User Checkmarx
Checkmarx/private/ast-java-wrapper        UserCheckmarx                
...

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

Using the azure Command to Count Projects' Contributors

./cx utils contributor-count azure --orgs <orgs> --projects <projects> --token <token>

[email protected]:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --token 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2                  
...                                       ...
Total unique contributors                 5     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

With Debug

./cx utils contributor-count azure --orgs <orgs> --projects <projects> --token <token> --debug

[email protected]:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --token 12345678910 --debug

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2                  
...                                       ...
Total unique contributors                 5     


Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
Checkmarx/public/ast-cli                  User Checkmarx          
...

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

Using the azure Command to Count Repositories' Contributors

./cx utils contributor-count azure --orgs <orgs> --projects <projects> --repos <repos> --token <token>

[email protected]:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --repos ast-cli --token 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2                  
Total unique contributors                 2     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

With Debug

./cx utils contributor-count azure --orgs <orgs> --projects <projects> --repos <repos> --token <token> --debug

[email protected]:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --repos ast-cli --token 12345678910 --debug

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2                                                    
Total unique contributors                 2     


Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
Checkmarx/public/ast-cli                  User Checkmarx          


2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

gitlab

The gitlab command presents the unique contributors for the provided GitLab groups or projects.

Notice

This command returns a breakdown of unique contributors per repo as well as the total number of unique contributors. When a particular user contributes to several different repos, this is counted as a single contributor for the total count. Therefore, the total count will not necessarily be equal to the sum of the individual repos.

Usage

.\cx.exe utils contributor-count gitlab [flags]

Flags

Name                   Default             Description
--format <string>      table               The output format for the response. Possible values are json, list or table.
--help, -h                                 help for the gitlab command
--token <string>                           GitLab OAuth token with at least ‘read_api’ and ‘read_repository’ permissions.
--groups <strings>                         Comma-separated list of group names to scan for contributors. If a subgroup is used, its full path is required; the full path includes the names of the parent groups and can be copied from the GitLab URL when the group is opened in the browser.
--projects <strings>                       Comma-separated list of project names to scan for contributors. Project names must be the full path/namespace.
--url-gitlab <string>  https://gitlab.com  API base URL

Examples

Using the gitlab Command to Count a Group

C:\Users\ast-cli> .\cx.exe utils contributor-count gitlab --token <token> --groups Checkmarx-ts/cxlite

Name                               UniqueContributors 
----                               ------------------ 
...
Checkmarx/CxLite/CxDemo            1                  
...      
Total unique contributors          1

Using the gitlab Command to Count Specific Projects

C:\Users\ast-cli> .\cx.exe utils contributor-count gitlab --token <token> --projects Checkmarx/CxLite/CxDemo

Name                               UniqueContributors 
----                               ------------------ 
Checkmarx/CxLite/CxDemo            1                           
Total unique contributors          1

bitbucket

The bitbucket command presents the unique contributors for the provided Bitbucket repositories, projects and organizations.

Notice

This command returns a breakdown of unique contributors per repo as well as the total number of unique contributors. When a particular user contributes to several different repos, this is counted as a single contributor for the total count. Therefore, the total count will not necessarily be equal to the sum of the individual repos.

Usage

./cx utils contributor-count bitbucket [flags]

Flags

Name                      Default                         Description
--help, -h                                                help for the bitbucket command
--workspaces <string>                                     Comma-separated list of workspaces to scan for contributors
--repos <string>                                          Comma-separated list of repositories to scan for contributors
--username <string>                                       Username for Bitbucket authentication
--password <string>                                       App password for Bitbucket authentication. Requires read on “Workspace membership” and “Repositories” permissions
--url-bitbucket <string>  https://api.bitbucket.org/2.0/  API base URL
--format <string>         table                           The output format for the response. Possible values are json, list or table.

Examples

Using the bitbucket Command to Count Workspace Contributors

./cx utils contributor-count bitbucket --workspaces <workspaces> --username <username> --password <password>

[email protected]:~/ast-cli$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --username cx --password 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/ast-cli                         2
Checkmarx/ast-java-wrapper                1                    
...                                       ...
Total unique contributors                 7     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

With Debug

./cx utils contributor-count bitbucket --workspaces <workspaces> --username <username> --password <password> --debug

[email protected]:~/ast-cli$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --username cx --password 12345678910 --debug

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/ast-cli                         2
Checkmarx/ast-java-wrapper                1                    
...                                       ...
Total unique contributors                 7       

Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
Checkmarx/ast-cli                         User Checkmarx
Checkmarx/ast-java-wrapper                UserCheckmarx                
...

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

Using the bitbucket Command to Count Repositories' Contributors

./cx utils contributor-count bitbucket --workspaces <workspaces> --repos <repos> --username <username> --password <password>

[email protected]:~/ast-cli$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --repos ast-cli --username cx --password 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/ast-cli                         2                  
Total unique contributors                 2     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

With Debug

./cx utils contributor-count bitbucket --workspaces <workspaces> --repos <repos> --username <username> --password <password> --debug

[email protected]:~/ast-cli$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --repos ast-cli --username cx --password 12345678910 --debug

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/ast-cli                         2                  
Total unique contributors                 2        


Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
Checkmarx/ast-cli                         User Checkmarx          


2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

bitbucket-server

The bitbucket-server command presents the unique contributors for the provided Bitbucket Server repositories and projects.

Notice

This command returns a breakdown of unique contributors per repo as well as the total number of unique contributors. When a particular user contributes to several different repos, this is counted as a single contributor for the total count. Therefore, the total count will not necessarily be equal to the sum of the individual repos.

Usage

./cx utils contributor-count bitbucket-server [flags]

Flags

Name                   Required  Default                                                          Description
--help, -h             no                                                                         Help for the bitbucket-server command
--projects <string>    no        all                                                              Comma-separated list of projects to scan for contributors
--repos <string>       no        all                                                              Comma-separated list of repositories to scan for contributors
--token <string>       no        If no token is provided, then only public projects are searched  The HTTP access token that you generated in Bitbucket. To learn how to generate a token, see the section "Create HTTP access tokens" here.
--server-url <string>  yes                                                                        The URL of your Bitbucket Server instance
--format <string>      no        table                                                            The output format for the response. Possible values are json, list or table.

Tip

When you submit --repos, you must also submit --projects.

Tip

On older versions of Bitbucket Server the HTTP access token is referred to as a "Personal access token". For Permissions select, at a minimum:

  • Project read, and

  • Repository read

Examples

Using the bitbucket-server Command to Count All Contributors

./cx utils contributor-count bitbucket-server --server-url <server-url> --token <token>

[email protected]:~/ast-cli$ ./cx utils contributor-count bitbucket-server --server-url bitbucket.my.com --token MYTOKEN

Name                                      UniqueContributors 
----                                      ------------------ 
CX/ast-cli                                2
...
AS/my-project                             1                    
...                                       ...
Total unique contributors                 7     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

With Debug

./cx utils contributor-count bitbucket-server --server-url <server-url> --token <token> --debug
[email protected]:~/ast-cli$ ./cx utils contributor-count bitbucket-server --server-url bitbucket.my.com --token MYTOKEN --debug

Name                                      UniqueContributors 
----                                      ------------------ 
CX/ast-cli                                2
...
AS/my-project                             1
...                                       ...
Total unique contributors                 7       

Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
CX/ast-cli                                user - [email protected]
...
AS/my-project                             user2 - [email protected]
...

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

Using the bitbucket-server Command to Count Projects' Contributors

./cx utils contributor-count bitbucket-server --projects <projects> --server-url <server-url> --token <token>

[email protected]:~/ast-cli$ ./cx utils contributor-count bitbucket-server --projects CX --server-url bitbucket.my.com --token MYTOKEN

Name                                      UniqueContributors 
----                                      ------------------ 
CX/ast-cli                                2
CX/ast-java-wrapper                       1                    
...                                       ...
Total unique contributors                 7     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

With Debug

./cx utils contributor-count bitbucket-server --projects <projects> --server-url <server-url> --token <token> --debug
[email protected]:~/ast-cli$ ./cx utils contributor-count bitbucket-server --projects CX --server-url bitbucket.my.com --token MYTOKEN --debug

Name                                      UniqueContributors 
----                                      ------------------ 
CX/ast-cli                                2
CX/ast-java-wrapper                       1
...                                       ...
Total unique contributors                 7       

Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
CX/ast-cli                                user - [email protected]
CX/ast-java-wrapper                       user2 - [email protected]
...

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

Using the bitbucket-server Command to Count Repositories' Contributors

./cx utils contributor-count bitbucket-server --projects <projects> --repos <repos> --server-url <server-url> --token <token>

[email protected]:~/ast-cli$ ./cx utils contributor-count bitbucket-server --projects CX --repos ast-cli --server-url bitbucket.my.com --token MYTOKEN

Name                                      UniqueContributors 
----                                      ------------------ 
CX/ast-cli                                2                  
Total unique contributors                 2     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

With Debug

./cx utils contributor-count bitbucket-server --projects <projects> --repos <repos> --server-url <server-url> --token <token> --debug
[email protected]:~/ast-cli$ ./cx utils contributor-count bitbucket-server --projects CX --repos ast-cli --server-url bitbucket.my.com --token MYTOKEN --debug

Name                                      UniqueContributors 
----                                      ------------------ 
CX/ast-cli                                2
Total unique contributors                 2        


Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
CX/ast-cli                                user - [email protected] 


2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

learn-more

The learn-more command retrieves extended descriptions of SAST vulnerabilities from the CLI.

The command must be run with the --query-id flag; the query ID can be retrieved from a scan’s results and passed to this command.

Usage

./cx utils learn-more --query-id <query-id> --format [json|table|list]

Flags

Name                   Default  Description
--query-id (required)           The SAST query-id for a vulnerability
--format               list     The output format for the response. Possible values are json, list or table.
--help, -h                      Help for the learn-more command

Examples

learn-more command

Default (without format flag)

./cx utils learn-more --query-id 5854466950125120303

QueryID                : 5854466950125120303
QueryName              : Open_Redirect
QueryDescriptionID     : Stored_Open_Redirect
ResultDescription      : The potentially tainted value provided by @SourceElement in @SourceFile at line @SourceLine is used as a destination URL by @DestinationElement in @DestinationFile at line @DestinationLine, potentially allowing attackers to perform an open redirection.


Risk                   : An attacker could use social engineering to get a victim to click a link to the application, so that the user will be immediately redirected to another site of the attacker's choice. An attacker can then craft a destination website to fool the victim; for example - they may craft a phishing website with an identical looking UI as the previous website's login page, and with a similar looking URL, convincing the user to submit their access credentials in the attacker's website. Another example would be a phishing website with an identical UI as that of a popular payment service, convincing the user to submit their payment information.


Cause                  : The application redirects the user’s browser to a URL provided by a tainted input, without first ensuring that URL leads to a trusted destination, and without warning users that they are being redirected outside of the current site. An attacker could use social engineering to get a victim to click a link to the application with a parameter defining another site to which the application will redirect the user’s browser. Since the user may not be aware of the redirection, they may be under the misconception that the website they are currently browsing can be trusted.


GeneralRecommendations :
1.  Ideally, do not allow arbitrary URLs for redirection. Instead, create a mapping from user-provided parameter values to legitimate URLs.
2.  If it is necessary to allow arbitrary URLs:
    *   For URLs inside the application site, first filter and encode the user-provided parameter, and then either:
        *   Create a white-list of allowed URLs inside the application
        *   Use variables as a relative URL as an absolute one, by prefixing it with the application site domain - this will ensure all redirection will occur inside the domain
    *   For URLs outside the application (if necessary), either:
        *   White-list redirection to allowed external domains by first filtering URLs with trusted prefixes. Prefixes must be tested up to the third slash \[/\] - `scheme://my.trusted.domain.com/,` to prevent evasion. For example, if the third slash \[/\] is not validated and scheme://my.trusted.domain.com is trusted, the URL scheme://my.trusted.domain.com.evildomain.com would be valid under this filter, but the domain actually being browsed is evildomain.com, not domain.com.
        *   For fully dynamic open redirection, use an intermediate disclaimer page to provide users with a clear warning that they are leaving the site.



Samples                : [{Java protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String redirectUrl = request.getParameter("redirectUrl");
    if (redirectUrl != null) {
        response.sendRedirect(redirectUrl);
    } else {
          response.sendRedirect("/");
    }
} Java Servlet Vulnerable to Open Redirection} {Java protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String redirectUrl = request.getParameter("redirectUrl");
    if (redirectUrl != null && redirectUrl.startsWith("https://www.trusteddomain.com/")) {
        response.sendRedirect(redirectUrl);
    } else {
          response.sendRedirect("/");
    }
} Whitelisting an Allowed External Domain, Preventing Open Redirection}]
JSON format

./cx utils learn-more --query-id 5854466950125120303 --format json

[
  {
    "queryId": "5854466950125120303",
    "queryName": "Open_Redirect",
    "queryDescriptionId": "Stored_Open_Redirect",
    "resultDescription": "The potentially tainted value provided by @SourceElement in @SourceFile at line @SourceLine is used as a destination URL by @DestinationElement in @DestinationFile at line @DestinationLine, potentially allowing attackers to perform an open redirection.\n\n",
    "risk": "An attacker could use social engineering to get a victim to click a link to the application, so that the user will be immediately redirected to another site of the attacker's choice. An attacker can then craft a destination website to fool the victim; for example - they may craft a phishing website with an identical looking UI as the previous website's login page, and with a similar looking URL, convincing the user to submit their access credentials in the attacker's website. Another example would be a phishing website with an identical UI as that of a popular payment service, convincing the user to submit their payment information.\n\n",
    "cause": "The application redirects the user’s browser to a URL provided by a tainted input, without first ensuring that URL leads to a trusted destination, and without warning users that they are being redirected outside of the current site. An attacker could use social engineering to get a victim to click a link to the application with a parameter defining another site to which the application will redirect the user’s browser. Since the user may not be aware of the redirection, they may be under the misconception that the website they are currently browsing can be trusted.\n\n",
    "generalRecommendations": "\r\n1.  Ideally, do not allow arbitrary URLs for redirection. Instead, create a mapping from user-provided parameter values to legitimate URLs.\r\n2.  If it is necessary to allow arbitrary URLs:\r\n    *   For URLs inside the application site, first filter and encode the user-provided parameter, and then either:\r\n        *   Create a white-list of allowed URLs inside the application\r\n        *   Use variables as a relative URL as an absolute one, by prefixing it with the application site domain - this will ensure all redirection will occur inside the domain\r\n    *   For URLs outside the application (if necessary), either:\r\n        *   White-list redirection to allowed external domains by first filtering URLs with trusted prefixes. Prefixes must be tested up to the third slash \\[/\\] - `scheme://my.trusted.domain.com/,` to prevent evasion. For example, if the third slash \\[/\\] is not validated and scheme://my.trusted.domain.com is trusted, the URL scheme://my.trusted.domain.com.evildomain.com would be valid under this filter, but the domain actually being browsed is evildomain.com, not domain.com.\r\n        *   For fully dynamic open redirection, use an intermediate disclaimer page to provide users with a clear warning that they are leaving the site.\r\n\n\n",
    "samples": [
      {
        "progLanguage": "Java",
        "code": "protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    String redirectUrl = request.getParameter(\"redirectUrl\");\n    if (redirectUrl != null) {\n        response.sendRedirect(redirectUrl);\n    } else {\n          response.sendRedirect(\"/\");\n    }\n}",
        "title": "Java Servlet Vulnerable to Open Redirection"
      },
      {
        "progLanguage": "Java",
        "code": "protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    String redirectUrl = request.getParameter(\"redirectUrl\");\n    if (redirectUrl != null \u0026\u0026 redirectUrl.startsWith(\"https://www.trusteddomain.com/\")) {\n        response.sendRedirect(redirectUrl);\n    } else {\n          response.sendRedirect(\"/\");\n    }\n}",
        "title": "Whitelisting an Allowed External Domain, Preventing Open Redirection"
      }
    ]
  }
]

remediation

The remediation command enables you to automatically remediate vulnerabilities for results that came from a specific Checkmarx scanner.

Usage

./cx utils remediation [command]

Flags

Name

Default

Description

--help

N/A

help for the utils remediation

Commands

Name

Default

Description

kics

used to remediate kics results

sca

used to remediate sca results

kics

The kics command enables you to automatically remediate kics vulnerabilities.

Caution

This feature is currently supported only for Terraform projects.

Usage

./cx utils remediation kics [flags]

Flags

Name

Mandatory

Default

Description

--engine <string>

no

docker

Name in the $PATH for the container engine used to run kics. Example: podman

--kics-files <string>

yes

N/A

Absolute path to the folder that contains the file(s) to be remediated.

--results-file <string>

yes

N/A

Path to the kics scan results file. This is used to identify and remediate the kics vulnerabilities.

--similarity-ids <string>,<string>

no

Remediates all vulnerabilities

Comma-separated list of the similarity ids that should be remediated, for example: --similarity-ids b42a19486a8e18324a9b2c06147b1c49feb3ba39a0e4aeafec5665e60f98d047,9574288c118e8c87eea31b6f0b011295a39ec5e70d83fb70e839b8db4a99eba8

Examples

Remediating all vulnerabilities
./cx utils remediation kics --results-file <PATH-TO-RESULTS> --kics-files <ABSOLUTE-PATH-TO-FILES>
[email protected]:/AST$ ./cx utils remediation kics --results-file "./results.json" --kics-files "/home/terraform_examples/"
{"available_remediation_count":3,"applied_remediation_count":3}
Remediating a specific vulnerability
./cx utils remediation kics --results-file <PATH-TO-RESULTS> --kics-files <ABSOLUTE-PATH-TO-FILES> --similarity-ids <SIMILARITY-ID-LIST>
[email protected]:/AST$ ./cx utils remediation kics --results-file "./results.json" --kics-files "/home/terraform_examples/" --similarity-ids b42a19486a8e18324a9b2c06147b1c49feb3ba39a0e4aeafec5665e60f98d047
{"available_remediation_count":3,"applied_remediation_count":1}
Remediating using a specific engine
./cx utils remediation kics --results-file <PATH-TO-RESULTS> --kics-files <ABSOLUTE-PATH-TO-FILES> --engine <ENGINE-NAME>
[email protected]:/AST$ ./cx utils remediation kics --results-file "./results.json" --kics-files "/home/terraform_examples/" --engine podman
{"available_remediation_count":3,"applied_remediation_count":3}
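The command prints a one-line JSON summary with the number of remediations available and applied. The following added example (not part of the Checkmarx CLI or its documentation) parses that summary so a pipeline can fail when some vulnerabilities could not be remediated; the sample outputs are constructed from the shape shown above.

```shell
#!/bin/sh
# Added example, not from the Checkmarx CLI docs: gate a pipeline on the JSON
# summary that `cx utils remediation kics` prints, e.g.
#   {"available_remediation_count":3,"applied_remediation_count":1}

# Extract one integer field from the single-line JSON summary (no jq needed).
# $1 = JSON line, $2 = field name
json_count() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Print "applied/available" and return 0 only when every available
# remediation was applied; return 2 when the line is not the expected summary.
check_remediation() {
    available=$(json_count "$1" available_remediation_count)
    applied=$(json_count "$1" applied_remediation_count)
    if [ -z "$available" ] || [ -z "$applied" ]; then
        echo "unexpected remediation output: $1" >&2
        return 2
    fi
    echo "$applied/$available remediations applied"
    [ "$applied" -eq "$available" ]
}

# Constructed sample outputs, copied from the shape of the examples above.
SAMPLE_ALL='{"available_remediation_count":3,"applied_remediation_count":3}'
SAMPLE_PARTIAL='{"available_remediation_count":3,"applied_remediation_count":1}'

# Real use (paths are placeholders):
#   OUT=$(./cx utils remediation kics --results-file ./results.json \
#         --kics-files /home/terraform_examples/) && check_remediation "$OUT"
```

A non-zero exit from check_remediation leaves the unremediated findings for manual review rather than letting the job pass silently.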

sca

The sca command enables you to automatically remediate sca vulnerabilities.

Usage

./cx utils remediation sca [flags]

Warning

Currently only npm dependency files (package.json) are supported for this functionality.

Flags

Name

Default

Description

--package-files <string>

N/A

Path(s) to the package files in which the package version should be remediated

--package <string>

N/A

Name of the package to be replaced

--package-version <string>

N/A

Version of the package to be replaced

Examples

Remediating a specific package successfully
./cx utils remediation sca --package-files <PACKAGE-FILE-PATHS> --package <PACKAGE-NAME> --package-version <PACKAGE-VERSION>
[email protected]:/AST$ ./cx utils remediation sca --package-files /home/package.json ,/home/src/package.json --package copyfiles --package-version 1.2.1
Remediating a nonexistent package
./cx utils remediation sca --package-files <PACKAGE-FILE-PATHS> --package <PACKAGE-NAME> --package-version <PACKAGE-VERSION>
[email protected]:/AST$ ./cx utils remediation sca --package-file /home/package.json --package copyfile --package-version 1.2.1
Package copyfile not found
Remediating using an unsupported file
./cx utils remediation sca --package-files <PACKAGE-FILE-PATHS> --package <PACKAGE-NAME> --package-version <PACKAGE-VERSION>
[email protected]:/AST$ ./cx utils remediation sca --package-file /home/pom.xml --package log4j --package-version 1.2.1
Unsupported package manager file

pr

The pr command decorates pull requests with results from Checkmarx One scans that were triggered by that pull request. The pull request comments show a list of new vulnerabilities that were introduced by the code changes as well as a list of vulnerabilities that were fixed by the code changes. Currently, the only supported SCM configuration is GitHub.


The pull request decoration command requires the following attributes to decorate a PR successfully:

--scan-id, --token, --namespace, --repo-name, --pr-number

Usage

./cx utils pr github --scan-id <scan-id> --token <PAT> --namespace <organization> --repo-name <repository> --pr-number <pr number>

Flags

Name

Mandatory

Default

Description

--scan-id

yes

n/a

The scan ID for the PR that is being decorated. This can be extracted from the scan result that is obtained after the pull request is scanned.

--token

yes

n/a

The SCM access token used to create the decoration

--namespace

yes

n/a

SCM namespace for the repository

--repo-name

yes

n/a

SCM repository name

--pr-number

yes

n/a

The number of the pull request to decorate

Examples

pr github command

./cx.exe utils pr github --scan-id b8e043bc-4c72-4638-ac54-7ac1b40d1234 --namespace jay-nanduri --repo-name testGHAction --pr-number 1 --token <secret-token>
2022/08/31 12:31:43 PR comment created successfully.
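When the command runs inside a GitHub Actions pull_request job, the namespace, repository name and PR number are already present in the runner's environment. The following added example (not part of the Checkmarx CLI or its documentation) derives the three flag values from GITHUB_REPOSITORY ("owner/repo") and GITHUB_REF ("refs/pull/<n>/merge"); SCAN_ID and CX_SCM_TOKEN in the usage comment are hypothetical variable names.

```shell
#!/bin/sh
# Added example, not from the Checkmarx CLI docs: compute --namespace,
# --repo-name and --pr-number for `cx utils pr github` from the variables
# GitHub Actions sets on a pull_request run.

# Print "namespace repo pr-number" for a repository slug and a git ref;
# return 1 when the inputs are not an owner/repo slug and a pull request ref.
pr_target() {
    repo_slug=$1   # e.g. jay-nanduri/testGHAction (GITHUB_REPOSITORY)
    ref=$2         # e.g. refs/pull/1/merge        (GITHUB_REF)
    case $ref in
        refs/pull/*/merge|refs/pull/*/head) ;;
        *) echo "not a pull request ref: $ref" >&2; return 1 ;;
    esac
    case $repo_slug in
        */*) ;;
        *) echo "expected owner/repo, got: $repo_slug" >&2; return 1 ;;
    esac
    pr_number=${ref#refs/pull/}      # 1/merge
    pr_number=${pr_number%%/*}       # 1
    echo "${repo_slug%%/*} ${repo_slug#*/} $pr_number"
}

# Usage in a workflow step; the PAT comes from a secret, never a literal
# on the command line (SCAN_ID and CX_SCM_TOKEN are hypothetical names):
#   target=$(pr_target "$GITHUB_REPOSITORY" "$GITHUB_REF") || exit 1
#   set -- $target
#   ./cx utils pr github --scan-id "$SCAN_ID" --token "$CX_SCM_TOKEN" \
#       --namespace "$1" --repo-name "$2" --pr-number "$3"
```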

tenant

The tenant command enables users to retrieve info about the global settings that apply to their tenant account (i.e., the info shown on the Account Settings screen in the web portal).

Usage

./cx utils tenant [flags]

Flags

Name

Default

Description

--format

list

The output format for the response. Possible values are json, list or table.

--help, -h

Help for the tenant command

Examples

Sample Response

[email protected]:~/ast-cli$ ./cx utils tenant
Key   : scan.config.sast.defaultConfigId
Value :

Key   : scan.config.kics.filter
Value :

Key   : scan.config.sast.presetName
Value : ASA Premium

Key   : scan.handler.git.token
Value :

Key   : scan.config.sca.LastSastScanTime
Value :

Key   : scan.config.sast.filter
Value :

Key   : scan.handler.git.sshKey
Value :

Key   : scan.config.sca.filter
Value :

Key   : scan.config.sca.ExploitablePath
Value :

Key   : scan.handler.git.repository
Value :

Key   : scan.config.sast.engineVerbose
Value :

Key   : scan.handler.git.branch
Value :

Key   : scan.config.kics.platforms
Value :

Key   : scan.config.sast.languageMode
Value :

Key   : scan.config.sast.incremental
Value :

Key   : scan.config.plugins.ideScans
Value :