TeamCity Plugin - Changelog

We added a new environment variable, CX_HTTP_PROXY, which can be used to designate a specialized proxy for Checkmarx One. When this is used, it overrides the proxy specified in your general HTTP_PROXY variable.

You can now designate a scan as a "Private Package" and assign a package version to it using the Additonal parameters options. Once a private package has been scanned, info about the risks affecting that package will be identified by SCA when that package version is used in any of your projects. You can download an article about private packages here.

We added the --exploitable-path flag to the Additonal parameters options. This enables you to designate whether or not Exploitable Path will run on this particular scan. When used, this overrides the designation made in the project settings.

We also added a flag --sca-last-sast-scan-time, which enables you to specify the number of days that SAST scan results are considered valid for use in Exploitable Path (i.e., if there is no current SAST scan, how many days prior to the current SCA scan will Checkmarx One look for a SAST scan to use for analyzing Exploitable Path.)

Improved memory usage when uploading zip files.

Added file extensions go.mod, go.sum, *.dart, and *.plist to the list of included files (when creating the zip archive for scanning).

Fixed issue that spaces in additional params values had been causing errors.

All references to AST have been changed to use the new product name "Checkmarx One".

Added option to generate reports in PDF format by setting --report-format to pdf. For PDF format reports, you can add the following additional flags:

The KICS scanner is now referred to in Checkmarx One as "IaC Security". All mentions of the scanner and the vulnerabilities identified by it, now refer to IaC Security.

The API Security scanner is now supported for use via the CLI. When running the scan create command, you can now add api_security to the list of scanners under --scan-types.

A report is now generated when a build fails because of a threshold set in the Checkmarx One plugin.

You can now add filters to the scan create command (to exclude files/folders from the scan) separately for each specific scanner. The flags for the new filters are: --sast-filter <string>, --kics-filter <string>, --sca-filter <string>. See scan create.

You can now add an ssh key to a scan, using the flag --ssh-key <string> with the path to the ssh private key.

Changed the flag to async so that the workflow continues without failure for async scans.

Added all permissions for github token being used in action.

In the scan create command, we renamed the format flag as scan-info-format.

Renamed the results command as results show command.

In the scan create command, we renamed the format flag as scan-info-form.

Fixed problems with the proxy connection

Added SummaryJSON reports.

Added the --scan-timeout <int> flag to the scan create command, enabling users to specify a time limit after which the scan will fail and terminate. See documentation here.

Updated UI elements to reflect the new Checkmarx branding (e.g., logo).

Added ability to break builds by specifying a threshold for acceptable vulnerabilities.

Added support for exporting scan results directly to SonarQube or SonarCloud console. See documentation here.

Updated CLI to version 2.0.4

Added branch parameter (required)

Automatically trigger CxSAST, CxSCA and KICS scans from TeamCity projects

Supports use of CLI arguments to customize scan configuration

Automatically updates to the latest plugin version

Interface for viewing scan results summary and trends in the TeamCity environment

Direct links from within TeamCity to detailed Checkmarx One scan results and reports