Skip to main content

GitHub Actions - Changelog

The following table lists the features and changes that have been implemented for GitHub Actions with the relevant version release.

Plugin Version

Release Date

CLI Version


Bug Fixes


Feb 5, 2024


  • Fixed issue that sarif output had been failing when there were no SAST results.


Jan 17, 2024


  • The output log is now stored to a variable cxcli, enabling users to access this data further along in their pipeline.

  • Made the summary HTML report responsive in order to improve display on narrow screens.

  • Fixed issue that submitting --groups was interfering with project configuration (e.g., removing designation of primary branch).

  • Fixed issue that sarif reports had been failing when no vulnerabilities were identified.


Oct 10, 2023


  • Updated CLI code to GO version 1.21.1 in order to remediate a vulnerability.

  • We now return an unlimited number of results in the results summary (had been limited to 10k).

  • Added an environment variable, "CX_IGNORE_PROXY", for ignoring proxies. Mark the variable as true to ensure that all Checkmarx One CLI commands run directly from the local machine.

  • Added Podfile and Podfile.lock to the list of included files (when creating the zip archive for scanning).


July 28, 2023


  • Added information about violated policies to the scan summary output.

    For policies that are configured to "break build", when the policy is violated the scan will fail. (The --ignore-policy flag can be applied using --additional-params to prevent policies from causing the scan to fail).


June 30, 2023


  • Added the ability to generate SBOM reports. SBOMs can be generated using CycloneDX or SPDX format. SPDX reports are output in JSON format, and CycloneDX can be output as JSON or xml. This can be done using the scan create or results show command.

  • Increased the default limit for projects returned using the project list command to 10,000. (This enables Checkmarx One to effectively verify whether a project with the specified name already exists when a scan is initiated via CLI/plugin.)

  • We added a new environment variable, CX_HTTP_PROXY, which can be used to designate a specialized proxy for Checkmarx One. When this is used, it overrides the proxy specified in your general HTTP_PROXY variable.


    We still support use of the HTTP_PROXY variable if you choose to use the same proxy for Checkmarx One as for your other applications.


Apr 3, 2023


  • You can now designate a scan as a "Private Package" and assign a package version to it using the addtional_params options. Once a private package has been scanned, info about the risks affecting that package will be identified by SCA when that package version is used in any of your projects. You can download an article about private packages here.

  • We added the --sca-exploitable-path flag to the additional_params options. This enables you to designate whether or not Exploitable Path will run on this particular scan. When used, this overrides the designation made in the project settings.

    We also added a flag --sca-last-sast-scan-time, which enables you to specify the number of days that SAST scan results are considered valid for use in Exploitable Path (i.e., if there is no current SAST scan, how many days prior to the current SCA scan will Checkmarx One look for a SAST scan to use for analyzing Exploitable Path.)


    The --sca-last-sast-scan-time flag is not yet fully supported and may not function as designed.

  • Improved memory usage when uploading zip files.

  • Added file extensions go.mod, go.sum, *.dart, and *.plist to the list of included files (when creating the zip archive for scanning).


Feb 23, 2023


  • The scan results summary is now shown in the build summary section on the build page.

  • Added option to generate reports in PDF format by setting --report-format to pdf. For PDF format reports, you can add the following additional flags:

    • Add the --report-pdf-email flag to specify email recipients.

    • Add the --report-pdf-options flag to specify which sections to include in the report. Options are: Iac-Security, Sast,Sca, ScanSummary, ExecutiveSummary, ScanResults.


Feb 2, 2023


General improvements and bug fixes.


Jan 27, 2023


  • Added option to generate reports in PDF format.


Jan 20, 2023


  • All references to AST have been changed to use the new product name "Checkmarx One".

  • Fixed issue that the Checkmarx GitHub action had been using an API that was deprecated by GitHub.


Dec 7, 2022


  • The KICS scanner is now referred to in Checkmarx One as "IaC Security". All mentions of the scanner and the vulnerabilities identified by it, now refer to IaC Security.

  • The API Security scanner is now supported for use via the CLI. When running the scan create command, you can now add api_security to the list of scanners under --scan-types.


Nov 10, 2022


  • The scan ID is now given as an output of the step, so that it can be used to obtain data from the scan for use in subsequent steps.


Sep 21, 2022


  • General improvements and bug fixes


Sep 15, 2022


  • General improvements and bug fixes


Sep 2, 2022


  • Added a Job Summary with the scan ID to the GitHub Action.

  • The comments for pull requests are now decorated with results from Checkmarx One scans that were triggered by that pull request. The comments show a list of new vulnerabilities introduced by the code change as well as the vulnerabilities that were fixed.

  • All documentation links now point to the new Checkmarx documentation portal at



Aug 1, 2022


  • General improvements and bug fixes


Jul 5, 2022


  • General improvements and bug fixes


Jun 15, 2022


  • General improvements and bug fixes


Jun 2, 2022


  • You can now add filters to the scan create command (to exclude files/folders from the scan) separately for each specific scanner. The flags for the new filters are: --sast-filter <string>, --kics-filter <string>, --sca-filter <string>. See scan create.


    The existing flag --file-filter , which sets filters for the entire scan (for all scanners) is still in use.

  • You can now add an ssh key to a scan, using the flag --ssh-key <string> with the path to the ssh private key.

Fixed issue that the branch specified in the settings was not overriding the pull request branch. The pull request branch is now used as the default when no branch is specified.


Apr 12, 2022


General improvements and bug fixes


Mar 2, 2022


  • Added new --sca-resolver-params flag to the scan create command. See documentation here.

  • The branch name is now shown correctly for Pull requests.


Feb 11, 2022


  • In the scan create command, we renamed the format flag as scan-info-format.

  • Renamed the results command as results show command.

  • Fixed a problem with proxy connections.

  • An error is now generated when project name is empty.


Jan 26, 2022


  • Added SummaryJSON reports.

  • Added the --scan-timeout <int> flag to the scan create command, enabling users to specify a time limit after which the scan will fail and terminate. See documentation here.

  • Updated UI elements to reflect the new Checkmarx branding (e.g., logo).


Jan 11, 2022


  • Added ability to break builds by specifying a threshold for acceptable vulnerabilities.

  • Added support for exporting scan results directly to SonarQube or SonarCloud console. See documentation here.


Nov 3, 2021


  • Updated CLI to version 2.0.4

  • Added branch parameter (required)


  • Added tenant support to CLI

  • Added tenant support to Github action and Jenkins


  • Added tenant support.

  • Updated the sources parameter:

    • Removed archive_source and source _directory.

    • Support only -s option

  • Fixed bug with additional parameters and spaces.

  • Fixed Preset – Not mandatory anymore.


  • Updated documentation:

    • Using scan_types instead of project_types


  • Supports SAST Scans.

  • Defines required and non-required parameters.

  • Provide examples for demos.