VSCode Tutorial - Settings.json
Goals
This tutorial is designed to teach the following topics:
How to enable scanning any folder or file from the CxVSCode plugin
How to move to Quiet (silent) mode
How to exclude or include files or folders
How to change the report path
How to configure a proxy
Prerequisites
VSCode 1.44 or later
CxSAST 9.0 or higher with known user credentials
Source code available
Checkmarx VSCode extension installed and enabled
The following tutorials completed:
Login
Scan & Reports
settings.json available in the active workspace inside the .vscode folder.
Procedure – Enabling Scan any Folder or File
On the Extensions page, click the Extensions icon. The CxVSCode plugin dialog appears.
On the Checkmarx SAST 9.x plugin dialog, click the Settings icon. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Enable the Enable Scan Buttons option.
Verify that the following has been added to the settings.json file.
"cx.enableScanButtons": true
In the CX PORTAL toolbar, click Scan Any File. You are asked to select a file for scanning.
Select a file to scan and ensure the scan has completed successfully.
Disable the Enable Scan Buttons option.
Verify that the settings.json file has been updated and that the cx.enableScanButtons setting has been removed.
To verify that the Enable Scan Buttons option is disabled:
In the CX PORTAL toolbar, click Scan Any File. A warning appears indicating that this option is disabled.
Procedure – Change to Quiet Mode
Click the Extension button to open the Extensions page.
Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Enable the Quiet mode.
Verify that the following has been added to the settings.json file.
"cx.quiet": true
From CX SCAN RESULT, generate a report. No popups appear.
Disable the Quiet mode option.
Verify that settings.json has been updated and the cx.quiet setting has been removed.
Procedure – Change Exclude/Include File or Folder Extensions
Click Extension to open the Extensions page.
Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Enable the Quiet mode option.
Change the File Extensions and Folder Exclusions settings as follows:
Verify that the changes are reflected in the settings.json file.
Notice
Strings starting with an exclamation mark (!) indicate that they must be excluded. Remove the exclamation mark to include the items.
Procedure – Change Report Path
Click Extension to open the Extensions page.
Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Edit the Report Path setting as follows:
Check that the edited report path is reflected in the settings.json file in the cx.reportPath variable as follows:
"cx.reportPath": "C:\\Users\\xxxxxx\\OneDrive - yyyyyy\\Documents\\CxFlow\\Report1.json"
Generate a new report and verify that it is available in the correct path.
Procedure – Change the SSL Certificate Path
Click Extension to open the Extensions page.
Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Edit the SSL certificate Path setting as follows:
Check that the SSL certificate path is reflected in the settings.json file in the cx.sslCertificatePath variable as follows (backslashes in a Windows path must be doubled inside a JSON string):
"cx.sslCertificatePath": "d:\\certificates\\cacert_chain.crt"
Enter the path to the certificate chain file that contains all intermediate and root CA certificates used for HTTPS connections.
Procedure - Enable User Credentials Login
Click Extension to open the Extensions page.
Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Enable the User Credentials Login setting as follows:
Verify that the setting is reflected in the settings.json file in the cx.enableUserCredentialsLogin variable as follows:
"cx.enableUserCredentialsLogin": true
Select this option for user credentials login.
Procedure – Enabling Workspace Only Scan
Click Extension to open the Extensions page.
Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Select Enable Workspace Only Scan.
Verify in the settings.json file that the following line was added.
"cx.enableWorkspaceOnlyScan": true
In the CX PORTAL, click Scan Any File.
Right-click a file, folder or workspace to scan. Only the option to scan at the workspace level is offered; individual files or folders cannot be scanned.
Configuring a Proxy
Navigate to File > Preferences > Settings > Application > Proxy. The proxy dialog appears.
Under Proxy, enter the URL of the proxy server, for example http://proxyhost:port.
Under Proxy Support, select Override. All HTTP requests from the VSCode extension are routed through the proxy server.
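The following settings.json brings together the keys named in the procedures above in one valid file. It is an added example, not a file from this page or from Checkmarx: the cx.* key names are the ones the procedures show, the http.proxy, http.proxySupport and http.proxyStrictSSL keys are the ones VSCode itself writes from File > Preferences > Settings > Application > Proxy, and every path, user name and proxy host is a constructed placeholder. VSCode reads settings.json as JSON with comments, so the // lines are allowed.

```jsonc
{
  // Checkmarx SAST 9.x plugin settings; key names as shown in this tutorial.
  // Each boolean is present only while the option is enabled; disabling it
  // removes the key again.
  "cx.enableScanButtons": true,
  "cx.quiet": true,
  "cx.enableWorkspaceOnlyScan": true,
  "cx.enableUserCredentialsLogin": true,

  // Backslashes in Windows paths must be doubled inside JSON strings
  // (placeholder path, constructed for this example).
  "cx.reportPath": "C:\\Users\\<user>\\Documents\\CxFlow\\Report1.json",

  // Chain file with all intermediate and root CA certificates that the plugin
  // uses to verify the CxSAST server over HTTPS (placeholder path).
  "cx.sslCertificatePath": "D:\\certificates\\cacert_chain.crt",

  // VSCode proxy settings; the host is a constructed placeholder.
  "http.proxy": "http://proxy.example.internal:8080",
  "http.proxySupport": "override",
  // Leave strict SSL on so certificates are still verified when traffic
  // is routed through the proxy.
  "http.proxyStrictSSL": true
}
```

The file exclusion and inclusion keys from the Change Exclude/Include procedure are deliberately left out, because this tutorial does not show their key names; when you add them, remember that patterns beginning with an exclamation mark (!) are exclusions.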
Assigning Users
You are able to assign users to vulnerabilities as explained below.
Open the Result table from the Settings menu.
Select the vulnerability to which you want to assign the user.
Select Assign User and enter the user name for the new user. The user appears in the Assigned User column of the selected vulnerability.
Working with Comments
You are able to add and edit comments for one or multiple vulnerabilities. Adding a comment to multiple vulnerabilities is referred to as a bulk comment from this point on.
To add a comment to one or several vulnerabilities (bulk comment):
In the Result table, select at least one vulnerability and click the Add Comment icon. The Add Comment dialog appears.
Enter the comment and then click <Submit>. The comment is added under Comments for the selected vulnerabilities. Up to the last five comments appear listed under Comments for each vulnerability.
To make adding comment mandatory:
Click Extension. The Extensions page appears.
Select Mandatory Comments. Comments are now mandatory on result change.
Notice
If this option is enabled inside CxSAST, but commenting is not defined as mandatory on the plugin side, an error message appears in the Extension Settings dialog with a reminder to make comments mandatory.

Once comments are set to be mandatory and the scan results change, the Add Comment dialog appears and you are asked to add a comment.

Once added, the result state and the associated vulnerability are checked in the Results State column and the comment appears in the Comment column.