Skip to main content

Setting Up the CLI Plugin

Prerequisites for CxSCA

  • Checkmarx CxSCA available

  • CLI Plugin (2020.2.11 and up)

  • Java JRE and SDK

  • Maven

The CLI plugin must be installed on your Management station and be connected to CxSCA.

Prerequisites for CxSAST/CxOSA

  • Checkmarx CxSAST/CxOSA installed (8.9.0 and up)

  • Checkmarx CLI Plugin (8.90.0 and up) installed on the same station

  • Java JRE and SDK

  • Maven

Notice

If your network requires connecting to the CxSAST server via a proxy, refer to Configuring CxConsole to Use a Proxy.

Installing the CLI Plugin

The relevant version of the CLI plugin is available for download from the Checkmarx Plugins page and downloads as CxConsolePlugin-<version number>.zip, for example CxConsolePlugin-2021.1.4.

To download and install the plugin:

  1. Download the CLI plugin from the Checkmarx Plugins page. The plugin is downloaded to the default download folder of your computer.

  2. Extract CxConsolePlugin-<version number>.zip into a folder of your choice. The CxConsole is ready for running the CLI.

Enabling the CLI Plugin for Use with CxSCA and CxSAST via Master Access Control

By default, plugins require a local user account that has been created via CxSCA User Management. To make CxSCA accessible for plugins via the Master Access Control, follow the instructions in this section.

Notice

  • A Master Access Control must be configured for CxSCA. For further information and instructions, refer to Using Master Access Control .

  • A valid CxSAST account with at least the 'SAST Scanner' role must be in place.

  • For CxSAST deployments without Management & Orchestration, the database must be modified as illustrated below.

To modify the database for CxSAST deployments without Management & Orchestration:

  • Open a command line interface and execute the database query below for MS SQL Server Management Studio Client as relevant for your CxSAST version:

To enable the CLI plugin for use with CxSCA via Master Access Control:

  1. Navigate to the CLI plugin folder.

  2. Open cx_console.properties in a text editor such as Notepad++. This file is located under <CLI Plugin Folder>\config.

  3. Navigate to the property “scan.sca.accesscontrol.url”.

  4. Change its value to the Master Access Control URL, for example scan.sca.accesscontrol.url=http://10.32.3.220/CxRestAPI/auth/.

Notice

The last "/" in the Master Access Aontrol URL is required. The URL looks similar to the following: scan.sca.accesscontrol.url=http://10.32.3.220/CxRestAPI/auth/

The sample command below illustrates a CLI command to perform a CxSCA scan using the CLI plugin via Master Access Control.

runCxConsole.cmd ScaScan -v -Projectname "Teamcity-Plugin_Prerelease" -locationtype folder -locationpath "d:\Source\SastAndOsaAndNuget\SastAndOsaSource"  -scaUsername <SAST Account UserName> -scaPassword <SAST Account Password> -scaAccount <scaAccountName>

Running the Scan Command

The CLI includes a single command:

scan

When being run from a script, the full command syntax is:

<path>\CxConsole\runCxConsole.cmd scan <arguments>

Property

Description

<path>

Full path to the CxConsole directory

<arguments>

Listed below. No defined order must me maintained. Some arguments are mandatory

Notice

The path for runCxConsole.cmd can be defined in the Path Environment Variable. In this case, it is not necessary to enter the full <path>.

Scan Command Arguments

The scan command runs a scan whose results will be saved to a new or existing CxSAST project. The code source must be specified. The existing project source location is not used. Upon running the command, the progress is displayed in the console and refreshed once per minute. When the scan is completed (or failed), the following three files are generated:

  • Log file: The default location is \CxConsole\Log . You can specify a different location with the –log command argument.

  • XML report (useful for automated parsing): You can specify a non-default location with the –xml command argument.

  • PDF report: Generated only if you use the –pdf command argument.

Notice

The log folder must have Read/Write permissions.