Running Scans from the CLI

Applications such as CxSAST and CxOSA enable you to run static application security tests (SAST) and open-source analysis (OSA) scans as a CLI command. By default, the SAST scans run in synchronous mode. This means that the CLI initiates the scan task, which can then be viewed in the CLI and the created log file. In asynchronous mode, the scan ends when the scan request reaches the scan queue. Therefore, the scan results can be viewed in the (CxSAST) web application only.

To scan projects with open source packages, use the CxConsole commands as explained below. The CxConsole CLI provides software composition analysis based only on the manifest files and fingerprints. This analysis involves compressing and sending only the manifest files, configuration files, file names, and fingerprint data to the CxSCA cloud. The source code is not sent to the cloud.

Running scans from the CLI requires the prerequisites below.

CxSAST and CxOSA

Checkmarx CxSAST (v8.9.0 and up) installed. For the required version, refer to the change log entry for the specific version of the plugin.
Checkmarx CLI Plugin (8.90.0 and up) installed. The files to download and install the plugin can be found in the Checkmarx central plugins repository.

Notice

The user running the CLI plugin scan must have both 'Scanner' and 'Reviewer' role permissions.

CxSCA

Checkmarx CxSCA enabled (CxSCA in the cloud) with a valid license.

Notice

You are unable to start using CxSCA unless the end user license agreement (EULA) has been viewed and accepted.

This section lists the syntax for scans from the CLI for CxSCA, CxSAST and CxOSA.

CxSCA Scan

<path to CxConsolePlugin>\runCxConsole.cmd ScaScan -scalocationpath <arg> -ProjectName <arg> -scaUsername <arg> -scaPassword <arg> -scaAccount<arg>

Example: C:\>runCxConsole.cmd ScaScan -scalocationpath "C:\ant\testant" -ProjectName "CxServer/SP/Company/Users/bs java" -scaUsername **** -scaPassword ********* -scaAccount *****

CxSCA - SCA Resolver Scan

<path to CxConsolePlugin>\runCxConsole.cmd ScaScan -scalocationpath <arg> -ProjectName <arg> -scaUsername <arg> -scaPassword <arg> -scaAccount<arg> -enablescaresolver -pathtoresolver <arg> -scaresolveraddparameters <arg>

Example: C:\CxConsolePlugin\runCxConsole.cmd ScaScan -scalocationpath "C:\ant\testant" -ProjectName "CxServer/Project1" -scaUsername **** -scaPassword ********* -scaAccount ***** -enablescaresolver -pathtoresolver "C:\ScaResolver-win64" -scaresolveraddparameters "-s C:\ant\testant -n Propject1 -r C:\ScaResolver-win64\Offline\results.json"

Notice

Make sure to provide the full path to "results.json" for the "-r" parameter as illustrated in the syntax example above.

CxSAST Scans

Synchronous mode: runCxConsole Scan -v -CxServer <host> -ProjectName <projectName> -CxUser <username> -CxPassword <password> -LocationType <LocationType> -LocationPath <locationpath>

Example (project name is bookname j2): runCxConsole.cmd Scan -v -ProjectName "CxServer/bookname j2" -CxServer http://localhost -cxuser username -cxpassword admin -LocationType folder -LocationPath "C:\Data\Projects\Java\bs java" -preset "Checkmarx Default"


Asynchronous mode: runCxConsole AsyncScan -v -CxServer <host> -ProjectName <projectName> -CxUser <username> -CxPassword <password> -LocationType <LocationType> -LocationPath <locationpath>

Example (project name is bookname j2): runCxConsole.cmd AsyncScan -v -ProjectName "CxServer/bookname j2" -CxServer http://localhost -cxuser username -cxpassword admin -LocationType folder -LocationPath "C:\Data\Projects\Java\bs java" -preset "Checkmarx Default"

CxOSA Scans

Synchronous mode: runCxConsole Scan -v -CxServer <host> -ProjectName <projectName> -CxUser <username> -CxPassword <password> -LocationType <LocationType> -LocationPath <locationpath> -Preset <preset> -EnableOsa -OsaLocationPath <filename>

Example (CxOSA scan part of the existing 'bc ts java project'): runCxConsole.cmd Scan -v -ProjectName "team/SP/Company/Users/bc ts java" -CxServer http://localhost -cxuser admin -cxpassword admin -LocationType folder -LocationPath C:\Users\Desktop\project -preset Default -EnableOsa -OsaJson

Example (CxOSA scan of C:\Users\Desktop\testProjects\osa_jenkins_project as part of the existing 'bc ts java project'): 
runCxConsole.cmd Scan -v -ProjectName "team/SP/Company/Users/bc ts java" -CxServer http://localhost -cxuser admin -cxpassword admin -LocationType folder -LocationPath C:\Users\Desktop\project -preset Default -EnableOsa -OsaLocationPath C:\Users\Desktop\buildProducts -OsaJson

This section lists and explains the parameters for the CLI parameters.

Key	Description
Global
-CxServer <server>	Mandatory: Enter the IP address or a resolvable hostname.
-TrustedCertificates	Optional: This parameter can be used to add certified security to the connection. By default, all certificates are trusted. When disabled, only certificates signed by a trusted certificate authority can be accepted. Notice Only available when the URL starts with ‘https’ for SSL.
-configascode	Optional: Override the scan settings with the Remote/Local configuration file, which is located inside the source directory.
-ProjectName <project name>	Mandatory: An existing or new project name with full path. If the project does not exist, it is being created, for example -ProjectName CxServer/SP/Company/Users/my project Notice In case of CxSCA, if the project does not exist, it will be created. In addition, a team is assigned to it. The slashes for the path in versions 8.x are backwards and appear as follows: -ProjectName CxServer\SP\Company\Users\my project
-LocationType <type>	Mandatory: Source location type: Enter one of the following: folder shared (network location) SVN TFS Perforce GIT
-WorkspaceMode <path>	Optional: When the -LocationType parameter is set to Perforce, add the -WorkspaceMode and the workspace name into -LocationPath
-LocationPath <path>	Local or network path to sources or the source repository branch. This parameter is mandatory, if -LocationType is set to folder, SVN, TFS, Perforce or shared.
-LocationURL <url>	The source control URL. The parameter is mandatory, if -LocationType points to any source control system. Warning For GIT repositories, the GIT username and password must be part of the LocationURL, for example http://my_username:[email protected]/
-LocationPort <url>	Optional: Source control system port: Default: 8080 (TFS) 80 (SVN) or 1666 (Perforce)
-LocationBranch <branch>	The full path to the Source Git branch. This parameter is mandatory, if -LocationType is set to GIT.
-LocationUser <username>	The source control/network credentials. This parameter ismandatory, if -LocationType is set to TFS, Perforce or shared. Warning For GIT repositories, the GIT username and password must be part of the LocationURL, for example http://my_username:[email protected]/
-LocationPassword <password>	The source control/network credentials. This parameter is mandatory, if -LocationType is set to TFS, Perforce or shared. Warning For GIT repositories, the GIT username and password must be part of the LocationURL, for example http://my_username:[email protected]/
-LocationPrivateKey <path\file>	The GIT SSH key locations. This parameter is mandatory, if -Locationtype is set to GIT using SSH.
-ForceScan	Optional: Force scan on source code, which has not been changed since the last scan of the same project. -ForceScan is not compatible with the -Incremental parameter. Note If the user configures both -ForceScan and -Incremental, a full scan will be performed.
-LocationPathExclude <folders list>	Optional: Comma separated list of folder name patterns to be excluded from scans. For example, exclude all folders whose names start with test and all folders whose names end with log: -locationPathExclude “test,log” Notice In case this parameter is sent, it is added to the default exclusion of the CLI configuration file (cx_console.properties).
-LocationFilesExclude <files list>	Optional: Comma separated list of file name patterns to be excluded from scans. For example, exclude all files with a '.class' extension: When using a local repository such as Folder: -LocationFilesExclude “!/.class”* When using a remote repository such as Git: *-LocationFilesExclude “.class” Notice In case this parameter is sent, it is added to the default exclusion of the CLI configuration file (cx_console.properties**).
-includeExcludePattern <files list>	Optional: Comma separated list of file name patterns to exclude/include from/to a scan. For example, exclude all files with '.class' extension by entering the following: *-includeexcludepattern "!.class,*/.java"**
-Configuration <configuration>	Optional: Code language configuration. Possible values are the following ones: Default Configuration Improved Scan Flow, for additional information on this option, refer to Creating and Configuring a CxSAST Project.. Japanese (Shift-JIS) Korean Multi-language Scan Notice If -Configuration is not set, 'Default Configuration' is used.
-Private	Optional: If set, the scan is invisible to others.
-Log <path\file>	Optional: If set, a log file is created.
-Comment <text>	Optional: Saves a comment with the scan results, for example: -comment "important scan1" Notice Not supported in AsyncScan mode.
-verbose \| -v	Optional: Turns on the Verbose mode. When turned on, all messages and events are sent to the console or log file. Notice For debugging, place this argument before others, so that if the command is failing at any other argument, the Verbose mode remains active.
-CheckPolicy	Optional: If enabled, the build breaks, if either the CxSAST, CxSCA or the CxOSA policy has been violated. Notice This command is supported with synchronous CxSAST, CxSCA and CxOSA scans. A policy is assigned to a project from within CxSAST or CxSCA. In case of a CxSCA scan, the name and description of all violated policies and rules are displayed. If the command line is used, but there is no policy assigned to the project, the output still shows "Policy: Compliant"
-postScanAction <post scan action name>	An action that is executed by the CxSAST server once the scan is complete. Post scan actions are configured in the CxSAST server. Set this parameter to the name of the post scan action required.
CxSAST
-EnableSASTBranching	Optional: Enable to support branching.
-MasterBranchProjName	Optional: The SAST project will be created from the branch name provided in this parameter value. This parameter is mandatory if the EnableSASTBranching parameter is enabled.
-PeriodicFullScan	Optional: This specifies when a full scan should commence once an a number of incremental scans have run. The incremental parameter is mandatory if the periodic full scan value is provided. The calculation starts with the BUILD_NUMBER when the feature is enabled. The BUILD_NUMBER variable, is an environment variable and must be set in system environment variables. Example: If the next BUILD_NUMBER enabled for the feature is 566 and the periodic scan value is 2, then the 566 build/job will be incremental and 568 will be full. Every third build/job will be full. If the next build number when the feature was enabled is 565, then 565 will be a full scan and then every subsequent third job. The logic is : the remainder of BUILD_NUMBER divided by (frequency+1)
-useSSO	Optional: Single Sign-On: Use Windows credentials of the current user to log into CxSAST. Notice If you use CxSAST 9.0.0 and utilize -useSSO, update the CLI to v9.0.0.
-CxUser <username>	Mandatory unless -useSSO is used: CxSAST username to log in
-CxPassword <password>	Mandatory unless -useSSO is used: CxSAST password to log in
-Preset <preset>	Optional: If this parameter is not set, the default preset Checkmarx Default is used, even if a different preset has already been set for the existing project.
-Incremental	Optional: Run incremental scan instead of a full scan. Scans only new and modified files, relative to project's last scan. -Incremental disables any -ForceScan settings. Notice Any changes that exceed the incremental scan threshold fail the scan. Note If the user configures both -ForceScan and -Incremental, a full scan will be performed.
-SASTHigh <number of high SAST vulnerabilities>	Optional: CxSAST high severity vulnerability threshold. If the number of high vulnerabilities exceeds the threshold, the scan ends with an error. Refer to Error/Exit Codes. Notice Not supported in AsyncScan mode.
-SASTMedium <number of medium SAST vulnerabilities>	Optional: CxSAST medium severity vulnerability threshold. If the number of medium vulnerabilities exceeds the threshold, the scan ends with an error. Refer to Error/Exit Codes. Notice Not supported in AsyncScan mode.
-SASTLow <number of low SAST vulnerabilities>	Optional: CxSAST low severity vulnerability threshold. If the number of low vulnerabilities exceeds the threshold, the scan ends with an error. Refer to Error/Exit Codes. Notice Not supported in AsyncScan mode.
-ReportXML <file>	Optional: Creates a scan report in XML format. Notice Not supported in AsyncScan mode. Not supported with CxSCA.
-ReportPDF <file>	Optional: Creates a scan report in PDF format. Notice Not supported in AsyncScan mode. Not supported with CxSCA.
-ReportCSV <file >	Optional: Creates a scan report in CSV format (as a comma separated file). Notice Not supported in AsyncScan mode. Not supported with CxSCA.
-ReportRTF <file>	Optional: Creates a scan report in RTF format. Notice Not supported in AsyncScan mode. Not supported with CxSCA.
CxSCA
-generateScaReport	Optional: Enable to generate the SCA report.
-scaReportformat	Optional: Will set the report file format. When generateScaReport is enabled, this parameter is mandatory. The report shows an overview of the security of the project as well as specific vulnerabilities, legal risks, and outdated versions identified by the scan. Reports can be generated in pdf, xml, json, or csv format. Reports are generated in the directory mentioned using -scareportpath parameter. The following case-insensitive values must be passed for different report types: pdf type report pdf xml type report xml json type report json csv type report csv - scan report in CSV, produces a zip file that can be extracted to obtain the CSV file
-scareportpath <dir path>	Optional: This will set the path of the directory where the SCA report will be generated. When generateScaReport is enabled, this parameter is mandatory. The SCA report will be generated in the subdirectory Checkmarx/Reports under the given directory path.
-ScaLocationPath <arg>	Mandatory: The URL of your CxSCA application, for example https://sca.checkmarx.net.
-ScaUsername <arg>	Mandatory: The user name to log in to your CxSCA application.
-ScaPassword <arg>	Mandatory: The password to log in to your CxSCA application.
-ScaAccount <arg>	Mandatory: The name of your CxSCA account.
-includesource	Optional: If enabling this option, the entire source code is included in the zip archive for scanning.
-scaconfigfile	Optional: Provide the configuration files of the package managers used in this project. Example: Nuget.config for Nuget, .npmrc for npm etc. Use the CxSCA agent to perform the scan. The CxSCA agent attempts to resolve the dependency using the manager's configuration files. Example: -scaconfigfile “c:\user\.m2\settings.xml”, “c:\user\npm\.npmrc”
-env	Optional: Relevant with -scaconfigfile In many cases, package manager configuration files reference environment variables, often to provide credentials without storing them in a file. Pass all those variables using this option.
-cxsasturl	Optional: The URL of the CxSAST server, for example https://cxsasthost:port This parameter is used to obtain scan results from the CxSAST server that are required by the CxSCA scan for Exploitable Path detection. Note -cxsasturl has been deprecated and is no longer supported.
-cxsastuser	Optional: The CxSAST username. This parameter is used to obtain scan results from the CxSAST server that are required by the CxSCA scan for Exploitable Path detection. Note -cxsastuser has been deprecated and is no longer supported.
-cxsastpass	Optional: The CxSAST password for the CxSAST user. This parameter is used to obtain scan results from the CxSAST server that are required by the CxSCA scan for Exploitable Path detection. Note -cxsastpass has been deprecated and is no longer supported.
-customfields	Optional: Add scan level custom fields and their values. Example: -customfields "PreScan, AfterScan, OnlyRead" Notice Supported for CxSAST 9.4 and higher.
-scatimeout	Optional: Add scan level custom fields and their values. The SCA timeout values are provided in minutes. Example: -scatimeout 75 Notice Supported for CxSAST 9.4 and higher.
-enablescaresolver	Optional: Enable the SCA Resolver utility to perform a SCA scan. Notice To use the SCA Resolver utility with the CLI plugin, go to Checkmarx SCA Resolver Download and Installation for additional information and instructions on downloading and extracting the SCA resolver zip archive.
-pathtoresolver	When using the SCA Resolver utility, use this parameter to define the path to the SCA Resolver folder where the required ScaResolve.exe file resides.
-scaresolveraddparameters	You may run the SCA Resolver utility in offline mode by adding additional command line arguments as illustrated in the example below. Example: -enablescaresolver-pathtoresolver C:\Users\Installations\ScaResolver-win64-scaresolveraddparameters "-r C:\Users\Installations\ScaResolver-win64\Offline" -enablescaresolver -pathtoresolver "C:\Users\Installations\ScaResolver-win64" -scaresolveraddparameters "-s C:\Users\Code\JavaCode -n Checkmarx -r C:\Users\Installations\ScaResolver-win64\Offline" The plugin will automatically determine values for some mandatory arguments to ScaResolver to perform both Dependency Resolution and Exploitable Pathdetection. The user does not need to define these parameters in ‘scaresolveraddparameter’. These arguments are: -s: Path to the source code -n: Project name The plugin will also automatically determine the values for the following Exploitable Path detection parameters when CxSAST and CxSCA scans are run together. User need not define these parameters in ‘scaresolveraddparameter’. --cxuser: SAST Server username. --cxpassword: Password for SAST Server username. --cxserver: SAST server URL. Required arguments to run SCA Resolver: -r or--resolver-result-path: The path to the directory/file where the resolver results will be saved. Required arguments to perform Exploitable Path: --sast-result-path: The path where exploitable path results will be stored. --cxprojectname or--cxprojectid: Name or ID of the SAST project to be used to fetch exploitable path results. One of these must be provided. Note In case of only a CxSCA Scan, to use the Exploitable path detection, the cxprojectname or cxprojectid, cxuser, cxpassword, cxserver, and sast-result-path parameters are mandatory.
-cxsastprojectname	Optional: The CxSAST project name used to scan the project source code, for example CxServer/team1/projectname This parameter is used to obtain scan results from the CxSAST server that are required by the CxSCA scan for Exploitable Path detection. Notice If you use this parameter, make sure to enable Exploitable Path in CxSCA. Note -cxsastprojectname has been deprecated and is no longer supported.
-cxsastprojectid	Optional: The CxSAST project ID used to scan the project source code This parameter is used to obtain scan results from the CxSAST server that are required by the CxSCA scan for Exploitable Path detection. Notice If you use this parameter, make sure to enable Exploitable Path in CxSCA. Note -cxsastprojectid has been deprecated and is no longer supported.
CxOSA
-enableOsa	Optional: Enable CxOSA (open-source analysis). Either the -osaLocationPath or the -LocationType parameter must be defined as 'folder' or 'shared'. Notice If -osaLocationPath does not exist, use -locationPath
-OsaLocationPath <filename>	Optional: The local or network path to the sources or the source repository branch. This may include multiple lists of local or shared folders separated by a comma. Notice If -osaLocationPath does not exist, use -locationPath
-OsaArchiveToExtract <files list>	Optional: A comma separated list of file extensions to be extracted in the OSA scan, for example *-OsaArchiveToExtract .zip** only extracts files with a *.zip extension.
-OsaFilesInclude <files list>	Optional: A comma separated list of file name patterns to be included with in the CxOSA scan, for example *.dll only includes DLL files. Notice Only languages that are supported by CxOSA can be included.
-OsaFilesExclude <files list>	Optional: A comma separated list of file name patterns to be excluded from the CxOSA scan. Exclude extensions by using !/.<extension>* or exclude files by using !/<file> Example: -OsaFilesExclude “!*/.class” excludes all files with the extension “.class”. Example: -OsaFilesExclude “!/plexus-utils-1.5.6.jar” excludes all files with the name plexus-utils-1.5.6.jar. Notice In case this parameter is sent, it overrides the default exclusion defined in the CLI configuration file (cx_console.properties).
-OsaPathExclude <folders list>	Optional: Comma separated list of folder path patterns to be excluded from the OSA scan. Example: -OsaPathExclude “test” excludes all folders that start with a test* prefix. Notice If this parameter is sent, it overrides the default exclusion defined in the CLI configuration file (cx_console.properties).
-OsaScanDepth <OSA analysis unzip depth>	Optional: Defines the extraction depth of files to be include in the OSA scan. Notice Must be a number above 0.
-executepackagedependency	Optional: Retrieves all supported package dependencies before performing the OSA scan.
-OSAHigh <number of high OSA vulnerabilities>	Optional: CxOSA high severity vulnerability threshold. If the number of high vulnerabilities exceeds the threshold, the scan ends with an error. Refer to Error/Exit Codes. Notice -OSAHigh is not supported in AsyncScan mode.
-OSAMedium <number of medium OSA vulnerabilities>	Optional: CxOSA medium severity vulnerability threshold. If the number of medium vulnerabilities exceeds the threshold, the scan ends with an error. Refer to Error/Exit Codes. Notice -OSAMedium is not supported in AsyncScan mode.
-OSALow <number of low OSA vulnerabilities>	Optional: CxOSA low severity vulnerability threshold. If the number of low vulnerabilities exceeds the threshold, the scan ends with an error. Refer to Error/Exit Codes. Notice -OSALow is not supported in AsyncScan mode.
-OsaReportHtml <path\file>	Creates an OSA scan report in HTML format. Notice -OsaReportHtml has been deprecated and is no longer supported.
-OsaReportPDF <path\file>	Creates an OSA scan report in PDF format. Notice -OsaReportPDF has been deprecated and is no longer supported.
-OsaJson <path>	Optional: Creates an OSA scan report in json format. Notice -OsaJson is not supported in AsyncScan mode.
-osafailonerror	Optional: Enables users to stop the scan and consider it failed, if an error is encountered during the CxOSA scan.
-osaerrorlogdir <path\file>	Optional: Enables users to get a seperate log file for each CxOSA error. Every log file includes the exact command line reference.
-osascanjson <path\file>	Optional: Enables users to use custom “.json” files for OSA dependency. The scan fails, if this file is empty.
-osafsaconf <configuration list>	Optional: Allows users to add a custom FSA configuration while performing an CxOSA scan.
-osaarchivetoextract <extensions list>	Optional: Enables user to append list of files that will get extracted before performing CxOSA scan.

These examples show CLI sample commands for each of the new features.

For Exploitable Path/Attack Vector

- runCxConsole.cmd Scan -v -Projectname "CxServer\NewProject" -cxServer http://10.32.3.128 -cxuser [email protected] -cxpassword Cx123456! -locationtype folder -locationpath “D:\SourceCode\JavaVulnerableLableCode” -enableSca -scaUsername ********* -scaPassword *********** -scaAccount plugins -cxsasturl http://10.32.3.128 -cxsastuser [email protected] -cxsastpass Cx123456!1 -cxsastprojectname “CxServer\SubhadraBamboo1” -cxsastprojectid 100

For Break the Build Policy

- runCxConsole.cmd Scan -v -Projectname "CxServer\NewProject" -cxServer http://10.32.3.128 -cxuser [email protected] -cxpassword Cx123456! -locationtype folder -locationpath “D:\SourceCode\JavaVulnerableLableCode” -enableSca -scaUsername ********* -scaPassword *********** -scaAccount plugins -checkpolicy

For Private Registry and Environment Variable

- runCxConsole.cmd Scan -v -Projectname "CxServer\NewProject" -cxServer http://10.32.3.128 -cxuser [email protected] -cxpassword Cx123456! -locationtype folder -locationpath “D:\SourceCode\JavaVulnerableLableCode” -enableSca -scaUsername ********* -scaPassword *********** -scaAccount plugins -env “key1:value1,key2:value2” -scaconfigfile “C:\Program Files\nodejs\node_modules\npm\npmrc, C:\Users\admin\.m2\settings.xml”

Include Source Code in CxSCA Scan

- runCxConsole.cmd Scan -v -Projectname "CxServer\NewProject" -cxServer http://10.32.3.128 -cxuser [email protected] -cxpassword Cx123456! -locationtype folder -locationpath “D:\SourceCode\JavaVulnerableLableCode” -enableSca -scaUsername ********* -scaPassword *********** -scaAccount plugins -includesource

Project Creation and Team Assignment in CxSCA

- runCxConsole.cmd Scan -v -Projectname "CxServer\NewProject" -cxServer http://10.32.3.128 -cxuser [email protected] -cxpassword Cx123456! -locationtype folder -locationpath “D:\SourceCode\JavaVulnerableLableCode” -enableSca -scaUsername ********* -scaPassword *********** -scaAccount plugins -includesource

Run CxOSA scan for C:\Users\Desktop\buildProducts and exclude folders src, temp and files .class

runCxConsole.cmd OsaScan -v -Projectname team\projectName -CxServer http://xx.xx.xx.xx -cxuser admin -cxpassword admin -OsaLocationPath C:\Users\Desktop\buildProducts -OsaFilesExclude *.class -OsaPathExclude src, temp

Run CxOSA scan for C:\Users\Desktop\buildProducts and exclude folders src, temp and files plexus-utils-1.5.6.jar

runCxConsole.cmd OsaScan -v -Projectname team\projectName -CxServer http://xx.xx.xx.xx -cxuser admin -cxpassword admin -locationType folder -OsaLocationPath C:\Users\Desktop\buildProducts -OsaFilesExclude */plexus-utils-1.5.6.jar -OsaPathExclude src,temp

Run CxOSA scan for C:\Users\Desktop\buildProducts and extract . zip files with an extraction depth of 3 and then exclude folders src, temp and files .class,

runCxConsole.cmd OsaScan -v -Projectname team\projectName -CxServer http://xx.xx.xx.xx -cxuser admin -cxpassword admin -locationtype shared -OsaLocationPath C:\Users\Desktop\buildProducts -OsaScanDepth 3 -OsaArchiveToExtract *.zip -OsaFilesExclude *.class -OsaPathExclude src, temp

Run CxOSA scan (in asynchronous mode) for C:\Users\Desktop\buildProducts and exclude folders src, temp and files .class

runCxConsole.cmd AsyncOsaScan -v -Projectname team\projectName -CxServer http://xx.xx.xx.xx -cxuser admin -cxpassword admin -OsaLocationPath C:\Users\Desktop\buildProducts -OsaFilesExclude *.class -OsaPathExclude src, temp

Run CxOSA scan for project Checkmarx One from the folder C:\cx\myProj and exclude the folders src, temp and files .class

runCxConsole.cmd OsaScan -v -Projectname SP\Cx\Engine\Checkmarx One -CxServer http://localhost -cxuser admin -cxpassword admin -locationpath C:\cx\myProj -OsaFilesExclude *.class -OsaPathExclude src, temp

Run CxOSA scan for -osafailonerror

runCxConsole.cmd OsaScan -v -Projectname team\projectName -CxServer http://xx.xx.xx.xx -cxuser admin -cxpassword admin -locationtype shared -OsaLocationPath C:\Users\Desktop\buildProducts -osafailonerror

Run CxOSA scan for -osascanjson

runCxConsole.cmd OsaScan -v -Projectname team\projectName -CxServer http://xx.xx.xx.xx -cxuser admin -cxpassword admin -locationtype shared -OsaLocationPath C:\Users\Desktop\buildProducts -osascanjson C:\Users\Desktop\OSADependencies.json

Run CxOSA scan for - osaerrorlogdir

runCxConsole.cmd OsaScan -v -Projectname team\projectName -CxServer http://xx.xx.xx.xx -cxuser admin -cxpassword admin -locationtype shared -OsaLocationPath C:\Users\Desktop\buildProducts -osaerrorlogdir "C:\Temp\OSALogDirectory"

Run CxOSA scan for - osaerrorlogdir

runCxConsole.cmd OsaScan -v -Projectname team\projectName -CxServer http://xx.xx.xx.xx -cxuser admin -cxpassword admin -locationtype shared -OsaLocationPath C:\Users\Desktop\buildProducts -osafsaconf "maven.projectNameFromDependencyFile"

Run CxOSA scan for project Checkmarx One from a shared location: \storage\path1 and create a log file

runCxConsole.cmd OsaScan -v -Projectname SP\Cx\Engine\Checkmarx One -cxserver http://localhost -cxuser admin -cxpassword admin -locationpath \storage\path1 -locationuser dm\matys -locationpassword XYZ -OsaJson -log a.log

Run CxSCA scan with log

runCxConsole.cmd SCAScan -Projectname CxServer\RihanFOlderExc1003 -LocationType Folder -LocationPath \\storage\Temp\Margarital\Source\HighMediumLowVul -scaUsername RihanK -scaPassword Plugins1! -scaAccount plugins -log aa.log

The table below lists CLI Exit and Error codes that are issued when a task is executed. The code description may help identifying and troubleshooting issues.

Code	Description
0	Completed successfully
1	Failed to start scan (general error)
2	Invalid license for SDLC
3	Invalid license for OSA
4	Login failed
5	OSA scan requires an existing project on the server
6	Failed to resolve dependencies for OSA scan
7	No dependencies found for OSA scan
10	Failed on threshold SAST HIGH
11	Failed on threshold SAST Medium
12	Failed on threshold SAST LOW
13	Failed on threshold OSA HIGH
14	Failed on threshold OSA Medium
15	Failed on threshold OSA Low
18	Policy is violated
19	Generic threshold failure if both SAST and OSA fail
30	Failed to resolve Maven dependencies for OSA scan
31	Failed to resolve Gradle dependencies for OSA scan
32	Failed to resolve NPM dependencies for OSA scan
33	Failed to resolve Nuget/DotNet dependencies for OSA scan
130	Canceled by user (Ctrl-C)

Note

The CxOSA scan should be defined only, if -LocationType is specified as folder or shared.
The CxOSA scan as a CLI command is supported with CxSAST (v8.4.2 and up).
A CxOSA scan can only be defined for an existing project.
Supports new CxSCA features like dependency resolution by using private registries, exploitable path and include sources. Private registries and the Exploitable path functionality require using the CxSCA Resolver.
If the path/file is invalid or there are no deflecting argument the -OsaJson report can be found under C:\CLIDir\CxConsolePlugin-8.42.0\<project name>\.
In cases where there are both SAST High and SAST Medium issues, the highest severity exit/error code is used, for example 10 - Failed on threshold SAST HIGH.
NPM, NuGet, Python and other supported package managers must be installed in order to use -executepackagedependency and retrieve all dependencies before performing the OSA scan.
The parameters ('-OsaReportHtml' & '-OsaReportPDF') have been deprecated and are no longer supported in this version. If applied, the following log message is written; ${param} is not supported in this CLI version.
To run the CLI with a Proxy use the following cases:
- Run CLI with Proxy using the following system variables:
  -DproxySet=true -Dhttp{s}.proxyHost=${proxy_host} -Dhttp{s}.proxyPort=${proxy_port}
- Run CLI with with Proxy authentication using the following system variables:
  -DproxySet=true -Dhttp{s}.proxyHost=${proxy_host} -Dhttp{s}.proxyPort=${proxy_port} -Dhttp{s}.proxyUser=${proxy_username} -Dhttp{s}.proxyPassword=${proxy_password}
If running the CLI with both 'http.' and 'https.' proxy parameters, the CLI prioritizes 'https.'
To specify a truststore for use, the cx_console.properties file must be configured in the following manner:
- Add the new trustStore and trustStorePassword properties in the cx_console properties file. Specify values for these properties.
  The trustStore property takes the path of the trust store certificate path and the trustStorePassword property takes the password set for the trust store. These properties values are saved in JMV arguments. When these properties are set the certificate is taken from the specified path and not from cacerts.

In this section:

Running Scans from the CLI

CxSAST and CxOSA

Notice

CxSCA

Notice

Notice

Notice

Notice

Warning

Warning

Warning

Note

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Note

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Note

Note

Note

Notice

Notice

Notice

Note

Notice

Note

Notice

Note

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Note

Search results