Skip to main content

Running Scans from the CLI

Applications such as CxSAST and CxOSA enable you to run static application security tests (SAST) and open-source analysis (OSA) scans as a CLI command. By default, the SAST scans run in synchronous mode. This means that the CLI initiates the scan task, which can then be viewed in the CLI and the created log file. In asynchronous mode, the scan ends when the scan request reaches the scan queue. Therefore, the scan results can be viewed in the (CxSAST) web application only.

To scan projects with open source packages, use the CxConsole commands as explained below. The CxConsole CLI provides software composition analysis based only on the manifest files and fingerprints. This analysis involves compressing and sending only the manifest files, configuration files, file names, and fingerprint data to the CxSCA cloud. The source code is not sent to the cloud.


  • The CxOSA scan should be defined only if -LocationType is specified as folder or shared.

  • The CxOSA scan as a CLI command is supported with CxSAST (v8.4.2 and up).

  • A CxOSA scan can only be defined for an existing project.

  • Supports new CxSCA features like dependency resolution by using private registries and exploitable paths and include sources. Private registries and the Exploitable path functionality require using the CxSCA Resolver.

  • If the path/file is invalid or there is no deflecting argument, the -OsaJson report can be found under C:\CLIDir\CxConsolePlugin-8.42.0\<project name>\.

  • In cases with SAST High and SAST Medium issues, the highest severity exit/error code is used, for example, 10 - Failed on threshold SAST HIGH.

  • NPM, NuGet, Python, and other supported package managers must be installed to use -executepackagedependency and retrieve all dependencies before performing the OSA scan.

  • The parameters ('-OsaReportHtml' & '-OsaReportPDF') have been deprecated and are no longer supported in this version. If applied, the following log message is written: ${param} is not supported in this CLI version.

  • To run the CLI with a Proxy use the following cases:

    • Run CLI with Proxy using the following system variables:

      -DproxySet=true -Dhttp{s}.proxyHost=${proxy_host} -Dhttp{s}.proxyPort=${proxy_port}

    • Run CLI with with Proxy authentication using the following system variables:

      -DproxySet=true -Dhttp{s}.proxyHost=${proxy_host} -Dhttp{s}.proxyPort=${proxy_port} -Dhttp{s}.proxyUser=${proxy_username} -Dhttp{s}.proxyPassword=${proxy_password}

  • If running the CLI with both 'http.' and 'https.' proxy parameters, the CLI prioritizes 'https.'

  • To specify a truststore for use, the file must be configured in the following manner:

    • Add the new trustStore and trustStorePassword properties in the cx_console properties file. Specify values for these properties.

      The trustStore property takes the path of the trust store certificate path and the trustStorePassword property takes the password set for the trust store. These properties values are saved in JMV arguments. When these properties are set, the certificate is taken from the specified path and not from cacerts.

  • Due to known limitations of Windows consoles, if non-English characters are not supported on the Windows command prompt, then please check the checkbox Beta: Use Unicode UTF-8 for worldwide language support under Settings --> Language Settings --> Administrative Language Settings --> Change System Locale button --> Region Setting screen and select the appropriate font from the command prompt by --> Right click --> Properties --> Font. This may not work consistently on all Windows consoles.If non-English characters are not supported in Linux via the command line, then the Config-As-Code functionality can be used.