Skip to main content

Running Scans from the CLI

Applications such as CxSAST and CxOSA enable you to run static application security tests (SAST) and open-source analysis (OSA) scans as a CLI command. By default, the SAST scans run in synchronous mode. This means that the CLI initiates the scan task, which can then be viewed in the CLI and the created log file. In asynchronous mode, the scan ends when the scan request reaches the scan queue. Therefore, the scan results can be viewed in the (CxSAST) web application only.

To scan projects with open source packages, use the CxConsole commands as explained below. The CxConsole CLI provides software composition analysis based only on the manifest files and fingerprints. This analysis involves compressing and sending only the manifest files, configuration files, file names, and fingerprint data to the CxSCA cloud. The source code is not sent to the cloud.


  • The CxOSA scan should be defined only, if -LocationType is specified as folder or shared.

  • The CxOSA scan as a CLI command is supported with CxSAST (v8.4.2 and up).

  • A CxOSA scan can only be defined for an existing project.

  • Supports new CxSCA features like dependency resolution by using private registries, exploitable path and include sources. Private registries and the Exploitable path functionality require using the CxSCA Resolver.

  • If the path/file is invalid or there are no deflecting argument the -OsaJson report can be found under C:\CLIDir\CxConsolePlugin-8.42.0\<project name>\.

  • In cases where there are both SAST High and SAST Medium issues, the highest severity exit/error code is used, for example 10 - Failed on threshold SAST HIGH.

  • NPM, NuGet, Python and other supported package managers must be installed in order to use -executepackagedependency and retrieve all dependencies before performing the OSA scan.

  • The parameters ('-OsaReportHtml' & '-OsaReportPDF') have been deprecated and are no longer supported in this version. If applied, the following log message is written; ${param} is not supported in this CLI version.

  • To run the CLI with a Proxy use the following cases:

    • Run CLI with Proxy using the following system variables:

      -DproxySet=true -Dhttp{s}.proxyHost=${proxy_host} -Dhttp{s}.proxyPort=${proxy_port}

    • Run CLI with with Proxy authentication using the following system variables:

      -DproxySet=true -Dhttp{s}.proxyHost=${proxy_host} -Dhttp{s}.proxyPort=${proxy_port} -Dhttp{s}.proxyUser=${proxy_username} -Dhttp{s}.proxyPassword=${proxy_password}

  • If running the CLI with both 'http.' and 'https.' proxy parameters, the CLI prioritizes 'https.'

  • To specify a truststore for use, the file must be configured in the following manner:

    • Add the new trustStore and trustStorePassword properties in the cx_console properties file. Specify values for these properties.

      The trustStore property takes the path of the trust store certificate path and the trustStorePassword property takes the password set for the trust store. These properties values are saved in JMV arguments. When these properties are set the certificate is taken from the specified path and not from cacerts.