Skip to main content

Configuring Scans with Config-As-Code

This section explains how to configure the scan using code CLI.

Preparation

  1. Make sure that your source code contains .checkmarx/cx.config .

  2. Use the argument -configascode in the CLI command.

Note

To successfully apply -configascode , OverrideProjectSetting under the dbo.CxComponentConfiguration table in the CxSAST database server must be set to true.

Config-As-Code File Content

Sample of .checkmarx/cx.config

project: 
  fullPath: \"CxServer/GIT_PROJECT\"
  origin: "cx-cli"
sast: 
  configuration: "Default Configuration"
  excludeFolders: \"_cvs, .svn, .hg, .git, .bzr, bin, obj, backup, node_modules\"
  includeExcludePattern: \"!**/*.DS_Store, !**/*.ipr, !**/*.iws, !**/*.TEST_SOMETHING, !**/*.bak, !**/*.tmp, !**/*.aac, !**/*.aif, !**/*.iff, !**/*.m3u, !**/*.mid, !**/*.mp3, !**/*.mpa, !**/*.ra, !**/*.wav, !**/*.wma, !**/*.3g2, !**/*.3gp, !**/*.asf, !**/*.asx, !**/*.avi, !**/*.flv, !**/*.mov, !**/*.mp4, !**/*.mpg, !**/*.rm, !**/*.swf, !**/*.vob, !**/*.wmv, !**/*.bmp, !**/*.gif, !**/*.jpg, !**/*.png, !**/*.psd, !**/*.tif, !**/*.jar, !**/*.zip, !**/*.rar, !**/*.exe, !**/*.dll, !**/*.pdb, !**/*.7z, !**/*.gz, !**/*.tar.gz, !**/*.tar, !**/*.ahtm, !**/*.ahtml, !**/*.fhtml, !**/*.hdm, !**/*.hdml, !**/*.hsql, !**/*.ht, !**/*.hta, !**/*.htc, !**/*.htd, !**/*.htmls, !**/*.ihtml, !**/*.mht, !**/*.mhtm, !**/*.mhtml, !**/*.ssi, !**/*.stm, !**/*.stml, !**/*.ttml, !**/*.txn, !**/*.class, !**/*.iml, !**/Checkmarx/Reports/*.*\"
  high: 3
  medium: 1
  low: 2
  incremental: false
  preset: "Checkmarx Default"
  privateScan: false
sca:
  fileInclude: \”*.dll\” 
  fileExclude: \“!**/*.class,!**/plexus-utils-1.5.6.jar \” 
  pathExclude: \“test*\”
  high: 3
  medium: 3
  low: 3

Config-As-Code Keys

Key

Mandatory?

Description

fullPath

Mandatory

An existing or new project name with full path. If the project does not exist, it will be created.

Example: fullPath: \"CxServer/GIT_PROJECT\"

origin

Optional

Add a specific origin in SAST.

Example: origin: "cx-cli-M"

Notice

If not specified, the default origin of CLI plugin is used.

sast:

configuration

Optional

Code language configuration. Possible values are:

  • Default Configuration

  • Japanese (Shift-JIS)

  • Korean

  • Multi-language Scan

Notice

If not specified, the configuration in CLI command is used.

excludeFolders

Comma separated list of folder name patterns to be excluded from scans. For example, exclude all folders whose names start with test and all folder whose names end with log:

excludeFolders :\“test*,*log\”

Notice

If not specified, the LocationPathExclude parameter in the CLI command is used.

If this parameter is set, it will be added to the default exclusion of the CLI configuration file (cx_console.properties)

includeExcludePattern

Optional

Comma separated list of file name patterns to exclude/include from/to scan.

For example, exclude all files with '.DS_Store’ an include ‘.java’ extension : \"!**/*.DS_Store, **/*.java\"

Notice

If not specified, the includeexcludepattern parameter in the CLI command is used.

If this parameter is set, it will be added to the default exclusion of the CLI configuration file (cx_console.properties).

high

Optional. Not supported in AsyncScan mode

CxSAST high severity vulnerability threshold. If the number of high vulnerabilities exceeds the threshold, the scan ends with an error.

Notice

If not specified, the SASTHigh parameter in the CLI command is used.

medium

Optional. Not supported in AsyncScan mode

CxSAST medium severity vulnerability threshold. If the number of high vulnerabilities exceeds the threshold, the scan ends with an error.

Notice

If not specified, the SASTMedium parameter in the CLI command is used.

low

Optional. Not supported in AsyncScan mode

CxSAST low severity vulnerability threshold. If the number of high vulnerabilities exceeds the threshold, the scan ends with an error.

Notice

If not specified, the SASTLow parameter in the CLI command is used.

incremental

Optional

Run incremental scan instead of a full scan. Scans only new and modified files, relative to project's last scan.

Notice

If not specified, the Incremental parameter in the CLI command is used.

preset

Optional

Notice

  • If not specified, the preset parameter in the CLI command is used.

  • If not specified in the CLI command, the preset that is defined in the existing project or, for a new project, the default preset is used.

privateScan

Optional

Scan will not be visible to other users.

Notice

If not specified, the private parameter in the CLI command is used. Default value is false.

sca:

fileInclude

Optional

Comma separated list of file name patterns to include in the CxSCA scan, for example \”*.dll\” only includes dll files.

Notice

If not specified, the ScaFilesInclude parameter in the CLI command is used.

fileExclude

Optional

Comma separated list of file name patterns to exclude from the CxSCA scan. Exclude extensions by entering !**/*.<extension> or exclude files by entering !**/<file>.

Examples: \!**/*.class\” excludes all files that start with “.class”.

Examples: \!**/plexus-utils-1.5.6.jar\” excludes all files named plexus-utils-1.5.6.jar.

Notice

If not specified, the ScaFilesExclude parameter in the CLI command is used.

pathExclude

Optional

Comma separated list of folder path patterns to exclude from the CxSCA scan.

For example, \test*\” excludes all folders which start with test prefix.

Notice

If not specified, the ScaPathExclude parameter in the CLI command is used.

high

Optional. Not supported in AsyncScan mode

CxSCA high severity vulnerability threshold. If the number of high vulnerabilities exceeds the threshold, scan will end with an error.

Notice

If not specified, the ScaHigh parameter in the CLI command is used.

medium

Optional. Not supported in AsyncScan mode

CxSCA medium severity vulnerability threshold. If the number of medium vulnerabilities exceeds the threshold, scan will end with an error.

Notice

If not specified, the ScaMedium parameter in the CLI command is used.

low

Optional. Not supported in AsyncScan mode

CxSCA low severity vulnerability threshold. If the number of low vulnerabilities exceeds the threshold, scan will end with an error.

Notice

If not specified, the ScaLow parameter in the CLI command is used.

origin

Optional

Add specific origin in SAST.

For example origin: "cx-cli-M"

Notice

If not specified, the default origin of CLI plugin is used.

fullPath

Mandatory

An existing or new project name with full path. If the project does not exist, it will be created.

Example: fullPath: \"CxServer\GIT_PROJECT\"

Notice

  • If the config-as-code is called from the CLI cmd, the parameters in the config file override the CLI arguments.

  • If the config-as-code argument is called from the CLI cmd, but no cx.config file exists in the source code, an exception is returned.

  • The config-as-code works with the following folder types:

    • public GIT

    • private GIT

    • shared

    • folder

  • When including special characters, such as )(*_ !, as part of string values, these values must be enclosed by \”\”, for example: \!**/*.class\

  • The CLI plugin supports Project Override Settings with CxSAST 9.3 and up. To enable this feature, set the flag 'OverrideProjectSetting' under the dbo.CxComponentConfiguration table in the CxSAST database server to false. The default value is true.

    When you run a scan from the CxConsole, “CLI“ is displayed in the Scan Method column of the Scan History tab.