Installing and Configuring the Jenkins Plugin

Java JRE and SDK

NPM

POM

NuGet

Python

Enable TLS/SSL Server Certificate Validation

Check to enable TLS (Transport Layer Security) and SSL (Secure Sockets Layer) protocol validation. This helps to provide communication security over your network.

Default Server URL

Checkmarx Server URL or IP address with or without port, for example http://<server-name>or https://<ip-address>:<port>.

You are able to override these default settings at a later stage for individual jobs and projects.

Credentials

This option is for users who may already keep the Checkmarx credentials within the Jenkins credentials manager, and would like to use them with the CxSAST Jenkins plugin. To do so, select your credentials from the drop-down list.

Use Jenkins proxy

Check to enable the proxy setting for all the jobs that use the CxSAST server default URL. To disable the proxy for these jobs, clearthis option.

Once enabled , it affects the CxSAST, CxOSA, and CxSCA scans.

<Test Connection>

Click <Test Connection> and wait until the credentials are successfully validated.

Maven Path

Path to the Maven executable, usually located in the Maven bin folder. If left empty, the system-defined path is used. This is required for CxSCA. If using CxSAST with CxOSA, leave this field empty.

<Validate Maven Path>

Click <Validate Maven Path> and wait until the path has been successfully validated.

Default Exclude folders

Enter a global comma separated list of folders to be excluded from the scan. Entries in this list are automatically converted to exclude wildcard patterns and appended to the full pattern list provided in the Default Include/Exclude Wildcard Patterns section.

You may override these settings for individual jobs/projects at a later stage.

Default Include/Exclude Wildcard Patterns

global default include/exclude wildcard patterns by entering a comma separated list for files or file groups to be included or excluded. To exclude files or file groups, start the entry with !

Examples:

You may override these settings for individual jobs/projects at a later stage.

Deny new Checkmarx projects creation

Enabling this option prohibits the creation of new projects in Checkmarx, or assigning an existing project to a different team. Disabling this option allows this action.

Hide results

Check to hide scan results from all jobs/projects and builds.

Remove HTML Results in Async Mode

If checked, reports are removed when scanning in asynchronous mode. The message Job is configured to run Checkmarx scan asynchronously. Report generation is disabled appears.

If cleared, the report of the last successful scan appears with the message Job is configured to run Checkmarx scan asynchronously. Displayed results are of the previous successful scan.

Job status when CxSAST scan returns an error

Define how to act when a triggered CxSAST scan in synchronous mode fails and returns an error message (i.e., no scan results):

You are able to override these settings later for individual jobs/projects.

Globally define vulnerability thresholds for all jobs

Enable the set vulnerability settings for all jobs/projects option to define the default global settings for all jobs/projects that are not using local settings. You are able to override these settings later for individual jobs/projects, unless the Lock global vulnerability settings for all scans/jobs option is enabled.

Always use the defined global vulnerability thresholds

Check to always use the default global settings and prevent the overriding of these settings later for individual jobs/projects.

Available if Globally define vulnerability thresholds for all jobs is enabled.

Build status when results exceed threshold

Define the build status (Unstable or Failure) when the number of severity vulnerabilities exceed the specified threshold.

Available if the Set vulnerability settings for all jobs option is enabled.

CxSAST High severity vulnerabilities threshold

Define the CxSAST high severity vulnerability threshold. If set, the threshold is crossed, if the number of high severity vulnerabilities exceeds it.

Available if the Set vulnerability settings for all jobs option is enabled.

You may override these settings later for individual jobs/projects.

CxSAST Medium severity vulnerabilities threshold

Define the CxSAST medium severity vulnerability threshold. If set, the threshold is crossed if the number of medium severity vulnerabilities exceeds it.

Available if the Set vulnerability settings for all jobs option is enabled.

You may override these settings later for individual jobs/projects.

CxSAST Low severity vulnerabilities threshold

Define the CxSAST low severity vulnerability threshold. If set, the threshold is crossed if the number of low severity vulnerabilities exceeds it

Available if the Set vulnerability settings for all jobs option is enabled.

You may override these settings later for individual jobs/projects.

Dependency scan high severity vulnerabilities threshold

Define a threshold for the dependency scan high severity vulnerabilities. The build will be marked (failed or unstable) if the sum of the high severity vulnerabilities is larger than the threshold.

Available if the Set vulnerability settings for all jobs option is enabled.

You may override these settings later for individual jobs/projects.

Dependency scan medium severity vulnerabilities threshold

Define a threshold for the dependency scan medium severity vulnerabilities. The build will be marked (failed or unstable) if the sum of the medium severity vulnerabilities is larger than the threshold.

Available, if the Set vulnerability settings for all jobs option is enabled.

You may override these settings later for individual jobs/projects.

Dependency scan low severity vulnerabilities threshold

Define a threshold for the dependency scan low severity vulnerabilities. The build will be marked (failed or unstable) if the sum of the low severity vulnerabilities is larger than the threshold.

Available if the Set vulnerability settings for all jobs option is enabled.

You may override these settings later for individual jobs/projects.

Set job scan timeout threshold

Check to enable the Set the job scan timeout threshold option.

Scan timeout (minutes)

Define the job scan timeout threshold (only available if Set job scan timeout thresholdis enabled).

Continue when timed out

If checked, the build continues when the scan timed out. In this case, the latest scan report is displayed.

Globally define dependency scan settings

Check to enable the globally defined dependency scan and associated settings.

Include/Exclude wildcard patterns

Define a comma-separated list of include or exclude wildcard patterns.

You may override these settings later for individual jobs/projects.

Exclude folders

Define a comma-separated list of folders to exclude from the dependency scan.

You may override these settings later for individual jobs/projects.

Use CxOSA dependency scanner

Enablethe CxOSA dependency scanner and associated settings.

Available, if Globally define dependency scan settings is enabled.

Archive extract patterns

Define a comma separated list of archive wildcard patterns to include their extracted content for the dependency scan, e.g., *.zip, *.jar, *.ear. Supported archive types are .jar, .war, .ear, .sca, .gem, .whl, .egg, .tar, .gz, .tgz, .zip, .rar. Leave empty to extract all archives (only available if ‘Use CxOSA dependency scanner’ is enabled).

Execute dependency managers ‘install packages’ command before scan

Select this option to be able to scan packages from various dependency managers as part of the dependency scan (only available if ‘Use CxOSA dependency scanner’ is enabled).

Use CxSCA dependency scanner

Check to enable the CxSCA dependency scanner and associated settings.

Available, if Globally define dependency scan settings is enabled.

CxSCA API URL

URL of the SCA API endpoint, only available if Use CxSCA dependency scanner is enabled.

Default: https://api-sca.checkmarx.net

Using the CxSCA EU cluster: https://eu.api-sca.checkmarx.net

Access Control server URL

URL of the Access Control server used to log on to CxSCA, only available if Use CxSCA dependency scanner is enabled.

Default: https://platform.checkmarx.net

Using the CxSCA EU cluster: https://eu.platform.checkmarx.net

CxSCA web app URL

URL of the CxSCA web application. It is used to generate a web report URL. If omitted, the CxSCA scan runs as usual and no report URL is generated. This option is only available if Use CxSCA dependency scanner is enabled .

Default: https://sca.checkmarx.net

Using the CxSCA EU cluster: https://eu.sca.checkmarx.net

CxSCA credentials

Credentials used to log on to CxSCA, username and password. They are normally different from the CxSAST credentials.

This option is available, if Use CxSCA dependency scanner is enabled.

Account

Customer account in CxSCA used during login (only available if Use CxSCA dependency scanner is enabled).

Package Manager's Config File(s) Path

Use this parameter to provide configuration files of the package managers used in the project, for example:

This option is available, if Perform SCA scan by uploading manifest file(s)/source to SCA Service is enabled.

Private Registry Environment Variable

Use the CxSCA agent to perfom the scan. The CxSCA agent attempts to perform a dependency resolution using the package manager’s configuration files provided.

Example: - “c:\user\.m2\settings.xml”, “c:\user\npm\.npmrc”

This option is relevant with the - Package Manager's Config File(s) Path parameter.

In many cases, the package manager's configuration files reference environment variables. This is often performed to provide credentials without storing them in a file. Pass all such variables using the following option:

Example: -env param1:value1,param2:value2

This option is available, if Perform SCA scan by uploading manifest file(s)/source to SCA Service is enabled.

Include Source

When enabling this option, the entire source code is added to the zip archive that is sent to the cloud for processing.

Enable Synchronous Mode

When enabling this option, the scan results are listed in Jenkins. Otherwise, a link to the scan results in the CxSAST web application is provided.

Generate CxSAST PDF report

When enabling this option, the scan results are available as PDF file and can be accessed by following a link with the scan results in Jenkins.

This option is available only, if Enable Synchronous Mode is enabled.

Enable Project's Policy Enforcement

When enabling this option, the build breaks, if either the CxOSA, CxSAST or CxSCA policy is violated.

The policy is assigned to a project from within CxSAST or CxSCA.

In case of CxSCA, the name and description of all violated policies and rules within are displayed in the logs. In addition, the build is reported as failed, if any of the violated policies indicates a ‘Break the build’ action.

Enable Vulnerability Threshold

When enabling this option, you are able to define vulnerabilitry thresholds.

This option is available only, if Enable Synchronous Mode is enabled.

Once enabled, the Global Settings option is unavailable.

Hide Debug Logs

When enabling this option, no debug level logs are generated in the job output.

Allow Global Comment

When enabling this option, Global CxSAST comments are added to the build comment.

By default, the global comment field is empty. When both job level comments and global comments are provided and 'Allow Global Comment' has been checked, both comments are concatenated.

Any variables used in the comment text are expanded before sending sending them to CxSAST.

Perform SCA scan using dependency resolution by SCA resolver tool

Enable this option for SCA Resolver. To scan in Offline mode of SCA.

Path to SCA Resolver

Enter the path on the Jenkins node's host where ScaResolver is installed,

for example C:\\Users\\Installations\\ScaResolver-win64 or /opt/ScaResolver-linux64, depending on the operating system in use.

Only available, if Perform SCA scan using dependency resolution by SCA resolver tool is enabled.

SCA Resolver Additional Parameters

Provide arguments to ScaResovler in the format that is supported by the ScaResolver tool. ScaResolver is executed in Offline mode. '-s', '-n' and '-r' are mandatory parameters, for example -s C:\\Users\\SampleProject -n ProjectName -r c:\\output, where the parameters stand for the following:

Only available, if Perform SCA scan using dependency resolution by SCA resolver tool is enabled.

Perform SCA scan by uploading manifest file(s)/source to SCA Service

This allows performing a SCA scan using the Manifest file. Enables the other options such as Include Sources and Package Managers Config’s File Path.

Enable Exploitable Path

When enabling this option, this mechanism attempts to correlate CxSCA with CxSAST scan results to clarify, if a vulnerability identified in the open source library is exploitable.

For additional information on this functionality, refer to Exploitable Path in the CxSCA documentation space.

Additional parameters become available once you check Enable Exploitable Path.

Only available, if Perform SCA scan by uploading manifest file(s)/source to SCA Serviceis enabled.

SAST Server URL

This parameter is used to obtain scan results from the CxSAST server that are required for Exploitable Path detection by the CxSCA scan.

Enter the URL of the CxSAST server, for example https://cxsasthost:port

Only available, if Perform SCA scan by uploading manifest file(s)/source to SCA Serviceis enabled.

Project Full Path

The CxSAST project name with its full path used to scan the project source code, for example CxServer/team1/projectname

This project name and its full path are used to retrieve scan results from the CxSAST server that are required for Exploitable Path detection by the CxSCA scan.

Project ID

The ID of the CxSAST project that is used to scan the project source code. It is used to retrieve scan results from the CxSAST server that are required for Exploitable Path detection by the CxSCA scan.

Enter the Project ID of the CxSAST project used to scan the project source code. This parameter is used to obtain scan results from the CxSAST server required for the Exploitable Path detection by CxSCA.

Only available, if Perform SCA scan by uploading manifest file(s)/source to SCA Serviceis enabled.

SCA Teampath

Enter the team for the new CxSCA project. If left empty, the SAST team is assigned to the SCA project.

SCA Timeout

Set the timeout for the SCA scan. If the SCA scan exceeds that time, the job fails. If left empty, the timeout is set to 60 minutes by default.