
Bamboo Plugin Overview

Checkmarx CxSAST is a powerful Static Source Code Analysis (SAST) solution designed for identifying, tracking and fixing technical and logical security flaws. CxSAST is integrated seamlessly into the Software Development Life Cycle (SDLC), enabling the early detection and mitigation of crucial security flaws.

The CxSAST Bamboo plug-in is installed in the Atlassian Bamboo environment and enables:

  • Automatic code scan upon triggered builds, uploading the project's code to CxSAST directly from Atlassian Bamboo.

  • Interface for viewing scan results summary and trends in the Atlassian Bamboo environment.

  • Direct links from within Atlassian Bamboo to detailed CxSAST scan results and reports.

The Bamboo plugin now uses a new core library with better compatibility and more accurate results. A new capability extracts dependencies by resolving manifest files on the customer side:

  • (CxOSA v8.9.0 and up): Support scanning of Python requirements.txt files

  • (CxOSA v8.9.0 and up): Support scanning of NuGet .nuspec files

  • (CxOSA v8.7.0 and up): Support scanning of NPM package.json files

  • (CxOSA v8.7.0 and up): Support scanning of Maven pom.xml files

For Maven and NPM configuration files, CxManager downloads the necessary packages, calculates their metadata, and submits it to the cloud engine. The package repositories must therefore be reachable from the manager.

CxOSA (v8.9.0 and up)

In order to scan dependencies used by the following package managers (NPM, NuGet and Python only), the following checkbox must be enabled (it replaces the former checkbox entitled “Enable NPM Install”): “Execute dependency managers 'install packages' command before Scan”. Note that this option runs the package manager's own install step (for example npm install) on the Bamboo agent before the scan, which executes install scripts shipped with the dependencies themselves; scope what that agent can reach accordingly.

  • NPM:

    • In order to initiate an NPM scan, NPM must be installed.

    • An NPM project is only scanned if it contains at least one JS file.

    • Dependency resolution is performed internally with the npm ls command.

  • NuGet: In order to initiate a NuGet scan, NuGet must be installed.

  • Python: In order to initiate a Python scan, Python must be installed.

  • POM: Maven must be installed locally.
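The manifest files listed earlier in this page are what the dependency resolver reads before any package manager is invoked, and the NPM rule just above (a project with no JS file is skipped) is a plain file-list check. The following Python script is an added example, not Checkmarx or plugin code: it extracts the declared dependencies from constructed samples of each of the four manifest types (requirements.txt, package.json, pom.xml, .nuspec), applies the JS-file rule, and reports entries whose version is not pinned in the manifest, which is exactly the case where the package manager itself (Maven, NPM, NuGet, pip) has to be installed to resolve them. The sample contents, file names and helper functions are assumptions of the example.

```python
"""Added example (not Checkmarx/plugin code): extract dependencies from the manifest types listed above."""
import json
import re
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Optional

class Dependency(NamedTuple):
    ecosystem: str          # "pypi", "npm", "maven" or "nuget"
    name: str               # package name (Maven: groupId:artifactId)
    version: Optional[str]  # version or range as written; None if absent from the manifest
    scope: Optional[str]    # "dev", "test", a NuGet targetFramework, or None

# Constructed sample manifests (assumptions of this example, not from any real project).
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.31.0
flask[async]>=2.0,<3   # extras plus a version range
-e git+https://example.invalid/repo.git#egg=internal
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo", "version": "1.0.0",
    "dependencies": {"express": "^4.18.2"},
    "devDependencies": {"jest": "29.7.0"},
})
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.commons</groupId><artifactId>commons-text</artifactId>
    <version>1.10.0</version></dependency>
  <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
    <version>4.13.2</version><scope>test</scope></dependency>
  <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId></dependency>
</dependencies></project>"""
SAMPLE_NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"><metadata>
  <id>Demo</id><version>1.0.0</version>
  <dependencies>
    <dependency id="Newtonsoft.Json" version="13.0.3" />
    <group targetFramework="net6.0"><dependency id="Serilog" version="3.1.1" /></group>
  </dependencies>
</metadata></package>"""

# PEP 508-style "name[extras] specifier"; enough for typical requirements lines.
_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")

def _xml_without_namespaces(text: str) -> ET.Element:
    """Parse XML and strip namespace URIs from tags so lookups stay simple."""
    root = ET.fromstring(text)
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def parse_requirements(text: str) -> List[Dependency]:
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip blanks and -e/-r/--index-url options
            continue
        if m := _REQ_LINE.match(line):
            deps.append(Dependency("pypi", m.group(1), m.group(3).strip() or None, None))
    return deps

def parse_package_json(text: str) -> List[Dependency]:
    data = json.loads(text)
    deps = [Dependency("npm", n, v, None) for n, v in data.get("dependencies", {}).items()]
    deps += [Dependency("npm", n, v, "dev") for n, v in data.get("devDependencies", {}).items()]
    return deps

def parse_pom(text: str) -> List[Dependency]:
    deps = []
    for d in _xml_without_namespaces(text).findall(".//dependency"):
        text_of = lambda tag: (d.findtext(tag) or "").strip() or None
        deps.append(Dependency("maven", f"{text_of('groupId')}:{text_of('artifactId')}",
                               text_of("version"), text_of("scope")))
    return deps

def parse_nuspec(text: str) -> List[Dependency]:
    root = _xml_without_namespaces(text)
    deps = []
    # Direct children of <dependencies> first, then each <group targetFramework="...">.
    for container in root.findall(".//dependencies") + root.findall(".//group"):
        for d in container.findall("dependency"):
            deps.append(Dependency("nuget", d.get("id"), d.get("version"), container.get("targetFramework")))
    return deps

PARSERS = {"requirements.txt": parse_requirements, "package.json": parse_package_json,
           "pom.xml": parse_pom, ".nuspec": parse_nuspec}

def parse_manifest(filename: str, text: str) -> List[Dependency]:
    """Dispatch on the file name; unsupported manifest types are refused, not guessed."""
    for suffix, parser in PARSERS.items():
        if filename.endswith(suffix):
            return parser(text)
    raise ValueError(f"unsupported manifest: {filename}")

def npm_project_is_scannable(paths: List[str]) -> bool:
    """The NPM rule above: the project is scanned only if it has at least one .js file."""
    return any(p.lower().endswith(".js") for p in paths)

def unpinned(deps: List[Dependency]) -> List[str]:
    """Entries with no version in the manifest; only the package manager can resolve these."""
    return [d.name for d in deps if not d.version]
```

The unpinned report is the practical point: a pom.xml whose versions come from a parent or BOM cannot be resolved from the manifest alone, and the same applies to anything that needs the registry to be consulted, which is why this page requires the package managers to be installed and the repositories to be reachable from the manager.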

Prerequisites for CxSAST & CxOSA - Bamboo (v8.9.0 and up)

  • Atlassian Bamboo installed (5.9 to 6.5)

    • Atlassian Bamboo requires a Java Development Kit (JDK); use the JDK version required by your Bamboo release

  • Checkmarx CxSAST installed (8.9.0 and up)

  • Java 8 (for running OSA scans)

  • Checkmarx CxSAST Bamboo Plugin installed (8.9.0 and up)

  • Release – Checkmarx CxSAST Bamboo Plugin (Add-on) available from the Atlassian Marketplace.

  • End User License Agreement (EULA) - If it was not already accepted during the CxSAST/CxOSA installation and setup, the EULA must be accepted in the CxSAST / CxOSA web interface before a CxOSA scan can be run from the plugin. Until then, all Checkmarx plugins raise the following message: ‘In order to start working with CxOSA, your CxSAST Administrator needs to accept the End User License Agreement (EULA) from the CxSAST / CxOSA web interface’

Note that you cannot start using CxOSA until the end user license agreement (EULA) has been viewed and accepted.

CxOSA (v8.7.0 to v8.8.0)

  • NPM:

    • In order to initiate an NPM scan, NPM must be installed.

    • An NPM project is only scanned if it contains at least one JS file.

    • Dependency resolution is performed internally with the npm ls command.

    • “Enable NPM Install” must be enabled if the dependencies are not already installed in the project.

  • POM: Maven must be installed locally.

Prerequisites for CxSAST & CxOSA - Bamboo (v8.7.0 to v8.8.0)

  • Atlassian Bamboo installed - for v8.7.0: 5.9 to 6.3, and for v8.8.0: 5.9 to 6.5

    • Atlassian Bamboo requires a Java Development Kit (JDK); use the JDK version required by your Bamboo release

  • Checkmarx CxSAST installed (8.4.1 and up)

  • Checkmarx CxSAST Bamboo Plugin installed (8.41.0 and up)

  • CxOSA (8.7.0 and up)

    • NPM and Maven must be installed

    • Java 8 (for running OSA scans)

  • Release – Checkmarx CxSAST Bamboo Plugin (Add-on) available from: