2.0.55 | Sept 25, 2023 | | Fixed issue regarding incomplete contributor count results for BitBucket, Azure DevOps, GitHub and GitLab. This was accomplished using timeout and retry to overcome rate limits. We also added pagination for Azure DevOps.
|
2.0.56 | Sept 9, 2023 | Added global flag --ignore-proxy for ignoring proxies, so that all Checkmarx One CLI commands run directly from the local machine. Alternatively, this can be done by setting the environment variable "CX_IGNORE_PROXY" as true. TipWhen using Checkmarx One plugins, only the environment variable method works.
| |
2.0.54 | Aug 9, 2023 | | Fixed issue that had been causing KICS Realtime scans to fail. Fixed issue that HTML output wasn't being shown properly for results that contain HTML content. Stopped showing the Policy Violation header in the console results for projects that don't have any associated policies.
|
2.0.53 | July 28, 2023 | Added information about violated policies to the scan results. This information is shown in the console summary as well as in the Summary HTML and Markdown reports. These results are shown both for scan create and results show commands. For policies that are configured to "break build", when the policy is violated the scan will fail. (The --ignore-policy flag can be used to prevent policies from causing the scan to fail. Added the mask command under utils . This command is used to return the secrets identified in a file and show how they will be masked when the file is sent to ChatGPT using the chat command. See mask By default, the scan create command now runs scans only on the scanners that are licensed for your account (in order to avoid unnecessary failures).
| Fixed issue that risk management using the triage command hadn't been working for IaC Security risks. For scans run using kics-realtime , when no results are found, instead of showing the scan as failed we now show it as a successful scan with no results.
|
2.0.52 | July 18, 2023 | | |
2.0.51 | July 13, 2023 | | |
2.0.50 | June 30, 2023 | | |
2.0.49 | June 30, 2023 | Added ”AI Guided Remediation”, which harnesses the power of AI to help you to understand the vulnerabilities in your code, and resolve them quickly and easily. TipWhen sending source code to GPT, we protect your sensitive data by anonymizing all passwords and secrets before the content is sent. The query used to identify sensitive data can be seen here. TipCurrently supported only for IaC Security vulnerabilities. Increased the default limit for projects returned using the project list command to 10,000. (This enables Checkmarx One to effectively verify whether a project with the specified name already exists when a scan is initiated via CLI/plugin.) Enabled SBOM reports for all tenant accounts.
| |
2.0.48 | June 13, 2023 | | |
2.0.47 | May 24, 2023 | | When a kics-realtime scan completes successfully and doesn't find any IaC securtiy vulnerabilities, the results are now correctly returned showing "0" IaC security vulnerabilities. The contributor count for BitBucket now counts only contributors who have contributed in the past 90 days, as expected.
|
2.0.46 | Apr 28, 2023 | | |
2.0.45 | Apr 13, 2023 | We added a new environment variable, CX_HTTP_PROXY, which can be used to designate a specialized proxy for Checkmarx One. When this is used, it overrides the proxy specified in your general HTTP_PROXY variable. NoticeWe still support use of the HTTP_PROXY variable if you choose to use the same proxy for Checkmarx One as for your other applications. We increased the number of branches returned using the project branches command from 20 to 1,000.
| |
2.0.44 | Apr 3, 2023 | You can now designate a scan as a "Private Package" and assign a package version to it using the addtional_params options. Once a private package has been scanned, info about the risks affecting that package will be identified by SCA when that package version is used in any of your projects. You can download an article about private packages here. We added the --sca-exploitable-path flag to the additional_params options. This enables you to designate whether or not Exploitable Path will run on this particular scan. When used, this overrides the designation made in the project settings. We also added a flag --sca-last-sast-scan-time , which enables you to specify the number of days that SAST scan results are considered valid for use in Exploitable Path (i.e., if there is no current SAST scan, how many days prior to the current SCA scan will Checkmarx One look for a SAST scan to use for analyzing Exploitable Path.) WarningThe --sca-last-sast-scan-time flag is not yet fully supported and may not function as designed. Improved memory usage when uploading zip files. Added file extensions go.mod, go.sum, *.dart, and *.plist to the list of included files (when creating the zip archive for scanning).
| |
2.0.43 | Mar 24, 2023 | | Fixed issue that spaces and capital letters had been interfering with Threshold functionality. Fixed problem with generating sarif reports. Fixed issue that debug logs were showing URLs that contained sensitive data. Fixed issue that SCA vulnerabilities marked as "Not Exploitable" were being included in the scan summary data. (Current behavior for all scanners is that "Not Exploitable" vulnerabilities are not included in the scan summary.)
|
2.0.42 | Feb 22, 2023 | Added additional options for pdf format reports. When running the results show command or the scan create command with --report-format set to pdf , you can now: Add the --report-pdf-email flag to specify email recipients. Add the --report-pdf-options flag to specify which sections to include in the report. Options are: Iac-Security, Sast,Sca, ScanSummary, ExecutiveSummary, ScanResults.
Added the option to generate reports in markdown format using the --report-format flag. Added the --sca-realtime command, which enables running an SCA scan on the contents of a folder. The SCA realtime scan is similar to the KICS realtime scan in the fact that it is a free tool which does not require a Checkmarx account. The results are returned in the response body as a JSON object. TipEven for users with a Checkmarx account, the realtime scan results are not synced with the user's Checkmarx account.
| |
2.0.41 | Feb 2, 2023 | General improvements and bug fixes. | |
2.0.40 | Jan 27, 2023 | | |
2.0.39 | Jan 19, 2023 | | |
2.0.38 | Jan 19, 2023 | All references to AST have been changed to refer to the new product name "Checkmarx One". We now validate for licensed scanners (engines). When a scan is run using default settings, all licensed scanners are used. When the --scan-types flag is used and a non-licensed scanner is specified, an error message is returned.
| |
2.0.37 | Dec 6, 2022 | | |
2.0.36 | Nov 30, 2022 | The KICS scanner is now referred to in Checkmarx One as "IaC Security". All mentions of the scanner and the vulnerabilities identified by it, now refer to IaC Security. The API Security scanner is now supported for use via the CLI. When running the scan create command, you can now add api_security to the list of scanners under --scan-types . Scan results now differentiate between regular SCA vulnerabilities and Supply Chain Security (SCS) risks. In addition, a distinction is now made between direct dependencies and transitive dependencies.
| |
2.0.35 | Nov 16, 2022 | Added support for Bitbucket Server for the contributor-count command, see bitbucket-server. Added support for identifying "supply chain" vulnerabilities.
| |
2.0.34 | Nov 9, 2022 | General improvements and bug fixes. | |
2.0.33 | Nov 7, 2022 | Improved methods for polling status and retrying scans. | |
2.0.32 | Oct 21, 2022 | General improvements and bug fixes. | |
2.0.31 | Oct 17, 2022 | General improvements and bug fixes. | |
2.0.30 | Oct 3, 2022 | Added an additional sanitization to the logs, by removing the proxy value. Added specific error messages when a user doesn't have a container engine (e.g., Docker) installed and running. The CLI now extracts the base-uri from the API Key, making it unnecessary to submit the base-uri indipendantly. We added a new command for retrieving tenant settings via the CLI.
| |
2.0.29 | Sep 19, 2022 | | |
2.0.28 | Sep 15, 2022 | Added a --resubmit flag for the scan create command. This causes the scan to run with the same configuration that was used for the most recent scan of the specified project and branch. | |
2.0.27 | Sep 2, 2022 | | |
2.0.26 | Aug 31, 2022 | We added a new pr command for decorating pull requests with results from Checkmarx One scans that were triggered by that pull request. The pull request comments show a list of new vulnerabilities that were introduced by the code changes as well a list of vulnerabilities that were fixed by the code changes. See pr TipThis command is currently supported only for GitHub. All documentation links now point to the new Checkmarx documentation portal at https://checkmarx.com/resource/documentation.
| |
2.0.25 | Aug 26, 2022 | | |
2.0.24 | Aug 22, 2022 | | |
2.0.23 | Aug 12, 2022 | For the KICS remediation utility, we added the option to remediate all vulnerabilities in the project. See kics Added additional info to the SCA results, including the association between the vulnerabilities and the open-source packages to which they apply.
| When running KICS commands, there is a requirement to have Docker running locally. We now have a dedicated error message for this issue. Accumulation of unneeded zip files had been causing issues in Jenkins. We now delete zip files that are no longer in use.
|
2.0.22 | Jul 26, 2022 | Added a new utils command, learn-more , for getting additional info about a specific vulnerability. Submit this command with a query-id (obtained from scan results) indicating the vulnerability for which you want additional info. See learn-more Added a new utils command, remediation sca , for automatically replacing a vulnerable package version with a non-vulnerable version. Add arguments specifying the precise package that you would like to remediate. See sca Added a new utils command, remediation kics , for automatically remediating KICS vulnerabilities. You can remediate all vulnerabilities, or you can submit identifying details about the specific vulnerabilities that you would like to remediate. See kics Added a new scan create command, kics-platforms , to specify which platforms to run the kics scan on. See Flags
| |
2.0.21 | Jul 4, 2022 | | A scan report is now generated when a scan fails because of a threshold violation. The branch name in the summary URL is now encoded. Return more precise results for KICS real-time scanner.
|
2.0.20 | Jun 21, 2022 | | |
2.0.19 | Jun 8, 2022 | Added a new command for running a KICS scan as a standalone tool in your local environment. To run the scan, you are required to provide the file source. You can also add additional KICS parameters. See sca-realtime Updated the content of the summary that is shown when a scan is run. The following changes were made: Show “Scan Type”, possible values are “incremental” or “full” Show Timeout, possible values are “None” if the scan didn’t timeout or a value in seconds indicating the time that elapsed before the scan timed out Show “Project Name” instead of “Project ID” Formatted the display of the vulnerabilities results summary Added a link to view the scan results in the web app
| |
2.0.18 | May 6, 2022 | | |
2.0.17 | May 5, 2022 | You can now add filters to the scan create command (to exclude files/folders from the scan) separately for each specific scanner. The flags for the new filters are: --sast-filter <string> , --kics-filter <string> , --sca-filter <string> . NOTE The existing flag --file-filter , which sets filters for the entire scan (for all scanners) is still in use. You can now add an ssh key to the project create command, using the flag --ssh-key <string> with the path to the ssh private key. You can now add an ssh key to the scan create command, using the flag --ssh-key <string> with the path to the ssh private key. Added the scanId field to the results json file. Added support for file filters for scans run on zip files. Reduced size of CLI Docker image.
| |
2.0.16 | Apr 11, 2022 | SAST and KICS vulnerabilities for which the state has been set as “Not Exploitable” are no longer included in the vulnerabilities counts in the results summary. Added additional details to sarif output.
| |
2.0.15 | Mar 28, 2022 | The user-count utility was renamed as contributor-count . Also, username was added to the --debug logs. Added a utility command to determine the number of unique contributing developers for the past 90 days for BitBucket, Azure DevOps and Gitlab repos.
| |
2.0.14 | Mar 4, 2022 | Created a utility command to determine the number of unique contributing developers for the past 90 days for GitHub repos. Added a new command ./cx results codebashing [flags] for retrieving a link to the relevant Codebashing lesson for a vulnerability.
| |
2.0.13 | Feb 23, 2022 | | |
2.0.12 | Feb 10, 2022 | | Fixed a problem with proxy connections. An error is now generated when project name is empty. Fixed the help text for the threshold flag. Fixed the help text for the result command to include state filters. Fixed the help text for the SCA Resolver flag.
|
2.0.11 | Jan 27, 2022 | | |
2.0.10 | Jan 19, 2022 | The results output for SAST vulnerabilities now includes a brief description of the vulnerability. Added the --scan-timeout <int> flag to the scan create command, enabling users to specify a time limit after which the scan will fail and terminate. Added an new type of report, SummaryJSON . This creates a JSON file with a summary of the vulnerabilities of each severity level.
| |
2.09 | Jan 4, 2022 | Added the ability to triage scan results and modify the ‘state’, ‘severity’ and ‘comments’ predicates accordingly. Added a CLI command for triaging results. Added --threshold flag to a scan create command. This enables you to set thresholds that will cause the scan to fail. Thresholds are set separately for each type of scanner using the following format: <engine>-<severity>=<limit> .
| |
2.0.4 | Nov 3, 2021 | Added automatic retry for scans upon initial connection failure using flags: Users can now add tags and assign the scan to a Checkmarx One “group” (for user management) as part of the scan create command. Integration tests now have 80% coverage. Branch flag is now required. The flag for running scans in asynchronous mode was changed from --nowait to --async . When installing the CLI through homebrew, brew install checkmarx/ast-cli/ast-cli , auto-completion is done automatically.
| |
2.0.0 | Sep 23, 2021 | Added a new “utils logs” command - The utils logs command provides the option to select which scan logs can be printed to the CLI screen. The possible options are: SAST, KICS. Added a new “result” command - The result command enables the ability to retrieve scan results in AST. The results are downloaded to a file. The following file formats are supported: json, sarif, summaryHTML, summaryConsole Add SCA resolver module - The CLI can resolve local packages for CxSCA scan type.
| |
2.0.0-rc.22 | Sep 1, 2021 | | |
2.0.0_RC14 | | Added result summary (High, Medium ,Low) to scan create command output. Added result command to the main commands menu. Added the following sub-commands to the new results command:
| |
2.0.0_RC12 | Jul 13, 2021 | Added --tags flag to scan create command. This should be a comma separated list of tags like this: --tags myTagA,myTagB or --tags myTagA. It is also possible to include (key:value) pairs in tags like this: --tags myTag:42,myTagB:hello,myTagC. Removed the -w shortcut for the scan create --nowait command. Added --branch flag to scan create command. This indicates which branch is being scanned. If the --source flag is a GIT repository path, this value will also update AST which branch to pull the code from. Removed unsupported sub-commands from the utils command: query sast-metadata sast-rm
Added the utils env command to echo out current AST environment variables. Fixed --nowait environment message spelling error. Correct scan cancel --help menu grammar. removed --repo-url flag from project create command. Removed SAST_manager option from utils health-check command. Updated auth register command output to display a clearer error message when user enters bad credentials. Modified several commands output tables according to the following: Removed the Updated at column. Updated the information in the Created at column to present only date. The tables are visible in the scan list, and project list commands outputs.
Resolved the behavior that some incorrect commands weren't displaying the expected help messages. Added a new auth validate command. The scan sub-commands (show, delete and cancel) required Scan ID values be passed as an additional flag. These commands were updated to accept the --scan-id flag. The project sub-commands (show, delete) required Project ID values be passed as an additional flag. These commands were updated to accept the --project-id flag.
| |
2.0.0_RC11 | Jun 8, 2021 | Added support for multi-tenancy Added environment variable CX_TENANT Added global CLI argument (--tenant) Added tenant name to the configure command menu. Added tenant support for the register command.
| |
2.0.0_RC10 | May 22, 2021 | scan create command: --sources flag can handle the following scans: GIT repo zip archive Directory
Removed the following flags: --directory, -d --repo-url, -r
Removed extra message when creating a scan
| |
2.0.0_RC9 | May 20, 2021 | | |
2.0.0_RC8 | May 17, 2021 | | |
2.0.0_RC7 | May 13, 2021 | | |
2.0.0_RC6 | May 10, 2021 | scan create command: Removed (--incremental-kics) and (--incremental-sca) Fixed the following: Not showing error when bad auth encountered. Using --scan-types flag with “spaces” between the values caused an error - Fixed
Renamed global parameter (--secret) to (--client-secret) Removed the BFL command Renamed environment variable CX_SECRET to CX_CLIENT_SECRET Added configure set option (cx_base_auth_uri) utils configure set command: Renamed (cx_token) to (cx_apikey) Renamed (cx_ast_access_key_id) to (cx_ast_client_id) Renamed configure set option (cx_ast_access_key_secret) to (cx_ast_client_secret)
configure show command:
TipThe "effective" value means it shows how the CLI presents the property after combining environment variables, configuration variables and CLI arguments. | |
2.0.0_RC5 | May 10, 2021 | | |
2.0.0_RC4 | May 3, 2021 | | |