Skip to content

checkmarxExecuteScan

Checkmarx is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code.

Description

Checkmarx is a Static Application Security Testing (SAST) tool to analyze i.e. Java- or TypeScript, Swift, Golang, Ruby code, and many other programming languages for security flaws based on a set of provided rules/queries that can be customized and extended.

This step by default enforces a specific audit baseline for findings and therefore ensures that:

  • No 'To Verify' High and Medium issues exist in your project
  • Total number of High and Medium 'Confirmed' or 'Urgent' issues is zero
  • 10% of all Low issues are 'Confirmed' or 'Not Exploitable'

You can adapt above thresholds specifically using the provided configuration parameters and i.e. check for absolute thresholds instead of percentage whereas we strongly recommend you to stay with the defaults provided.

Usage

We recommend to define values of step parameters via config.yml file. In this case, calling the step is reduced to one simple line.
Calling the step can be done either via the Jenkins library step or on the command line.

Jenkins Pipeline

library('piper-lib-os')

checkmarxExecuteScan script: this

Command Line

piper checkmarxExecuteScan

Outputs

Output type Details
influx measurement checkmarx_data
  • high_issues
  • high_not_false_positive
  • high_not_exploitable
  • high_confirmed
  • high_urgent
  • high_proposed_not_exploitable
  • high_to_verify
  • medium_issues
  • medium_not_false_positive
  • medium_not_exploitable
  • medium_confirmed
  • medium_urgent
  • medium_proposed_not_exploitable
  • medium_to_verify
  • low_issues
  • low_not_false_positive
  • low_not_exploitable
  • low_confirmed
  • low_urgent
  • low_proposed_not_exploitable
  • low_to_verify
  • information_issues
  • information_not_false_positive
  • information_not_exploitable
  • information_confirmed
  • information_urgent
  • information_proposed_not_exploitable
  • information_to_verify
  • initiator_name
  • owner
  • scan_id
  • project_id
  • projectName
  • team
  • team_full_path_on_report_date
  • scan_start
  • scan_time
  • lines_of_code_scanned
  • files_scanned
  • checkmarx_version
  • scan_type
  • preset
  • deep_link
  • report_creation_time

Parameters

Overview

Name Mandatory Additional information
password yes Vault Secret pass via ENV, Vault or Jenkins credentials (checkmarxCredentialsId)
projectName yes
script yes Jenkins only reference to Jenkins main pipeline script
serverUrl yes
username yes Vault Secret pass via ENV, Vault or Jenkins credentials (checkmarxCredentialsId)
avoidDuplicateProjectScans no
filterPattern no
fullScanCycle no
fullScansScheduled no
generatePdfReport no
incremental no
maxRetries no
preset no
pullRequestName no
sourceEncoding no
stashContent no Jenkins only
teamId no
teamName no
verbose no activates debug output
verifyOnly no
vulnerabilityThresholdEnabled no
vulnerabilityThresholdHigh no
vulnerabilityThresholdLow no
vulnerabilityThresholdMedium no
vulnerabilityThresholdResult no
vulnerabilityThresholdUnit no

Details

avoidDuplicateProjectScans

Whether duplicate scans of the same project state shall be avoided or not

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

filterPattern

The filter pattern used to zip the files relevant for scanning, patterns can be negated by setting an exclamation mark in front i.e. !test/*.js would avoid adding any javascript files located in the test directory

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default !**/node_modules/**, !**/.xmake/**, !**/*_test.go, !**/vendor/**/*.go, **/*.html, **/*.xml, **/*.go, **/*.py, **/*.js, **/*.scala, **/*.ts
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

fullScanCycle

Indicates how often a full scan should happen between the incremental scans when activated

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default 5
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

fullScansScheduled

Whether full scans are to be scheduled or not. Should be used in relation with incremental and fullScanCycle

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

generatePdfReport

Whether to generate a PDF report of the analysis results or not

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

incremental

Whether incremental scans are to be applied which optimizes the scan time but might reduce detection capabilities. Therefore full scans are still required from time to time and should be scheduled via fullScansScheduled and fullScanCycle

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

maxRetries

Maximum number of HTTP request retries upon intermittend connetion interrupts

back to overview

Scope Details
Aliases -
Type int
Mandatory no
Default 3
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

password

The password to authenticate

back to overview

Scope Details
Aliases -
Type string
Mandatory yes
Default $PIPER_password (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references Jenkins credential id:
  id: checkmarxCredentialsId
  reference to: password

Vault paths:
  • $(vaultPath)/checkmarx

preset

The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of checkmarxCredentialsId

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_preset (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

projectName

The name of the Checkmarx project to scan into

back to overview

Scope Details
Aliases - checkmarxProject
- checkMarxProjectName (deprecated)
Type string
Mandatory yes
Default $PIPER_projectName (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

pullRequestName

Used to supply the name for the newly created PR project branch when being used in pull request scenarios

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_pullRequestName (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

script

Jenkins-specific: Used for proper environment setup.

The common script environment of the Jenkinsfile running. Typically the reference to the script calling the pipeline step is provided with the this parameter, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g. configuration parameters.

back to overview

Scope Details
Aliases -
Type Jenkins Script
Mandatory yes
Default
Secret no
Configuration scope
  • ☐ parameter
  • ☐ general
  • ☐ steps
  • ☐ stages
Resource references none

serverUrl

The URL pointing to the root of the Checkmarx server to be used

back to overview

Scope Details
Aliases checkmarxServerUrl
Type string
Mandatory yes
Default $PIPER_serverUrl (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

sourceEncoding

The source encoding to be used, if not set explicitly the project's default will be used

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default 1
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

stashContent

Jenkins-specific: Used for proper environment setup.

Specific stashes that should be considered for the step execution.

back to overview

Scope Details
Aliases -
Type []string
Mandatory no
Default - checkmarx
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

teamId

The group ID related to your team which can be obtained via the Pipeline Syntax plugin as described in the Details section

back to overview

Scope Details
Aliases - checkmarxGroupId
- groupId (deprecated)
Type string
Mandatory no
Default $PIPER_teamId (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

teamName

The full name of the team to assign newly created projects to which is preferred to teamId

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_teamName (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

username

The username to authenticate

back to overview

Scope Details
Aliases -
Type string
Mandatory yes
Default $PIPER_username (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references Jenkins credential id:
  id: checkmarxCredentialsId
  reference to: username

Vault paths:
  • $(vaultPath)/checkmarx

verbose

verbose output

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

verifyOnly

Whether the step shall only apply verification checks or whether it does a full scan and check cycle

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

vulnerabilityThresholdEnabled

Whether the thresholds are enabled or not. If enabled the build will be set to vulnerabilityThresholdResult in case a specific threshold value is exceeded

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

vulnerabilityThresholdHigh

The specific threshold for high severity findings

back to overview

Scope Details
Aliases -
Type int
Mandatory no
Default 100
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

vulnerabilityThresholdLow

The specific threshold for low severity findings

back to overview

Scope Details
Aliases -
Type int
Mandatory no
Default 10
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

vulnerabilityThresholdMedium

The specific threshold for medium severity findings

back to overview

Scope Details
Aliases -
Type int
Mandatory no
Default 100
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

vulnerabilityThresholdResult

The result of the build in case thresholds are enabled and exceeded

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default FAILURE
Possible values - FAILURE
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

vulnerabilityThresholdUnit

The unit for the threshold to apply.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default percentage
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

checkmarxCredentialsId

Jenkins-specific: Used for proper environment setup. See using credentials for details.

Jenkins 'Username with password' credentials ID containing username and password to communicate with the Checkmarx backend.

back to overview

Scope Details
Aliases -
Type string
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages