The following plugin provides functionality available through Pipeline-compatible steps. Read more about how to integrate steps into your Pipeline in the Steps section of the Pipeline Syntax page.

For a list of other such plugins, see the Pipeline Steps Reference page.

Checkmarx Plugin

step([$class: 'CxScanBuilder']): Execute Checkmarx Scan

  • credentialsId
    This option is for users that may already have Jenkins credentials, as defined in Jenkins, and would like to use them with the CxSAST Jenkins plugin. Select your credentials from the drop-down list.
    NOTE: If your credentials do not exist in the system, you can add them by clicking Add and selecting Jenkins (see Adding Jenkins Credentials to the CxSAST Jenkins Plugin, for more information).
    • Type: String
  • buildStep
    • Type: String
  • teamPath
    • Type: String
  • sastEnabled
    • Type: boolean
  • exclusionsSetting
    • Type: String
  • failBuildOnNewResults
    Enables the option to fail the build according to the defined severity (or higher). This option works in addition to the regular thresholds (e.g. if "x" total high vulnerabilities were found OR at least 1 new vulnerability, fail the build). This option is only available if the "Enable vulnerability threshold" parameter is enabled.
    • Type: boolean
  • failBuildOnNewSeverity
    • Type: String
  • osaArchiveIncludePatterns

    Comma-separated list of archive wildcard patterns whose extracted content should be included in the scan, e.g. *.zip, *.jar, *.ear.
    Supported archive types are: jar, war, ear, sca, gem, whl, egg, tar, tar.gz, tgz, zip, rar.
    Leave empty to extract all archives.
    • Type: String
  • osaInstallBeforeScan
    Select this option to be able to scan packages from various dependency managers (NPM, NuGet, Python and more) as part of the CxOSA scan.
    • Type: boolean
  • useOwnServerCredentials (optional)
    • Type: boolean
  • serverUrl (optional)
    Checkmarx server URL or IP address, with or without port. Syntax: http(s)://server-name:port. Examples: http://checkmarx-server, https://10.0.0.255:9495
    • Type: String
  • username (optional)
    Login username
    • Type: String
  • password (optional)
    Login password
    • Type: String
  • projectName (optional)
    The full, absolute name of a project. The full project name includes the whole path to the project: server, service provider, company, and team. Example: "CxServer\SP\Company\Users\bs_java". If no project with that name exists in the system, a new project is created. May reference build parameters like ${PARAM}.
    • Type: String
  • projectId (optional)
    • Type: long
  • groupId (optional)
    Fully qualified team name for the project.
    • Type: String
  • preset (optional)
    Scan preset. When not specified, the predefined preset is used for an existing project and the Default preset for a new project.
    • Type: String
  • jobStatusOnError (optional)
    Determines how to act when a triggered Checkmarx scan in synchronous mode fails and returns an error message (i.e. no scan results; not to be confused with valid scan results that exceed the threshold).
    • FAILURE is equivalent to a job error that fails the entire build.
    • UNSTABLE is equivalent to a job warning that allows the build to proceed normally but marks it unstable upon completion.
    • GLOBAL (use the global setting) means this project uses the value, FAILURE or UNSTABLE, defined globally for the CxSAST Jenkins plugin.
    • Values: GLOBAL, FAILURE, UNSTABLE
  • presetSpecified (optional)
    • Type: boolean
  • excludeFolders (optional)
    Comma-separated list of folders to exclude from the scan. Entries in this list are automatically converted to exclude wildcard patterns and appended to the full pattern list provided in the advanced section. May reference build parameters like ${PARAM}.

    Conversion is done as follows:
    fold1, fold2 fold3
    is converted to:
    !**/fold1/**/*, !**/fold2/**/*, !**/fold3/**/*,

    • Type: String
  • filterPattern (optional)
    Comma-separated list of include or exclude wildcard patterns. Exclude patterns start with an exclamation mark "!".

    Example: **/*.java, **/*.html, !**\test\**\XYZ*

    Pattern Syntax

    A given directory is recursively scanned for all files and directories. Each file/directory is matched against a set of selectors, including special support for matching against filenames with include and exclude patterns. Only files/directories which match at least one pattern of the include pattern list, and don't match any pattern of the exclude pattern list will be placed in the list of files/directories found.

    When no list of include patterns is supplied, "**" will be used, which means that everything will be matched. When no list of exclude patterns is supplied, an empty list is used, such that nothing will be excluded. When no selectors are supplied, none are applied.

    The filename pattern matching is done as follows: the name to be matched is split into path segments. A path segment is the name of a directory or file, bounded by File.separator ('/' under UNIX, '\' under Windows). For example, "abc/def/ghi/xyz.java" is split into the segments "abc", "def", "ghi" and "xyz.java". The same is done for the pattern to be matched against.

    The segments of the name and the pattern are then matched against each other. When '**' is used for a path segment in the pattern, it matches zero or more path segments of the name.

    There is a special case regarding the use of File.separator at the beginning of the pattern and of the string to match:
    When a pattern starts with a File.separator, the string to match must also start with one. When a pattern does not start with a File.separator, the string to match may not start with one. When one of these rules is not obeyed, the string will not match.

    When a name path segment is matched against a pattern path segment, the following special characters can be used:
    '*' matches zero or more characters.
    '?' matches exactly one character.

    May reference build parameters like ${PARAM}.

    Examples:

    "**\*.class" matches all .class files/dirs in a directory tree.

    "test\a??.java" matches all files/dirs which start with an 'a', then two more characters and then ".java", in a directory called test.

    "**" matches everything in a directory tree.

    "**\test\**\XYZ*" matches all files/dirs which start with "XYZ" and where there is a parent directory called test (e.g. "abc\test\def\ghi\XYZ123").

    • Type: String
  • incremental (optional)
    Run incremental scan instead of full scan.
    • Type: boolean
  • fullScansScheduled (optional)
    • Type: boolean
  • fullScanCycle (optional)
    Incremental scans are faster, but with time they become less accurate.
    Therefore, after a number of incremental scans it is recommended to perform a full scan.
    Here you can schedule periodic full scans to be executed after a certain number of incremental scans.

    Alternatively, if you want to run full scans on weekends, you can create two separate jobs:
    the first to run incremental scans on weekdays and the second to run full scans on weekends.
    • Type: int
  • sourceEncoding (optional)
    Source code character encoding.
    • Type: String
  • comment (optional)
    Free text comment. May reference build parameters like ${PARAM}.
    • Type: String
  • skipSCMTriggers (optional)
    Do not perform Checkmarx scan when the build was triggered by SCM Change.
    • Type: boolean
  • waitForResultsEnabled (optional)
    In synchronous mode, the Checkmarx build step waits for the Checkmarx scan to complete, then retrieves the scan results and optionally checks vulnerability thresholds. When disabled, the build step finishes as soon as the scan job has been submitted to the Checkmarx server.
    • Type: boolean
  • vulnerabilityThresholdEnabled (optional)
    Mark the build as unstable if the number of high severity vulnerabilities is above the specified threshold.
    • Type: boolean
  • highThreshold (optional)
    High severity vulnerability threshold. If set, the threshold is crossed if the number of high severity vulnerabilities exceeds it.
    • Type: int
  • mediumThreshold (optional)
    Medium severity vulnerability threshold. If set, the threshold is crossed if the number of medium severity vulnerabilities exceeds it.
    • Type: int
  • lowThreshold (optional)
    Low severity vulnerability threshold. If set, the threshold is crossed if the number of low severity vulnerabilities exceeds it.
    • Type: int
  • osaEnabled (optional)
    • Type: boolean
  • osaHighThreshold (optional)
    OSA high severity vulnerability threshold. If set, the threshold is crossed if the number of high severity vulnerabilities exceeds it.
    • Type: int
  • osaMediumThreshold (optional)
    OSA medium severity vulnerability threshold. If set, the threshold is crossed if the number of medium severity vulnerabilities exceeds it.
    • Type: int
  • osaLowThreshold (optional)
    OSA low severity vulnerability threshold. If set, the threshold is crossed if the number of low severity vulnerabilities exceeds it.
    • Type: int
  • generatePdfReport (optional)
    Downloads a PDF report with scan results from the Checkmarx server. The report is available via a link on "Checkmarx Scan Results" page.
    • Type: boolean
  • enableProjectPolicyEnforcement (optional)
    Mark the build as failed or unstable if the project's policy is violated.
    Notes:
    1. Assigning a policy to a project is done from within CxSAST
    2. OSA Scan must be selected in the build job configuration
    • Type: boolean
  • thresholdSettings (optional)
    • Type: String
  • vulnerabilityThresholdResult (optional)
    • Type: String
  • includeOpenSourceFolders (optional)

    Include/Exclude definition will not affect dependencies resolved from package manager manifest files.

    Comma-separated list of include or exclude wildcard patterns. Exclude patterns start with an exclamation mark "!".

    Example: *.jar */folder/* */folder1/folder2/* */folder*/* */file.* */file*.jar */test/*file*.*

    May reference build parameters like ${PARAM}.

    Examples:

    "**/*.jar" matches all .jar files in a directory tree.

    "*/test/a??.jar" matches all files/dirs which start with an 'a', then two more characters and then ".jar", in a directory called test.

    "**" matches everything in a directory tree.

    "**/test/**/XYZ*" matches all files/dirs which start with "XYZ" and where there is a parent directory called test (e.g. "abc/test/def/ghi/XYZ123").

    • Type: String
  • excludeOpenSourceFolders (optional)
    Comma-separated list of folders to exclude from the scan.
    • Type: String
  • avoidDuplicateProjectScans (optional)
    If a scan of this project is already in the queue with status working or queued, do not send a new scan request to Checkmarx.
    • Type: boolean
  • generateXmlReport (optional)
    Generate full XML and HTML CxSAST scan reports. These reports contain additional information about the detected vulnerabilities.
    • Type: boolean
  • thisBuildIncremental (optional)
    • Type: boolean
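The following is an added example, not code from the Checkmarx plugin, showing how the filterPattern syntax described above (segment-wise matching with `**`, `*` and `?`, include/exclude lists, the leading-separator rule) and the excludeFolders conversion (`fold1, fold2 fold3` to `!**/fold1/**/*, ...`) combine to decide which files reach the scanner. The sample file list and the pattern strings are constructed for the illustration; `select_files` and the helper names are this example's own, and the `**/*` suffix that excludeFolders produces is applied exactly as the page states.

```python
import re
from typing import Iterable, List, Sequence


def split_patterns(text: str) -> List[str]:
    """Split a comma-separated filterPattern value into individual patterns."""
    return [p.strip() for p in text.split(",") if p.strip()]


def exclude_folders_to_patterns(text: str) -> List[str]:
    """Convert an excludeFolders value such as "fold1, fold2 fold3" into the
    exclude patterns the page describes ("!**/fold1/**/*", ...).
    Folder names are separated by commas and/or whitespace, as in the page's example."""
    names = [n for n in re.split(r"[,\s]+", text) if n]
    return [f"!**/{n}/**/*" for n in names]


def _segments(path: str) -> List[str]:
    """Split on either File.separator; drop empty segments from leading/doubled separators."""
    return [s for s in path.replace("\\", "/").split("/") if s]


def _match_segment(pat: str, name: str) -> bool:
    """Match one path segment: '*' = zero or more characters, '?' = exactly one."""
    if not pat:
        return not name
    if pat[0] == "*":
        return any(_match_segment(pat[1:], name[i:]) for i in range(len(name) + 1))
    if not name:
        return False
    if pat[0] == "?" or pat[0] == name[0]:
        return _match_segment(pat[1:], name[1:])
    return False


def _match_segments(pat: Sequence[str], segs: Sequence[str]) -> bool:
    """Match segment lists; a '**' pattern segment consumes zero or more name segments."""
    if not pat:
        return not segs
    if pat[0] == "**":
        return any(_match_segments(pat[1:], segs[i:]) for i in range(len(segs) + 1))
    if not segs:
        return False
    return _match_segment(pat[0], segs[0]) and _match_segments(pat[1:], segs[1:])


def match_path(pattern: str, path: str) -> bool:
    """Ant-style whole-path match. A leading separator must be present on both
    the pattern and the path, or on neither; otherwise the path does not match."""
    if pattern.startswith(("/", "\\")) != path.startswith(("/", "\\")):
        return False
    return _match_segments(_segments(pattern), _segments(path))


def select_files(paths: Iterable[str], patterns: Sequence[str]) -> List[str]:
    """Keep paths that match at least one include pattern and no exclude pattern.
    With no include patterns, '**' (everything) is used, as the page specifies."""
    includes = [p for p in patterns if not p.startswith("!")]
    excludes = [p[1:] for p in patterns if p.startswith("!")]
    if not includes:
        includes = ["**"]
    return [
        f for f in paths
        if any(match_path(i, f) for i in includes)
        and not any(match_path(e, f) for e in excludes)
    ]


# Constructed workspace listing for the demonstration.
SAMPLE_FILES = [
    "src/Main.java",
    "web/index.html",
    "src/test/util/XYZHelper.java",
    "src/test/util/Helper.java",
    "node_modules/lib/Vendor.java",
    "build/Generated.java",
    "README.md",
]


def demo() -> List[str]:
    """The page's filterPattern example plus two excluded folders, applied to SAMPLE_FILES."""
    patterns = split_patterns("**/*.java, **/*.html, !**\\test\\**\\XYZ*")
    patterns += exclude_folders_to_patterns("node_modules, build")
    return select_files(SAMPLE_FILES, patterns)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Running the script prints `src/Main.java`, `web/index.html` and `src/test/util/Helper.java`: `README.md` matches no include, `XYZHelper.java` is dropped by the `!**\test\**\XYZ*` exclude, and the two folder entries are dropped by the patterns excludeFolders generated for them.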
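As an added illustration (not the plugin's own code) of how the result-gating parameters above interact in synchronous mode: the severity thresholds are crossed only when a count strictly exceeds the limit and then mark the build unstable, failBuildOnNewResults fails the build when any new finding is at the configured severity or higher and works in addition to the thresholds, and jobStatusOnError decides the outcome when the scan itself errors out. The scan counts are constructed; the model assumes GLOBAL has already been resolved to FAILURE or UNSTABLE and leaves thresholdSettings and vulnerabilityThresholdResult (undocumented on this page) out of scope.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Ranking used for "the defined severity (or higher)" in failBuildOnNewResults.
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass
class GatingConfig:
    """Subset of CxScanBuilder parameters that decide the build result.
    Field names are snake_case versions of the parameters listed above."""
    vulnerability_threshold_enabled: bool = True   # vulnerabilityThresholdEnabled
    high_threshold: Optional[int] = None           # highThreshold
    medium_threshold: Optional[int] = None         # mediumThreshold
    low_threshold: Optional[int] = None            # lowThreshold
    fail_build_on_new_results: bool = False        # failBuildOnNewResults
    fail_build_on_new_severity: str = "HIGH"       # failBuildOnNewSeverity
    job_status_on_error: str = "FAILURE"           # jobStatusOnError, GLOBAL already resolved (assumption)


@dataclass
class ScanOutcome:
    """Constructed stand-in for what the step retrieves after a synchronous scan."""
    error: bool = False
    totals: Dict[str, int] = field(default_factory=dict)        # all findings per severity
    new_findings: Dict[str, int] = field(default_factory=dict)  # findings not present in earlier scans


def evaluate_build(cfg: GatingConfig, outcome: ScanOutcome) -> Tuple[str, List[str]]:
    """Return (build result, reasons) following the semantics documented for the parameters."""
    if outcome.error:
        # No results at all: jobStatusOnError decides, nothing else is evaluated.
        return cfg.job_status_on_error, ["scan returned an error instead of results"]
    if not cfg.vulnerability_threshold_enabled:
        # failBuildOnNewResults is only available when the threshold option is enabled.
        return "SUCCESS", []

    reasons: List[str] = []
    checks = (
        ("HIGH", cfg.high_threshold),
        ("MEDIUM", cfg.medium_threshold),
        ("LOW", cfg.low_threshold),
    )
    # A threshold is crossed when the count exceeds it (strictly greater), marking the build unstable.
    for severity, limit in checks:
        count = outcome.totals.get(severity, 0)
        if limit is not None and count > limit:
            reasons.append(f"{severity}: {count} findings exceed threshold {limit}")

    # New findings at or above the configured severity fail the build outright,
    # regardless of whether any threshold was crossed.
    if cfg.fail_build_on_new_results:
        floor = SEVERITY_RANK[cfg.fail_build_on_new_severity]
        new_hits = sum(
            n for sev, n in outcome.new_findings.items() if SEVERITY_RANK[sev] >= floor
        )
        if new_hits:
            reasons.append(
                f"{new_hits} new finding(s) at {cfg.fail_build_on_new_severity} or higher"
            )
            return "FAILURE", reasons

    return ("UNSTABLE" if reasons else "SUCCESS"), reasons


if __name__ == "__main__":
    cfg = GatingConfig(high_threshold=5, fail_build_on_new_results=True,
                       fail_build_on_new_severity="MEDIUM")
    for outcome in (
        ScanOutcome(totals={"HIGH": 5}),
        ScanOutcome(totals={"HIGH": 6}),
        ScanOutcome(totals={"HIGH": 2}, new_findings={"MEDIUM": 1}),
        ScanOutcome(error=True),
    ):
        print(evaluate_build(cfg, outcome))
```

The second case shows the boundary worth remembering when tuning thresholds: a count equal to the limit passes, one above it marks the build unstable; only new findings (or a scan error with jobStatusOnError set to FAILURE) turn the result into a hard failure.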
