The following plugin provides functionality available through Pipeline-compatible steps. Read more about how to integrate steps into your Pipeline in the Steps section of the Pipeline Syntax page.

For a list of other such plugins, see the Pipeline Steps Reference page.

Checkmarx Plugin

step([$class: 'CxScanBuilder']): Execute Checkmarx Scan

  • credentialsId : String
    This option is for users that may already have Jenkins credentials, as defined in Jenkins, and would like to use them with the CxSAST Jenkins plugin. Select your credentials from the drop-down list.
    NOTE: If your credentials do not exist in the system, you can add them by clicking Add and selecting Jenkins (see Adding Jenkins Credentials to the CxSAST Jenkins Plugin, for more information).
  • sastCredentialsId : String
  • buildStep : String
  • teamPath : String
  • sastEnabled : boolean
  • exclusionsSetting : String
  • failBuildOnNewResults : boolean
    Enables the option to fail the build according to the defined severity (or higher). This option works in addition to the regular thresholds (e.g. if "x" total high vulnerabilities were found OR at least 1 new vulnerability, fail the build). This option is only available if the "Enable vulnerability threshold" parameter is enabled.
  • failBuildOnNewSeverity : String
  • useOwnServerCredentials : boolean (optional)
  • serverUrl : String (optional)
    Checkmarx server url or ip address with or without port. Syntax: http(s)://server-name:port. Example: http://checkmarx-server,
  • username : String (optional)
    Login username
  • password : String (optional)
    Login password
  • isProxy : boolean (optional)
  • configAsCode : boolean (optional)
    Create cx.config config-as-code input file at the root of the repo in '.checkmarx' folder. For example .checkmarx/cx.config
  • projectName : String (optional)
    A full absolute name of a project. The full Project name includes the whole path to the project, including Server, service provider, company, and team. Example: "CxServer\SP\Company\Users\bs_java" If project with such a name doesn't exist in the system, new project will be created. May reference build parameters like ${PARAM}.
  • projectId : long (optional)
  • groupId : String (optional)
    Fully qualified team name for the project.
  • preset : String (optional)
    Select the scan preset for this project
  • jobStatusOnError (optional)
    Determines how to act when a triggered Checkmarx scan in synchronous mode fails and returns an error message (i.e. no scan results, not to be confused with valid scan results that exceed the threshold).
    • FAILURE is equivalent to a Job error that fails the entire build.
    • UNSTABLE is equivalent to a Job warning that allows the build to proceed normally but provides an unstable status upon completion.
    • Use the global setting implies that this project uses the value either FAILURE or UNSTABLE defined globally by the CxSAST Jenkins plugin.
  • presetSpecified : boolean (optional)
  • excludeFolders : String (optional)
    Comma separated list of folders to exclude from scan. Entries in this list are automatically converted to exclude wildcard patterns and appended to the full pattern list provided in the advanced section. May reference build parameters like ${PARAM}.

    Conversion is done as follows:
    fold1, fold2 fold3
    is converted to:
    !**/fold1/**/*, !**/fold2/**/*, !**/fold3/**/*,

  • filterPattern : String (optional)
    Comma separated list of include or exclude wildcard patterns. Exclude patterns start with exclamation mark "!".

    Example: **/*.java, **/*.html, !**\test\**\XYZ*

    Pattern Syntax

    A given directory is recursively scanned for all files and directories. Each file/directory is matched against a set of selectors, including special support for matching against filenames with include and exclude patterns. Only files/directories which match at least one pattern of the include pattern list, and don't match any pattern of the exclude pattern list will be placed in the list of files/directories found.

    When no list of include patterns is supplied, "**" will be used, which means that everything will be matched. When no list of exclude patterns is supplied, an empty list is used, such that nothing will be excluded. When no selectors are supplied, none are applied.

    The filename pattern matching is done as follows: The name to be matched is split up in path segments. A path segment is the name of a directory or file, which is bounded by File.separator ('/' under UNIX, '\' under Windows). For example, "abc/def/ghi/" is split up in the segments "abc", "def","ghi" and "". The same is done for the pattern against which should be matched.

    The segments of the name and the pattern are then matched against each other. When '**' is used for a path segment in the pattern, it matches zero or more path segments of the name.

    There is a special case regarding the use of File.separators at the beginning of the pattern and the string to match:
    When a pattern starts with a File.separator, the string to match must also start with a File.separator. When a pattern does not start with a File.separator, the string to match may not start with a File.separator. When one of these rules is not obeyed, the string will not match.

    When a name path segment is matched against a pattern path segment, the following special characters can be used:
    '*' matches zero or more characters
    '?' matches one character.

    May reference build parameters like ${PARAM}.


    "**\*.class" matches all .class files/dirs in a directory tree.

    "test\a??.java" matches all files/dirs which start with an 'a', then two more characters and then ".java", in a directory called test.

    "**" matches everything in a directory tree.

    "**\test\**\XYZ*" matches all files/dirs which start with "XYZ" and where there is a parent directory called test (e.g. "abc\test\def\ghi\XYZ123").

  • incremental : boolean (optional)
    Run incremental scan instead of full scan.
  • fullScansScheduled : boolean (optional)
  • fullScanCycle : int (optional)
    Incremental scans are faster, but with time they become less accurate.
    Therefore, after a number of incremental scans it is recommended to perform a full scan.
    Here you can schedule periodic full scans to be executed after a certain number of incremental scans.

    Alternatively, if you want to run full scans on weekends, you can create 2 separate jobs.
    First job - to run incremental scans on weekdays and second job - to run full scans on weekends.
  • postScanActionId : int (optional)
    Select Post Scan Action name that is to be performed automatically after a scan.(Note that the feature works with 9.3 version SAST onwards.)
  • sourceEncoding : String (optional)
    Source code character encoding.
  • comment : String (optional)
    Free text comment. If the comment contains variables like ${GIT_COMMIT}, ${GIT_BRANCH}, ${GIT_URL}, ${GIT_AUTHOR_NAME} or any Jenkins variable. It shall be expanded as long as it is a valid variable available to Jenkins else considers it as plain text.
  • skipSCMTriggers : boolean (optional)
    Do not perform Checkmarx scan when the build was triggered by SCM Change.
  • waitForResultsEnabled : boolean (optional)
    In synchronous mode, Checkmarx build step will wait for Checkmarx scan to complete, then retrieve scan results and optionally check vulnerability thresholds. When disabled, the build step finishes after scan job submissions to Checkmarx server.
  • vulnerabilityThresholdEnabled : boolean (optional)
    Mark the build as unstable if the number of high severity vulnerabilities is above the specified threshold.
  • highThreshold : int (optional)
    High severity vulnerability threshold. If set, the threshold is crossed if number of high severity vulnerabilities exceeds it.
  • mediumThreshold : int (optional)
    Medium severity vulnerability threshold. If set, the threshold is crossed if number of medium severity vulnerabilities exceeds it.
  • lowThreshold : int (optional)
    Low severity vulnerability threshold. If set, the threshold is crossed if number of low severity vulnerabilities exceeds it.
  • osaHighThreshold : int (optional)
    High severity vulnerabilities threshold for dependency scan. If set, the threshold is crossed if number of high severity vulnerabilities exceeds it.
  • osaMediumThreshold : int (optional)
    Medium severity vulnerabilities threshold for dependency scan. If set, the threshold is crossed if number of medium severity vulnerabilities exceeds it.
  • osaLowThreshold : int (optional)
    Low severity vulnerabilities threshold for dependency scan. If set, the threshold is crossed if number of low severity vulnerabilities exceeds it.
  • generatePdfReport : boolean (optional)
    Downloads a PDF report with scan results from the Checkmarx server. The report is available via a link on "Checkmarx Scan Results" page.
  • enableProjectPolicyEnforcement : boolean (optional)
    Mark the build as failed or unstable if the project's policy is violated.
    Assigning a policy to a project is done from within CxSAST
  • thresholdSettings : String (optional)
  • vulnerabilityThresholdResult : String (optional)
  • avoidDuplicateProjectScans : boolean (optional)
    If there is a scan of this project in the queue in status working or queued do not send a new scan request to Checkmarx
  • addGlobalCommenToBuildCommet : boolean (optional)
    Allow global sast comment to be added to the build comment.By default the global comment is empty. When both job level comments and global comments are provided and 'Allow Global comment' is selected, then both comments shall be concatenated.
  • generateXmlReport : boolean (optional)
    Generate full XML and HTML CxSAST scan reports. These reports will contain additional information about the detected vulnerabilities
  • hideDebugLogs : boolean (optional)
    Enabling this will not generate any debug level logs in the job output.
  • forceScan : boolean (optional)
    Force Scan - If force scan is enabled, SAST will perform scan even if there are no code changes.
  • customFields : String (optional)
    Add scan level custom fields and its value. Example: field1:value1,field2:value2.(Note that the feature works with 9.4 version SAST onwards.)
  • dependencyScanConfig (optional)
      Nested Object
    • SASTUserName : String (optional)
    • dependencyScanExcludeFolders : String (optional)
    • dependencyScanPatterns : String (optional)
    • dependencyScannerType (optional)
      • Values: OSA, SCA
    • enableScaResolver (optional)
    • fsaVariables : String (optional)
    • isExploitablePath : boolean (optional)
    • isIncludeSources : boolean (optional)
    • osaArchiveIncludePatterns : String (optional)
    • osaInstallBeforeScan : boolean (optional)
    • overrideGlobalConfig : boolean (optional)
    • pathToScaResolver : String (optional)
    • sastCredentialsId : String (optional)
    • scaAccessControlUrl : String (optional)
    • scaConfigFile : String (optional)
    • scaCredentialsId : String (optional)
    • scaEnvVariables : String (optional)
    • scaResolverAddParameters : String (optional)
    • scaSASTProjectFullPath : String (optional)
    • scaSASTProjectID : String (optional)
    • scaSastServerUrl : String (optional)
    • scaServerUrl : String (optional)
    • scaTeamId : String (optional)
    • scaTeamPath : String (optional)
    • scaTenant : String (optional)
    • scaTimeout : int (optional)
    • scaWebAppUrl : String (optional)
    • useJobLevelSastDetails : boolean (optional)
  • excludeOpenSourceFolders : String (optional)
  • includeOpenSourceFolders : String (optional)
  • osaArchiveIncludePatterns : String (optional)

    Comma separated list of archive wildcard patterns to include their extracted content for the scan. eg. *.zip, *.jar, *.ear
    Supported archive types are: jar, war, ear, sca, gem, whl, egg, tar, tar.gz, tgz, zip, rar
    Leave empty to extract all archives
  • osaEnabled : boolean (optional)
  • osaInstallBeforeScan : boolean (optional)
    Select this option in order to be able to scan packages from various dependency managers (NPM, Nugget, Python and more.) as part of the CxOSA scan
  • overrideProjectSetting : boolean (optional)
    When selected, preset & engine configuration value selected in the pipeline will be saved on the CxSAST project.
  • thisBuildIncremental : boolean (optional)

Was this page helpful?

Please submit your feedback about this page through this quick form.

Alternatively, if you don't wish to complete the quick form, you can simply indicate if you found this page helpful?


See existing feedback here.