Creating and Configuring a CxSAST Project (v8.9.0)

To create a CxSAST project:

Select Project & Scans > Create New Project

Configure the following General project properties:

  • Project Name - should indicate the source code to be scanned and tracked.
  • Preset - set of queries to be run on the code scan. Default includes a set of queries recommended by Checkmarx for most projects. Select the preset that best matches your application, for example, for an Android project select Android. For a full list of executed queries, see the Vulnerability Queries section in the release notes.
  • Configuration - Apart from the default configuration, additional configurations (traditionally for advanced users) can be selected, for example for scanning double-byte encoded source code. A multi-language configuration is also available; with it, all files are scanned regardless of language type. If needed, a threshold parameter can be adjusted in the database.
    • The Default configuration scans the primary language (e.g., Java, C#, Python) that has the most files, plus all secondary languages (e.g., JavaScript, PL/SQL, VBScript). For example, in a project with 100 Java files, 50 Python files, and 60 JavaScript files, only the Java and JavaScript files are scanned with the Default configuration.
    • The Multi-language configuration scans all languages, including multiple primary languages. If the same project with 100 Java files, 50 Python files, and 60 JavaScript files is scanned, all three languages (Java, Python, and JavaScript) are scanned.
  • Team - determines who will be able to view your project and its scan results. Available options depend on the permissions of the logged-on user. Selecting CxServer allows access only to the server Administrator. If you're working as a single user, leave the default option.
  • Policy - select a predefined violation policy from the Policy drop-down. Refer to Policy Management for more information about defining violation policies and rules.

Click Next

Configure the following source code Location properties:

  • Local - Click Select to browse to a local zip file containing the code. Future scans of the project are also performed via local upload (see Managing Projects and Running Scans).

    CxSAST does not scan two files with the same name or files with special characters that are not supported in Windows.

    If the zip file is larger than 200 MB, you will not be able to upload it. To create a smaller zip file containing only files with specified extensions, use the CxZip utility.

    Zip files generated in a Linux environment may not function properly.

    If an uploaded zip file contains a file path longer than 255 characters, that file will not be sent for scanning. Shorten the file path and try again.

    If the zip file contains another zip file inside, the internal zip file will not be sent for scanning. Unzip the contents to the main zip file before scanning.

  • Shared - project code that is maintained on a network server accessible from the CxSAST Server. Click Select, provide your Windows domain credentials in order for CxSAST to access the network (username format: domain_name\user name), and select one or more network folders containing the project code.

    Zipped source code is not supported for shared location scans. Unzip the contents of the zip file before scanning.

    CxSAST does not scan two files with the same name or files with special characters that are not supported in Windows.

  • Source Control - project code that is maintained in a TFS, SVN, Git or Perforce source control system. Click Select (see Configuring the Connection to a Source Control System).

    Files inside a zip file that are located inside a repository will not be sent for scanning. Unzip the contents of the zip file to the repository before scanning.

    CxSAST does not scan two files with the same name or files with special characters that are not supported in Windows.

  • Source Pulling - an extension of the "Shared" option above. "Source Pulling" activates a configurable script that pulls source code from a source control system into the specified Shared location. Note: this script must be configured beforehand in the CxSAST Windows client application.
  • Optionally, you can exclude certain folders or files from the scan process. 

    Type a comma-separated list of the folders or files that you would like excluded from the scan; wildcards can also be used. In the archive below, the folder name ‘lib’ and the file name ‘readme.txt’ have been added to the Exclude fields and will not be included in the upcoming project scan:

         |+ add-ons 
         | |+ connectors 
         | | |+ cvc3.js 
         | | |+ spass.js 
         | | + z3.js 
         | | - lib 
         | | | - readme.txt 
         | | | - smt_solver.js 
         | + src 
         | +doc 
         | - readme.txt 
         + src 
         - lib 
         |- find_sql_injections.js 
         |- jquery.js 
         + logic.js

    CxSAST does not scan two files with the same name or files with special characters that are not supported in Windows.
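The Exclude fields are applied by CxSAST on the server, and the page does not specify the exact matching rules. The following script is an added example (not Checkmarx code) that previews which files an Exclude setting would leave out, using the file list modelled on the tree above. It assumes that a folder pattern matches any directory name on a file's path, a file pattern matches the file name, matching is case-insensitive (Windows semantics), and wildcards are shell-style `*` and `?`; the function names are ours.

```python
"""Preview which files an Exclude setting would leave out of a CxSAST scan.

Added example, not Checkmarx code. Assumed matching rules (the page only says
the fields are comma-separated and accept wildcards): a folder pattern matches
any directory name on a file's path, a file pattern matches the file name,
comparison is case-insensitive, wildcards are shell-style '*' and '?'.
"""
import fnmatch

# Constructed file list modelled on the archive tree shown on the page.
SAMPLE_FILES = [
    "add-ons/connectors/cvc3.js",
    "add-ons/connectors/spass.js",
    "add-ons/connectors/z3.js",
    "add-ons/connectors/lib/readme.txt",
    "add-ons/connectors/lib/smt_solver.js",
    "add-ons/readme.txt",
    "src/logic.js",
    "lib/find_sql_injections.js",
    "lib/jquery.js",
]


def parse_exclusions(text: str) -> list:
    """Split the comma-separated Exclude field, dropping blanks and surrounding spaces."""
    return [p.strip() for p in text.split(",") if p.strip()]


def _matches(name: str, patterns: list) -> bool:
    """Case-insensitive shell-style match of one path component against any pattern."""
    return any(fnmatch.fnmatchcase(name.lower(), pat.lower()) for pat in patterns)


def is_excluded(path: str, folder_patterns: list, file_patterns: list) -> bool:
    """True if a directory on the path matches a folder pattern, or the file name matches a file pattern."""
    *dirs, name = path.split("/")  # zip and repository paths use forward slashes
    return any(_matches(d, folder_patterns) for d in dirs) or _matches(name, file_patterns)


def plan_scan(files: list, exclude_folders: str, exclude_files: str) -> tuple:
    """Return (scanned, excluded) lists for the given Exclude field contents."""
    folders = parse_exclusions(exclude_folders)
    names = parse_exclusions(exclude_files)
    scanned, excluded = [], []
    for f in files:
        (excluded if is_excluded(f, folders, names) else scanned).append(f)
    return scanned, excluded


if __name__ == "__main__":
    # The page's own example: folder 'lib' and file 'readme.txt' excluded.
    scanned, excluded = plan_scan(SAMPLE_FILES, "lib", "readme.txt")
    print("scanned: ", scanned)
    print("excluded:", excluded)
```

Run the preview against the real file list before committing an exclusion: a folder pattern such as `lib` removes every directory of that name at any depth, including third-party code that ships to production, and findings in excluded files never reach the results. Comparing the number of files left with the Count Lines result is a quick sanity check.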
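The constraints listed for the Local upload (the 200 MB limit, the 255-character path limit, nested zip files, two files with the same name, and characters Windows does not support) are only reported after the upload fails or files silently drop out of the scan. The script below is an added example, not Checkmarx code, that applies those checks to an archive before it is uploaded. The thresholds come from the page; the function names, the reading of "same name" as the same file name anywhere in the archive, and the detection of nested archives by the `.zip` extension are our assumptions.

```python
"""Pre-upload checks for a CxSAST Local-upload zip file.

Added example, not Checkmarx code. Applies the constraints listed on the page
to the entries of an archive before upload. Assumptions: 'two files with the
same name' means the same file name anywhere in the archive, and a nested zip
is recognised by its '.zip' extension only.
"""
import io
import zipfile

MAX_ZIP_BYTES = 200 * 1024 * 1024   # page: archives larger than 200 MB cannot be uploaded
MAX_PATH_CHARS = 255                # page: paths longer than 255 characters are not scanned
WINDOWS_RESERVED = set('<>:"|?*')   # characters that are invalid in Windows file names


def check_zip(data: bytes) -> list:
    """Return a list of findings for the archive bytes; an empty list means it passes."""
    findings = []
    if len(data) > MAX_ZIP_BYTES:
        findings.append(f"archive is {len(data)} bytes, over the 200 MB upload limit")
    seen = {}   # file name -> first path that used it
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = info.filename          # zip entries always use forward slashes
            if info.is_dir():
                continue
            if len(path) > MAX_PATH_CHARS:
                findings.append(f"{path[:30]}...: path is {len(path)} characters, over 255")
            # Extension-based only; an archive renamed to another extension is not caught.
            if path.lower().endswith(".zip"):
                findings.append(f"{path}: nested zip, its contents will not be scanned")
            bad = sorted({c for c in path if c in WINDOWS_RESERVED or ord(c) < 32})
            if bad:
                findings.append(f"{path}: characters not supported on Windows: {bad}")
            name = path.rsplit("/", 1)[-1]
            if name in seen:
                findings.append(f"{path}: same file name as {seen[name]}")
            else:
                seen[name] = path
    return findings


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive from {path: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample that trips four of the rules (one finding each).
SAMPLE_ENTRIES = {
    "src/logic.js": "// fine",
    "lib/readme.txt": "first readme",
    "doc/readme.txt": "second file with the same name",
    "vendor/third_party.zip": b"PK\x05\x06" + b"\x00" * 18,   # minimal empty nested zip
    "src/what?.js": "// '?' is not allowed in Windows file names",
    "deep/" + "a" * 260 + ".js": "// path longer than 255 characters",
}

if __name__ == "__main__":
    for line in check_zip(build_zip(SAMPLE_ENTRIES)):
        print(line)
```

Pointing `check_zip` at the bytes of the real archive (`open(path, "rb").read()`) before uploading turns the silent drops described above into a list that can be fixed in one pass; the same check is worth running on archives produced on Linux, which the page notes may not function properly.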

Click Count Lines to display the number of lines in the current project.

Please note that because JavaScript is enhanced during the scan process, the real line count may be larger than the result shown by the Count Lines option or the Cx CMD Line Counter.

Click Next. The following steps of the wizard are optional. You can click Finish to skip them. 

Scheduling is not applicable to a Local source code location, since the CxSAST Server cannot automatically access the local source. You will need to periodically manually upload a new zip file.

Configure the following scan execution Scheduling properties:

  • None - defines no scheduling
  • Now - defines an immediate scan
  • By Schedule - define an automatic weekly scan according to the specified time
    • Run on Weekdays - define which day to run the periodic scan
    • Run Time - define what time to run the periodic scan.

To support a continuous integration development methodology, it is recommended to schedule periodic scans of the source files so they are checked after modifications. This can be automated via the CLI in the build file, but it does not have to be done this way, because CxSAST scans source code and does not require building or compiling it.

Click Next. The following steps of the wizard are optional. You can click Finish to skip them.

Configure the following Advanced Action properties:

  • Send pre-scan email to - define the e-mail address to which a pre-scan notification is sent
  • Send post-scan e-mail to - define the e-mail address to which a post-scan notification is sent
  • Send scan failure e-mail to - define the e-mail address to which a scan failure notification is sent
  • Run post scan action - define which post-scan action to run (see Configuring an Executable Action)
  • Issue Tracking Settings - define which issue tracking system to integrate with (see Configuring JIRA Integration Settings).

Click Next. The following steps of the wizard are optional. You can click Finish to skip them.

Configure the Custom Field properties according to the available custom fields (see Custom Field Management).

Click Next. The following steps of the wizard are optional. You can click Finish to skip them.

Configure the Data Retention properties: 

Click Finish and check the scan status (see The Queue (v8.9.0 to v9.3.0)).