Installing and Configuring the Azure DevOps (MS-VSTS) Plugin (v8.7.0)

The Checkmarx CxSAST plug-in for MS-VSTS is simple to install and configure.

Note that there is currently no upgrade option: you first need to remove the current plugin and then install the updated version from the Visual Studio Marketplace.

Installing the Checkmarx plug-in for MS-VSTS

To install the Checkmarx plug-in for Visual Studio Team Services:

If the plugin has been released to the Visual Studio Marketplace (post beta), search for the Checkmarx plugin in the Marketplace and install it.

Open MS-VSTS and go to Browse Marketplace > Manage Extensions > Extensions. The Checkmarx CxSAST plugin should be displayed as installed.

Adding CxSAST as a Build Step

To add CxSAST as a build step:

Open MS-VSTS and from the Main screen click Build and Releases and select Builds. The Build Definition screen is displayed.

Click the Actions icon in line with the project that you would like to build and click Edit. The Build Tasks screen is displayed.

Click Add Task. The Add Tasks list is displayed.

You can use the Search field to quickly find the Checkmarx CxSAST task.

Click Add for the Checkmarx CxSAST task. The Checkmarx CxSAST task is displayed in the Build Task list.

Select the Checkmarx CxSAST task. The Checkmarx CxSAST Task definitions are displayed.

Define the following Checkmarx Server definitions:

Version: If you have two versions of the CxSAST MS-VSTS plugin installed, you can choose which one to use.

Display Name: Enter the display name for the Checkmarx task (e.g. Checkmarx CxSAST Scan).

Checkmarx Endpoint: Select an existing endpoint (entry point to the service) from the drop-down list, or set up a new endpoint by clicking Manage (see Setting up a New Checkmarx Endpoint).

Project Name: Enter a project name, either by selecting an existing project from the list or by typing in a name to create a new scan project.

Preset: Select a predefined set of queries (preset) from the list. Predefined presets are provided by Checkmarx, or you can configure your own.

Custom Preset: Select a custom set of queries (custom preset) from the list. Custom presets are provided for cases where the desired preset is not available among the Checkmarx presets. Specifying a custom preset overrides any predefined preset selected above.

Team: Select the team (group) with which the project is associated.

Define the following Checkmarx Scan (CxSAST & CxOSA) definitions:

Incremental Scan: Enable the Incremental Scan checkbox if you want to reduce the scan time. Only the recently updated changes are scanned.

CxSAST Folder Exclusion: Define a comma-separated list of the folders to exclude from the scan (e.g. dto,target,WEB-INF).

CxSAST Include/Exclude File Extension: Define a comma-separated list of include or exclude wildcard patterns. Exclude patterns start with an exclamation mark "!" (exclusion example: !.tmp, !.html; inclusion example: *.java).

Synchronous Mode: Enable the Synchronous Mode checkbox if you want to see the scan results inside the CxSAST plug-in results window. If disabled, the results are only displayed inside the CxSAST application.

Enable CxSAST Vulnerability Threshold Level: Enable the vulnerability threshold option (only available if Synchronous Mode is enabled). Set the maximum number of vulnerabilities of a given severity before the scan fails:

CxSAST High: Define a threshold for the high severity vulnerabilities. The build will be marked as failed if the number of high severity vulnerabilities is larger than the threshold.

CxSAST Medium: Define a threshold for the medium severity vulnerabilities. The build will be marked as failed if the number of medium severity vulnerabilities is larger than the threshold. The threshold must be 0 or greater to set a threshold; leave it blank for no threshold.

CxSAST Low: Define a threshold for the low severity vulnerabilities. The build will be marked as failed if the number of low severity vulnerabilities is larger than the threshold. The threshold must be 0 or greater to set a threshold; leave it blank for no threshold.

Enable CxOSA Scan: Enable the CxOSA option to initiate Open Source Analysis for this scan/job. Disabled by default.

CxOSA Folder Exclusions: Define a comma-separated list of the folders to exclude from the OSA scan (e.g. **/*.jar).

CxOSA Include/Exclude wildcard patterns: Define a comma-separated list of include or exclude wildcard patterns. Exclude patterns start with an exclamation mark "!", include patterns with "*". The include/exclude wildcard patterns parameter does not affect dependencies resolved from manifest files.

CxOSA Archive Extract Extensions: Comma-separated list of archive wildcard patterns whose extracted content is included in the scan (e.g. *.zip, *.jar, *.ear). Supported archive types are: jar, war, ear, sca, gem, whl, egg, tar, tar.gz, tgz, zip, rar. Leave blank to extract all archives.

Enable CxOSA Vulnerability Thresholds: Enable the vulnerability threshold option (only available if Synchronous Mode is enabled). Set the maximum number of vulnerabilities of a given severity before the scan fails:

CxOSA High: Define a threshold for the high severity vulnerabilities. The build will be marked as failed if the number of high severity vulnerabilities is larger than the threshold. The threshold must be 0 or greater to set a threshold; leave it blank for no threshold.

CxOSA Medium: Define a threshold for the medium severity vulnerabilities. The build will be marked as failed if the number of medium severity vulnerabilities is larger than the threshold. The threshold must be 0 or greater to set a threshold; leave it blank for no threshold.

CxOSA Low: Define a threshold for the low severity vulnerabilities. The build will be marked as failed if the number of low severity vulnerabilities is larger than the threshold. The threshold must be 0 or greater to set a threshold; leave it blank for no threshold.
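The file-selection settings (folder exclusions and "!"-prefixed wildcard patterns) and the per-severity thresholds described above are the two rules most often misread when a build unexpectedly scans the wrong files or fails, so here is a small Python model of both. It is an illustration added for this page, not the Checkmarx plugin's own code: select_files applies the folder exclusions and include/exclude patterns, and evaluate_thresholds fails the build when a count is larger than its threshold and treats a blank threshold as "no threshold". The sample file tree and scan counts are constructed; the function names are this example's own; pattern matching is assumed to be fnmatch-style against the full relative path, and the page's "!.tmp, !.html" exclusions are written here in their "!*.tmp, !*.html" form. The real plugin's matching details may differ.

```python
# Illustrative model of two task settings described above. Written for this
# page; NOT the Checkmarx plugin's own code (matching details may differ).
from fnmatch import fnmatchcase
from pathlib import PurePosixPath
from typing import Dict, Iterable, List, Optional, Tuple


def parse_patterns(spec: str) -> Tuple[List[str], List[str]]:
    """Split a comma-separated wildcard list into (includes, excludes).

    Entries starting with "!" are exclusions, as the page describes; every
    other entry is an inclusion. Surrounding whitespace is ignored.
    """
    includes: List[str] = []
    excludes: List[str] = []
    for raw in spec.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        if pattern.startswith("!"):
            excludes.append(pattern[1:].strip())
        else:
            includes.append(pattern)
    return includes, excludes


def select_files(paths: Iterable[str], folder_exclusions: str, patterns: str) -> List[str]:
    """Return the subset of paths that would be sent for scanning.

    folder_exclusions: comma-separated folder names (e.g. "dto,target,WEB-INF");
        a file is dropped when any directory on its path has one of these names.
    patterns: comma-separated wildcard list. With no include pattern every file
        is a candidate; an exclusion always wins over an inclusion. Assumption:
        fnmatch-style matching against the full relative path, where "*" also
        crosses "/", so "*.java" matches at any depth.
    """
    excluded_dirs = {d.strip() for d in folder_exclusions.split(",") if d.strip()}
    includes, excludes = parse_patterns(patterns)
    selected: List[str] = []
    for path in paths:
        parts = PurePosixPath(path).parts
        if any(part in excluded_dirs for part in parts[:-1]):
            continue
        if includes and not any(fnmatchcase(path, p) for p in includes):
            continue
        if any(fnmatchcase(path, p) for p in excludes):
            continue
        selected.append(path)
    return selected


def parse_threshold(value: str) -> Optional[int]:
    """Blank means no threshold (None); otherwise an integer that must be >= 0."""
    text = value.strip()
    if not text:
        return None
    number = int(text)
    if number < 0:
        raise ValueError("threshold must be 0 or greater, or blank for no threshold")
    return number


def evaluate_thresholds(counts: Dict[str, int], thresholds: Dict[str, str]) -> List[str]:
    """Return the severities whose vulnerability count breaches the threshold.

    A severity breaches when its count is larger than (not equal to) the
    configured number, matching the page's wording. An empty list means the
    build passes. The same rule serves the CxSAST and CxOSA thresholds.
    """
    failures: List[str] = []
    for severity in ("High", "Medium", "Low"):
        limit = parse_threshold(thresholds.get(severity, ""))
        if limit is not None and counts.get(severity, 0) > limit:
            failures.append(severity)
    return failures


# Constructed sample repository layout (not from a real project).
SAMPLE_FILES = [
    "src/main/java/App.java",
    "src/main/java/dto/UserDto.java",
    "target/classes/App.class",
    "src/main/webapp/WEB-INF/web.xml",
    "src/main/webapp/index.html",
    "build/tmp/cache.tmp",
    "lib/commons-lang.jar",
]


def run_example() -> Tuple[List[str], List[str]]:
    """Apply the page's example settings to the sample tree and a sample result."""
    scanned = select_files(SAMPLE_FILES, "dto,target,WEB-INF", "!*.tmp, !*.html")
    # Constructed scan result: 1 high, 3 medium, 12 low findings.
    breaches = evaluate_thresholds(
        {"High": 1, "Medium": 3, "Low": 12},
        {"High": "0", "Medium": "5", "Low": ""},  # blank Low = no threshold
    )
    return scanned, breaches


if __name__ == "__main__":
    files, failed = run_example()
    print("files sent for scanning:", files)
    print("build fails on:", failed or "nothing (build passes)")
```

With the page's example settings, the dto, target and WEB-INF folders and every .tmp and .html file drop out, leaving App.java and commons-lang.jar; a High threshold of 0 then fails the build on a single high finding while the blank Low threshold never fails it, which is the behaviour to keep in mind when choosing 0 versus blank.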

Define the following Checkmarx Control Option definitions:

Enabled: Clear the Enabled checkbox if you want to disable a step. This is a handy option if a step is not working correctly or if you need to focus on other parts of the process.

Continue On Error: Enable the Continue On Error checkbox so that, if an error occurs in this step, the next step still runs and the build is at best partially successful. If disabled, the build fails and no subsequent steps are run.

Always Run: Enable the Always Run checkbox (the rollback task option) so that the script is executed even when any of the tasks in the job fail.

Timeout: Specify the maximum time, in minutes, that the task is allowed to execute before being cancelled by the server. A value of zero indicates an infinite timeout.

Run this Task: Specify when this task should run. Choose "Custom conditions" to specify more complex conditions.

Setting up a New Checkmarx Endpoint

You can select an existing service endpoint from the drop-down list when you configure the Checkmarx endpoint definitions (see Adding CxSAST as a Build Step), or you can set up a new service endpoint.

To set up a new Checkmarx endpoint:

From the Checkmarx Task definitions screen, go to the Checkmarx Endpoint field and click Manage. The Service Endpoint screen is displayed.

Define the following CxServer authentication definitions:

Connection Name: Enter the connection name (e.g. CxEndPoint).

Server URL: Enter your server URL (the URL must start with http(s)://, e.g. http(s)://<serverurl>).

User Name: Enter your Checkmarx username.

Password: Enter your Checkmarx password.

The Server URL, User Name and Password definitions are provided by Checkmarx following the MS-VSTS registration (see Checkmarx for MS-VSTS Registration).

Click OK to complete.