CxSAST & CxOSA Maven Plugin (v8.7.0 to v8.9.0)

Maven is a software project management and build automation tool used primarily for Java projects and can also be used to build and manage projects written in C#, Ruby, Scala, and other languages. Based on the concept of a Project Object Model (POM), Maven can manage a project's build, reporting and documentation from a central piece of information. The Maven project is hosted by the Apache Software Foundation. Maven is built using a plugin-based architecture that allows it to make use of any application controllable through standard input. The Maven project is hosted by the Apache Software Foundation.


CxSAST is a security solution provided by Checkmarx that scans application source code for vulnerabilities. You can integrate CxSAST with any Maven code build process, enabling a project XML file to automatically initiate a CxSAST scan. Integration is achieved with the Checkmarx's CxSAST Maven plugin. The plugin can be found on the central repository and is simple to install and configure.

CxOSA (v8.7.0 and up) - Maven now uses a new core library with better compatibility and increased result accuracy. The new capability extracts dependencies resolving manifest files in customer side, therefore supports scanning of Maven pom.xml files. For all Maven configuration files, Cx Manager will download the necessary packages, calculate metadata, and submitting them to Cloud engine. Repositories must be accessible to the manager.

Prerequisites for CxSAST and CxOSA - Apache Maven

  • Apache Maven installed (3.2.0 and up)
    • Maven requires Java Development Kit (3.1 and up)
  • Checkmarx CxSAST installed (8.4.1 and up)
  • CxOSA (8.7.0 and up) - Maven should be installed locally
    • Java 8 (for running OSA scans)
  • CxSAST Maven Plugin installed (8.41.0 and up):
    • Release – Predefined for automatic download and installation.
  • End User License Agreement (EULA) - If not already accepted during the CxSAST/CxOSA installation and setup, in order to perform an CxOSA scan from within the plugin, the EULA must be already have been accepted in the CxSAST / CxOSA Web interface. In all Checkmarx plugins the following message is raised; ‘In order to start working with CxOSA, your CxSAST Administrator needs to accept the End User License Agreement (EULA) from the CxSAST / CxOSA web interface’

    Note that you are unable to start using CxOSA unless the end user license agreement (EULA) has been viewed and accepted.