JFrog Artifactory Integration for SCA Scanner

Checkmarx One provides an integration with JFrog Artifactory, enabling you to run SCA scans on packages in your private JFrog Artifactory. We provide a convenient wizard on the Checkmarx One Integrations page that enables you to submit your JFrog credentials and create the integration. Then, you need to add the relevant info to the configuration files in each of the relevant projects.

Prerequisites

A Personal API key for the repository where the packages are located, with read access to the relevant repos.
Notice
In JFrog go to Admin > Identity & Access > Users then select your user and go to the Authentication tab and generate the API key.
If the artifactory is not publicly accessible, then you need to configure a CxLink to enable access.

Limitations

The integration is not effective for scans run via the Checkmarx One CLI tool or associated plugins.
Supported only for projects that use Nuget, Maven or Npm package managers.

Step 1 - Setting up an Integration

To set up a JFrog Artifactory Private Artifactory Integration:

Open the Integrations page.
Click on the JFrog Artifactory tile under Private Registries for Containers, then click Start.
The JFrog Artifactory Integration wizard opens on the right side of the screen.
Name Your Account and optionally fill in the Description and Associate Tags fields, then click Next.
Make a note of the name that you designated, as you will need to use this name in the following step.
Under Username enter the Username for your JFrog account.
In the API Key field, enter the API key for your JFrog Artifactory (as described above in Prerequisites).
In the URL field, enter the URL for your JFrog account using the format https://<subdomain>.jfrog.io.
Alternatively, if you have configured a CxLink to access this repo, enter the CxLink (using the following format: https://<subdomain>.<domain>/link/<UUID>). Learn more about CxLink here.
Click Add Account.

Monitoring Integration Status

You can monitor the status of your JFrog integrations to see whether or not the integration is connected. Possible statuses are:

Pending - The integration was just set up and hasn't connected yet.
Connected - The integration is running and you are able to scan images in your JFrog Artifactory.
Disconnected - Checkmarx One is not currently able to access your private JFrog Artifactory.

To monitor the integration status:

Go to Integrations > Inventory tab, and select Runtime & Cloud.
Check the Status column for each of your integrations.

Step 2 - Project Configuration

For each project that you would like to scan, the info for accessing your private repo must be specified in the config files, which are added to your project's source code using the following folder structure, depending on the package manager:

NuGet - ./.checkmarx/sca/nuget/NuGet.Config
Maven: - ./.checkmarx/sca/maven/settings.xml
npm - ./.checkmarx/sca/npm/.npmrc

Add the templates provided below to the specified files, and replace the placeholders <MASK_NAME> with the name of the integration (which you designated in the JFrog integration wizard in the previous step).

Notice

If the config files already exist in your project, then you can add the template content to your existing file.

Templates

Nuget

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="Artifactory" value="${{cx.<MASK_NAME>.url}}/artifactory/api/nuget/v3/automatedtests-nuget/" />
  </packageSources>
  <packageSourceCredentials>
    <Artifactory>
      <add key="Username" value="${{cx.<MASK_NAME>.username}}" />
      <add key="ClearTextPassword" value="${{cx.<MASK_NAME>.password}}" />
    </Artifactory>
  </packageSourceCredentials>
</configuration>

Maven

<?xml version="1.0" encoding="UTF-8"?>
<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd" xmlns="http://maven.apache.org/SETTINGS/1.2.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <servers>
    <server>
      <id>jfrog</id>
      <username>${{cx.<MASK_NAME>.username}}</username>
      <password>${{cx.<MASK_NAME>.password}}</password>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>artifactory</id>
      <repositories>
        <repository>
          <id>central</id>
          <name>cx-virtual</name>
          <url>${{cx.<MASK_NAME>.url}}/artifactory/automatedtests-maven/</url>
          <snapshots>
            <enabled>true</enabled>
          </snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>artifactory</activeProfile>
  </activeProfiles>
</settings><?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="Artifactory" value="${{cx.<MASK_NAME>.url}}/artifactory/api/nuget/v3/automatedtests-nuget/" />
  </packageSources>
  <packageSourceCredentials>
    <Artifactory>
      <add key="Username" value="${{cx.<MASK_NAME>.username}}" />
      <add key="ClearTextPassword" value="${{cx.<MASK_NAME>.password}}" />
    </Artifactory>
  </packageSourceCredentials>
</configuration>

Npm

In this section:

JFrog Artifactory Integration for SCA Scanner

Prerequisites

Notice

Limitations

Step 1 - Setting up an Integration

Monitoring Integration Status

Step 2 - Project Configuration

Notice

Templates

Nuget

Maven

Npm

Search results