Checkmarx SCA

Category: SCA
License: Commercial (with Free Trial)

Checkmarx SCA is an enterprise software composition analysis solution that identifies vulnerabilities, license risks, and supply chain threats in open-source dependencies.

Part of the Checkmarx One platform, it combines traditional vulnerability scanning with behavioral analysis to detect malicious packages before they compromise your software.

What is Checkmarx SCA?

Checkmarx SCA goes beyond matching dependencies against vulnerability databases.

The tool employs a three-pronged analysis approach: evaluating package provider credibility, assessing maintenance patterns, and performing behavioral analysis to detect malicious intent.

This combination helps security teams distinguish between theoretical vulnerabilities and actual risks.

The solution integrates with the broader Checkmarx One application security platform, allowing teams to correlate SCA findings with SAST, DAST, and API security results.

This unified view helps prioritize remediation based on exploitability and business context rather than raw vulnerability counts.

Key Features

Supply Chain Risk Analysis

Checkmarx SCA evaluates the trustworthiness of package maintainers and repositories.

The analysis considers factors like contributor history, publishing patterns, and association with known malicious actors.

Packages from suspicious sources receive higher risk scores regardless of known vulnerabilities.

Behavioral Analysis

The engine analyzes package behavior to detect malicious code.

This includes identifying packages that access sensitive system resources, establish network connections, or exhibit patterns associated with dependency confusion attacks.

Behavioral analysis catches zero-day supply chain attacks before vulnerabilities are publicly disclosed.

Malicious Package Detection

The tool includes purpose-built detection for typosquatting, dependency confusion, and compromised legitimate packages.

The system monitors for packages with names similar to popular libraries, packages published to public registries under internal package names, and packages with sudden suspicious updates.
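The two patterns named above can be illustrated with a small lockfile check. The following is an added example written for this page, not Checkmarx code and not how the Checkmarx engine is implemented: it flags dependency names within one edit or adjacent transposition of a popular package (typosquatting) and internal package names that were resolved from any registry other than the internal one (dependency confusion). The popular-package list, the internal-package list, the registry hostname npm.internal.acme.example and the lockfile-style entries are all constructed for the example.

```python
"""Lockfile heuristics for typosquatting and dependency confusion.

Added example, not Checkmarx code: it shows the kind of checks an SCA
engine runs (name similarity, internal name resolved from a public
registry) over a constructed lockfile-like list so it runs offline.
"""
from urllib.parse import urlparse

# Constructed allowlists; a real deployment would load these from policy.
POPULAR_PACKAGES = {"lodash", "express", "react", "axios", "requests"}
INTERNAL_PACKAGES = {"acme-auth-lib", "acme-billing-core"}
INTERNAL_REGISTRY_HOST = "npm.internal.acme.example"  # assumed hostname


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion,
    substitution, or swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_dependencies(entries, popular=POPULAR_PACKAGES, internal=INTERNAL_PACKAGES,
                       internal_host=INTERNAL_REGISTRY_HOST, max_distance=1):
    """Return (kind, name, detail) findings for a list of lockfile entries."""
    findings = []
    for entry in entries:
        name = entry["name"].lower()
        host = urlparse(entry["resolved"]).hostname or ""
        # Dependency confusion: an internal package name resolved from
        # anywhere other than the internal registry.
        if name in internal and host != internal_host:
            findings.append(("dependency-confusion", name, f"resolved from {host}"))
            continue
        # Typosquatting: within one edit or transposition of a popular
        # package, but not that package itself.
        if name not in popular:
            for candidate in popular:
                if osa_distance(name, candidate) <= max_distance:
                    findings.append(("typosquat", name, f"looks like {candidate}"))
                    break
    return findings


# Constructed lockfile-style entries (package name plus resolved tarball URL).
SAMPLE_LOCK = [
    {"name": "express", "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"},
    {"name": "lodahs", "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-1.0.0.tgz"},
    {"name": "acme-auth-lib", "resolved": "https://registry.npmjs.org/acme-auth-lib/-/acme-auth-lib-99.0.0.tgz"},
    {"name": "acme-billing-core", "resolved": "https://npm.internal.acme.example/acme-billing-core/-/acme-billing-core-2.3.1.tgz"},
]

if __name__ == "__main__":
    for kind, name, detail in check_dependencies(SAMPLE_LOCK):
        print(f"{kind}: {name} ({detail})")
```

Run against a real lockfile, the `resolved` field of package-lock.json (or the index URL recorded by other package managers) is what the dependency-confusion check keys on; an internal name that resolves to a public registry is the signal, regardless of version number.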

Exploitability Prioritization

Not all vulnerabilities pose equal risk.

Checkmarx SCA correlates vulnerabilities with your codebase to determine if vulnerable code paths are actually reachable.

This exploitability analysis helps teams focus on vulnerabilities that matter rather than chasing every CVE.

License Compliance

The tool provides comprehensive license detection and policy enforcement.

Define acceptable licenses for your organization, receive alerts when dependencies introduce problematic terms, and generate compliance reports for legal review.

The system handles complex licensing scenarios including dual-licensed packages.

Container Scanning

Analyze container images for vulnerable base layers and installed packages.

The scanner examines Dockerfiles, identifies the base image supply chain, and maps vulnerabilities across all image layers.

Installation

Checkmarx SCA is available as part of Checkmarx One (SaaS) or as an on-premises deployment.

CLI Scanner

Install the Checkmarx CLI:

# Linux/macOS
curl -LO https://download.checkmarx.com/CxOne/CLI/latest/ast-cli_linux_x64.tar.gz
tar -xzf ast-cli_linux_x64.tar.gz
sudo mv cx /usr/local/bin/

# Windows (PowerShell)
Invoke-WebRequest -Uri https://download.checkmarx.com/CxOne/CLI/latest/ast-cli_windows_x64.zip -OutFile cx.zip
Expand-Archive cx.zip

Configure authentication:

cx configure
# Enter your Checkmarx One tenant, API key, and base URL

IDE Plugins

Available for:

  • Visual Studio Code
  • IntelliJ IDEA
  • Visual Studio
  • Eclipse

How to Use Checkmarx SCA

Basic Scan

Run an SCA scan on your project:

cx scan create --project-name my-project \
  --source . \
  --scan-types sca \
  --branch main

View results:

cx results show --scan-id <scan-id> --report-format json

Generating SBOMs

cx scan create --project-name my-project \
  --source . \
  --scan-types sca \
  --sca-generate-sbom true

Export SBOM in CycloneDX format:

cx results sbom --scan-id <scan-id> --format cyclonedx

Container Scanning

cx scan create --project-name my-container \
  --source docker:myregistry/myimage:latest \
  --scan-types sca

Policy Configuration

Define policies in a checkmarx.yaml file:

policies:
  sca:
    severityThreshold: high
    violateOnVulnerability: true
    licensePolicy:
      deny:
        - GPL-3.0
        - AGPL-3.0
      allow:
        - MIT
        - Apache-2.0
        - BSD-3-Clause

Apply during scan:

cx scan create --project-name my-project \
  --source . \
  --scan-types sca \
  --config checkmarx.yaml
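To make the policy semantics concrete, here is an added example (not Checkmarx code; the exact rules the Checkmarx engine applies may differ) that evaluates constructed scan findings against the same allow/deny lists and severity threshold as the checkmarx.yaml above. It assumes: severities are ordered low < medium < high < critical and the threshold is inclusive; deny takes precedence over allow; a dual-licensed package expressed as `A OR B` passes if any alternative is allowed, while `A AND B` requires every part; and SPDX `-only` / `-or-later` suffixes are normalized so `GPL-3.0-or-later` matches the deny entry `GPL-3.0`. The policy is embedded as a dict mirroring the YAML so the example runs without a YAML parser, and the vulnerability ids EXAMPLE-0001 / EXAMPLE-0002 are placeholders.

```python
"""Evaluate constructed SCA findings against the policy shape from checkmarx.yaml.

Added illustration, not Checkmarx code: the severity ordering, deny-before-allow
rule and SPDX OR/AND handling are assumptions about how such a policy is
typically applied.
"""
import sys

SEVERITY_ORDER = ["low", "medium", "high", "critical"]  # assumed ordering

# Mirrors the checkmarx.yaml policy above as a dict (no YAML parser needed).
POLICY = {
    "severityThreshold": "high",
    "violateOnVulnerability": True,
    "licensePolicy": {
        "deny": ["GPL-3.0", "AGPL-3.0"],
        "allow": ["MIT", "Apache-2.0", "BSD-3-Clause"],
    },
}


def normalize_license(license_id: str) -> str:
    """Drop SPDX '-only' / '-or-later' suffixes so GPL-3.0-or-later matches GPL-3.0."""
    lid = license_id.strip()
    for suffix in ("-only", "-or-later"):
        if lid.endswith(suffix):
            lid = lid[: -len(suffix)]
    return lid


def license_allowed(expression: str, allow, deny) -> bool:
    """Evaluate a flat SPDX-style expression (no parentheses).

    'A OR B' (dual licensing) passes if any alternative passes, 'A AND B'
    needs every part, and a single id must be in allow and not in deny
    (deny wins). OR binds weaker than AND, so it is split first.
    """
    if " OR " in expression:
        return any(license_allowed(p, allow, deny) for p in expression.split(" OR "))
    if " AND " in expression:
        return all(license_allowed(p, allow, deny) for p in expression.split(" AND "))
    lid = normalize_license(expression)
    return lid not in deny and lid in allow


def evaluate(policy, findings):
    """Return (kind, package, detail) tuples for every policy violation."""
    threshold = SEVERITY_ORDER.index(policy["severityThreshold"])
    lp = policy["licensePolicy"]
    violations = []
    for f in findings:
        if policy["violateOnVulnerability"]:
            for vuln in f.get("vulnerabilities", []):
                # Threshold is inclusive: 'high' fails on high and critical.
                if SEVERITY_ORDER.index(vuln["severity"]) >= threshold:
                    violations.append(("vulnerability", f["package"],
                                       f"{vuln['id']} ({vuln['severity']})"))
        if not license_allowed(f["license"], lp["allow"], lp["deny"]):
            violations.append(("license", f["package"], f["license"]))
    return violations


# Constructed findings; EXAMPLE-* ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"package": "left-pad@1.3.0", "license": "MIT", "vulnerabilities": []},
    {"package": "oldlib@0.9.0", "license": "MIT",
     "vulnerabilities": [{"id": "EXAMPLE-0001", "severity": "critical"},
                         {"id": "EXAMPLE-0002", "severity": "medium"}]},
    {"package": "dualpkg@2.0.0", "license": "GPL-3.0 OR MIT", "vulnerabilities": []},
    {"package": "copyleft@4.1.0", "license": "AGPL-3.0-or-later", "vulnerabilities": []},
    {"package": "mixed@1.0.0", "license": "MIT AND GPL-3.0", "vulnerabilities": []},
]

if __name__ == "__main__":
    found = evaluate(POLICY, SAMPLE_FINDINGS)
    for kind, pkg, detail in found:
        print(f"{kind}: {pkg}: {detail}")
    sys.exit(1 if found else 0)  # non-zero exit fails the pipeline step
```

The dual-licensed `dualpkg` passes because one of its alternatives (MIT) is allowed, which is the case the "complex licensing scenarios" note above refers to; `mixed` fails because an AND expression needs every part to be acceptable. A package whose licence is simply absent from both lists (for example ISC) is also rejected, since the allow list is treated as exhaustive.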

Integration

GitHub Actions

name: Checkmarx SCA
on: [push, pull_request]

jobs:
  sca-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Checkmarx SCA Scan
        # pin to a release tag or commit SHA rather than a moving branch
        uses: checkmarx/ast-github-action@main
        with:
          cx_tenant: ${{ secrets.CX_TENANT }}
          cx_client_id: ${{ secrets.CX_CLIENT_ID }}
          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
          project_name: ${{ github.repository }}
          scan_types: sca
          additional_params: --sca-resolver npm

      - name: Upload Results
        uses: actions/upload-artifact@v4
        with:
          name: checkmarx-results
          path: cx_result.json

GitLab CI

checkmarx-sca:
  image: checkmarx/ast-cli:latest
  script:
    - cx configure --tenant $CX_TENANT --client-id $CX_CLIENT_ID --client-secret $CX_CLIENT_SECRET
    - cx scan create --project-name $CI_PROJECT_NAME --source . --scan-types sca --branch $CI_COMMIT_REF_NAME
  artifacts:
    reports:
      sast: cx_result.json

Azure DevOps

trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: CheckmarxOne@1
    inputs:
      CheckmarxService: 'Checkmarx One'
      projectName: '$(Build.Repository.Name)'
      scanTypes: 'sca'
      branchName: '$(Build.SourceBranchName)'

Jenkins Pipeline

pipeline {
    agent any
    environment {
        CX_TENANT = credentials('checkmarx-tenant')
        CX_CLIENT_ID = credentials('checkmarx-client-id')
        CX_CLIENT_SECRET = credentials('checkmarx-client-secret')
    }
    stages {
        stage('Checkmarx SCA') {
            steps {
                sh '''
                    cx configure --tenant $CX_TENANT --client-id $CX_CLIENT_ID --client-secret $CX_CLIENT_SECRET
                    cx scan create --project-name $JOB_NAME --source . --scan-types sca
                '''
            }
        }
    }
}

When to Use Checkmarx SCA

Checkmarx SCA fits organizations that need:

  • Supply chain attack detection beyond standard CVE matching
  • Behavioral analysis to catch malicious packages
  • Integration with SAST for comprehensive application security
  • Exploitability analysis to prioritize real risks
  • Enterprise features like SSO, audit logging, and compliance reporting

The platform works best for teams already using or considering Checkmarx One for SAST.

The unified platform provides correlation between vulnerability types and consistent policy management.

Organizations focused solely on dependency vulnerability scanning may find lighter-weight tools sufficient.

Checkmarx SCA delivers value when supply chain security, behavioral analysis, and enterprise governance are priorities.