@@ -62,6 +62,12 @@ public class CheckmarxScanBuilder extends Builder implements SimpleBuildStep {
6262 public static final String SVN_REVISION_VAR = "${SVN_REVISION}" ;
6363 public static final String LOGFILE = "./output.log" ;
6464
65+ private static final List <String > SENSITIVE_KEYS = Arrays .asList (
66+ "--apikey" ,
67+ "--scs-repo-token" ,
68+ "--client-secret" ,
69+ "--token"
70+ );
6571
6672 CxLoggerAdapter log ;
6773 @ Nullable
@@ -443,6 +449,7 @@ private String getBranchNameOrDefault(EnvVars envVars) {
443449 * @param envVars
444450 * @return
445451 */
452+
446453 private String getBranchToPrint (EnvVars envVars ) {
447454
448455 if (StringUtils .isNotEmpty (getBranchName ())) return getBranchName ();
@@ -453,6 +460,16 @@ private String getBranchToPrint(EnvVars envVars) {
453460 return "" ;
454461 }
455462
463+ private String maskSensitiveValues (String input , List <String > sensitiveKeys ) {
464+ if (StringUtils .isNotEmpty (input )) {
465+ return sensitiveKeys .stream ()
466+ .reduce (input , (maskedInput , key ) ->
467+ maskedInput .replaceAll (key + "\\ s+\\ S+" , key + " ********" ));
468+ }
469+ return input ; // Return the input as-is if empty or null
470+ }
471+
472+
456473 /**
457474 * Prints scan configuration which is gonna be used by the CLI
458475 *
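Review bot: The pattern in `maskSensitiveValues` only redacts a value separated from its flag by whitespace, so an option written as `--apikey=VALUE` (if the CLI accepts the equals form, which is not visible here) would still reach the `log.info("Additional Options: ...")` call in `printConfiguration` in clear text. A quoted secret containing a space is also only masked up to the first space. Matching both separators and quoting the key would close both gaps, e.g. `maskedInput.replaceAll("(" + Pattern.quote(key) + ")(\\s+|=)(\"[^\"]*\"|\\S+)", "$1$2********")`; this needs `java.util.regex.Pattern`, whose import is outside the hunk. A short Javadoc stating that the method is for log output only and that `SENSITIVE_KEYS` must be kept in sync with the CLI's secret-bearing flags would help the next maintainer, as would a unit test covering the space, `=`, and quoted forms.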
@@ -482,6 +499,9 @@ private void printConfiguration(EnvVars envVars, CheckmarxScanBuilderDescriptor
482499 log .info ("Using global additional options: " + !getUseOwnAdditionalOptions ());
483500
484501 String additionalOptions = getUseOwnAdditionalOptions () ? getAdditionalOptions () : descriptor .getAdditionalOptions ();
502+
503+ additionalOptions = maskSensitiveValues (additionalOptions , SENSITIVE_KEYS );
504+
485505 log .info ("Additional Options: " + Optional .ofNullable (additionalOptions ).orElse ("" ));
486506
487507 }