Frequently Asked Questions

Answers to common questions about CXRay.

General

What is CXRay?

CXRay is a comprehensive DevSecOps security platform that provides vulnerability scanning (CVE), configuration analysis (CCE), and Software Bill of Materials (SBOM) generation for your software projects and infrastructure.

Is CXRay free?

CXRay offers multiple tiers:

  • Community: Free for open-source projects
  • Professional: Paid tier for commercial projects
  • Enterprise: Custom pricing with advanced features and support

What programming languages does CXRay support?

CXRay supports all major programming languages including:

  • JavaScript/TypeScript (Node.js)
  • Python
  • Java
  • Go
  • Ruby
  • PHP
  • Rust
  • C/C++
  • .NET (C#, F#)

How often is the vulnerability database updated?

The CXRay vulnerability database is updated continuously as new CVEs are published. By default, the local database is updated daily, but you can configure custom update frequencies.

Scanning

How long does a typical scan take?

Scan duration varies based on project size:

  • Small projects (< 50 dependencies): 30-60 seconds
  • Medium projects (50-200 dependencies): 1-3 minutes
  • Large projects (> 200 dependencies): 3-10 minutes

Incremental scans are significantly faster as they only scan changed files.

Can I scan private repositories?

Yes, CXRay supports scanning private repositories. You'll need to:

  1. Provide appropriate authentication (SSH key, token, or credentials)
  2. Ensure CXRay has necessary permissions to access the repository

Does CXRay send my code to external servers?

By default, CXRay can run entirely offline:

  • CVE scanning: Uses local database
  • CCE scanning: Runs locally
  • SBOM generation: Processes locally

Only metadata (package names and versions) is sent to the CXRay API when cloud features are used. Your actual source code never leaves your environment.

Can I run CXRay in air-gapped environments?

Yes, CXRay fully supports air-gapped environments:

# Download database on connected machine
cxray db export --output cxray-db.tar.gz

# Transfer to air-gapped environment and import
cxray db import cxray-db.tar.gz

# Run scans offline
cxray scan --offline .

Vulnerabilities

What should I do when a vulnerability is found?

Follow these steps:

  1. Assess: Understand the vulnerability's impact on your application
  2. Prioritize: Focus on critical and high-severity issues first
  3. Remediate: Update to a patched version or apply a workaround
  4. Verify: Re-scan to confirm the issue is resolved
  5. Document: Record the finding and resolution

Why does CXRay report vulnerabilities in development dependencies?

Development dependencies can pose security risks:

  • Compromised dev dependencies can inject malicious code
  • Supply chain attacks often target development tools
  • Dev dependencies may be accidentally included in production builds

To exclude dev dependencies:

cxray scan --production-only .

Can I ignore specific vulnerabilities?

Yes, but use this feature carefully:

# .cxray.yml
ignore:
  cve:
    - id: CVE-2021-12345
      reason: "Not applicable - affected function not used"
      expires: 2024-12-31
      approved_by: "security-team@example.com"

How are vulnerability severities determined?

CXRay uses the CVSS (Common Vulnerability Scoring System) standard:

  • Critical: CVSS 9.0-10.0
  • High: CVSS 7.0-8.9
  • Medium: CVSS 4.0-6.9
  • Low: CVSS 0.1-3.9

Configuration

Where should I place the configuration file?

CXRay looks for configuration files in this order:

  1. .cxray.yml in current directory
  2. cxray.yml in current directory
  3. ~/.cxray/config.yml (global configuration)
  4. /etc/cxray/config.yml (system-wide configuration)

You can also specify a custom location:

cxray scan --config /path/to/config.yml .

Can I use environment variables in configuration?

Yes, use the ${VAR_NAME} syntax:

api:
  api_key: ${CXRAY_API_KEY}
  endpoint: ${CXRAY_API_URL:-https://api.cxray.io}
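The two placeholder forms above follow the usual shell rule: `${VAR}` must be set, `${VAR:-default}` falls back when it is not. The resolver below is an added illustration of those rules, not CXRay's own loader (which this page does not show); it assumes these two forms are the only ones supported. The `literal_secret_keys` check is an added hygiene step for the case the placeholder syntax exists to prevent: a key that looks like a secret but holds a literal value in a file that may be committed.

```python
import os
import re

# ${NAME} or ${NAME:-default}. The separator ":-" is matched once, so a default
# that itself contains ':' (such as a URL) is taken whole up to the closing brace.
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}")

# Constructed sample mirroring the FAQ's api: block.
SAMPLE_CONFIG = """api:
  api_key: ${CXRAY_API_KEY}
  endpoint: ${CXRAY_API_URL:-https://api.cxray.io}
"""


class UnsetVariable(KeyError):
    """A placeholder without a default referenced a variable that is not set."""


def expand(text, env=None):
    """Replace every placeholder in a config string from the given environment."""
    env = os.environ if env is None else env

    def replace(match):
        name, default = match.group(1), match.group(2)
        if name in env:
            return env[name]
        if default is not None:
            return default
        raise UnsetVariable(name)

    return _PLACEHOLDER.sub(replace, text)


# Heuristic: any key containing key/token/secret/password (case-insensitive).
_SECRET_KEY = re.compile(
    r"^\s*([A-Za-z0-9_]*(?:key|token|secret|password)[A-Za-z0-9_]*)\s*:\s*(\S.*)$", re.I)


def literal_secret_keys(text):
    """Return secret-looking keys whose value is a literal rather than a placeholder."""
    hits = []
    for line in text.splitlines():
        m = _SECRET_KEY.match(line)
        if m and not _PLACEHOLDER.search(m.group(2)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print(expand(SAMPLE_CONFIG, {"CXRAY_API_KEY": "k-constructed-123"}))
    print(literal_secret_keys("api:\n  api_key: hardcoded-value\n"))
```

A config loader would call `expand` on the raw file before parsing it, so the YAML parser never sees an unresolved placeholder; a missing required variable fails fast with `UnsetVariable` instead of producing a config with the literal string `${CXRAY_API_KEY}` as the key.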

How do I configure different settings for different environments?

Use multiple configuration files:

# Development
cxray scan --config .cxray.dev.yml .

# Production
cxray scan --config .cxray.prod.yml .

Or use conditional configuration:

environments:
  development:
    fail_on_severity: none
  production:
    fail_on_severity: high
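The three pieces above (the `ignore` entries with their expiry and approver, the CVSS severity bands, and the per-environment `fail_on_severity`) combine into one build-gate decision. The code below is an added example of that decision, not CXRay's own implementation; it takes the FAQ's `.cxray.yml` snippets as the dicts a YAML loader would produce, assumes `fail_on_severity` names the lowest label that fails the build and that `none` means report only, and uses placeholder `CVE-EXAMPLE-*` ids for the constructed findings. The point worth seeing is how an ignore entry behaves once it is incomplete or past its `expires` date: it stops suppressing and is reported instead.

```python
from datetime import date

# CVSS bands exactly as the FAQ lists them; a 0.0 score falls in no band ("none").
SEVERITY_BANDS = [("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.1)]
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# The FAQ's .cxray.yml snippets as a YAML loader would return them.
IGNORE_CONFIG = {"ignore": {"cve": [
    {"id": "CVE-2021-12345",
     "reason": "Not applicable - affected function not used",
     "expires": date(2024, 12, 31),
     "approved_by": "security-team@example.com"},
]}}
ENVIRONMENTS = {"development": {"fail_on_severity": "none"},
                "production": {"fail_on_severity": "high"}}

# Constructed findings; the EXAMPLE ids are placeholders, not real CVEs.
FINDINGS = [
    {"cve": "CVE-2021-12345", "cvss": 9.8},    # suppressed only while the ignore entry is valid
    {"cve": "CVE-EXAMPLE-0001", "cvss": 8.9},  # "high": one tenth below the critical floor
    {"cve": "CVE-EXAMPLE-0002", "cvss": 4.0},  # "medium": exactly on a band boundary
]


def severity_for(cvss):
    """Map a CVSS base score to the FAQ's severity label."""
    for label, floor in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "none"


def _as_date(value):
    """YAML loaders give a date; JSON or CLI input gives an ISO string. Accept both."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def active_ignores(config, today):
    """Return (CVE ids that may be suppressed today, problems to surface in the scan log).

    An entry suppresses a finding only while it has a reason, an approver and an
    unexpired date; anything else is reported rather than silently hiding the CVE.
    """
    today = _as_date(today)
    active, problems = set(), []
    for entry in config.get("ignore", {}).get("cve", []):
        cve = entry.get("id", "<missing id>")
        missing = [k for k in ("reason", "expires", "approved_by") if not entry.get(k)]
        if missing:
            problems.append(f"{cve}: ignore entry is missing {', '.join(missing)}")
        elif _as_date(entry["expires"]) < today:
            problems.append(f"{cve}: ignore entry expired on {entry['expires']}")
        else:
            active.add(cve)
    return active, problems


def evaluate(findings, environment, today, config=IGNORE_CONFIG, environments=ENVIRONMENTS):
    """Decide whether the scan fails the build for one environment profile."""
    threshold = environments[environment]["fail_on_severity"]
    ignored, problems = active_ignores(config, today)
    failing = []
    for finding in findings:
        if finding["cve"] in ignored:
            continue
        label = severity_for(finding["cvss"])
        if threshold != "none" and SEVERITY_RANK[label] >= SEVERITY_RANK[threshold]:
            failing.append((finding["cve"], label))
    return {"fail": bool(failing), "failing": failing, "ignore_problems": problems}


if __name__ == "__main__":
    for env in ENVIRONMENTS:
        print(env, evaluate(FINDINGS, env, today="2025-01-01"))
```

Run with a date before the entry's expiry and production fails only on the constructed high finding; run on 2025-01-01 and the expired entry no longer hides CVE-2021-12345, so the critical finding fails the build and the log carries the reason why.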

Integration

Can CXRay integrate with my CI/CD pipeline?

Yes, CXRay provides native integrations for:

  • Jenkins
  • GitHub Actions
  • GitLab CI
  • CircleCI
  • Azure DevOps
  • Travis CI
  • Bitbucket Pipelines

It can also be used with any other CI/CD system via the CLI or API.

Does CXRay work with Docker?

Yes, CXRay can:

  • Scan Dockerfiles for configuration issues
  • Scan container images for vulnerabilities
  • Run inside Docker containers
  • Integrate with Docker build process

Can I use CXRay with Kubernetes?

Yes, CXRay supports Kubernetes:

  • Scan Kubernetes manifests
  • Scan Helm charts
  • Run as Kubernetes admission controller
  • Deploy as DaemonSet for continuous scanning

SBOM

What SBOM formats does CXRay support?

CXRay supports:

  • SPDX (Software Package Data Exchange) - versions 2.2 and 2.3
  • CycloneDX - versions 1.3, 1.4, and 1.5

How do I share SBOMs with customers?

Generate and export SBOM:

# Generate SBOM
cxray scan --type sbom --format spdx --output sbom.json .

# Include in release artifacts
tar czf release.tar.gz app/ sbom.json

Can I import existing SBOMs?

Yes:

# Import and analyze
cxray sbom import sbom.json

# Check for vulnerabilities
cxray sbom check sbom.json
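To make the two formats above and the import/check step concrete, the following is an added example that is not CXRay's code: it normalises a CycloneDX JSON document and an SPDX 2.3 JSON document to one component list, then checks that list against a constructed advisory table. Both SBOMs, the package names, and the `CVE-EXAMPLE-*` ids are constructed for the example; a real check runs against the CXRay database. The version comparison handles dotted numeric versions only, which is enough for the sample but not for every ecosystem.

```python
import json

# Constructed sample SBOMs in the two formats the FAQ lists (not real project output).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "acme-utils", "version": "2.3.1",
         "purl": "pkg:npm/acme-utils@2.3.1"},
        {"type": "library", "name": "widgetkit", "version": "1.9.0",
         "purl": "pkg:pypi/widgetkit@1.9.0"},
    ],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "packages": [
        {"name": "acme-utils", "SPDXID": "SPDXRef-Package-acme-utils", "versionInfo": "2.4.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/acme-utils@2.4.0"}]},
    ],
})

# Constructed advisories with placeholder ids; stands in for the local CXRay database.
ADVISORIES = [
    {"id": "CVE-EXAMPLE-1001", "ecosystem": "npm", "package": "acme-utils", "fixed_in": "2.4.0"},
    {"id": "CVE-EXAMPLE-1002", "ecosystem": "pypi", "package": "widgetkit", "fixed_in": "2.0.0"},
]


def parse_purl(purl):
    """Split 'pkg:type/name@version' into (type, name, version).

    Qualifiers (?...) and subpaths (#...) are dropped; a namespace stays part of name.
    """
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name, _, version = rest.partition("@")
    return ptype, name, version


def components(sbom_text):
    """Normalise either format to a list of (ecosystem, name, version) tuples."""
    doc = json.loads(sbom_text)
    out = []
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            out.append(parse_purl(c["purl"]) if c.get("purl")
                       else (None, c["name"], c.get("version", "")))
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            out.append(parse_purl(purl) if purl
                       else (None, p["name"], p.get("versionInfo", "")))
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    return out


def version_key(version):
    """Dotted numeric versions only (2.3.1 -> (2, 3, 1)); no pre-release handling."""
    return tuple(int(part) for part in version.split("."))


def check(sbom_text, advisories=ADVISORIES):
    """Return (advisory id, name, version, fixed_in) for each component below the fix."""
    hits = []
    for eco, name, version in components(sbom_text):
        for adv in advisories:
            if adv["package"] != name:
                continue
            # Without a purl the ecosystem is unknown, so match on name alone.
            if eco is not None and adv["ecosystem"] != eco:
                continue
            if version_key(version) < version_key(adv["fixed_in"]):
                hits.append((adv["id"], name, version, adv["fixed_in"]))
    return hits


if __name__ == "__main__":
    print("cyclonedx:", check(CYCLONEDX_SAMPLE))
    print("spdx:", check(SPDX_SAMPLE))
```

The purl is what makes the two formats comparable: CycloneDX carries it on the component, SPDX carries it as an `externalRefs` entry of type `purl`. Matching on ecosystem plus name from the purl avoids the classic false positive where an npm and a PyPI package share a name.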

Performance

How can I speed up scans?

Several optimization strategies:

  1. Use incremental scanning:

    cxray scan --incremental .

  2. Exclude unnecessary paths:

    scan:
      exclude:
        - node_modules/
        - test/

  3. Use parallel scanning:

    cxray scan --parallel 4 .

  4. Cache results:

    cxray scan --cache .

Does CXRay impact build times?

Impact varies:

  • Initial scan: 1-5 minutes depending on project size
  • Incremental scans: 10-30 seconds
  • Cached scans: < 10 seconds

Parallel execution and caching minimize impact.

Licensing and Compliance

What license does CXRay use?

CXRay itself is proprietary software. The vulnerability data is aggregated from public sources under various licenses.

Can CXRay help with license compliance?

Yes, CXRay can:

  • Identify all dependency licenses
  • Flag incompatible licenses
  • Generate license reports
  • Check against license policies

cxray scan --type sbom --license-check .

Is CXRay GDPR compliant?

Yes, CXRay is designed with privacy in mind:

  • Minimal data collection
  • No personal code analysis
  • Data encryption in transit and at rest
  • Compliance with data residency requirements

Support

Where can I get help?

Multiple support channels:

How do I report a bug?

  1. Check existing issues: https://github.com/cxray/cxray/issues
  2. Collect diagnostic information:
    cxray doctor --output diagnostics.txt
  3. Submit a detailed bug report with:
    • CXRay version
    • Operating system
    • Steps to reproduce
    • Expected vs actual behavior
    • Diagnostic information

Does CXRay offer training or consulting?

Yes, Enterprise plans include:

  • Onboarding training
  • Best practices workshops
  • Custom integration consulting
  • Security advisory services

Contact sales@cxray.io for details.
