The administrator must be able to choose if the vulnerabilities returned by checkmarx can be visibles or not on Jenkins.

The option "Hide results" in the global configuration only hide vulnerabilities display on the project's page of Jenkins.

But if the user configure his build to generate the json and/or the xml report, the report file will be accessible in the build workspace.

We don't want to see any details of Checkmarx analysis on Jenkins, we only use the Jenkins plugin to run scans and we prefer to access directly on Checkmarx to consult the results.

It is possible to add the options :

• "Never create OSA report"
• "Never create SAST report"
• "Never create SCA report"

in the Jenkins global configuration ?

For the moment, we comment the call of the methods "createSastReports", "createScaReports" and "createOsaReports" in CxScanBuilder.java.

But we have to rebuild at every release.

• Jenkins 2.277.4
• checkmarx-plugin 2021.2.94