
Improved Scan Report

The Checkmarx One Improved Scan Report is a new type of report that includes an expanded set of data points and a user-friendly layout. It can be generated from the user interface and published in PDF or JSON format. To generate this report, toggle on the Generate improved scan report option at the Select Engines stage of the Generate Report settings.

The following template is currently available:

  • Vulnerability Type - the displayed results are grouped by vulnerability type.

An alternative method, generating reports from the Analytics screen, offers greater flexibility over what the report contains. That procedure is described below under Generating Scan Reports.

Understanding the Report Content - Generic KPIs

Filtered By

Shows the filters applied when generating the report.


Included: Data included in the report. All data available in the report is filtered according to the specified filters.

Excluded: Data filtered out from the report.

Currently it is not possible to exclude data from the report; all data matching the filters is included by default.

Scan Information

Scan Information shows details of the SAST, IaC, and SCA scans, such as the scan duration and the number of lines of code scanned.


Scan Results Overview

Total Results by Scanner/Engine

This section provides a breakdown of the total scan results categorized by scanner: SAST, SCA, or IaC.

By Density / Grade

This KPI is applicable to SAST and IaC only.

Shows how much of the scanned code is affected by vulnerabilities. The density is the ratio between the total number of vulnerabilities and the total number of lines of code, multiplied by 1000, that is, the number of vulnerabilities per 1,000 lines of code.

The percentage inside the pie chart refers to the lines of code with vulnerabilities and the percentage outside refers to the lines of code without vulnerabilities.


By Status

This KPI is applicable to SAST, IaC, and SCA.

The pie chart shows the number of vulnerabilities grouped by status (New vs Recurrent). Each status displays the percentage and the total number of results found.


By Severity

This KPI is applicable to SAST, IaC, and SCA.

The pie chart shows the scan results grouped by severity. Each severity displays the total number of findings, their percentage, and their density.


By State

This KPI is applicable to SAST, IaC, and SCA.

This pie chart shows the scan results grouped by State. Each state displays the total number of findings, their percentage, and their density.


By Language

The stacked chart shows, for each scanned language, the number of vulnerabilities detected, their density, and their breakdown by severity.


By Technology

This KPI is applicable to the IaC scanner only. It shows the issues and vulnerabilities split by technology and helps users understand where problems occur across different parts of their infrastructure.

By Package

This KPI is applicable to the SCA scanner only. It shows the issues and vulnerabilities split by package.

By Vulnerability

This KPI is applicable to SAST only.

The table lists the total results per vulnerability type, their breakdown by severity, and the number of files in which that vulnerability type was detected.

The first column lists the name and the severity of the vulnerability type found. When the severity of a result has been changed from its default, the changed severity is reflected in the report.


Top 10 Vulnerabilities

This KPI is applicable to SAST only.

This card displays the 10 vulnerability types with the most findings.

It also shows the total number of findings for these 10 vulnerability types and the total number of files with vulnerabilities. Note that the number of files affected counts all distinct files with vulnerabilities in the scan, not only the distinct files of the 10 vulnerability types listed.

Example: SQL_Injection: There are 15 High results, 0 Medium, 0 Low, and 0 Info.


Top 10 Vulnerable Files

This KPI is applicable to SAST only.

This card displays the 10 files with the most findings.

Example: \bookstore\Login.cs: There are 4 High results, 0 Medium, 0 Low, and 11 Info.


5 Oldest Vulnerabilities

This KPI is applicable to SAST only.

The age of a result is calculated from its first detection date, which is tracked per result rather than per project, so the aging is not restricted to the project you are analyzing: a result first detected in another project keeps that earlier date here.

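
All of the KPIs above (density, the status, severity, state and language breakdowns, the By Vulnerability table, the two Top 10 cards and the 5 Oldest card) are derived from the same list of results, so they can be recomputed from a JSON export. The following Python is an added example, not Checkmarx code. The page does not show the JSON report schema, so the record layout, the sample results and the line count are constructed here; map your export's field names onto the record fields before using it.

```python
"""Recompute the Improved Scan Report KPIs from a flat list of results.

Added example, not Checkmarx code. This page does not show the JSON report
schema, so the record layout used here (scanner, query, severity, status,
state, file, language, first_found) is an assumption: map your export's
field names onto it. The sample results and line count are constructed.
"""
from collections import Counter, defaultdict
from datetime import date

FIELDS = ("scanner", "query", "severity", "status", "state", "file", "language", "first_found")
_ROWS = [  # constructed: 8 SAST, 1 IaC and 1 SCA result, not from a real scan
    ("sast", "SQL_Injection", "HIGH", "NEW", "TO_VERIFY", "bookstore/Login.cs", "CSharp", "2023-11-02"),
    ("sast", "SQL_Injection", "HIGH", "RECURRENT", "CONFIRMED", "bookstore/Login.cs", "CSharp", "2023-06-15"),
    ("sast", "SQL_Injection", "HIGH", "RECURRENT", "URGENT", "bookstore/Search.cs", "CSharp", "2023-06-15"),
    ("sast", "Reflected_XSS", "MEDIUM", "NEW", "TO_VERIFY", "bookstore/Search.cs", "CSharp", "2024-01-20"),
    ("sast", "Reflected_XSS", "MEDIUM", "RECURRENT", "NOT_EXPLOITABLE", "bookstore/Cart.cs", "CSharp", "2023-09-01"),
    ("sast", "Hardcoded_Password", "MEDIUM", "NEW", "TO_VERIFY", "bookstore/Config.cs", "CSharp", "2024-02-10"),
    ("sast", "Log_Forging", "LOW", "RECURRENT", "TO_VERIFY", "bookstore/Login.cs", "CSharp", "2023-03-30"),
    ("sast", "Information_Exposure", "INFO", "NEW", "TO_VERIFY", "bookstore/Login.cs", "CSharp", "2024-02-10"),
    ("iac", "Unencrypted_Storage", "MEDIUM", "NEW", "TO_VERIFY", "infra/main.tf", "Terraform", "2024-02-10"),
    ("sca", "Vulnerable_Dependency", "HIGH", "RECURRENT", "CONFIRMED", "package.json", "JavaScript", "2023-12-01"),
]
SAMPLE_RESULTS = [dict(zip(FIELDS, row)) for row in _ROWS]
SAMPLE_LINES_OF_CODE = 4000  # constructed "Lines of Code Scanned" value


def density(count, lines_of_code):
    """Density as the report defines it: results per 1,000 lines of code."""
    return count * 1000 / lines_of_code if lines_of_code > 0 else 0.0


def only(results, scanner):
    """Restrict to one engine; most KPIs below are SAST-only."""
    return [r for r in results if r["scanner"] == scanner]


def breakdown(results, field, lines_of_code):
    """Total, share and density per value of `field` (status, severity,
    state or language), as shown by the pie and stacked charts."""
    total = len(results)
    return {
        key: {"total": n,
              "percent": round(100.0 * n / total, 1) if total else 0.0,
              "density": round(density(n, lines_of_code), 3)}
        for key, n in Counter(r[field] for r in results).items()
    }


def by_vulnerability(results):
    """Per vulnerability type: severity split and number of distinct files."""
    sev, files = defaultdict(Counter), defaultdict(set)
    for r in results:
        sev[r["query"]][r["severity"]] += 1
        files[r["query"]].add(r["file"])
    return {q: {"by_severity": dict(sev[q]), "files": len(files[q])} for q in sev}


def top_n(results, field, n=10):
    """The n values of `field` (query or file) with the most findings, each
    with its severity split. Ties are broken by name so output is stable."""
    per_key = defaultdict(Counter)
    for r in results:
        per_key[r[field]][r["severity"]] += 1
    ranked = sorted(per_key.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(key, dict(counts)) for key, counts in ranked[:n]]


def affected_files(results):
    """Distinct files with any finding. The Top 10 card reports this figure
    over all files, not only the files of the ten listed vulnerability types."""
    return len({r["file"] for r in results})


def oldest(results, n=5):
    """The n results with the earliest first-detection date."""
    return sorted(results, key=lambda r: date.fromisoformat(r["first_found"]))[:n]


if __name__ == "__main__":
    sast = only(SAMPLE_RESULTS, "sast")
    print("by scanner:", dict(Counter(r["scanner"] for r in SAMPLE_RESULTS)))
    print("SAST density:", density(len(sast), SAMPLE_LINES_OF_CODE))
    for field in ("severity", "status", "state", "language"):
        print(f"by {field}:", breakdown(sast, field, SAMPLE_LINES_OF_CODE))
    print("by vulnerability:", by_vulnerability(sast))
    print("top vulnerabilities:", top_n(sast, "query"))
    print("top files:", top_n(sast, "file"), "| affected files:", affected_files(sast))
    print("oldest:", [(r["query"], r["first_found"]) for r in oldest(sast)])
```

The constructed data is small on purpose so the numbers can be checked by hand: 8 SAST results over 4,000 lines give a density of 2.0, and `affected_files` returns 4 even though `top_n(..., "query")` lists only five vulnerability types, which is the distinction the Top 10 Vulnerabilities card makes. The `oldest` ranking uses `first_found` as exported; if your export carries that date per project rather than per result, the card's cross-project aging described above cannot be reproduced from it.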

Scan Results

For each vulnerability type, the report shows the total number of results, a description, and the related categories.

The results are displayed together for each vulnerability type. This includes: Severity, Status, First and Last Detection dates, Source, and Destination. You can click on the hyperlink to be redirected to the result details in the Application.


Categories

In each category available in the SAST engine, the total results are organized by severity.

Only categories with results are available in the report. Categories without results are excluded by default.


Generating Scan Reports

Scan reports are generated through a wizard that lets you tailor the content of the report:

  • Choose from multiple formats such as PDF, JSON, or CSV for your report.

  • Select a scan from a project by using a convenient file search or provide a specific scan ID.

  • Tailor the report by selecting the severity levels of issues to include.

  • Specify the scanners whose findings you want to incorporate into the report.

  • Define the status of vulnerabilities to be included, whether they are New or Recurrent.

  • Select the state of results to be included, such as To Verify, Not Exploitable, Urgent, etc.

Optionally, you can further personalize your report by:

  • Customizing the report name

  • Providing a list of email addresses to automatically send the report to

  • Choosing which sections of the scan results to include in the report.

To generate a scan report:

  1. On the Analytics & Reports page, click Scan Report in the top right corner. The report generation wizard is displayed.

  2. In the Format drop-down list, choose the desired report format: PDF, JSON, or CSV.

    Notice

    The CSV option is only available for SAST reports, that is, when SAST is the only scanner selected under Scanners.

  3. Choose the scan for which the report will be generated using one of two methods: by project or by scan ID.

    1. When selecting By Project, pick a project from the list or type its name into the search field. Then, select a branch under Select a Branch or keep the default option Last Scan Selected.

    2. If you prefer using a scan ID, select the scan ID option and input the ID.

  4. Under Severity, select the severity levels of issues to include in the report. The default is High and Medium.

  5. Under Scanners, specify the scanners whose findings you want to incorporate into the report.

  6. Under Status, specify whether to include in the report newly discovered vulnerabilities (New), previously identified vulnerabilities that have reappeared (Recurrent), or both types.

  7. Under Results State, select the states of the results to include in the report. By default, the following states are selected: To Verify, Confirm, and Urgent.

  8. Additionally, you can fine-tune your report settings by clicking on Optional Settings at the bottom of the wizard interface.

  9. To assign a meaningful name to the report, enter it in the Report Name field. If left empty, each report will receive a generic title "Report Name."

  10. To send the report via email, input the recipients' email addresses into the Send Report to Emails field. If sending to multiple recipients, separate their email addresses with commas.

    Notice

    A maximum of 10 recipients is allowed.

  11. To focus on specific areas of interest in the scan results, select which sections of the scan results to include in the report from the By Sections drop-down list. For details on report sections, see Improved Scan Report.

  12. Click Generate.

In addition to managing scan report creation through the UI, as detailed in this article, you can also manage it programmatically via our API.
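
The wizard options in the procedure above amount to a fixed set of rules: three formats, with CSV allowed only when SAST is the sole scanner; a scan chosen either by project (with a branch, or the last scan) or by scan ID; severities defaulting to High and Medium; statuses New and Recurrent; result states defaulting to To Verify, Confirm and Urgent; a generic title when no name is given; and a comma-separated recipient list capped at 10 addresses. The following Python is an added example, not Checkmarx code, that checks a requested option set against those rules before a report is generated, which is useful when the generation is scripted rather than clicked through. It builds a plain dict and does not call the Checkmarx One API: the request format of that API is not shown on this page, so the keys in the returned dict are this example's own, not the API's.

```python
"""Validate and assemble the options exposed by the scan-report wizard.

Added example, not Checkmarx code. It encodes the rules stated on this page
(PDF/JSON/CSV formats, CSV only for SAST-only reports, default severities and
result states, New/Recurrent status, at most 10 e-mail recipients, scan chosen
by project or by scan ID) so they can be checked before a report is requested.
It produces a plain dict and does not call the Checkmarx One API; the request
format of that API is not shown on this page and the keys below are this
example's own, not the API's.
"""
FORMATS = {"pdf", "json", "csv"}
SCANNERS = {"sast", "sca", "iac"}
SEVERITIES = {"high", "medium", "low", "info"}
STATUSES = {"new", "recurrent"}
STATES = {"to_verify", "confirmed", "urgent", "not_exploitable"}
DEFAULT_SEVERITIES = {"high", "medium"}                # wizard default
DEFAULT_STATES = {"to_verify", "confirmed", "urgent"}  # wizard default
MAX_RECIPIENTS = 10


class ReportOptionsError(ValueError):
    """Raised for a combination of options the wizard would not accept."""


def _choice(values, allowed, what):
    """Normalise UI labels ("To Verify", "SAST") and reject unknown ones."""
    chosen = {str(v).strip().lower().replace(" ", "_") for v in values}
    unknown = chosen - allowed
    if unknown:
        raise ReportOptionsError(f"unknown {what}: {sorted(unknown)}")
    if not chosen:
        raise ReportOptionsError(f"select at least one {what}")
    return sorted(chosen)


def parse_recipients(emails):
    """Accept the comma-separated field or a list; enforce the 10-address cap."""
    if isinstance(emails, str):
        emails = emails.split(",")
    recipients = [e.strip() for e in emails if e and e.strip()]
    bad = [e for e in recipients if "@" not in e]
    if bad:
        raise ReportOptionsError(f"not an e-mail address: {bad}")
    if len(recipients) > MAX_RECIPIENTS:
        raise ReportOptionsError(f"at most {MAX_RECIPIENTS} recipients allowed")
    return recipients


def build_report_request(fmt, *, project=None, branch=None, scan_id=None,
                         severities=None, scanners=SCANNERS, statuses=STATUSES,
                         states=None, name=None, emails=(), sections=()):
    """Return the validated option set as a dict with illustrative keys."""
    fmt = fmt.strip().lower()
    if fmt not in FORMATS:
        raise ReportOptionsError(f"unsupported format {fmt!r}")
    if (project is None) == (scan_id is None):
        raise ReportOptionsError("select the scan either by project or by scan ID")
    chosen_scanners = _choice(scanners, SCANNERS, "scanner")
    if fmt == "csv" and chosen_scanners != ["sast"]:
        raise ReportOptionsError("CSV is available only when SAST is the sole scanner")
    scan = ({"scanId": str(scan_id)} if scan_id is not None
            else {"project": project, "branch": branch or "Last Scan Selected"})
    return {
        "format": fmt,
        "scan": scan,
        "severities": _choice(severities or DEFAULT_SEVERITIES, SEVERITIES, "severity"),
        "scanners": chosen_scanners,
        "statuses": _choice(statuses, STATUSES, "status"),
        "states": _choice(states or DEFAULT_STATES, STATES, "state"),
        "reportName": name or "Report Name",   # generic title when left empty
        "emails": parse_recipients(emails),
        "sections": list(sections),            # empty means all sections
    }


if __name__ == "__main__":
    # Constructed scan ID and addresses, not real ones.
    print(build_report_request("csv", scan_id="constructed-scan-id", scanners=["SAST"],
                               emails="alice@example.com, bob@example.com"))
```

The two checks most worth keeping when automating this are the CSV gate and the recipient cap, because both are enforced by the wizard but are easy to get wrong in a script that reuses one option set for several scanners or teams.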