Checkmarx SCA (REST) API - Export Service
Overview
This API enables you to export reports of the data identified by a Checkmarx SCA scan.
Currently, this API supports generating Software Bill of Materials (SBOM) reports. SBOMs can be generated in either CycloneDX v1.4 or SPDX v2.2 format. SPDX SBOMs are output in JSON format. For CycloneDX, there is an option to output the data as JSON or XML.
Note
Each API call generates a report in a single format. If you would like to generate reports in multiple formats, then you need to send a separate API call for each report.
Workflow
Create a project and run a scan. Take note of the
scanId.Use
POST /export/requests, specifying thescanId, andfile-formatto generate a report. Take note of theexportId.Use
GET /export/requests, specifying theexportId, to check the status of the report.Once the report is complete, use the
fileUrlto download the report.
Base URL
US Environment - https://api-sca.checkmarx.net/export
EU Environment - https://eu.api-sca.checkmarx.net/export
Authentication
Authentication for all SCA endpoints is done using an access token. To learn how to generate an access token, see Checkmarx SCA (REST) API - POST Token.
Export Endpoints Summary
API | Method | Endpoint | Description |
|---|---|---|---|
Create a report | POST | /requests | Generate a report for a specific scan by specifying the
|
Get report | GET | /requests | Check the status of a specific report, and once the report is completed, retrieve the Url to download the report. |
Get report formats | GET | /file-formats | Get a list of supported formats. |
POST Create a report
This endpoint is used to generate a report for a specific scan by specifying the scanId and the desired report format.
Notice
The success response includes an exportId which is used to get the download URL.
Request Parameters
The POST method must be submitted with the following body parameters.
Parameter | Mandatory | Type | Enum | Description |
|---|---|---|---|---|
ScanId | yes | string | N/A | The unique identifier of the scan for which you would like to generate a report. |
FileFormat | yes | string |
| The format of the report. |
Body Parameters Sample
{
"ScanId": "fbd46412-0227-44ef-9feb-8464273a1234",
"FileFormat": "CycloneDxJson"
}cURL Sample
curl --location --request POST 'https://api.scacheckmarx.com/export/requests' \
--header 'Authorization: Bearer {TOKEN}' \
--header 'Content-Type: application/json' \
--data-raw '{
"ScanId": "fbd46412-0227-44ef-9feb-8464273a1234",
"FileFormat": "CycloneDxXml"}'Success Response
Code: 202
The response body consists of the exportId of the report.
Response Sample
{
"exportId": "2d46cf11-a77c-4333-922a-b3bc33581234"
}GET report
This endpoint is used to check the status of a specific report. Once the report is completed, this endpoint also returns the Url to be used for downloading the report.
Request Parameters
The GET method must be submitted with the following body parameter.
Parameter | Mandatory | Type | Enum | Description |
|---|---|---|---|---|
exportId | yes | string | N/A | The unique identifier of the report for which you would like to get the status and download link. |
Body Parameters Sample
{
"exportId": "2d46cf11-a77c-4333-922a-b3bc33581234"
}cURL Sample
curl --location --request GET 'https://api.scacheckmarx.com/export/requests?exportId=e537bcb0-e539-4a6b-9881-43cb2ea21234' \
--header 'Authorization: Bearer {TOKEN}'Success Response
Code: 200
The response body consists of the following parameters.
Parameter | Type | Enum | Description |
|---|---|---|---|
exportId | string | N/A | The unique identifier of the scan for which you would like to generate a report. |
exportStatus | string |
| The current status of the report generation. |
fileUrl | string | The URL for downloading the report. This parameter is only returned for reports that are in "Completed" status. |
Response Sample
{
"exportId": "2d46cf11-a77c-4333-922a-b3bc33586060",
"exportStatus": "Completed",
"fileUrl": "https://mysbom.json"
}