Skip to main content

Project Results Summary

Once a scan is completed it is possible to view and analyze the scan results.

Scan results are aggregated for each Project / Application. It is possible to drill down into the scan results for more detailed information.

In addition, the scan results are aggregated for each of the Checkmarx One scan types - SAST, API Security, IaC Security, SCA.

Addressing false negatives caused by configuration filters:

In previous versions, scans from SAST, SCA, IaC or API Security would fail due to configuration filters that removed all available code for a specific scanner. For instance, if a user set a filter to exclude all Java files and then ran a SAST scan, the scan would fail because there were no files left to analyze.

To eliminate false negatives caused by filters and provide clearer and more reliable scan results, Checkmarx One will mark a scan as successful even if there are no files left after applying filters.

Opening the Project Page

In the Applications and Projects table, stand on the project line and click on eye_icon.png.

The Project Overview tab open is successfully opened.

Project_Overview_Tab.png

Project Overview

Project Overview page presents aggregated information and analytics for a specific Project.

Project Overview is presented as the default view once a user opens the project page.

Project_Overview_Tab.png

Overview Widgets

Risk Level

The Risk Level widget displays the project risk level.

The data reflects the last scan in the project for the selected branch.

The widget shows as a colored area that depends on three risk level. It includes a text definition as well:

  • High Risk - Red High_Risk.png

  • Medium Risk - Yellow Medium_Risk.png

  • Low Risk - Gray Low_Risk.png

High_Risk_Widget.png

Total Vulnerabilities

The Total Vulnerabilities widget displays the number of total vulnerabilities, distributed by severities (High, Medium, Low).

The data reflects the last scan in the project for the selected branch.

The widget includes the following indicators:

  • 4 stacked bars (High, Medium, Low, Info) with the number of vulnerabilities per bar type.

  • The total number of vulnerabilities.

Total_Vulnerabilities_Widget.png

Vulnerabilities per Scan Type

The Vulnerabilities per Scan Type widget displays the distribution of vulnerabilities by scan types.

The data reflects the last scan in the project for the selected branch.

The widget includes the following:

  • A number of stacked bars - Reflecting the scan types usage, for example SAST, SCA, KICS

  • The amount of vulnerabilities per each scan type.

Vulnerabilities_by_Scan_Type_Widget.png

Note

API Security results are included with the SAST results.

Last Scan

The Last Scan widget displays the amount of days that have passed since the last completed scan to the current date.

The data reflects the last scan in the project for the selected branch.

Last_Scan_Widget.png

Severity Over Time

The Severity Over Time widget displays the latest vulnerabilities value distributed by severity (High, Medium, Low).

This value is calculated per day within the selected time range.

The data reflects all the scans in the project for the selected branch.

The widget includes the following time ranges:

  • 1 week

  • 1 month

  • 3 months

  • 6 months (Default)

  • 1 year

Severity_over_Time_Widget.png

Aging Summary

The Aging Summary widget displays the number of vulnerabilities distributed by severities for the first discovery date in a specific time range.

The data reflects the last scan in the project for the selected branch.

The widget includes a bar chart presentation with the following parameters:

  • x-axis - Displays 4 constant time ranges:

    • 0 - 30 days

    • 30 - 60 days

    • 60 - 90 days

    • 90+ days

  • y-axis - Displays the number of vulnerabilities.

  • Chart data - 3 stacked bars per each time range (High_Risk.png High, Medium_Risk.png Medium, Low_Risk.png Low, Low_Risk.png Info) with the number of vulnerabilities per bar type.

Aging_Summary_Widget.png

Results by Technologies

The Results by Technologies widget displays the percentage of vulnerabilities detected for each language and technology.

Results_by_Technologies_Widget.png

Compliance

The Compliance widget displays all the compliance standards that exist in the Checkmarx One Database.

The data indicates which scan has been verified for the compliance standards and which scan did not.

The data reflects the last scan in the project for the selected branch.

The widget includes the following:

  • A donut chart that includes Passed / Failed compliance standards.

  • A count of:

    • Passed compliance standards.

    • Total compliance standards.

  • Clicking each item directs the user to the relevant standard in the Compliance tab as illustrated for OWASP Top 10 API as an example.

Compliance_Widget.png
OWASP_Top_10_API.png

Scan History

Scan_History_Screen.png

The Scan History tab presents a list of all the scans that were performed within a project.

Each record shows information about each scan that was completed. The screen images illustrate a scenario where all four scanners were used for the scan.

The information appears in a table with each column indicating a different value. These values are listed and explained in the table below.

Column

Description

Possible Values

Scan Date

The date and time on which the scan was performed

  • For example Thursday, September 15, 2022, 11:46 PM

Branch

The branch that has been scanned

For .zip files, the the value is N/A.

  • Master (or any other branch)

  • N/A

Tags

Project tags

  • Any value

Initiator

The client who initiated the scan

  • Username

  • CLI

  • GitHub-Action-Integration

Scan Origin

Where was the scan triggered from

  • Browser

  • CLI

Source

Source file format

  • GitHub

  • GitLab

  • Zip

Scanners

The scanners that have been used for the scan

  • SAST

  • SCA

  • IaC Security

  • APISEC

Severity

The amount of vulnerabilities, distributed by severities

  • High High_Severity.png

  • Medium Medium_Severity.png

  • Low Low_Severity.png

Scan Type

Scan Type

  • Full Scan

  • Incremental

Duration

Scan duration

  • HH:MM:SS

Status

Scan status

  • Completed,

  • Partial - for example, it failed for one scanner, but for the remaining ones, the scan was completed

  • Failed - for all used scanners

  • Canceled

Options for what to do with the scan

  • Delete_Trash_Bin.PNG Delete the scan

  • Export.png Generate a report

Opening Scan Results

Clicking on a specific scan opens a preview pane on the right screen side. From the Preview pane it is possible to open the Scan Results page for that specific scanner.

Click Results to display the scan results for the requested scanner.

Scan_Results.png

Filtering the Scans List View

Filtering Branches

By default, the Scans list is filtered by Branch.

The Scans list view includes only the Repository based scans.

6407421963.png

Filtering Zip Files

The zip source files filter is configured in Checkmarx One as N/A.

The Scans list view includes only the zip files scans.

6406078549.png

Deleting a Scan

You can delete any scan marked as Completed from the Scan History screen.

To delete a scan:

  1. Click More_Options.png and then select Delete_Trash_Bin.PNG Delete Scan.

  2. Click <OK> to confirm your request.

SAST Scans Comparison

SAST comparison feature is designed for SAST results comparison of 2 SAST scans of the same branch / zip file.

The essence of the feature is to provide the user better understanding on which SAST vulnerabilities were added/fixed/reoccurred in the same repository branch or zip file scans.

Checkmarx One provides an interactive interface for the SAST comparison, like the results interface for a single scan.

Comparing SAST Results

To compare SAST results, perform the following:

  1. Perform at least 2 SAST scans of the same repository branch or zip file.

  2. Open the projects page by using one of the methods that appear in this link Viewing Scan Results

  3. Click on Scan History

    Scan_History1.png
  4. Select 2 scans from the list

    Note

    The scans can be full scans or incremental.

    Select_2_Scans.png
  5. Click on Compare SAST Results

    Compare_SAST_Results.png

    SAST results viewer is opened

  6. Expand the relevant language/vulnerability

    Expand_Vulnerability.png
  7. Click on one of the findings

    Open_Vulnerability.png

    SAST code viewer is opened with a comparison between the 2 selected scans

Note

The user will be able to see 3 different results statuses:

  • New Issues: Issues that were found only in the newer scan.

    The user can also add notes, change the state and those changes are reflected in the most recent scan.

  • Fixed Issues: Issues that were found only in the older scan.

    The user can't add notes nor change the state because the result is fixed.

  • Recurring Issues: Issues that were found in both scans.

    The user can also add notes, change the state and those changes are reflected in the most recent scan.

Limitations

  • The feature supports only SAST scans. If one of the selected scans doesn't contain SAST scanner the comparison option will be greyed out and disabled, with the suitable tooltip.

  • The comparison is being performed using 2 SAST scans. In case that the user selects more than 2 scans the comparison option will be greyed out and disabled, with the suitable tooltip.

Scanners

The Scanners tab provides a multi-scanner overview on the API Security, SAST, SCA and IaC Security scanners that have been used for the last completed scan within a project. The results for each scanner type are presented in a separate screen, the scanner dashboard, using dedicated widgets for the results analysis. These dashboards are introduced on the Scanner Dashboard pages:

SAST Scanner

The SAST Scanner screen provides an overview of the last completed SAST scan, using SAST widgets.

SAST_Scanner_Dashboard.png

SAST Widgets

Recurring Results

Recurring Results widget displays the number of vulnerabilities with “recurrent” status.

SAST_Scanner_Dashboard__Recurring_Results.png
New Results

New Results widget displays the number of vulnerabilities with “new” status.

SAST_Scanner_Dashboard__New_Results.png
Total Vulnerabilities

Total Vulnerabilities widget displays the total number of vulnerabilities per severity - High, Medium, Low, Info.

SAST_Scanner_Dashboard__Total_Vulnerabilities.png
Results by State

Results by State widget presents the number of vulnerabilities per state (To Verify, Confirmed, Not exploitable, etc.).

SAST_Scanner_Dashboard__Results_by_State.png
Results by Language

Results by Language widget presents the number of vulnerabilities per language (VbNet, JavaScript, CSharp, etc.).

SAST_Scanner_Dashboard__Results_by_Language.png
Results by Vulnerabilities

Results by Vulnerabilities widget presents the number of vulnerabilities per category (Stored XSS, XPath Injection, etc.).

SAST_Scanner_Dashboard__Results_by_Vulnerability.png

Pie Charts

Note

The illustrated pie charts in this section are from different scans than the previous ones.

You may hide content from the pie charts or display additional information on content as explained below.

To hide content from pie charts:

Click the content Language/State. The relevant content appears crossed out and the result is hidden from the chart as illustrated below.

5961515114.png
5960958091.png

To display additional information on a result:

Hover over the desired pie chart section, a tooltip appears with information on the content as illustrated below.

5961416805.png

Filter the Widget View

The default widget view is filtered according to the scanned source file branch - Repository scans.

The zip source files view is configured as N/A.

5959450813.png

Notice

  • For repository scanned files the main branch is Master, but it is possible to see also the sub-branches (In case they were scanned).

  • It is also possible to set any scanned branch as Primary.

  • If zip source files were scanned in the project, it is possible to switch the widgets view to N/A.

SAST Results

The SAST Scanner screen offers an option to directly open SAST results.

To open SAST results, click on View Results.

Clicking View Results redirects users to the SAST results filtered view.

For more information about SAST results, refer to Viewing SAST Result.

Initiate a New Scan

The SAST Scanner screen also provides the option to scan new source files without the need to switch view.

To scan new source files, click on Click_Scan1.png

For additional information on scanning new source files, refer to Scanning Projects.

SCA Scanner

The SCA Scanner screen provides an overview of the last completed SCA scan, using SCA widgets.

SCA_Scanner_Dashboard.png

SCA Widgets

Scanned Packages

Scanned Packages widget displays the total number of scanned packages.

SCA_Scanner_Dashboard__Scanned_Packages.png
Outdated Packages

Outdated Packages widget displays the total number of outdated packages (i.e. packages for which a newer version is available) in your Project.

SCA_Scanner_Dashboard__Outdated_Packages.png
Total Vulnerabilities

Total Vulnerabilities widget displays the total number of vulnerable packages, distributed by severity - High, Medium, Low,

SCA_Scanner_Dashboard__Total_Vulnerabilities.png
Vulnerabilities detected In

Vulnerabilities detected In widget displays the number of vulnerabilities distributed by the type of entity in which they were found (Packages, Images).

SCA_Scanner_Dashboard__Vulnerabilities_Detected_In.png
Results by State

Results by State widget displays the number of vulnerabilities distributed by the current state of the vulnerability.

SCA_Scanner_Dashboard__Results_by_State.png
Results by Legal Risk

Results by Legal Risk widget displays the vulnerable scanned packages distributed by legal risk severity - High, Medium, Low, Unknown.

SCA_Scanner_Dashboard__Results_by_Legal_Risk.png
Results by License Type

Results by License Type widget displays the vulnerable scanned packages per license type - zlib, public domain, mit, mozilla 1.1 etc.

SCA_Scanner_Dashboard__Results_by_License_Type.png
Top Vulnerable Packages

Top Vulnerable Packages widget shows the packages with the highest number of vulnerabilities. For each package, the number of vulnerabilities associated with that package is listed, for example org.yaml:snakeyaml has 3 vulnerabilities.

SCA_Scanner_Dashboard__Top_Vulnerable_packages_and_Images.png

Pie Charts

Note

The illustrated pie charts in this section are from different scans than the previous ones.

You may hide content from the pie charts or display additional information on content as explained below.

To hide content from pie charts:

Click the desired element in the graph. The respective element is hidden from the chart as illustrated below.

5967216841.png
5966790908.png

To display additional information on a result:

Hover over the desired pie chart section, a tooltip appears with information on the content as illustrated below.

5966889279.png

Filtering the Widget View

The default widget view is filtered according to the scanned source file branch - Repository scans.

The zip source files view is configured as N/A.

5960598520.png

Notice

  • For repository scanned files the main branch is Master, but it is possible to see also the sub-branches (In case they were scanned).

  • It is also possible to set any scanned branch as Primary.

  • If zip source files were scanned in the project, it is possible to switch the widgets view to N/A.

SCA Results

The SCA Scanner screen allows you to directly open SCA results.

To open SCA results, click on View Results.

Clicking View Results redirects users to the SCA results pages.

For a description of the information displayed on the SCA Results pages, refer to Viewing SCA Results.

Initiate a New Scan

The SCA Scanner screen allows you to directly scan new source files without the need to switch views.

To scan new source files, click Click_Scan1.png

For additional information on scanning new source files, refer to Scanning Projects.

IaC Security Scanner

The IaC Security Scanner screen provides an overview of the last completed IaC Security scan, using IaC Security widgets.

IaC_Dashboard.png

IaC Security Widgets

Scanned Files

Scanned Files widget presents the number of scanned files.

KICS_Scanner_Dashboard__Scanned_Files.png
New Vulnerabilities

New Vulnerabilities widget presents the number of vulnerabilities with new status.

KICS_Scanner_Dashboard__New_Vulnerabilities.png
Total Vulnerabilities

Total Vulnerabilities widget presents the total number of vulnerabilities per severity - High, Medium, Low.

KICS_Scanner_Dashboard__Total_Vulnerabilities.png
Results by State

Results by State widget presents the number of vulnerabilities per state (To Verify, Confirmed, Not exploitable, etc.).

KICS_Scanner_Dashboard__Results_by_State.png
Results by Platform

Results by Platform widget presents the number of vulnerabilities per platform (Common, Dockerfile, Kubernetes, etc.).

Results_by_Platform.png
Results by Category

Results by Category widget presents the vulnerabilities distribution per Category (Insecure Configurations, Access Control, Resource Management, etc.).

KICS_Scanner_Dashboard__Results_by_Category.png

Pie Charts

Note

The illustrated pie charts in this section are from different scans than the previous ones.

You may hide content from the pie charts or display additional information on content as explained below.

To hide content from pie charts:

Click the content Language/State. The relevant content appears crossed out and the result is hidden from the chart.

5961547979.png
5961318704.png

To display additional information on a result:

Hover over the desired pie chart section, a tooltip appears with information on the content as illustrated below.

5961220276.png

IaC Security Results

IaC Security Scanner screen provides the option to directly open IaC Security results.

To open IaC Security results, click on View_Results_Button.png. It will redirects users to the IaC Security results view.

For additional information on IaC Security results, go to IaC Security Results.

Initiate a New IaC Security Scan

IaC Security Scanner screen also provides the option to scan new source files without the need to switch view.

To scan new source files click Click_Scan1.png.

For more information about scanning new source files, refer to Scanning Projects.

API Security Project Results

The API Security Scanner screen provides an overview of the last completed API security scan using API Security widgets.

APISEC_Scanner_Dashboard.png

API Security Widgets

Detected APIs

The number of detected APIs in the code. This scan detected 10 APIs in the code.

APISEC_Scanner_Dashboard__Detected_APIs.png
Sensitive Data APIs

The number of APIs with at least one sensitive data attribute. This scan detected sensitive data attributes in 9 out of the 10 detected APIs. Sensitive Data categories and parameters are listed in the table below.

APISEC_Scanner_Dashboard__Sensitive_Data_APIs.png

Category

Parameters

Name

firstname, surname, familyname, fullname, name

Personal Data

birthday, dob, dateofbirth, phone, mobile, email, socialsecurity, ssn, driverslicense

Address

address, zipcode

Bank

credit, cardnumber, account

Secrets

credentials, secret, auth, apikey, pass, pwd, password

Undocumented APIs

Lists the number of undocumented API endpoints found in the code but not in the Swagger file after scanning both the code and the documentation.

In the illustrated example, API Security detected Undocumented APIs once.

UndocumentedAPIsOverview.png
Results by Vulnerabilities

A list of sensitive data attributes with an indicator on how often each of these sensitive data attributes was detected.

In the illustrated example, API Security detected Parameter Tampering twice and three more once each.

6485115003.png
Results by Risk

The number of sensitive data attributes according to their risk.

In the illustrated example, API Security detected 5 vulnerabilities of which 2 were of high risk and 3 of medium risk.

APISEC_Scanner_Dashboard__Results_by_Risk.png

Viewing Results

To view results, click View Results. The Risks table appears. It lists the risks and provides additional information detailed in the parameters below and described in Viewing API Results.

APISec_doc_04.png

Parameter

Description

SeveritySeverity.png

Indicates the risk severity as follows:

High_Severity.pngHigh

Medium_Severity.pngMedium

Low_Severity.pngLow

Risk Name

The name of the risk.

Status

Indicates the status of the risk as follows:

New.png- A newly detected vulnerability.

Recurrent_List.png- The vulnerability has been detected at least once before.

Endpoint Path

The end path of the resource URL.

Method

The operation that the endpoint performs on resources.

Data Origin

Indicates where the risk was detected, for example inside the code.

Risk Discovered

The date when the risk was detected.

Doc

Undocumented APIs present a risk because attackers may use them as an undetectable surveillance and reconnaissance channel.

This column shows whether the endpoint is documented or not:

  • "-" appears when no documentation file was not scanned

  • Yes: The endpoint appears in the scanned document, and it is documented

  • No: The endpoint appears in the scanned document, but it is not documented

AuthN

Unauthenticated APIs present a risk because they may allow easy access to confidential information.

This column shows whether the endpoint is authenticated or not.

  • "-" appears when no documentation file was not scanned

  • Yes: The endpoint appears in the scanned document, and it is authenticated

  • No: The endpoint appears in the scanned document, but it is not authenticated

You can view the parameters of a code risk by clicking its row.

  • Under Parameters, click View_All_Parameters.png. All sensitive data parameters in the code appear.

    Parameters_Global.png
  • Interface

    Description

    Global_Warnings.png

    List of all sensitive parameters in the API with warnings. This section is identical to the list of sensitive data parameters.

    Global_Requests.png

    List of all parameters in the request to the API. The sensitive parameters are labeled Sensitive.png.

    Global_Responnse.png

    List of all parameters in the response by the API. The sensitive parameters are labeled Sensitive.png.

To view the details of a documentation risk, click its row and the vulnerability in the Swagger file will appear with an embedded description box.

SwaggerFileRiskView.png

API Security Project Results

The API Security Scanner screen provides an overview of the last completed API security scan using API Security widgets.

APISEC_Scanner_Dashboard.png

API Security Widgets

Detected APIs

The number of detected APIs in the code. This scan detected 10 APIs in the code.

APISEC_Scanner_Dashboard__Detected_APIs.png

Sensitive Data APIs

The number of APIs with at least one sensitive data attribute. This scan detected sensitive data attributes in 9 out of the 10 detected APIs. Sensitive Data categories and parameters are listed in the table below.

APISEC_Scanner_Dashboard__Sensitive_Data_APIs.png

Category

Parameters

Name

firstname, surname, familyname, fullname, name

Personal Data

birthday, dob, dateofbirth, phone, mobile, email, socialsecurity, ssn, driverslicense

Address

address, zipcode

Bank

credit, cardnumber, account

Secrets

credentials, secret, auth, apikey, pass, pwd, password

Undocumented APIs

Lists the number of undocumented API endpoints found in the code but not in the Swagger file after scanning both the code and the documentation.

In the illustrated example, API Security detected Undocumented APIs once.

UndocumentedAPIsOverview.png

Results by Vulnerabilities

A list of sensitive data attributes with an indicator on how often each of these sensitive data attributes was detected.

In the illustrated example, API Security detected Parameter Tampering twice and three more once each.

6485115003.png

Results by Risk

The number of sensitive data attributes according to their risk.

In the illustrated example, API Security detected 5 vulnerabilities of which 2 were of high risk and 3 of medium risk.

APISEC_Scanner_Dashboard__Results_by_Risk.png

Viewing Results

To view results, click View Results. The Risks table appears. It lists the risks and provides additional information detailed in the parameters below and described in Viewing API Results.

APISec_doc_04.png

Parameter

Description

SeveritySeverity.png

Indicates the risk severity as follows:

High_Severity.pngHigh

Medium_Severity.pngMedium

Low_Severity.pngLow

Risk Name

The name of the risk.

Status

Indicates the status of the risk as follows:

New.png- A newly detected vulnerability.

Recurrent_List.png- The vulnerability has been detected at least once before.

Endpoint Path

The end path of the resource URL.

Method

The operation that the endpoint performs on resources.

Data Origin

Indicates where the risk was detected, for example inside the code.

Risk Discovered

The date when the risk was detected.

Doc

Undocumented APIs present a risk because attackers may use them as an undetectable surveillance and reconnaissance channel.

This column shows whether the endpoint is documented or not:

  • "-" appears when no documentation file was not scanned

  • Yes: The endpoint appears in the scanned document, and it is documented

  • No: The endpoint appears in the scanned document, but it is not documented

AuthN

Unauthenticated APIs present a risk because they may allow easy access to confidential information.

This column shows whether the endpoint is authenticated or not.

  • "-" appears when no documentation file was not scanned

  • Yes: The endpoint appears in the scanned document, and it is authenticated

  • No: The endpoint appears in the scanned document, but it is not authenticated

You can view the parameters of a code risk by clicking its row.

  • Under Parameters, click View_All_Parameters.png. All sensitive data parameters in the code appear.

    Parameters_Global.png
  • Interface

    Description

    Global_Warnings.png

    List of all sensitive parameters in the API with warnings. This section is identical to the list of sensitive data parameters.

    Global_Requests.png

    List of all parameters in the request to the API. The sensitive parameters are labeled Sensitive.png.

    Global_Responnse.png

    List of all parameters in the response by the API. The sensitive parameters are labeled Sensitive.png.

To view the details of a documentation risk, click its row and the vulnerability in the Swagger file will appear with an embedded description box.

SwaggerFileRiskView.png

Compliance

6406602769.png

The Compliance tab shows details about applicable compliance standards for the Project. The left side panel shows a list of applicable compliance standards. Clicking on a standard shows info for that standard in the main display.

List Pane

The left side pane shows a list of all standards that are applicable for this Project (i.e. all standards for which the relevant queries were run).

Next to each compliance standard is either a checkmark, indicating that the Project passed the requirements of that compliance standard, or an exclamation point, indicating that it failed.

Notice

The Project is considered to have passed a compliance standard if it does not have any Medium_Severity.png or High_Severity.png severity vulnerabilities.

6406144059.png

Main Display

The main display show shows details about the vulnerabilities that were identified that do not comply with selected standard.

Total Vulnerabilities Widget

This widget shows the number of vulnerabilities that do not comply with this standard, broken down by severity level (HIGH, MEDIUM, LOW, INFO). The info is shown as color coded doughnut graph.

6406799367.png

Aging Summary Widget

This widget shows a bar graph indicating the number of new vulnerabilities related to this compliance standard that were identified during various time periods. The data is broken down by severity level.

Note

The data shown in this widget is for vulnerabilities that are present in the last scan of the selected branch of this Project.

6406570006.png

Vulnerabilities Categories Table

The bottom section shows a list of categories of vulnerabilities that were discovered in the Project. For each category, details are shown about the vulnerabilities discovered.

The following information is shown for each category:

Parameter

Description

Possible Values

Category

The name of the vulnerability category

e.g. Heap_Inspection, Privacy_Violation, etc.

Total Vulnerabilities

The total number of vulnerabilities discovered in this category

A number

Severity

The amount of vulnerabilities, distributed by severity

  • High High_Severity.png

  • Medium Medium_Severity.png

  • Low Low_Severity.png

  • Info Info_Severity.png

A number

Languages

The language(s) of the detected vulnerabilities

e.g. Java

Engines

The type of scan engine that discovered the vulnerability

SAST, SCA or KICS