
results

The results command is used to retrieve scan results in Checkmarx One.

Usage

./cx results [command] [flags]

Help

--help, -h

Help for the results command.

Results Commands

results can be used with the following commands:

results show

The results show command is used to retrieve scan results (i.e., generate reports) in Checkmarx One.

Usage

./cx results show [flags]

Flags

--filter <strings> (Default: All results are included)

Specify filters for the data that will be included in the report that is generated.

Filters aren't applied to PDF reports. You can specify which sections to include in a PDF report using --report-pdf-options.

  • Use the ";" sign as the delimiter for arrays.

  • Available filters are: limit, offset, sort, include-nodes, node-ids, query, group, severity, state, status.

  • Enum values:

    • severity - High, Medium, Low, Info (Info is only for SAST scanner).

    • state - TO_VERIFY, NOT_EXPLOITABLE, PROPOSED_NOT_EXPLOITABLE, CONFIRMED, URGENT, IGNORED, NOT_IGNORED.

    • status - NEW, RECURRENT, FIXED.

    • sort - -severity, +severity, -status, +status, -state, +state, -type, +type, -firstfoundat, +firstfoundat, -foundat, +foundat, -firstscanid, +firstscanid.

      Default sorting: +status, +severity.

      Tip

      "+" = ascending order

      "-" = descending order

--help, -h

Help for the results command.

--output-name <string> (Default: cx_result)

Specify a name for the output file.

--output-path <string> (Default: ".")

Specify the file path for the output file.

--report-format <string> (Default: json)

Specify the format for the report that is generated.

Options are: summaryHTML, summaryJSON, summaryConsole, sarif, gl-sast, json, sonar, markdown, PDF, or SBOM

The json, sarif, gl-sast, and sonar formats generate a detailed list of the risks identified in the project (gl-sast returns only SAST results). The summaryHTML, summaryJSON, summaryConsole and markdown formats generate summary reports with aggregated risk data. PDF reports by default include both a summary of risks and a detailed list of risks; you can specify which sections to include using --report-pdf-options.

Tip

For SBOM reports, you need to add the --report-sbom-format flag to specify the SBOM standard and output format.

--report-pdf-email <string>

Specify email recipients who will receive the pdf report. Multiple emails are separated by a ",".

This flag can only be used when --report-format is set as pdf.

--report-pdf-options <string> (Default: All Sections)

Specify the sections that will be included in the pdf format report.

This flag can only be used when --report-format is set as pdf.

Available sections are: Sast, Sca, Iac-Security, ScanSummary, ExecutiveSummary, and ScanResults.

ScanResults includes results for all scanners (IaC-Security, Sast and Sca).

--report-sbom-format (Default: CycloneDxJson)

Specify the type of SBOM standard (CycloneDX or SPDX) as well as the output format.

Options are: CycloneDxJson, CycloneDxXml, or SpdxJson.

--sast-redundancy

Checkmarx identifies vulnerabilities with matching sub-flows, which enables prioritization of fixes that will resolve multiple vulnerabilities with a single fix.

When this flag is used, a new field, data.redundancy, is shown for each vulnerability, indicating which vulnerability should be prioritized for fixing and which ones should be considered redundant.

--scan-id <string> (Required)

Scan ID.

Pagination

By default, all results are included in the report (up to 10k). Use limit to set the maximum number of results to return and offset to set the number of results to skip before results are returned.

Example: The following command generates a report for records 21-30.

./cx results show --filter "limit=10,offset=20"

Applying Filters and Sorting

You can filter the results included in the report by specifying various parameters such as severity, state and status. These filters apply both to the list of risks that is returned as well as to the summary data that is given. You can also specify how the list of risks is sorted in the report.

When multiple filter attributes are used, an AND operator is applied between attributes. When multiple values are given for an attribute, an OR operator is used between values.

Filters are applied using the following syntax:

./cx results show --filter "attributeA=value1,attributeB=value1;value2;value3,..."

Example: The following command returns a report that includes data for all risks with a severity level "high" or "medium" and the status "new". The results are sorted by "first found at" in descending order.

./cx results show --filter "severity=high;medium,status=new,sort=-firstfoundat+queryname"
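The filter grammar and the pagination rule described above, as an added Python helper that is not part of the Checkmarx CLI or its documentation: it assembles a --filter value with "," between attributes (AND) and ";" between values (OR), validates values against the enumerations listed for severity, state, status and sort, computes which records a limit/offset pair selects, and refuses to attach filters to a PDF report because the CLI does not apply them there. The function names and the argv layout are assumptions.

```python
# Enumerations as documented for --filter; matched case-insensitively because
# the documented examples use lower-case values (e.g. severity=high).
SEVERITIES = {"high", "medium", "low", "info"}
STATES = {"to_verify", "not_exploitable", "proposed_not_exploitable",
          "confirmed", "urgent", "ignored", "not_ignored"}
STATUSES = {"new", "recurrent", "fixed"}
SORT_KEYS = {"severity", "status", "state", "type", "firstfoundat",
             "foundat", "firstscanid"}
ENUMS = {"severity": SEVERITIES, "state": STATES, "status": STATUSES}


def build_filter(**attrs):
    """Return a --filter value: ',' joins attributes (AND), ';' joins values (OR)."""
    parts = []
    for key, values in attrs.items():
        if isinstance(values, (str, int)):
            values = [values]
        values = [str(v) for v in values]
        if key in ENUMS:
            bad = [v for v in values if v.lower() not in ENUMS[key]]
            if bad:
                raise ValueError(f"{key}: unknown value(s) {bad}")
        elif key == "sort":
            for v in values:  # each sort key needs a '+' (ascending) or '-' prefix
                if v[:1] not in "+-" or v[1:].lower() not in SORT_KEYS:
                    raise ValueError(f"sort: bad key {v!r}, expected +key or -key")
        elif key in ("limit", "offset"):
            if not values[0].isdigit():
                raise ValueError(f"{key} must be a non-negative integer")
        parts.append(f"{key}={';'.join(values)}")
    return ",".join(parts)


def record_range(limit, offset):
    """1-based (first, last) record numbers selected by a limit/offset pair."""
    return offset + 1, offset + limit


def show_command(scan_id, report_format="json", **attrs):
    """argv for `cx results show` (assumed layout); filters are not applied to PDF."""
    if report_format.lower() == "pdf" and attrs:
        raise ValueError("filters are ignored for PDF; use --report-pdf-options")
    argv = ["./cx", "results", "show", "--scan-id", scan_id,
            "--report-format", report_format]
    flt = build_filter(**attrs)
    if flt:
        argv += ["--filter", flt]
    return argv
```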

Workflow Examples

List the available scans to find the scan ID you want to report on:

ophir@OphirS-Laptop:~/ast-cli$ ./cx scan list

Scan ID                              Project ID                           Status    Created at Tags    Initiator                      Origin
-------                              ----------                           ------    ---------- ----    ---------                      ------
3c028677-5df7-4bd9-8a10-7214ced45670 683c51da-8644-4e27-990f-1128ab911a1b Completed 09-10-21   []      service-account Github
c0507cb4-c68a-4db8-9565-5308d409a931 683c51da-8644-4e27-990f-1128ab911a1b Completed 09-10-21   []      service-account Github
5ee3482e-b068-4bc5-9671-1c98098b3062 683c51da-8644-4e27-990f-1128ab911a1b Completed 09-09-21   []      service-account Github

Retrieve scan results for a specific scan ID using default settings:

./cx results show --scan-id <scan ID>

user@laptop:~/ast-cli$ ./cx results show --scan-id 3c028677-5df7-4bd9-8a10-7214ced45670
2023/08/03 22:33:32 Creating JSON Report:  cx_result.json

Retrieve scan results for a specific scan ID using several flags:

./cx results show --scan-id <scan ID> --report-format sarif --output-name <file name> --output-path <output file location>

user@laptop:~/ast-cli$ ./cx results show --scan-id aca72f5d-1b58-4821-b7f0-508f857a9d4b --report-format sarif --output-name Demo_Sarif_Report --output-path "."
2023/08/04 12:17:38 Creating SARIF Report:  Demo_Sarif_Report.sarif

Generate a PDF report of SAST vulnerabilities and send it to an email recipient:

./cx results show --scan-id <scan ID> --report-format pdf --report-pdf-email <recipient_email> --report-pdf-options <specify_sections>

user@laptop:~/ast-cli$ ./cx results show --scan-id aca72f5d-1b58-4821-b7f0-508f857a9d4b --report-format pdf --report-pdf-email [email protected] --report-pdf-options sast
2023/08/04 12:25:52 Sending PDF report to:  [[email protected]]

results codebashing

The results codebashing command is used to retrieve Codebashing links from Checkmarx One.

Warning

In order to use this command, you need to have a Codebashing account that has been linked to your Checkmarx One account. Please contact your Checkmarx support representative for assistance.

Usage

./cx results codebashing [flags]

Flags

--cwe-id <string> (Required)

CWE ID for the vulnerability.

--format <string> (Default: json)

The output format for the response. Possible values are json, list or table.

--help, -h

Help for the results command.

--language <string> (Required)

Language of the vulnerability.

--vulnerability-type <string> (Required)

Vulnerability type.

Examples