Skip to main content

Viewing Checkmarx One Results in Eclipse

Once you have run a Checkmarx One scan on the source code of your Eclipse project, you can import the scan results into your Eclipse IDE. The results are integrated within the IDE in a manner that makes it easy to identify the vulnerable code, triage the results, and take the required remediation actions.

First you need to import the results from the latest scan of your Eclipse project. Then you can view the results in your Eclipse IDE.

Figure 1. 

GIF - How to load and view Checkmarx scan results in Eclipse

Loading your Checkmarx One Results

To load results from a scan:

  1. In your Eclipse project, click on Window > Show View > Other.


    The Show View window opens.

  2. Select Checkmarx > Checkmarx One Scan from the list to open the Checkmarx View (or search for Checkmarx One Scan in the search box) and click Open.


    The Checkmarx panel opens at the bottom of the screen.



    If you haven’t done the initial setup, the Open Settings button is shown in the Checkmarx panel. Click on the button and then configure the integration as described in Checkmarx One Eclipse Plugin Initial Setup.Checkmarx One Eclipse Plugin Initial Setup

  3. Enter the Scan ID of the scan for which you want to show results (i.e., the most recent scan of your Eclipse project). Use one of the following methods to enter the Scan ID:

Viewing Checkmarx One Scan Results in the Checkmarx View

You can open the Checkmarx panel below your project and navigate the tree display to view details about a specific vulnerability.


In order to show the source code for a specified attack vector, you need to have the relevant project open in your Eclipse console.

To view the Checkmarx One results in the Checkmarx panel:

  1. After you import the scan results, and the results are shown in the Checkmarx panel, click on an arrow to expand that node in the tree.

  2. You can use the Checkmarx Toolbar (on the right) to adjust the display, see actions below.

  3. Click on a vulnerability.

    The details panel is shown on the right, including the a summary of the vulnerability info, a brief description and the Attack Vector (for SAST vulnerabilities).

  4. Click on a node in the Attack Vector.

    An editor opens containing the source code in the respective file and location for the selected node.


Checkmarx Toolbar





Filter High

Show/hide high severity vulnerabilities.


Filter Medium

Show/hide medium severity vulnerabilities.


Filter Low

Show/hide low severity vulnerabilities.


Filter Info

Show/hide info severity vulnerabilities.


Clear and Refresh

Clear the Project, branch and scan selection and refresh the Project selection list.


Get Results

Triggers attempt to fetch results for the specified Scan ID.



Cancels attempt to fetch results for the specified Scan ID.


Filter by state

Filter results by state (multi-select, by default all are selected except for Not Exploitable and Proposed Not Exploitable)



Select/deselect grouping categories. Options are: Severity, Query Name and State. You can group by multiple parameters. The groups will be nested according to the order in which they are selected (i.e., the first selection will be the top level grouping and the next selection will be the nested grouping below that etc.)

Managing (Triaging) Results

Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance has a ‘Predicate’ associated with it, which is comprised of the following attributes: ‘state’, ‘severity’ and ‘comments’. After reviewing the results of a scan, you have the ability to triage the results and modify these predicates accordingly. For more info about triaging results in Checkmarx One, see Managing (Triaging) Vulnerabilities.

You can manage the results directly in the Eclipse console.


Only users with the Checkmarx One role update-result (e.g., a risk-manager) are authorized to make changes to the predicate. Only users with the role update-result-not-exploitable (e.g., an admin) are authorized to mark a vulnerability as ‘Not Exploitable’.

To edit the result predicate:

  1. Navigate to the vulnerability that you would like to edit.

  2. To adjust the severity, click on the Severity field, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.

  3. To adjust the state, click on the State field, and select from the dropdown list the state that you would like to assign. For SAST and KICS, options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent. For SCA, options are: Not Ignored or Ignored.


    If you mark a vulnerability as Not Exploitable or Ignored it will not be shown in the results in the web app for this scan or for subsequent scans of this Project.

  4. To add a comment, click on the Enter comment field and enter your comment.

  5. In order to apply your changes, click Update.

    The new predicate is applied to the vulnerability instance in this scan as well as to recurring instances of the vulnerability in subsequent scans of the Project. The changes made to the predicate are shown in the Changes tab.