
SAST Results API

Notice

A comprehensive Checkmarx One API Reference Guide is now available here.

Overview

Get comprehensive results for each of the vulnerabilities detected in a specific SAST scan (by scan ID). This API returns full details about each vulnerability detected, including vulnerability details, history, compliance, affected nodes, etc. You can limit the results by using pagination and/or setting filter parameters. You can also sort the results by several parameters.

Notice

If you would like to get the SAST results together with results from the other scanners run on the scan, use GET /api/results.

SAST Results URL

The URL for SAST Results endpoints is <base_url>/api/sast-results

Workflow

  1. Use POST /api/scans to create a scan (specifying to run the SAST scanner), generating a “scan id”.

  2. Use the “scan id” with GET /api/sast-results to get the results of that SAST scan.

Authentication

Authentication for all Checkmarx One endpoints is done using JWT (JSON Web Token) access token. Access tokens are generated using the Authentication API.

Swagger

To view these APIs in the Swagger UI and run sample API calls, go to <base_url>/spec/v1/ and select Sast Results in the definition field.

GET SAST Results

Gets a list of all vulnerabilities identified in a particular scan by the SAST scanner and shows detailed info about each vulnerability. The only required query param is scan-id. You can limit results by using pagination and/or by filtering by various scan attributes such as severity, status, language, etc. You can also filter by the location of the vulnerability by specifying the file name, source node, sink node, etc.

In addition, you can specify how the results are sorted (e.g., by created at, name, user agent, etc.).

Authentication

Authentication for all Checkmarx One endpoints is done using JWT (JSON Web Token) access token. Access tokens are generated using the Authentication API.

cURL Samples

Get results for a scan using default settings

curl -X GET "https://eu.ast.checkmarx.net/api/sast-results/?scan-id=eef184b7-f4b2-4884-aad9-3b01d30d8b04" -H  "accept: application/json" -H  "Authorization: Bearer <token>"

Filter for results in “java” language and the file name contains the string “security”

curl -X GET "https://eu.ast.checkmarx.net/api/sast-results/?scan-id=704dff04-dbaa-436a-951f-d26d8c691418&language=java&source-file=security&source-file-operation=CONTAINS" -H  "accept: application/json" -H  "Authorization: Bearer <token>"

Sort results by query name in descending order and exclude node info from the results

curl -X GET "https://eu.ast.checkmarx.net/api/sast-results/?scan-id=704dff04-dbaa-436a-951f-d26d8c691418&nodes=false&apply-predicates=true&offset=0&limit=20&sort=%2Bqueryname" -H  "accept: application/json" -H  "Authorization: Bearer <token>"

Parameters

The following table describes the parameters for which default settings are applied unless otherwise specified:


Parameter: include-nodes

Description:

  • True - Include detailed info about each of the nodes affected by a vulnerability.

  • False - Don’t include node info.

Default value: True

Parameter: apply-predicates

Description: Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance (based on similarityID) has a ‘Predicate’ associated with it, which consists of the following attributes: ‘state’, ‘severity’ and ‘comments’. If these have been changed from the original values, this parameter determines whether the new predicate or the original predicate is shown.

  • True - The new predicate is shown.

  • False - The old predicate is shown.

Default value: True

Parameter: sort

Description: How the results are sorted.

Default value: [ "+status", "+severity", "-queryname" ]