SAST Results API
Notice
A comprehensive Checkmarx One API Reference Guide is now available here.
Overview
Get comprehensive results for each of the vulnerabilities detected in a specific SAST scan (by scan ID). This API returns full details about each vulnerability detected, including vulnerability details, history, compliance, affected nodes etc. You can limit the results by using pagination and/or by setting filter parameters. You can also sort the results by several parameters.
Notice
If you would like to get the SAST results together with results from the other scanners run on the scan, use GET /api/results.
SAST Results URL
The URL for SAST Results endpoints is <base_url>/api/sast-results
US Environment - https://ast.checkmarx.net
US2 Environment - https://us.ast.checkmarx.net
EU Environment - https://eu.ast.checkmarx.net
EU2 Environment - https://eu-2.iam.checkmarx.net/
Australia & New Zealand – https://anz.ast.checkmarx.net
India - https://ind.ast.checkmarx.net
Singapore - https://sng.ast.checkmarx.net
Workflow
Use POST /api/scans to create a scan (specifying to run the SAST scanner), which generates a “scan id”. Use the “scan id” with GET /api/sast-results to get the results of that SAST scan.
Authentication
Authentication for all Checkmarx One endpoints is done using a JWT (JSON Web Token) access token. Access tokens are generated using the Authentication API.
Swagger
To view these APIs in the Swagger UI and run sample API calls, go to <base_url>/spec/v1/ and select Sast Results in the definition field.
US Environment - https://ast.checkmarx.net/spec/v1/
US2 Environment - https://us.ast.checkmarx.net/spec/v1/
EU Environment - https://eu.ast.checkmarx.net/spec/v1/
EU2 Environment - https://eu-2.ast.checkmarx.net/spec/v1/
Australia & New Zealand – https://anz.ast.checkmarx.net/spec/v1/
Singapore - https://sng.ast.checkmarx.net/spec/v1/
GET SAST Results
Gets a list of all vulnerabilities identified in a particular scan by the SAST scanner and shows detailed info about each vulnerability. The only required query param is scan-id. You can limit results by using pagination and/or by filtering by various scan attributes such as severity, status, language etc. You can also filter by the location of the vulnerability by specifying the file name, source node, sink node etc.
In addition, you can specify how the results are sorted (e.g., created at, name, user agent etc.).
Authentication
Authentication for all Checkmarx One endpoints is done using a JWT (JSON Web Token) access token. Access tokens are generated using the Authentication API.
cURL Samples
Get results for a scan using default settings
curl -X GET "https://eu.ast.checkmarx.net/api/sast-results/?scan-id=eef184b7-f4b2-4884-aad9-3b01d30d8b04" -H "accept: application/json" -H "Authorization: Bearer <token>"
Filter for results in the “java” language whose source file name contains the string “security”
curl -X GET "https://eu.ast.checkmarx.net/api/sast-results/?scan-id=704dff04-dbaa-436a-951f-d26d8c691418&language=java&source-file=security&source-file-operation=CONTAINS" -H "accept: application/json" -H "Authorization: Bearer <token>"
Sort results by query name in descending order and exclude node info from the results
curl -X GET "https://eu.ast.checkmarx.net/api/sast-results/?scan-id=704dff04-dbaa-436a-951f-d26d8c691418&nodes=false&apply-predicates=true&offset=0&limit=20&sort=%2Bqueryname" -H "accept: application/json" -H "Authorization: Bearer <token>"
Parameters
The following table describes the parameters for which default settings are applied unless otherwise specified:
See query parameters in the Swagger visualization above.
Parameter | Description | Default value |
---|---|---|
include-nodes | | True |
apply-predicates | Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance (based on similarityID) has a ‘Predicate’ associated with it, which is comprised of the following attributes: ‘state’, ‘severity’ and ‘comments’. If these have been changed from the original values then this parameter determines whether the new predicate or the original predicate will be shown. | True |
sort | How the results are sorted. | [ "+status", "+severity", "-queryname" ] |
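The following is an added example (not Checkmarx code) showing how a client would drive GET SAST Results with the query parameters described above (scan-id, offset/limit pagination, nodes, apply-predicates, sort, language) and walk every page to build a per-severity tally. Because the page does not show the response body, the `results` list, `totalCount` field and `severity` key are assumptions, and `demo_fetch` serves constructed sample data in place of the live API.

```python
"""Page through GET /api/sast-results for one scan and tally findings by
severity. Added example, not Checkmarx code. ASSUMED (the page shows no
response schema): a `results` list, a `totalCount` field, a `severity` key."""
import json
import urllib.parse
import urllib.request
from collections import Counter

BASE_URL = "https://eu.ast.checkmarx.net"  # use the region you were provisioned in

def build_url(scan_id, offset, limit, language=None, sort="+severity"):
    """Compose the request URL from the query parameters the page documents."""
    params = {"scan-id": scan_id, "offset": offset, "limit": limit,
              "nodes": "false",            # skip per-node detail for a summary
              "apply-predicates": "true",  # triaged state/severity, not original
              "sort": sort}                # urlencode emits "+" as %2B, as in the cURL sample
    if language:
        params["language"] = language
    return f"{BASE_URL}/api/sast-results/?{urllib.parse.urlencode(params)}"

def http_get_json(url, token):
    """Live fetcher; `token` is the JWT access token from the Authentication API."""
    req = urllib.request.Request(url, headers={"accept": "application/json",
                                               "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def severity_summary(scan_id, fetch, limit=20, language=None):
    """Walk every page via offset/limit and count results per severity.
    `fetch(url) -> dict` is injected: functools.partial(http_get_json, token=...)
    for the live API, or demo_fetch below for an offline run."""
    counts, offset = Counter(), 0
    while True:
        page = fetch(build_url(scan_id, offset, limit, language))
        results = page.get("results", [])
        counts.update(r["severity"] for r in results)
        offset += len(results)
        if len(results) < limit or offset >= page.get("totalCount", float("inf")):
            break  # short page or reported total reached: no more pages
    return dict(counts)

# Constructed sample standing in for the live API (not real findings).
_DEMO = [{"severity": s} for s in ("HIGH", "HIGH", "HIGH", "MEDIUM", "MEDIUM")]

def demo_fetch(url):
    """Serve _DEMO in pages, honouring the offset/limit in the URL."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    off, lim = int(q["offset"][0]), int(q["limit"][0])
    return {"results": _DEMO[off:off + lim], "totalCount": len(_DEMO)}
```

Against the live service, `severity_summary(scan_id, functools.partial(http_get_json, token=jwt))` runs the same pagination loop with a real Bearer token.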