Checkmarx SCA (REST) API - GET Scan Reports and SBOMs
Overview
This API enables you to export reports of the data identified by a Checkmarx SCA scan. This includes detailed info about the open source packages in your project and the risks associated with them. This API can be used to generate two different types of reports:
Scan Report - shows an overview of the security of your project as well as specific vulnerabilities, legal risks, and outdated versions identified by the scan. Scan Reports can be generated in JSON, XML, PDF or CSV format.
Software Bill of Materials (SBOM) - shows detailed info about each of the open source packages used by your program and the associated risks, using CycloneDX v1.3 format. SBOM Reports can be generated in JSON or XML format.
Warning
There is an alternative method for generating SBOM reports using the Export Service. The Export Service generates SBOMs that are more compliant with SBOM formatting specifications. Export Service also supports generating SBOMs in SPDX format.
Note
Each API call generates a single type of report, in a single format. If you would like to generate multiple types of reports and/or multiple output formats, then you need to send a separate API call for each report.
Workflow
After creating a Project and running a scan, use this API to generate a report of the data identified by a specific scan.
Method
GET
URL
US Environment - https://api-sca.checkmarx.net/risk-management/risk-reports/{scan_id}/export
EU Environment - https://eu.api-sca.checkmarx.net/risk-management/risk-reports/{scan_id}/export
Media Type (header)
Authorization: Bearer <access_token>
Accept: application/*
Request Parameters
Path Parameters (Required)
Parameter | Type | Description |
---|---|---|
scan_id | string | The unique identifier of the scan for which you would like to generate a report. |
Query Parameters
Parameter | Type | Description | Enum | Default |
---|---|---|---|---|
format | string | The format of the report that is generated. Your selection determines whether the report generated is a Scan Report or an SBOM Report. It also determines the file format of the report. Tip: There is an alternative method for generating SBOM reports using the Export Service. The Export Service generates SBOMs that are more compliant with SBOM formatting specifications and also supports generating SBOMs in SPDX format. | Json, Xml, Pdf, Csv, CycloneDxJson, CycloneDxXml | Json |
dataType[] | string | Specifies the sections that will be included in the report. To include several sections, repeat the parameter once per section (see the Scan Report sample below). Tip: This parameter is relevant only for Scan Reports, not for SBOM Reports. | All, Vulnerabilities, Packages (values used on this page) | All |
Curl Samples
Scan Report Sample
curl -g -X GET "https://api-sca.checkmarx.net/risk-management/risk-reports/ebbb42f2-3421-48db-8d71-dd3f89516c91/export?format=Json&dataType[]=Vulnerabilities&dataType[]=Packages" -H "Authorization: Bearer <access_token>" -H "Accept: application/*"
Note
The -g (--globoff) flag stops curl from interpreting the square brackets in dataType[] as a URL range pattern; both headers are quoted so that the shell passes each one to curl as a single argument.
SBOM Report Sample
curl -X GET "https://api-sca.checkmarx.net/risk-management/risk-reports/ebbb42f2-3421-48db-8d71-dd3f89516c91/export?format=CycloneDxJson" -H "Authorization: Bearer <access_token>" -H "Accept: application/*"
Success Response
Code: 200
For all reports other than CSV, the report is returned in the specified format.
For CSV reports, the response is returned in zip file format, which can be extracted to obtain the CSV files.
For a detailed description of the content of the Reports, see Viewing Scan Reports and Viewing SBOM Reports.
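The following script is an added example, not Checkmarx code, showing the whole workflow described on this page in one place: building the export URL for the US or EU environment, sending the Bearer token and Accept header, and unpacking the response according to the requested format (JSON parsed, XML parsed, and the CSV case extracted from the zip archive the API returns). The placeholder scan id, the environment variable name CX_SCA_TOKEN, the injectable `transport` callable used for offline testing, and the `make_csv_zip` helper that fabricates a zip body are assumptions of this example; only the URLs, headers, and the Json/CycloneDxJson/Csv behaviour come from the page.

```python
"""Added example (not Checkmarx code): export a Checkmarx SCA Scan Report or SBOM
via GET /risk-management/risk-reports/{scan_id}/export and unpack the response.

Assumptions not stated on the page: the CX_SCA_TOKEN environment variable, the
placeholder scan id, and the injectable transport used so the logic can run offline.
"""
import io
import json
import os
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
import zipfile

# Base URLs from the page (US and EU environments).
BASE_URLS = {
    "us": "https://api-sca.checkmarx.net",
    "eu": "https://eu.api-sca.checkmarx.net",
}
# Formats that produce an SBOM; dataType[] is ignored for these per the page.
SBOM_FORMATS = {"cyclonedxjson", "cyclonedxxml"}


def build_export_url(region, scan_id, fmt, data_types=()):
    """Build the export URL; dataType[] is repeated once per section and only
    sent for Scan Reports (it is not relevant for SBOM Reports)."""
    base = BASE_URLS[region.lower()]
    path = f"/risk-management/risk-reports/{urllib.parse.quote(scan_id, safe='')}/export"
    params = [("format", fmt)]
    if fmt.lower() not in SBOM_FORMATS:
        params += [("dataType[]", d) for d in data_types]
    # safe='[]' keeps the literal dataType[] spelling used in the page's sample.
    return f"{base}{path}?{urllib.parse.urlencode(params, safe='[]')}"


def build_headers(token):
    """Headers listed on the page: Bearer token plus Accept: application/*."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/*"}


def http_get(url, headers):
    """Default transport: a real HTTPS GET returning (status, content_type, body)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read()


def unpack_report(fmt, body):
    """Convert the raw body into a usable object. Per the page, CSV reports
    arrive as a zip archive of CSV files; other formats are returned as-is."""
    f = fmt.lower()
    if f == "csv":
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return {name: zf.read(name).decode("utf-8") for name in zf.namelist()}
    if f in ("json", "cyclonedxjson"):
        return json.loads(body)
    if f in ("xml", "cyclonedxxml"):
        return ET.fromstring(body)
    raise ValueError(f"unsupported format: {fmt}")


def export_report(region, scan_id, token, fmt, data_types=("All",), transport=http_get):
    """One API call = one report type in one format (as the page's Note says)."""
    url = build_export_url(region, scan_id, fmt, data_types)
    status, _content_type, body = transport(url, build_headers(token))
    if status != 200:
        raise RuntimeError(f"export failed with HTTP {status}")
    return unpack_report(fmt, body)


def make_csv_zip(files):
    """Constructed helper: build an in-memory zip shaped like a CSV export,
    so the zip-unpacking path can be exercised without calling the API."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: CX_SCA_TOKEN=... python export_report.py <scan_id> [format] [region]
    token = os.environ.get("CX_SCA_TOKEN")
    if not token or len(sys.argv) < 2:
        sys.exit("set CX_SCA_TOKEN and pass a scan id")
    scan_id = sys.argv[1]
    fmt = sys.argv[2] if len(sys.argv) > 2 else "CycloneDxJson"
    region = sys.argv[3] if len(sys.argv) > 3 else "us"
    result = export_report(region, scan_id, token, fmt, ("Vulnerabilities", "Packages"))
    if isinstance(result, dict) and fmt.lower() == "csv":
        for name, text in result.items():
            print(f"{name}: {text.count(chr(10))} lines")
    elif isinstance(result, dict):
        print(json.dumps(result, indent=2)[:2000])
    else:
        print(ET.tostring(result, encoding="unicode")[:2000])
```

Because the transport is injectable, the URL construction and the zip/JSON/XML unpacking can be checked against constructed bodies without network access; the real `http_get` is only used when the script is run directly.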