
Checkmarx SCA (REST) API - GET Scan Reports and SBOMs

Overview

This API enables you to export reports of the data identified by a Checkmarx SCA scan. This includes detailed info about the open source packages in your project and the risks associated with them. This API can be used to generate two different types of reports:

  • Scan Report - shows an overview of the security of your project as well as specific vulnerabilities, legal risks, and outdated versions identified by the scan. Scan Reports can be generated in JSON, XML, PDF or CSV format.

  • Software Bill of Materials (SBOM) - shows detailed info about each of the open source packages used by your program and the associated risks, using CycloneDX v1.3 format. SBOM Reports can be generated in JSON or XML format.

Warning

There is an alternative method for generating SBOM reports using the Export Service. The Export Service generates SBOMs that are more compliant with SBOM formatting specifications. Export Service also supports generating SBOMs in SPDX format.

Note

Each API call generates a single type of report, in a single format. If you would like to generate multiple types of reports and/or multiple output formats, then you need to send a separate API call for each report.

Workflow

After creating a Project and running a scan, use this API to generate a report of the data identified by a specific scan.

Method

GET

URL

  • US Environment - https://api-sca.checkmarx.net/risk-management/risk-reports/{scan_id}/export

  • EU Environment - https://eu.api-sca.checkmarx.net/risk-management/risk-reports/{scan_id}/export

Media Type (header)

Authorization: Bearer <access_token>

Accept: application/*

Request Parameters

Path Parameters (Required)

  Parameter: scan_id
  Type: string
  Description: The unique identifier of the scan for which you would like to generate a report.

Query Parameters

  Parameter: format
  Type: string
  Description: The format of the report that is generated. Your selection determines whether the report generated is a Scan Report or an SBOM Report. It also determines the file format of the report.
  Enum:

    • Json - Scan Report in JSON format

    • Xml - Scan Report in XML format

    • Pdf - Scan Report in PDF format

    • Csv - Scan Report in CSV format. For this format, the response is given as a zip file, which can be extracted to obtain the CSV files.

    • CycloneDxJson - SBOM report in CycloneDX v1.3 format, returned as JSON

    • CycloneDxXml - SBOM report in CycloneDX v1.3 format, returned as XML

  Tip: There is an alternative method for generating SBOM reports using the Export Service. The Export Service generates SBOMs that are more compliant with SBOM formatting specifications. Export Service also supports generating SBOMs in SPDX format.
  Default: Json

  Parameter: dataType[]
  Type: string
  Description: Specifies the sections that will be included in the report. You can specify
  Tip: This parameter is relevant only for Scan Reports, not for SBOM Reports.
  Enum: All, Packages, Vulnerabilities, Licenses, Policies, SupplyChainRisks
  Default: All

Curl Samples

Scan Report Sample

curl -g -X GET "https://api-sca.checkmarx.net/risk-management/risk-reports/ebbb42f2-3421-48db-8d71-dd3f89516c91/export?format=Json&dataType[]=Vulnerabilities&dataType[]=Packages" -H "Authorization: Bearer <access_token>" -H "Accept: application/*"

The -g (--globoff) flag stops curl from treating the square brackets in dataType[] as a URL glob pattern, and the Authorization header carries the access token required by this API.

SBOM Report Sample

curl -X GET "https://api-sca.checkmarx.net/risk-management/risk-reports/ebbb42f2-3421-48db-8d71-dd3f89516c91/export?format=CycloneDxJson" -H "Authorization: Bearer <access_token>" -H "Accept: application/*"

Success Response

Code: 200

For all reports other than CSV, the report is returned in the specified format.

For CSV reports, the response is returned in zip file format, which can be extracted to obtain the CSV files.

For a detailed description of the content of the Reports, see Viewing Scan Reports and Viewing CycloneDx SBOM Reports.
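A small client for the request and response behaviour described above, added here as an example and not Checkmarx's own code: it builds the export URL with one dataType[] entry per value, sends the two documented headers, unpacks the zip that a Csv report arrives in, and parses the JSON formats. The sample zip is constructed for the demonstration; its file names and columns are invented, not the real report layout.

```python
import io
import json
import zipfile
from urllib.request import Request, urlopen

BASE_URLS = {"us": "https://api-sca.checkmarx.net",
             "eu": "https://eu.api-sca.checkmarx.net"}
SCAN_FORMATS = {"Json", "Xml", "Pdf", "Csv"}
SBOM_FORMATS = {"CycloneDxJson", "CycloneDxXml"}


def build_export_url(scan_id, fmt="Json", data_types=(), region="us"):
    """Build the export URL; dataType[] is repeated once per value, as in the curl sample."""
    if fmt not in SCAN_FORMATS | SBOM_FORMATS:
        raise ValueError(f"unknown format: {fmt}")
    if data_types and fmt in SBOM_FORMATS:
        raise ValueError("dataType[] is only relevant for Scan Reports, not SBOM reports")
    query = "&".join([f"format={fmt}"] + [f"dataType[]={d}" for d in data_types])
    return f"{BASE_URLS[region]}/risk-management/risk-reports/{scan_id}/export?{query}"


def fetch_report(url, access_token):
    """GET the report with the two headers the API documents; returns the raw body bytes."""
    req = Request(url, headers={"Authorization": f"Bearer {access_token}",
                                "Accept": "application/*"})
    with urlopen(req, timeout=120) as resp:
        return resp.read()


def unpack_report(fmt, body):
    """Csv arrives as a zip of CSV files, the JSON formats are parsed, the rest stay bytes."""
    if fmt == "Csv":
        with zipfile.ZipFile(io.BytesIO(body)) as archive:
            return {name: archive.read(name).decode("utf-8") for name in archive.namelist()}
    if fmt in ("Json", "CycloneDxJson"):
        return json.loads(body)
    return body  # Xml, Pdf, CycloneDxXml: write these to disk unchanged


def sample_csv_zip():
    """Constructed stand-in for a Csv response; file names and columns are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Vulnerabilities.csv", "PackageName,Version,Severity\nlodash,4.17.15,High\n")
        archive.writestr("Packages.csv", "PackageName,Version\nlodash,4.17.15\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(build_export_url("ebbb42f2-3421-48db-8d71-dd3f89516c91", "Csv", ["Vulnerabilities", "Packages"]))
```

To run against a live scan, pass the URL from build_export_url and your access token to fetch_report, then hand the body and the same format string to unpack_report.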

Error Response