Scan Reports
The scan report offers detailed information on scans performed in Checkmarx One. It provides an overview of a project's security, highlighting specific vulnerabilities.
Generating Scan Reports
You can generate a scan report in Checkmarx One using either default or customized settings.
The default report is quick and straightforward: it uses predefined settings (PDF format, scan report type, and the default severity levels, status, project-based selection, scanners, and result states). This method is ideal when you need a standard overview without any additional configuration.
In contrast, the customized report offers extensive flexibility, allowing you to select formats, choose specific scans, and tailor the content by severity levels, scanner findings, vulnerability status, and result states. Additional personalization options include naming the report, setting up email distribution, and selecting specific sections to include. This method is useful when you require detailed and specific reporting to meet unique needs.
In addition, you can generate customized reports via the REST API. See our documentation for the Improved Reports Service API.
Note
The legacy report is now available only via the legacy Reports Service API.
Generating a default report
A default report is a report with the following predefined settings:
Format: PDF
Type: Scan
Severity Levels
Status
By Project
Scanners
Results State
To generate a default report:
From the project overview, open the Scan History tab.
Click on the three-dot icon for the required scan.
Select Generate Default Report from the drop-down menu.
You can generate default reports for multiple scans at once by selecting them in the Scan History tab and choosing Generate Default Report from the drop-down menu. A customized report, however, can only be generated for one scan at a time.
Generating a customized report
To generate a customized report, proceed as follows:
Do one of the following:
From the project overview, open the Scan History tab, click on the more options icon for the relevant scan and select Customize Report from the drop-down menu.
On the Insights Analytics page, click on Reports in the top right corner.
The report generation wizard is displayed.
Under Report Type, make sure that Scan is selected (default).
In the Format drop-down list, choose the desired report format: PDF, JSON, or CSV.
Notice
The CSV option is only available for SAST reports, that is, when SAST is the only scanner selected under Scanners.
Choose the scan for which the report will be generated using one of two methods: by project or by scan ID.
When selecting By Project, pick a project from the list or type its name into the search field. Then, under Select a Branch, select a branch or keep the default option, Last Scan Selected.
If you prefer using a scan ID, select By Scan ID and enter the ID of the scan.
Under Severity, select the severity levels of issues to include in the report. The default is High and Medium.
Under Scanners, specify the scanners whose findings you want to incorporate into the report.
Under Status, specify whether to include in the report newly discovered vulnerabilities (New), previously identified vulnerabilities that have reappeared (Recurrent), or both types.
Under Results State, select the states of the results to include in the report. By default, the following states are selected: To Verify, Confirm, and Urgent.
Additionally, you can fine-tune your report settings by clicking on Optional Settings at the bottom of the wizard interface.
To assign a meaningful name to the report, enter it in the Report Name field. If the field is left empty, the report receives the generic title "Report Name".
To send the report via email, input the recipients' email addresses into the Send Report to Emails field. If sending to multiple recipients, separate their email addresses with commas.
Notice
A maximum of 10 recipients is allowed.
To focus on specific areas of interest in the scan results, select which sections of the scan results to include in the report from the By Sections drop-down list. For details on report sections, see below.
Click Generate.
Understanding the Report Content - Generic KPIs
Filtered By
Shows the filters applied when generating the report.
Included: Data included in the report. All data available in the report is filtered according to the specified filters.
Excluded: Data filtered out from the report.
Currently, it is not possible to explicitly exclude data from the report; all data that passes the selected filters is included by default.
Scan Information
Scan Information shows details of the SAST, IaC, and SCA scans, such as Scan Duration and Lines of Code Scanned.
Scan Results Overview
Total Results by Scanner/Engine
This section provides a breakdown of the total scan results categorized by scanner: SAST, SCA, or IaC.
By Density / Grade
This KPI is applicable to SAST and IaC only.
Shows the density of vulnerabilities in the scanned code: the total number of vulnerabilities divided by the total number of lines of code, multiplied by 1000 (that is, vulnerabilities per 1,000 lines of code).
The percentage inside the pie chart refers to the lines of code with vulnerabilities and the percentage outside refers to the lines of code without vulnerabilities.
By Status
This KPI is applicable to SAST, IaC, and SCA.
The pie chart shows the number of vulnerabilities grouped by status (New vs Recurrent). Each status displays the percentage and the total number of results found.
By Severity
This KPI is applicable to SAST, IaC, and SCA.
The pie chart shows the scan results grouped by severity. Each severity displays the total number of findings, their percentage, and their density.
By State
This KPI is applicable to SAST, IaC, and SCA.
This pie chart shows the scan results grouped by State. Each state displays the total number of findings, their percentage, and their density.
By Language
The stacked chart shows, for each scanned language, the number of vulnerabilities detected and their density, broken down by severity.
By Technology
This KPI is applicable to the IaC scanner only. It shows the issues and vulnerabilities split by technology (for example, the IaC platform or file type), which helps you see where problems occur across different parts of your infrastructure.
By Package
This KPI is applicable to the SCA scanner only. It shows the issues and vulnerabilities split by package.
By Vulnerability
This KPI is applicable to SAST only.
The table shows the total results per vulnerability type, their breakdown by severity, and the number of files in which that vulnerability type was detected.
The first column lists the name and the severity of the vulnerability type found. When the severity of a result has been changed from its default, the changed severity is reflected in the report.
Top 10 Vulnerabilities
This KPI is applicable to SAST only.
This card displays the 10 vulnerability types with the highest number of findings.
It also shows the total findings for these 10 vulnerabilities and the total number of files with vulnerabilities. The total number of files affected is based on all distinct files with vulnerabilities and not the distinct files of the ‘10 vulnerabilities’ list.
Example: SQL_Injection: There are 15 High results, 0 Medium, 0 Low, and 0 Info.
Top 10 Vulnerable Files
This KPI is applicable to SAST only.
This card displays the 10 files with the highest number of findings.
Example: \bookstore\Login.cs: There are 4 High results, 0 Medium, 0 Low, and 11 Info.
5 Oldest Vulnerabilities
This KPI is applicable to SAST only.
This card lists the five results with the earliest first-detection date. The age is calculated from the date the result was first detected anywhere, not only in the project you are analyzing, so a result that was first found in another project keeps that earlier date.
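The following Python script is an added example, not Checkmarx code, that reproduces on a constructed result set the filter semantics from the customized-report wizard (default severities High and Medium; default states To Verify, Confirm, and Urgent) and the KPI arithmetic described in this section: results by scanner, count/percentage/density per severity (density being vulnerabilities per 1,000 lines of code), the Top 10 tables for SAST, and the oldest-results list. The record layout (field names such as `scanner`, `state`, `first_found`) and the sample findings are assumptions made for the example; they are not the Checkmarx One results or report schema.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample results. The field names are an assumption made for this
# example; they are not the Checkmarx One report or results JSON schema.
RESULTS = [
    {"scanner": "sast", "name": "SQL_Injection", "severity": "HIGH", "status": "NEW",
     "state": "TO_VERIFY", "file": r"\bookstore\Login.cs", "first_found": date(2023, 1, 10)},
    {"scanner": "sast", "name": "SQL_Injection", "severity": "HIGH", "status": "RECURRENT",
     "state": "CONFIRMED", "file": r"\bookstore\Login.cs", "first_found": date(2022, 11, 2)},
    {"scanner": "sast", "name": "SQL_Injection", "severity": "HIGH", "status": "NEW",
     "state": "TO_VERIFY", "file": r"\bookstore\Orders.cs", "first_found": date(2023, 1, 25)},
    {"scanner": "sast", "name": "Reflected_XSS", "severity": "MEDIUM", "status": "NEW",
     "state": "TO_VERIFY", "file": r"\bookstore\Search.cs", "first_found": date(2023, 3, 5)},
    {"scanner": "sast", "name": "Reflected_XSS", "severity": "MEDIUM", "status": "NEW",
     "state": "CONFIRMED", "file": r"\bookstore\Search.cs", "first_found": date(2023, 3, 6)},
    # Dropped by the default severity filter (LOW is not selected by default):
    {"scanner": "sast", "name": "Hardcoded_Password", "severity": "LOW", "status": "NEW",
     "state": "TO_VERIFY", "file": r"\bookstore\Config.cs", "first_found": date(2023, 2, 1)},
    # Dropped by the default state filter (Not Exploitable is not selected by default):
    {"scanner": "sast", "name": "SQL_Injection", "severity": "HIGH", "status": "NEW",
     "state": "NOT_EXPLOITABLE", "file": r"\bookstore\Orders.cs", "first_found": date(2023, 1, 20)},
    {"scanner": "sca", "name": "lodash@4.17.15", "severity": "HIGH", "status": "NEW",
     "state": "TO_VERIFY", "file": "package-lock.json", "first_found": date(2023, 2, 14)},
    {"scanner": "iac", "name": "Security_Group_Open_To_World", "severity": "MEDIUM",
     "status": "RECURRENT", "state": "URGENT", "file": "main.tf", "first_found": date(2022, 12, 15)},
]
LINES_OF_CODE = 25_000  # constructed "Lines of Code Scanned" value

# Defaults stated on this page for the Severity and Results State filters.
DEFAULT_SEVERITIES = {"HIGH", "MEDIUM"}
DEFAULT_STATES = {"TO_VERIFY", "CONFIRMED", "URGENT"}


def apply_filters(results, severities=DEFAULT_SEVERITIES, scanners=None,
                  statuses=None, states=DEFAULT_STATES):
    """Keep only results that match every selected filter; None means 'all'."""
    def keep(r):
        return ((severities is None or r["severity"] in severities)
                and (scanners is None or r["scanner"] in scanners)
                and (statuses is None or r["status"] in statuses)
                and (states is None or r["state"] in states))
    return [r for r in results if keep(r)]


def density(count, loc):
    """Vulnerabilities per 1,000 lines of code, as the By Density KPI defines it."""
    return round(count * 1000 / loc, 2) if loc else 0.0


def by_scanner(results):
    """Total Results by Scanner/Engine."""
    return dict(Counter(r["scanner"] for r in results))


def group_kpi(results, field, loc):
    """Count, share of the filtered total and density per value of `field`
    (the shape of the By Severity, By Status and By State cards)."""
    counts = Counter(r[field] for r in results)
    total = sum(counts.values())
    if not total:
        return {}
    return {k: {"count": n, "percent": round(100 * n / total, 1), "density": density(n, loc)}
            for k, n in counts.items()}


def top_n(results, field, n=10):
    """Top-N values of `field` (vulnerability name or file) with a severity
    breakdown, highest total first; ties are broken by name for stable output."""
    per_key = defaultdict(Counter)
    for r in results:
        per_key[r[field]][r["severity"]] += 1
    ranked = sorted(per_key.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(k, dict(c)) for k, c in ranked[:n]]


def oldest(results, n=5):
    """The n results with the earliest first-detection date."""
    return sorted(results, key=lambda r: r["first_found"])[:n]


if __name__ == "__main__":
    filtered = apply_filters(RESULTS)
    # The Top 10 and 5 Oldest cards are SAST-only, so narrow to that scanner.
    sast = apply_filters(filtered, severities=None, scanners={"sast"}, states=None)
    print("by scanner:", by_scanner(filtered))
    print("by severity:", group_kpi(filtered, "severity", LINES_OF_CODE))
    print("top vulnerabilities:", top_n(sast, "name"))
    print("top files:", top_n(sast, "file"))
    print("oldest:", [(r["name"], r["first_found"].isoformat()) for r in oldest(sast)])
```

Running the script with the defaults drops the Low result and the Not Exploitable result, leaving seven findings; the By Severity card then reads High 4 (57.1%, density 0.16) and Medium 3 (42.9%, density 0.12). Passing `severities=None, states=None` to `apply_filters` reproduces a report with every severity and state selected.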
Scan Results
For each vulnerability type, the report lists the total results together with a description of the vulnerability and its related categories.
The results are grouped by vulnerability type. Each result shows its Severity, Status, First and Last Detection dates, Source, and Destination. You can click on the hyperlink to be redirected to the result details in the application.
Categories
For each category available in the SAST engine, the total results are broken down by severity.
Only categories with results are available in the report. Categories without results are excluded by default.