Viewing SCS Results
The results from the software supply chain scanners are shown under the Software Supply Chain tab in your Workspace. The Overview screen lists each project that was scanned by a software supply chain scanner, together with a summary of the scan process and results. You can drill down by clicking on a row to see the detailed results from each of the Software Supply Chain scanners that scanned the project.
Viewing Software Supply Chain Overview
The Overview screen shows each of the projects that were scanned using a software supply chain scanner, and an overview of the scan process and results.
The following table describes the data shown on this screen.
Notice
The data shown in this table is based on the combined findings from both of the SCS scan engines.
Item | Description | Possible Values |
---|---|---|
Project | The name of the Checkmarx One project that was scanned. | e.g., demoProject |
SLSA | The step(s) of the supply chain where risks were detected. These supply chain steps are based on the SLSA model. | Source, Build, Package, Dependencies |
Risks | Shows the number of risks identified, broken down by severity level. Hover over the bar to show the breakdown by severity. | Severity bar (image in the original) |
Engines | The SCS scan engines that scanned this project. | Currently supported: Secret Detection and OSSF Scorecard |
Last Results | The date and time of the most recent successful SCS scan of the project. | e.g., 27 Nov 2023 10:13 |
Viewing the Software Supply Chain Project Screen
Clicking on the row of a project in the overview screen opens the Software Supply Chain Project screen for that project.
Notice
Alternatively, you can navigate to this screen by opening the SCS results viewer for the relevant project from the Projects tab.
This screen shows detailed SCS results for the specific project. The results are shown separately for each scanner. If the project was scanned by more than one scanner, then you can select which scanner results to show using the drop-down list in the header bar.
The main screen shows the risks identified by the selected scanner, grouped by category. Click on a category to expand the display and show the affected file/artifact and the suggested remediation action.
You can apply filters and/or enter free text search strings.
OSSF Scorecard
When the Scorecard scanner is selected, results are grouped by the OSSF check that identified the risk.
Hover over the info icon next to the name of a check type to see a description of that check.
Click on a check type to expand the section and show a list of risks of that type.
The following table describes the information shown for each risk.
Item | Description |
---|---|
Severity | The severity of the risk. |
File/Artifact | The path to the file or artifact in which the risk was detected. |
Remediation | Provides a link to the OSSF documentation which includes remediation recommendations for the relevant OSSF check. |
Secret Detection
When the Secret Detection scanner is selected, results are grouped by the type of secret detected. When you click on a type, a list of risks of that type is shown.
The following table describes the information shown for each risk.
Item | Description |
---|---|
Severity | The severity of the risk. Note: The severity for all detected secrets is High. |
File/Artifact | The path to the file or artifact in which the secret was detected. |
Location | The line in which the secret was detected. |
Validity | Indicates whether or not the secret is currently valid. |
Remediation | Shows a few characters of the detected secret, with the remaining characters masked for security purposes. The recommended remediation for detected secrets is to first remove the secret from your file and then change (rotate) the secret. |