results
The results command is used to retrieve scan results in Checkmarx One.
Usage
./cx results [command] [flags]
Help
- --help, -h
Help for the results command.
Results Commands
results can be used with the following commands:
results show
The results show command is used to retrieve scan results (i.e., generate reports) in Checkmarx One.
Notice
Reports generated via the CLI use the standard scan report format. There is a newer type of customized scan report that can be generated via API or from the web application.
Usage
./cx results show [flags]
Flags
- --filter <strings> (Default: All results are included)
Specify filters for the data that will be included in the report that is generated.
Filters aren't applied to PDF reports. You can specify which sections to include in a PDF report using --report-pdf-options. Use the ";" sign as the delimiter for arrays.
Available filters are: limit, offset, sort, include-nodes, node-ids, query, group, severity, state, status.
Enum values:
severity - Critical, High, Medium, Low, Info.
state - TO_VERIFY, NOT_EXPLOITABLE, PROPOSED_NOT_EXPLOITABLE, CONFIRMED, URGENT, EXCLUDE_NOT_EXPLOITABLE.
Notice
The state filter can be applied either by submitting a separate value for each state to include, or by submitting the single value EXCLUDE_NOT_EXPLOITABLE in order to exclude only NOT_EXPLOITABLE results.
status - NEW, RECURRENT, FIXED.
sort - -severity, +severity, -status, +status, -state, +state, -type, +type, -firstfoundat, +firstfoundat, -foundat, +foundat, -firstscanid, +firstscanid.
Default sorting: +status, +severity.
Tip
"+" = ascending order
"-" = descending order
- --help, -h
Help for the results command.
- --output-name <string> (Default: cx_result)
Specify a name for the output file.
- --output-path <string> (Default: ".")
Specify the file path for the output file.
- --report-format <string> (Default: json)
Specify the format for the report that is generated.
Options are: summaryHTML, summaryJSON, summaryConsole, sarif, gl-sast, gl-sca, json, sonar, markdown, PDF, or SBOM.
Json, sarif, gl-sast, and sonar formats generate a detailed list of risks identified in the project (gl-sast returns only SAST results and gl-sca returns only SCA results). SummaryHTML, summaryJSON, summaryConsole and markdown formats generate summary reports with aggregated risk data. PDF format reports by default generate a complete report including both a summary of risks as well as a detailed list of risks. You can specify which sections to include in the report using --report-pdf-options.
Tip
For SBOM reports, you need to add the --report-sbom-format flag to specify the SBOM standard and output format.
- --report-pdf-email <string>
Specify email recipients who will receive the PDF report. Multiple emails are separated by a ",".
This flag can only be used when --report-format is set as pdf.
- --report-pdf-options <string> (Default: All Sections)
Specify the sections that will be included in the PDF format report.
This flag can only be used when --report-format is set as pdf.
Available sections are: Sast, Sca, Iac-Security, ScanSummary, ExecutiveSummary, and ScanResults. ScanResults includes results for all scanners (IaC-Security, Sast and Sca).
- --report-sbom-format (Default: CycloneDxJson)
Specify the type of SBOM standard (CycloneDX or SPDX) as well as the output format.
Options are: CycloneDxJson, CycloneDxXml, or SpdxJson.
- --sast-redundancy
Checkmarx identifies vulnerabilities with matching sub-flows, which enables prioritization of fixes that will resolve multiple vulnerabilities with a single fix.
When this flag is used, a new field data.redundancy is shown for each vulnerability, indicating which vulnerability should be prioritized as fix and which ones should be considered redundant.
- --sca-hide-dev-test-dependencies
Adding this flag filters out dev and test dependencies from SCA results shown in scan reports.
Note: This flag is only relevant for scans that ran the SCA scanner. Currently, this is not supported for PDF or SBOM reports.
- --scan-id <string> (Required)
Scan ID.
Pagination
By default all results are included in the report (up to 10k). You can use limit to adjust the maximum number of results to return and offset to specify the number of results to skip before starting to return results.
Example: The following command generates a report for records 21-30 (the required --scan-id flag is shown as well).
./cx results show --scan-id <scan ID> --filter "limit=10,offset=20"
Applying Filters and Sorting
You can filter the results included in the report by specifying various parameters such as severity, state and status. These filters apply both to the list of risks that is returned as well as to the summary data that is given. You can also specify how the list of risks is sorted in the report.
When multiple filter attributes are used, an AND operator is applied between attributes. When multiple values are given for an attribute, an OR operator is used between values.
Filters are applied using the following syntax:
./cx results show --filter "attributeA=value1,attributeB=value1;value2;value3,..."
Example: The following command returns a report that includes data for all risks with a severity level "high" or "medium" and the status "new". The results are sorted by "first found at" in descending order.
./cx results show --filter "severity=high;medium,status=new,sort=-firstfoundat+queryname"
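The pagination and filter examples above can be built programmatically, so that the AND/OR syntax (",", ";"), the "+"/"-" sort prefix and the enum spellings are checked before the CLI is invoked, and so that the filter value is passed as a single argv element rather than through a shell where ";" would be interpreted. The following Python script is an added example, not code from the Checkmarx One CLI or its documentation; it assumes the CLI is invoked as ./cx and that the filter syntax and enum values are exactly as listed on this page.

```python
"""Compose `cx results show --filter` values that follow this page's syntax.

Added example, not part of the Checkmarx One CLI or its documentation. It
assumes only what the page states: attributes are joined with ",", several
values for one attribute with ";", pagination uses limit/offset, a sort key is
"+" or "-" followed by a field name, and the CLI is invoked as "./cx".
"""
import shlex
import shutil
import subprocess
from typing import List, Optional, Sequence

# Enum values copied from the page (compared case-insensitively below).
SEVERITIES = {"Critical", "High", "Medium", "Low", "Info"}
STATES = {"TO_VERIFY", "NOT_EXPLOITABLE", "PROPOSED_NOT_EXPLOITABLE",
          "CONFIRMED", "URGENT", "EXCLUDE_NOT_EXPLOITABLE"}
STATUSES = {"NEW", "RECURRENT", "FIXED"}
SORT_FIELDS = {"severity", "status", "state", "type", "firstfoundat",
               "foundat", "firstscanid"}


def _unknown(name: str, values: Sequence[str], allowed: set) -> List[str]:
    """One error message per value that is not in the documented enum."""
    allowed_lc = {a.lower() for a in allowed}
    return [f"{name}: unknown value {v!r}" for v in values if v.lower() not in allowed_lc]


def filter_errors(*, severity: Sequence[str] = (), state: Sequence[str] = (),
                  status: Sequence[str] = (), sort: Optional[str] = None,
                  limit: Optional[int] = None, offset: Optional[int] = None) -> List[str]:
    """Validate filter inputs before they reach the CLI; returns a list of problems."""
    errors = _unknown("severity", severity, SEVERITIES)
    errors += _unknown("state", state, STATES)
    errors += _unknown("status", status, STATUSES)
    if sort is not None and (sort[:1] not in ("+", "-") or sort[1:].lower() not in SORT_FIELDS):
        errors.append(f"sort: {sort!r} must be '+' or '-' followed by one of {sorted(SORT_FIELDS)}")
    if limit is not None and limit <= 0:
        errors.append("limit: must be a positive integer")
    if offset is not None and offset < 0:
        errors.append("offset: must be zero or a positive integer")
    return errors


def build_filter(*, severity=(), state=(), status=(), sort=None, limit=None, offset=None) -> str:
    """Return the --filter string: AND between attributes, OR (';') between values."""
    errors = filter_errors(severity=severity, state=state, status=status,
                           sort=sort, limit=limit, offset=offset)
    if errors:
        raise ValueError("; ".join(errors))
    parts = []
    if severity:
        parts.append("severity=" + ";".join(severity))
    if state:
        parts.append("state=" + ";".join(state))
    if status:
        parts.append("status=" + ";".join(status))
    if sort:
        parts.append("sort=" + sort)
    if limit is not None:
        parts.append(f"limit={limit}")
    if offset is not None:
        parts.append(f"offset={offset}")
    return ",".join(parts)


def page_filter(page: int, page_size: int, **criteria) -> str:
    """Filter for 1-based page `page`: page 3 of size 10 is records 21-30, i.e. limit=10,offset=20."""
    if page < 1:
        raise ValueError("page numbers start at 1")
    return build_filter(limit=page_size, offset=(page - 1) * page_size, **criteria)


def results_show_argv(scan_id: str, filter_value: str = "", report_format: str = "json",
                      output_name: str = "cx_result", output_path: str = ".",
                      cx: str = "./cx") -> List[str]:
    """argv for `cx results show`, as a list so ';' in the filter is never seen by a shell."""
    argv = [cx, "results", "show", "--scan-id", scan_id, "--report-format", report_format,
            "--output-name", output_name, "--output-path", output_path]
    if filter_value:
        argv += ["--filter", filter_value]
    return argv


if __name__ == "__main__":
    # The page's two filter examples, rebuilt with the helpers above.
    scan_id = "<scan ID>"
    for flt in (page_filter(3, 10),
                build_filter(severity=["high", "medium"], status=["new"], sort="-firstfoundat")):
        argv = results_show_argv(scan_id, flt)
        print(shlex.join(argv))        # printed quoted so ';' survives a copy-paste into a shell
        if shutil.which(argv[0]):      # only execute when ./cx is actually present
            subprocess.run(argv, check=False)
```

Run stand-alone, the script prints the two quoted command lines and executes them only when ./cx exists in the working directory; an unknown state such as "EXPLOITABLE" or a sort key without a "+"/"-" prefix is rejected locally with a ValueError instead of producing a silently unfiltered report.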
Workflow Examples
ophir@OphirS-Laptop:~/ast-cli$ ./cx scan list
Scan ID                              Project ID                           Status    Created at Tags Initiator       Origin
-------                              ----------                           ------    ---------- ---- ---------       ------
3c028677-5df7-4bd9-8a10-7214ced45670 683c51da-8644-4e27-990f-1128ab911a1b Completed 09-10-21   []   service-account Github
c0507cb4-c68a-4db8-9565-5308d409a931 683c51da-8644-4e27-990f-1128ab911a1b Completed 09-10-21   []   service-account Github
5ee3482e-b068-4bc5-9671-1c98098b3062 683c51da-8644-4e27-990f-1128ab911a1b Completed 09-09-21   []   service-account Github
Retrieve scan results for a specific scan ID using default settings
./cx results show --scan-id <scan ID>
user@laptop:~/ast-cli$ ./cx results show --scan-id 3c028677-5df7-4bd9-8a10-7214ced45670
2023/08/03 22:33:32 Creating JSON Report: cx_result.json
Retrieve scan results for a specific scan ID using several flags
./cx results show --scan-id <scan ID> --report-format sarif --output-name <file name> --output-path <output file location>
user@laptop:~/ast-cli$ ./cx results show --scan-id aca72f5d-1b58-4821-b7f0-508f857a9d4b --report-format sarif --output-name Demo_Sarif_Report --output-path "."
2023/08/04 12:17:38 Creating SARIF Report: Demo_Sarif_Report.sarif
Generate a PDF report of SAST vulnerabilities and send it to an email recipient
./cx results show --scan-id <scan ID> --report-format pdf --report-pdf-email <recipient_email> --report-pdf-options <specify_sections>
user@laptop:~/ast-cli$ ./cx results show --scan-id aca72f5d-1b58-4821-b7f0-508f857a9d4b --report-format pdf --report-pdf-email demo.user@gmail.com --report-pdf-options sast
2023/08/04 12:25:52 Sending PDF report to: [demo.user@gmail.com]
results codebashing
The results codebashing command is used to retrieve Codebashing links from Checkmarx One.
Warning
In order to use this command, you need to have a Codebashing account that has been linked to your Checkmarx One account. Please contact your Checkmarx support representative for assistance.
Usage
./cx results codebashing [flags]
Flags
- --cwe-id <string> (Required)
CWE ID for the vulnerability.
- --format <string> (Default: json)
The output format for the response. Possible values are json, list or table.
- --help, -h
Help for the results codebashing command.
- --language <string> (Required)
Language of the vulnerability.
- --vulnerability-type <string> (Required)
Vulnerability type.
Examples
Retrieving codebashing link
./cx results codebashing --language <language> --vulnerability-type <vulnerability type> --cwe-id <cwe ID>
Sample command (the vulnerability type contains spaces, so it must be quoted):
C:\ast-cli_2.0.53_windows_x64>cx results codebashing --language PHP --vulnerability-type "Reflected XSS All Clients" --cwe-id 79
results exit-code
The results exit-code command is used to retrieve information about the completion status for a particular scan in Checkmarx One. It also returns detailed information about failures of specific scan engines.
Usage
./cx results exit-code --scan-id <scan ID> [flags]
Flags
- --help, -h
Help for the results exit-code command.
- --scan-id <string> (Required)
The unique identifier of the scan for which you would like to retrieve the exit code info.
- --scan-types <string> (Default: Returns data for each scanner that failed)
The scanners for which you would like to retrieve exit code info. You can submit multiple scanners, separated by a comma. Possible values are: sast,sca,iac-security,api-security
Examples
Retrieving exit code info for a particular scanner
./cx results exit-code --scan-id <scan ID> --scan-types <scanner type>
Sample command:
C:\ast-cli_2.0.53_windows_x64>cx results exit-code --scan-id df16d6b8-213c-4525-ad3d-36977d4f2b2d --scan-types sast
[
  {
    "Name": "sast",
    "Status": "Failed",
    "Details": "Failed to get preset",
    "ErrorCode": "1024100"
  }
]
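In a CI pipeline the exit-code output above is what decides whether a scan's results can be trusted: a report generated from a scan whose SAST engine failed to load its preset is not a clean report. Since, without --scan-types, the command lists only engines that failed, an empty JSON array means every engine completed. The following Python gate is an added example, not code from the Checkmarx One CLI or its documentation; it assumes the JSON shape shown in the sample output (Name, Status, Details, ErrorCode), that the CLI is invoked as ./cx, and treats any status other than "Failed" as not failed.

```python
"""Turn `cx results exit-code` output into a CI pass/fail decision.

Added example; not part of the Checkmarx One CLI or its documentation. It
assumes the output shape shown in this page's sample: a JSON array of objects
with Name, Status, Details and ErrorCode. "./cx" as the CLI path and
"Completed" as a non-failed status value are assumptions.
"""
import json
import shutil
import subprocess
import sys
from typing import List, Sequence

# Constructed sample input, copied from the page's sample output (one failed SAST engine).
SAMPLE_EXIT_CODE_OUTPUT = """[
  {"Name": "sast", "Status": "Failed", "Details": "Failed to get preset", "ErrorCode": "1024100"}
]"""


def failed_engines(exit_code_json: str) -> List[dict]:
    """Return the engine entries whose Status is "Failed".

    Malformed output raises instead of being read as "nothing failed", so a
    broken or unauthenticated CLI run cannot silently pass the gate.
    """
    try:
        entries = json.loads(exit_code_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"exit-code output is not valid JSON: {exc}") from exc
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of engine entries")
    return [e for e in entries if str(e.get("Status", "")).lower() == "failed"]


def summary_lines(exit_code_json: str) -> List[str]:
    """One log line per failed engine: name, error code and the CLI's detail text."""
    return [f"{e.get('Name', '?')}: {e.get('ErrorCode', '?')} {e.get('Details', '')}".rstrip()
            for e in failed_engines(exit_code_json)]


def gate(exit_code_json: str) -> int:
    """Process exit status for the CI step: 0 when no engine failed, 1 otherwise."""
    return 1 if failed_engines(exit_code_json) else 0


def run_exit_code(scan_id: str, scan_types: Sequence[str] = (), cx: str = "./cx") -> str:
    """Invoke the real command and return its stdout (needs the CLI and an authenticated session)."""
    argv = [cx, "results", "exit-code", "--scan-id", scan_id]
    if scan_types:
        argv += ["--scan-types", ",".join(scan_types)]   # e.g. sast,sca
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Usage: python gate.py <scan ID> [sast,sca,...]; without the CLI present, the sample output is used.
    if len(sys.argv) > 1 and shutil.which("./cx"):
        types = sys.argv[2].split(",") if len(sys.argv) > 2 else ()
        output = run_exit_code(sys.argv[1], types)
    else:
        output = SAMPLE_EXIT_CODE_OUTPUT
    for line in summary_lines(output):
        print("engine failed:", line)
    sys.exit(gate(output))
```

Run against the page's sample output the script prints "engine failed: sast: 1024100 Failed to get preset" and exits 1, which is the behaviour a pipeline step should have before it goes on to generate or publish a report with results show.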