Checkmarx One API
Unified API for Checkmarx One cloud-native application security platform.
OpenAPI Specification
openapi: 3.1.0
info:
title: Checkmarx One API
description: >-
Unified REST API for the Checkmarx One cloud-native application security
platform, providing consolidated access to SAST, SCA, KICS, and other
security scanning capabilities through a single API with project
management, scan orchestration, and results retrieval.
version: '1.0'
contact:
name: Checkmarx Support
url: https://support.checkmarx.com/
termsOfService: https://checkmarx.com/terms-of-use/
externalDocs:
description: Checkmarx One API Documentation
url: https://checkmarx.com/resource/documents/en/34965-128036-checkmarx-one-api.html
servers:
- url: https://ast.checkmarx.net/api
description: Checkmarx One (US)
- url: https://eu.ast.checkmarx.net/api
description: Checkmarx One (EU)
tags:
- name: Applications
description: Manage applications that group related projects
- name: Authentication
description: Obtain and manage authentication tokens via OAuth 2.0
- name: Configuration
description: Manage project and tenant-level scan configuration
- name: Groups
description: Manage access control groups
- name: Presets
description: Manage scan configuration presets
- name: Projects
description: Manage scanning projects and their configuration
- name: Queries
description: Manage custom SAST queries and presets
- name: Results
description: Retrieve and manage scan results and findings
- name: Scans
description: Trigger, monitor, and manage security scans
security:
- bearerAuth: []
paths:
/auth/realms/{realm}/protocol/openid-connect/token:
post:
operationId: authenticate
summary: Checkmarx Obtain access token
description: >-
Authenticate using OAuth 2.0 client credentials via the Checkmarx
One IAM service to obtain a bearer token for API access.
tags:
- Authentication
parameters:
- name: realm
in: path
required: true
description: Authentication realm name
schema:
type: string
example: your-tenant
requestBody:
required: true
content:
application/x-www-form-urlencoded:
schema:
type: object
required:
- grant_type
- client_id
- client_secret
properties:
grant_type:
type: string
enum:
- client_credentials
- refresh_token
description: OAuth 2.0 grant type
client_id:
type: string
description: API key client ID
client_secret:
type: string
description: API key client secret
refresh_token:
type: string
description: Refresh token (when using refresh_token grant)
responses:
'200':
description: Authentication successful
content:
application/json:
schema:
$ref: '#/components/schemas/TokenResponse'
'401':
description: Invalid credentials
security: []
/applications:
get:
operationId: listApplications
summary: Checkmarx List applications
description: >-
Retrieve all applications. Applications are logical groupings
of related projects for organizational purposes.
tags:
- Applications
parameters:
- name: offset
in: query
description: Pagination offset
schema:
type: integer
default: 0
- name: limit
in: query
description: Number of results to return
schema:
type: integer
default: 20
- name: name
in: query
description: Filter by application name
schema:
type: string
responses:
'200':
description: List of applications
content:
application/json:
schema:
$ref: '#/components/schemas/ApplicationListResponse'
'401':
description: Unauthorized
post:
operationId: createApplication
summary: Checkmarx Create an application
description: Create a new application to group related projects.
tags:
- Applications
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateApplicationRequest'
responses:
'201':
description: Application created
content:
application/json:
schema:
$ref: '#/components/schemas/Application'
'400':
description: Invalid request
'401':
description: Unauthorized
/applications/{applicationId}:
get:
operationId: getApplication
summary: Checkmarx Get application details
description: Retrieve details of a specific application.
tags:
- Applications
parameters:
- $ref: '#/components/parameters/applicationId'
responses:
'200':
description: Application details
content:
application/json:
schema:
$ref: '#/components/schemas/Application'
'401':
description: Unauthorized
'404':
description: Application not found
put:
operationId: updateApplication
summary: Checkmarx Update an application
description: Update an existing application's properties.
tags:
- Applications
parameters:
- $ref: '#/components/parameters/applicationId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateApplicationRequest'
responses:
'204':
description: Application updated
'400':
description: Invalid request
'401':
description: Unauthorized
'404':
description: Application not found
delete:
operationId: deleteApplication
summary: Checkmarx Delete an application
description: Delete an application. Projects within will be unassigned.
tags:
- Applications
parameters:
- $ref: '#/components/parameters/applicationId'
responses:
'204':
description: Application deleted
'401':
description: Unauthorized
'404':
description: Application not found
/projects:
get:
operationId: listProjects
summary: Checkmarx List projects
description: >-
Retrieve all projects with optional filtering by name, group,
or tag.
tags:
- Projects
parameters:
- name: offset
in: query
description: Pagination offset
schema:
type: integer
default: 0
- name: limit
in: query
description: Number of results to return
schema:
type: integer
default: 20
- name: name
in: query
description: Filter by project name
schema:
type: string
- name: groups
in: query
description: Filter by group IDs (comma-separated)
schema:
type: string
- name: tags-keys
in: query
description: Filter by tag keys
schema:
type: string
- name: tags-values
in: query
description: Filter by tag values
schema:
type: string
responses:
'200':
description: List of projects
content:
application/json:
schema:
$ref: '#/components/schemas/ProjectListResponse'
'401':
description: Unauthorized
post:
operationId: createProject
summary: Checkmarx Create a project
description: >-
Create a new project for security scanning. A project represents
a code repository or application component to be scanned.
tags:
- Projects
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateProjectRequest'
responses:
'201':
description: Project created
content:
application/json:
schema:
$ref: '#/components/schemas/Project'
'400':
description: Invalid request
'401':
description: Unauthorized
/projects/{projectId}:
get:
operationId: getProject
summary: Checkmarx Get project details
description: Retrieve details of a specific project by ID.
tags:
- Projects
parameters:
- $ref: '#/components/parameters/projectId'
responses:
'200':
description: Project details
content:
application/json:
schema:
$ref: '#/components/schemas/Project'
'401':
description: Unauthorized
'404':
description: Project not found
put:
operationId: updateProject
summary: Checkmarx Update a project
description: Update an existing project's configuration.
tags:
- Projects
parameters:
- $ref: '#/components/parameters/projectId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateProjectRequest'
responses:
'204':
description: Project updated
'400':
description: Invalid request
'401':
description: Unauthorized
'404':
description: Project not found
delete:
operationId: deleteProject
summary: Checkmarx Delete a project
description: Delete a project and all its associated scans and results.
tags:
- Projects
parameters:
- $ref: '#/components/parameters/projectId'
responses:
'204':
description: Project deleted
'401':
description: Unauthorized
'404':
description: Project not found
/scans:
get:
operationId: listScans
summary: Checkmarx List scans
description: >-
Retrieve scans with optional filtering by project, status,
and scan type.
tags:
- Scans
parameters:
- name: offset
in: query
description: Pagination offset
schema:
type: integer
default: 0
- name: limit
in: query
description: Number of results to return
schema:
type: integer
default: 20
- name: project-id
in: query
description: Filter by project ID
schema:
type: string
format: uuid
- name: statuses
in: query
description: Filter by scan statuses (comma-separated)
schema:
type: string
- name: sort
in: query
description: Sort field and direction
schema:
type: string
example: -created_at
responses:
'200':
description: List of scans
content:
application/json:
schema:
$ref: '#/components/schemas/ScanListResponse'
'401':
description: Unauthorized
post:
operationId: createScan
summary: Checkmarx Create a new scan
description: >-
Initiate a new security scan for a project. The scan can include
SAST, SCA, KICS, and other scan types based on project configuration.
tags:
- Scans
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateScanRequest'
responses:
'201':
description: Scan created and queued
content:
application/json:
schema:
$ref: '#/components/schemas/Scan'
'400':
description: Invalid request
'401':
description: Unauthorized
/scans/{scanId}:
get:
operationId: getScan
summary: Checkmarx Get scan details
description: Retrieve details and status of a specific scan.
tags:
- Scans
parameters:
- $ref: '#/components/parameters/scanId'
responses:
'200':
description: Scan details
content:
application/json:
schema:
$ref: '#/components/schemas/Scan'
'401':
description: Unauthorized
'404':
description: Scan not found
delete:
operationId: cancelScan
summary: Checkmarx Cancel a scan
description: Cancel a running or queued scan.
tags:
- Scans
parameters:
- $ref: '#/components/parameters/scanId'
responses:
'204':
description: Scan canceled
'401':
description: Unauthorized
'404':
description: Scan not found
/results:
get:
operationId: listResults
summary: Checkmarx List scan results
description: >-
Retrieve vulnerability results for a scan, with optional
filtering by severity, state, and scan type.
tags:
- Results
parameters:
- name: scan-id
in: query
required: true
description: Scan ID to retrieve results for
schema:
type: string
format: uuid
- name: offset
in: query
description: Pagination offset
schema:
type: integer
default: 0
- name: limit
in: query
description: Number of results to return
schema:
type: integer
default: 20
- name: severity
in: query
description: Filter by severity (comma-separated)
schema:
type: string
- name: state
in: query
description: Filter by result state (comma-separated)
schema:
type: string
- name: status
in: query
description: Filter by result status
schema:
type: string
enum:
- NEW
- RECURRENT
responses:
'200':
description: List of results
content:
application/json:
schema:
$ref: '#/components/schemas/ResultListResponse'
'401':
description: Unauthorized
/results/{resultId}:
get:
operationId: getResult
summary: Checkmarx Get result details
description: Retrieve detailed information about a specific finding.
tags:
- Results
parameters:
- name: resultId
in: path
required: true
description: Result unique identifier
schema:
type: string
format: uuid
responses:
'200':
description: Result details
content:
application/json:
schema:
$ref: '#/components/schemas/Result'
'401':
description: Unauthorized
'404':
description: Result not found
patch:
operationId: updateResult
summary: Checkmarx Update result state
description: >-
Update the triage state of a result, such as confirming,
marking as not exploitable, or setting to proposed not exploitable.
tags:
- Results
parameters:
- name: resultId
in: path
required: true
description: Result unique identifier
schema:
type: string
format: uuid
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateResultRequest'
responses:
'200':
description: Result updated
'401':
description: Unauthorized
'404':
description: Result not found
/results/summary:
get:
operationId: getResultsSummary
summary: Checkmarx Get results summary
description: >-
Retrieve an aggregated summary of scan results grouped by
severity and status.
tags:
- Results
parameters:
- name: scan-id
in: query
required: true
description: Scan ID to summarize
schema:
type: string
format: uuid
responses:
'200':
description: Results summary
content:
application/json:
schema:
$ref: '#/components/schemas/ResultsSummary'
'401':
description: Unauthorized
/queries:
get:
operationId: listQueries
summary: Checkmarx List SAST queries
description: Retrieve a list of available SAST queries and presets.
tags:
- Queries
parameters:
- name: offset
in: query
description: Pagination offset
schema:
type: integer
- name: limit
in: query
description: Number of results to return
schema:
type: integer
responses:
'200':
description: List of queries
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Query'
'401':
description: Unauthorized
/presets:
get:
operationId: listPresets
summary: Checkmarx List scan presets
description: >-
Retrieve all available scan presets that define which queries
and rules to apply during scans.
tags:
- Presets
responses:
'200':
description: List of presets
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Preset'
'401':
description: Unauthorized
/presets/{presetId}:
get:
operationId: getPreset
summary: Checkmarx Get preset details
description: Retrieve details of a specific scan preset.
tags:
- Presets
parameters:
- name: presetId
in: path
required: true
description: Preset unique identifier
schema:
type: integer
responses:
'200':
description: Preset details
content:
application/json:
schema:
$ref: '#/components/schemas/Preset'
'401':
description: Unauthorized
'404':
description: Preset not found
/groups:
get:
operationId: listGroups
summary: Checkmarx List groups
description: Retrieve all access control groups for the tenant.
tags:
- Groups
responses:
'200':
description: List of groups
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Group'
'401':
description: Unauthorized
/configuration/project:
get:
operationId: getProjectConfiguration
summary: Checkmarx Get project scan configuration
description: >-
Retrieve the scan configuration for a project, including
engine-specific settings for SAST, SCA, and KICS.
tags:
- Configuration
parameters:
- name: project-id
in: query
required: true
description: Project ID
schema:
type: string
format: uuid
responses:
'200':
description: Project configuration
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/ProjectConfiguration'
'401':
description: Unauthorized
patch:
operationId: updateProjectConfiguration
summary: Checkmarx Update project scan configuration
description: >-
Update the scan configuration for a project, including
SAST preset, exclusion filters, and engine settings.
tags:
- Configuration
parameters:
- name: project-id
in: query
required: true
description: Project ID
schema:
type: string
format: uuid
requestBody:
required: true
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/ProjectConfiguration'
responses:
'204':
description: Configuration updated
'400':
description: Invalid request
'401':
description: Unauthorized
components:
securitySchemes:
bearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
description: >-
OAuth 2.0 bearer token obtained via client credentials from
the Checkmarx One IAM service
parameters:
applicationId:
name: applicationId
in: path
required: true
description: Application unique identifier
schema:
type: string
format: uuid
projectId:
name: projectId
in: path
required: true
description: Project unique identifier
schema:
type: string
format: uuid
scanId:
name: scanId
in: path
required: true
description: Scan unique identifier
schema:
type: string
format: uuid
schemas:
TokenResponse:
type: object
properties:
access_token:
type: string
description: OAuth 2.0 access token
token_type:
type: string
description: Token type
example: Bearer
expires_in:
type: integer
description: Token expiration time in seconds
refresh_token:
type: string
description: Refresh token
ApplicationListResponse:
type: object
properties:
totalCount:
type: integer
description: Total number of applications
filteredTotalCount:
type: integer
description: Total count after filtering
applications:
type: array
items:
$ref: '#/components/schemas/Application'
Application:
type: object
properties:
id:
type: string
format: uuid
description: Application unique identifier
name:
type: string
description: Application name
description:
type: string
description: Application description
criticality:
type: integer
description: Application criticality level (1-5)
minimum: 1
maximum: 5
rules:
type: array
items:
$ref: '#/components/schemas/ApplicationRule'
description: Rules for auto-assigning projects
projectIds:
type: array
items:
type: string
format: uuid
description: IDs of projects in this application
tags:
type: object
additionalProperties:
type: string
description: Key-value tags
createdAt:
type: string
format: date-time
description: Creation timestamp
updatedAt:
type: string
format: date-time
description: Last update timestamp
ApplicationRule:
type: object
properties:
type:
type: string
description: Rule type
value:
type: string
description: Rule value pattern
CreateApplicationRequest:
type: object
required:
- name
properties:
name:
type: string
description: Application name
description:
type: string
description: Application description
criticality:
type: integer
description: Application criticality (1-5)
default: 3
rules:
type: array
items:
$ref: '#/components/schemas/ApplicationRule'
tags:
type: object
additionalProperties:
type: string
UpdateApplicationRequest:
type: object
properties:
name:
type: string
description: Application name
description:
type: string
description: Application description
criticality:
type: integer
description: Application criticality (1-5)
rules:
type: array
items:
$ref: '#/components/schemas/ApplicationRule'
tags:
type: object
additionalProperties:
type: string
ProjectListResponse:
type: object
properties:
totalCount:
type: integer
description: Total number of projects
filteredTotalCount:
type: integer
description: Total count after filtering
projects:
type: array
items:
$ref: '#/components/schemas/Project'
Project:
type: object
properties:
id:
type: string
format: uuid
description: Project unique identifier
name:
type: string
description: Project name
groups:
type: array
items:
type: string
description: Group IDs the project belongs to
repoUrl:
type: string
description: Repository URL
mainBranch:
type: string
description: Main branch name
origin:
type: string
description: Project creation origin
tags:
type: object
additionalProperties:
type: string
description: Key-value tags
criticality:
type: integer
description: Project criticality level (1-5)
createdAt:
type: string
format: date-time
description: Creation timestamp
updatedAt:
type: string
format: date-time
description: Last update timestamp
CreateProjectRequest:
type: object
required:
- name
properties:
name:
type: string
description: Project name
groups:
type: array
items:
type: string
description: Group IDs to assign
repoUrl:
type: string
description: Source repository URL
mainBranch:
type: string
description: Main branch name
default: main
origin:
type: string
description: Project origin
tags:
type: object
additionalProperties:
type: string
criticality:
type: integer
description: Project criticality (1-5)
default: 3
UpdateProjectRequest:
type: object
properties:
name:
type: string
description: Project name
groups:
type: array
items:
type: string
repoUrl:
type: string
mainBranch:
type: string
tags:
type: object
additionalProperties:
type: string
criticality:
type: integer
ScanListResponse:
type: object
properties:
totalCount:
type: integer
description: Total number of scans
filteredTotalCount:
type: integer
description: Total count after filtering
scans:
type: array
items:
$ref: '#/components/schemas/Scan'
Scan:
type: object
properties:
id:
type: string
format: uuid
description: Scan unique identifier
status:
type: string
enum:
- Queued
- Running
- Completed
- Partial
- Failed
- Canceled
description: Overall scan status
statusDetails:
type: array
items:
$ref: '#/components/schemas/ScanStatusDetail'
description: Per-engine scan status
projectId:
type: string
format: uuid
description: Associated project ID
projectName:
type: string
description: Associated project name
branch:
type: string
description: Source branch scanned
engines:
type: array
items:
type: string
enum:
- sast
- sca
- kics
- apisec
description: Scan engines used
sourceType:
type: string
description: Source origin type
sourceOrigin:
type: string
description: Source origin detail
initiator:
type: string
description: User or system that initiated the scan
tags:
type: object
additionalProperties:
type: string
createdAt:
type: string
format: date-time
description: Scan creation timestamp
updatedAt:
type: string
format: date-time
description: Last update timestamp
ScanStatusDetail:
type: object
properties:
name:
type: string
description: Engine name
status:
type: string
description: Engine-specific scan status
details:
type: string
description: Status details message
CreateScanRequest:
type: object
required:
- project
- type
- handler
properties:
project:
type: object
required:
- id
properties:
id:
type: string
format: uuid
description: Project ID to scan
type:
type: string
enum:
- git
- upload
description: Source type
handler:
type: object
properties:
repoUrl:
type: string
description: Git repository URL (for git type)
branch:
type: string
description: Branch to scan (for git type)
uploadUrl:
type: string
description: Pre-signed upload URL (for upload type)
config:
type: array
items:
type: object
properties:
type:
type: string
enum:
- sast
- sca
- kics
- apisec
value:
type: object
additionalProperties: true
description: Per-engine scan configuration
tags:
type: object
additionalProperties:
type: string
ResultListResponse:
type: object
properties:
totalCount:
type: integer
description: Total number of results
results:
type: array
items:
$ref: '#/components/schemas/Result'
Result:
type: object
properties:
id:
type: string
format: uuid
description: Result unique identifier
similarityId:
type: string
description: Similarity ID for tracking across scans
status:
type: string
enum:
- NEW
- RECURRENT
description: Result status
state:
type: string
enum:
- TO_VERIFY
- NOT_EXPLOITABLE
- PROPOSED_NOT_EXPLOITABLE
# --- truncated at 32 KB (38 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/checkmarx/refs/heads/main/openapi/checkmarx-one-openapi.yml