Checkmarx SCA API
API for Software Composition Analysis to identify open source vulnerabilities and license compliance issues.
OpenAPI Specification
openapi: 3.1.0
info:
title: Checkmarx SCA API
description: >-
REST API for Checkmarx Software Composition Analysis (SCA),
enabling programmatic management of open source security scanning,
vulnerability detection, license compliance analysis, and
dependency inventory for software projects.
version: '1.0'
contact:
name: Checkmarx Support
url: https://support.checkmarx.com/
termsOfService: https://checkmarx.com/terms-of-use/
externalDocs:
description: Checkmarx SCA API Documentation
url: https://checkmarx.com/resource/documents/en/34965-68617-api.html
servers:
- url: https://api-sca.checkmarx.net
description: Checkmarx SCA Cloud (Production)
tags:
- name: Authentication
description: Obtain and manage authentication tokens
- name: Packages
description: Query open source package information
- name: Projects
description: Manage SCA projects
- name: Risk Reports
description: Retrieve vulnerability and risk analysis results
- name: Scans
description: Trigger and monitor dependency scans
- name: Settings
description: Manage project and organization settings
security:
- bearerAuth: []
paths:
/identity/connect/token:
post:
operationId: authenticate
summary: Checkmarx Obtain access token
description: >-
Authenticate using OAuth 2.0 client credentials to obtain a
bearer token for accessing the Checkmarx SCA API.
tags:
- Authentication
requestBody:
required: true
content:
application/x-www-form-urlencoded:
schema:
type: object
required:
- grant_type
- username
- password
- acr_values
- scope
properties:
grant_type:
type: string
enum:
- password
description: OAuth 2.0 grant type
username:
type: string
description: SCA account username
password:
type: string
description: SCA account password
acr_values:
type: string
description: Tenant identifier
example: Tenant:your-tenant
scope:
type: string
description: API access scope
example: sca_api
client_id:
type: string
description: OAuth client ID
example: sca_resource_owner
responses:
'200':
description: Authentication successful
content:
application/json:
schema:
$ref: '#/components/schemas/TokenResponse'
'400':
description: Invalid credentials
security: []
/risk-management/projects:
get:
operationId: listProjects
summary: Checkmarx List all projects
description: Retrieve a list of all SCA projects for the authenticated tenant.
tags:
- Projects
responses:
'200':
description: List of projects
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Project'
'401':
description: Unauthorized
post:
operationId: createProject
summary: Checkmarx Create a new project
description: Create a new SCA project for scanning open source dependencies.
tags:
- Projects
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateProjectRequest'
responses:
'201':
description: Project created successfully
content:
application/json:
schema:
$ref: '#/components/schemas/Project'
'400':
description: Invalid request
'401':
description: Unauthorized
/risk-management/projects/{projectId}:
get:
operationId: getProject
summary: Checkmarx Get project details
description: Retrieve details of a specific SCA project.
tags:
- Projects
parameters:
- $ref: '#/components/parameters/projectId'
responses:
'200':
description: Project details
content:
application/json:
schema:
$ref: '#/components/schemas/Project'
'401':
description: Unauthorized
'404':
description: Project not found
put:
operationId: updateProject
summary: Checkmarx Update a project
description: Update the configuration of an existing SCA project.
tags:
- Projects
parameters:
- $ref: '#/components/parameters/projectId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateProjectRequest'
responses:
'204':
description: Project updated
'400':
description: Invalid request
'401':
description: Unauthorized
'404':
description: Project not found
delete:
operationId: deleteProject
summary: Checkmarx Delete a project
description: Delete an SCA project and all associated scan data.
tags:
- Projects
parameters:
- $ref: '#/components/parameters/projectId'
responses:
'204':
description: Project deleted
'401':
description: Unauthorized
'404':
description: Project not found
/risk-management/scans:
get:
operationId: listScans
summary: Checkmarx List scans
description: >-
Retrieve a list of SCA scans with optional filtering by
project ID.
tags:
- Scans
parameters:
- name: projectId
in: query
description: Filter by project ID
schema:
type: string
format: uuid
responses:
'200':
description: List of scans
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Scan'
'401':
description: Unauthorized
post:
operationId: createScan
summary: Checkmarx Trigger a new scan
description: >-
Initiate a new SCA scan for a project by uploading a source
archive or pointing to a repository.
tags:
- Scans
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateScanRequest'
responses:
'201':
description: Scan created and queued
content:
application/json:
schema:
$ref: '#/components/schemas/Scan'
'400':
description: Invalid request
'401':
description: Unauthorized
/risk-management/scans/{scanId}:
get:
operationId: getScan
summary: Checkmarx Get scan details
description: Retrieve details and status of a specific SCA scan.
tags:
- Scans
parameters:
- $ref: '#/components/parameters/scanId'
responses:
'200':
description: Scan details
content:
application/json:
schema:
$ref: '#/components/schemas/Scan'
'401':
description: Unauthorized
'404':
description: Scan not found
/risk-management/risk-reports/{projectId}:
get:
operationId: getRiskReport
summary: Checkmarx Get project risk report
description: >-
Retrieve the risk report for a project, including vulnerability
summary and risk score.
tags:
- Risk Reports
parameters:
- $ref: '#/components/parameters/projectId'
responses:
'200':
description: Risk report
content:
application/json:
schema:
$ref: '#/components/schemas/RiskReport'
'401':
description: Unauthorized
'404':
description: Project not found
/risk-management/risk-reports/{projectId}/vulnerabilities:
get:
operationId: listProjectVulnerabilities
summary: Checkmarx List project vulnerabilities
description: >-
Retrieve all vulnerabilities found in a project from the most
recent scan.
tags:
- Risk Reports
parameters:
- $ref: '#/components/parameters/projectId'
responses:
'200':
description: List of vulnerabilities
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Vulnerability'
'401':
description: Unauthorized
'404':
description: Project not found
/risk-management/risk-reports/{projectId}/packages:
get:
operationId: listProjectPackages
summary: Checkmarx List project packages
description: >-
Retrieve all open source packages detected in a project with
their license and vulnerability information.
tags:
- Risk Reports
parameters:
- $ref: '#/components/parameters/projectId'
responses:
'200':
description: List of packages
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Package'
'401':
description: Unauthorized
'404':
description: Project not found
/risk-management/risk-reports/{projectId}/licenses:
get:
operationId: listProjectLicenses
summary: Checkmarx List project licenses
description: >-
Retrieve all licenses detected across open source packages in
a project.
tags:
- Risk Reports
parameters:
- $ref: '#/components/parameters/projectId'
responses:
'200':
description: List of licenses
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/License'
'401':
description: Unauthorized
'404':
description: Project not found
/packages/{packageType}/{packageName}/{version}:
get:
operationId: getPackageDetails
summary: Checkmarx Get package details
description: >-
Retrieve detailed information about a specific open source
package version, including known vulnerabilities.
tags:
- Packages
parameters:
- name: packageType
in: path
required: true
description: Package ecosystem type
schema:
type: string
enum:
- npm
- maven
- nuget
- pypi
- rubygems
- go
- packagist
- cargo
- name: packageName
in: path
required: true
description: Package name
schema:
type: string
- name: version
in: path
required: true
description: Package version
schema:
type: string
responses:
'200':
description: Package details
content:
application/json:
schema:
$ref: '#/components/schemas/PackageDetails'
'401':
description: Unauthorized
'404':
description: Package not found
/settings/projects/{projectId}:
get:
operationId: getProjectSettings
summary: Checkmarx Get project settings
description: Retrieve scan and policy settings for a project.
tags:
- Settings
parameters:
- $ref: '#/components/parameters/projectId'
responses:
'200':
description: Project settings
content:
application/json:
schema:
$ref: '#/components/schemas/ProjectSettings'
'401':
description: Unauthorized
'404':
description: Project not found
put:
operationId: updateProjectSettings
summary: Checkmarx Update project settings
description: Update scan and policy settings for a project.
tags:
- Settings
parameters:
- $ref: '#/components/parameters/projectId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ProjectSettings'
responses:
'204':
description: Settings updated
'400':
description: Invalid request
'401':
description: Unauthorized
'404':
description: Project not found
components:
securitySchemes:
bearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
description: >-
OAuth 2.0 bearer token obtained from the authentication endpoint
parameters:
projectId:
name: projectId
in: path
required: true
description: Project unique identifier
schema:
type: string
format: uuid
scanId:
name: scanId
in: path
required: true
description: Scan unique identifier
schema:
type: string
format: uuid
schemas:
TokenResponse:
type: object
properties:
access_token:
type: string
description: OAuth 2.0 access token
token_type:
type: string
description: Token type
example: Bearer
expires_in:
type: integer
description: Token expiration time in seconds
Project:
type: object
properties:
id:
type: string
format: uuid
description: Project unique identifier
name:
type: string
description: Project name
createdOn:
type: string
format: date-time
description: Project creation timestamp
tenantId:
type: string
description: Tenant identifier
assignedTeams:
type: array
items:
type: string
description: Teams assigned to the project
lastScanDate:
type: string
format: date-time
description: Timestamp of the most recent scan
riskScore:
type: number
format: float
description: Overall risk score for the project
totalPackages:
type: integer
description: Total number of packages detected
highVulnerabilityCount:
type: integer
description: Number of high severity vulnerabilities
mediumVulnerabilityCount:
type: integer
description: Number of medium severity vulnerabilities
lowVulnerabilityCount:
type: integer
description: Number of low severity vulnerabilities
CreateProjectRequest:
type: object
required:
- name
properties:
name:
type: string
description: Project name
assignedTeams:
type: array
items:
type: string
description: Team IDs to assign to the project
UpdateProjectRequest:
type: object
properties:
name:
type: string
description: Updated project name
assignedTeams:
type: array
items:
type: string
description: Updated team assignments
Scan:
type: object
properties:
scanId:
type: string
format: uuid
description: Scan unique identifier
projectId:
type: string
format: uuid
description: Associated project ID
status:
type: string
enum:
- Queued
- Scanning
- Done
- Failed
- Canceled
description: Current scan status
createdOn:
type: string
format: date-time
description: Scan creation timestamp
updatedOn:
type: string
format: date-time
description: Last update timestamp
origin:
type: string
description: Scan trigger origin
enum:
- API
- CLI
- Plugin
- Upload
riskReportId:
type: string
format: uuid
description: Associated risk report ID
CreateScanRequest:
type: object
required:
- projectId
properties:
projectId:
type: string
format: uuid
description: Project to scan
sourceType:
type: string
enum:
- Upload
- RemoteRepository
description: Source code input method
RiskReport:
type: object
properties:
projectId:
type: string
format: uuid
description: Project identifier
riskScore:
type: number
format: float
description: Overall risk score (0-10)
totalPackages:
type: integer
description: Total number of open source packages
directPackages:
type: integer
description: Number of direct dependency packages
totalOutdatedPackages:
type: integer
description: Number of outdated packages
vulnerabilitySummary:
$ref: '#/components/schemas/VulnerabilitySummary'
VulnerabilitySummary:
type: object
properties:
highVulnerabilityCount:
type: integer
description: Number of high severity vulnerabilities
mediumVulnerabilityCount:
type: integer
description: Number of medium severity vulnerabilities
lowVulnerabilityCount:
type: integer
description: Number of low severity vulnerabilities
totalVulnerabilityCount:
type: integer
description: Total number of vulnerabilities
Vulnerability:
type: object
properties:
id:
type: string
description: Vulnerability identifier (CVE ID)
cveName:
type: string
description: CVE name
score:
type: number
format: float
description: CVSS score
severity:
type: string
enum:
- High
- Medium
- Low
description: Vulnerability severity
publishDate:
type: string
format: date-time
description: Vulnerability publish date
packageId:
type: string
description: Affected package identifier
description:
type: string
description: Vulnerability description
recommendations:
type: string
description: Recommended remediation
cwe:
type: string
description: CWE identifier
isIgnored:
type: boolean
description: Whether the vulnerability has been marked as ignored
references:
type: array
items:
type: string
format: uri
description: External reference URLs
Package:
type: object
properties:
id:
type: string
description: Package identifier
name:
type: string
description: Package name
version:
type: string
description: Package version
packageRepository:
type: string
description: Package ecosystem (npm, maven, etc.)
isDirectDependency:
type: boolean
description: Whether this is a direct dependency
licenses:
type: array
items:
type: string
description: License names
highVulnerabilityCount:
type: integer
description: Number of high severity vulnerabilities
mediumVulnerabilityCount:
type: integer
description: Number of medium severity vulnerabilities
lowVulnerabilityCount:
type: integer
description: Number of low severity vulnerabilities
riskScore:
type: number
format: float
description: Package risk score
outdated:
type: boolean
description: Whether the package is outdated
newestVersion:
type: string
description: Newest available version
PackageDetails:
type: object
properties:
type:
type: string
description: Package ecosystem type
name:
type: string
description: Package name
version:
type: string
description: Package version
description:
type: string
description: Package description
licenses:
type: array
items:
type: string
description: Package licenses
vulnerabilities:
type: array
items:
$ref: '#/components/schemas/Vulnerability'
description: Known vulnerabilities for this package
License:
type: object
properties:
name:
type: string
description: License name
riskLevel:
type: string
enum:
- High
- Medium
- Low
- Unknown
description: License risk level
copyleftType:
type: string
enum:
- Yes
- Partial
- No
- Unknown
description: Whether the license has copyleft requirements
referenceUrl:
type: string
format: uri
description: License reference URL
packageCount:
type: integer
description: Number of packages using this license
ProjectSettings:
type: object
properties:
enableExploitablePath:
type: boolean
description: Enable exploitable path analysis
enableSastIntegration:
type: boolean
description: Enable SAST integration for contextual risk
policySeverity:
type: string
enum:
- High
- Medium
- Low
- None
description: Minimum severity to enforce policies