Register Scan Report - POST /reports/sastScan (v8.6.0 and up)

Generate a new CxSAST scan report. Once registered you can use GET /reports/sastScan/{id}/status to get the status of the scan report and then use GET /reports/sastScan/{id} to retrieve the generated report.


1. POST /reports/sastScan and register a new report
2. GET /reports/sastScan/{id}/status and get the status of the specific report
3. GET /reports/sastScan/{id} and get the report when ready





Media Type (header):

Authorization: Bearer <access token value>
Content-Type: application/json;v=1.0
cxOrigin: {request_origin}



reportRequest=[body] – Report request:
reportType=[string] – Report type options are: PDF, RTF, CSV or XML 
scanId=[integer] – Unique Id of the scan

Curl Sample:

curl -X POST --header 'Content-Type: application/json;v=1.0' --header 'Accept: application/json' --header 'Authorization: Bearer <access token> -d '{ \
   "reportType": "XML", \
   "scanId": 1000062 \
 }' 'http://localhost/cxrestapi/reports/sastScan'

Sample Response:

  "reportId": 6,
  "links": {
    "report": {
      "rel": "content",
      "uri": "/reports/sastScan/6"
    "status": {
      "rel": "status",
      "uri": "/reports/sastScan/6/status"

Success Response:

Code: 202 Accepted

Error Response:

Code: 400 Bad Request


  • Generates a new CxSAST scan report. If the request fails, it returns an error response. The report Id (reportId) and the report format (reportType) must be the same as defined when the report is retrieved (GET /reports/sastScan/{id}); if not an error occurs.
  • Reports generated in application/pdf format may not display correctly when using Swagger.
  • CxOrigin verifies that the request comes from a plugin (for example Jenkins or CLI). Once verified, users with SAVE_SAST_SCAN permission can complete the call.