Reviewing Scan Results in Azure DevOps (MS-VSTS) Plugin (v8.8.0 to v8.9.0)

Scan results triggered from Azure DevOps are displayed both in Azure DevOps and in CxSAST (please refer to the Checkmarx CxSAST Documentation – Navigating Scan Results in CxSAST).

To retrieve and view the latest build results in Azure DevOps:

Open Azure DevOps and, from the main screen, click Build and Releases and then select Builds. The Build Definition screen is displayed.

Click the Actions icon in the row of the project whose results you would like to view, and then click View Build Results. The Build Results Dashboard is displayed.

A graphical summary of the Checkmarx scan results can be viewed by scrolling down the Build Results Dashboard.

A more detailed version of the scan results can be viewed in the Checkmarx (Report) tab on the Build Results Dashboard.

The CxSAST Summary provides information about the distribution of security issues for the build/project and is divided into the following categories:

  • Vulnerabilities Status – this graph represents the status and severity of the security vulnerabilities discovered during a scan.
    • Default Threshold – indicates the default threshold setting
    • High – indicates the number of high severity vulnerabilities
    • Medium – indicates the number of medium severity vulnerabilities
    • Low – indicates the number of low severity vulnerabilities
  • Results – provides a link to the code viewer in CxSAST (see Navigating Scan Results).
  • Threshold Status – provides a threshold status indicator (compliant or exceeded).

The CxOSA Summary provides information about the distribution of security issues for the plan/project and is divided into the following categories:

  • Libraries – distribution of the vulnerable libraries:
    • Vulnerable and outdated – includes libraries that have at least one security vulnerability, and vulnerable libraries for which a newer version is available
    • No Known Vulnerability Libraries – number of libraries without any known security vulnerabilities
  • Vulnerabilities & Libraries Status – provides a graph with the status of each vulnerability severity and the number of vulnerability instances found for each severity level.
    • Default Threshold – indicates the default threshold setting
    • High – indicates the number of high severity vulnerabilities
    • Medium – indicates the number of medium severity vulnerabilities
    • Low – indicates the number of low severity vulnerabilities
  • Results – provides a link to the CxOSA Viewer in CxSAST.
  • Threshold Status – provides a threshold status indicator (compliant or exceeded).
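The Threshold Status shown in both the CxSAST and CxOSA summaries above is a comparison of the High/Medium/Low counts against the configured thresholds. The following added example (not the plugin's own code) models that comparison for a build gate; the summary counts and the default threshold values are constructed sample data, and the plugin's real data format and field names are not documented on this page.

```python
# Added example (not the plugin's own code): evaluates the Threshold Status
# of the CxSAST and CxOSA summaries from per-severity vulnerability counts.
# All values below are constructed sample data.

SEVERITIES = ("High", "Medium", "Low")

# Constructed "Default Threshold" values: a summary is compliant only while
# every severity count stays at or below its threshold.
DEFAULT_THRESHOLD = {"High": 0, "Medium": 5, "Low": 20}

# Constructed summaries in the shape of the two dashboards described above.
SAMPLE_SUMMARIES = {
    "CxSAST": {"High": 2, "Medium": 3, "Low": 7},
    "CxOSA": {"High": 0, "Medium": 1, "Low": 4},
}


def threshold_status(counts, thresholds=DEFAULT_THRESHOLD):
    """Return ("compliant" | "exceeded", {severity: (found, limit)}).

    A severity exceeds its threshold when found > limit. A severity with
    no configured threshold is not gated (a simplification for this example).
    """
    exceeded = {}
    for sev in SEVERITIES:
        limit = thresholds.get(sev)
        found = counts.get(sev, 0)
        if limit is not None and found > limit:
            exceeded[sev] = (found, limit)
    return ("exceeded" if exceeded else "compliant"), exceeded


def build_gate(summaries, thresholds=DEFAULT_THRESHOLD):
    """Combine the per-scanner statuses into one build decision.

    Returns (overall_status, per_scanner); the build is compliant only when
    every scanner's summary is compliant.
    """
    per_scanner = {name: threshold_status(c, thresholds)
                   for name, c in summaries.items()}
    all_ok = all(status == "compliant" for status, _ in per_scanner.values())
    return ("compliant" if all_ok else "exceeded"), per_scanner


if __name__ == "__main__":
    overall, detail = build_gate(SAMPLE_SUMMARIES)
    print("Build threshold status:", overall)
    for name, (status, exceeded) in detail.items():
        print(f"  {name}: {status}", exceeded)
```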

The CxSAST Full Report provides information about the distribution of security issues for the build/project and is divided into the following categories:

  • Report Criteria – provides the following information:
    • Start/End – start and end time for the CxSAST scan
    • Files – total number of files scanned
    • Code Lines – total number of lines of code scanned
  • Vulnerability Type – provides a list of the vulnerabilities found, the distribution of the vulnerabilities by type (high, medium and low) and the number of vulnerability instances for each type.
  • Analyze Results – provides a link to the vulnerability results in the CxSAST code viewer (please refer to the Checkmarx CxSAST Documentation – Navigating Scan Results).

The CxOSA Full Report provides information about the distribution of security issues for the build/project and is divided into the following categories:

  • Report Criteria – provides the following information:
    • Start/End – start and end time for the CxOSA analysis
    • Libraries – total number of libraries analyzed
  • Vulnerability Type – provides a list of the vulnerabilities found, the distribution of the vulnerabilities by type (high, medium and low) and the number of vulnerability instances for each type.
  • Analysis Results – provides a link to the CxOSA Viewer in CxSAST.