Reviewing Scan Results in TeamCity

Scan results that are retrieved by TeamCity are displayed in TeamCity as well as in CxSAST. For additional information, refer to Navigating Scan Results in CxSAST.

Scanning in Synchronous Mode enables viewing the scan results in TeamCity. In Asynchronous Mode, only a link to the scan results in the CxSAST web platform is provided with the build results.


A graphical side-by-side summary of the scan results can be viewed in the Checkmarx Report on the Build Results Dashboard.


 CxSAST Summary

The CxSAST Summary provides information about the distribution of security issues for the plan/project and is divided into the following categories:

  • Status Bar – red indicates that issues have been found which exceed the threshold or cause a violation of one or more policies.

  • Status Bar – green indicates a passed scan.

  • Vulnerabilities Status – This graph represents the status and severity of security vulnerabilities discovered during a scan, as explained in the legend.
    • Recurrent – The status of a vulnerability is recurrent if it was already discovered in a previous scan.
    • New – The status of a vulnerability is new if it was discovered for the first time, or if it was re-opened after being resolved in a previous scan.
    • Default Threshold – Indicates the default threshold setting.
    • High – Indicates the number of high severity vulnerabilities.
    • Medium – Indicates the number of medium severity vulnerabilities.
    • Low – Indicates the number of low severity vulnerabilities.
  • PDF Report – Provides a link to the CxSAST report in PDF format.
  • Results – Provides a link to the code viewer in CxSAST. For additional information, refer to Navigating Scan Results.

 CxSAST Full Report

The CxSAST Full Report provides information about the distribution of security issues for the build/project and is divided into the following categories:

  • Report Criteria – Provides the following information:
    • Start/End – Start and end time of the CxSAST scan.
    • Files – Total number of scanned files.
    • Code Lines – Total number of scanned lines of code.
  • Vulnerability Type – Provides a list of the vulnerabilities found, the distribution of the vulnerabilities by type (high, medium and low) and the number of vulnerability instances for each type.
  • Analyze Results – Provides a link to the source code viewer in CxSAST. For additional information, refer to Navigating Scan Results in CxSAST.
  • PDF Report – Provides a link to the CxSAST report in PDF format.


 CxSCA Summary

The CxSCA Summary provides the following information:

  • Displays the vulnerabilities scored in three categories: high, medium and low.
  • Lists the number of vulnerable, outdated and clean libraries.

 CxSCA Full Report

The CxSCA Full Report provides the following information:

  • Lists the number of vulnerabilities scored in three categories: high, medium and low.
  • Identifies the libraries and the vulnerability code.
  • Indicates the number of scanned libraries and the scan date.
  • Provides a link to CxSCA WebApp to allow viewing the results in detail.


 CxOSA Summary

The CxOSA Summary provides information about the distribution of security issues for the build/project and is divided into the following categories:

  • Vulnerabilities & Libraries Status – Provides a graph with the status of each vulnerability severity and the number of found vulnerability instances for each severity level.
    • Default Threshold – Indicates the default threshold setting.
    • High – Indicates the number of high severity vulnerabilities.
    • Medium – Indicates the number of medium severity vulnerabilities.
    • Low – Indicates the number of low severity vulnerabilities.

The CxOSA Summary takes vulnerability result states into consideration. For example, Not Exploitable vulnerabilities are not aggregated in the global summary.

  • Results – Provides a link to the CxOSA Viewer in CxSAST.

If the build is marked as failed, the number of detected vulnerability instances may exceed the configured threshold.

 CxOSA Full Report

The CxOSA Full Report provides information about the distribution of security issues for the build/project and is divided into the following categories:

  • Report Criteria – Provides the following information:
    • Start/End – Start and end time for the CxOSA analysis.
    • Libraries – Total number of analyzed libraries.
  • Vulnerability Type – Provides a list of the vulnerabilities found, the distribution of the vulnerabilities by type (high, medium and low) and the number of vulnerability instances for each type.
  • Analysis Results – Provides a link to the CxOSA Viewer in CxSAST.

Not Exploitable vulnerabilities are not aggregated in the global summary. In coordination with this, the CxOSA Full Report now displays Not Exploitable vulnerabilities with a strike-through.



If the build failed due to CxOSA and/or CxSAST policy violations, a unified report is displayed providing the following information: 

  • Number of violated policies
  • Names of violated policies
  • Names of respective rules violated 
  • Type of scan used
  • Number of instances of a violated rule
  • First detection date

A textual summary of the scan results can be viewed in the Build Log tab (Build Log > Step 1/1: Checkmarx).

Links to all the available reports are available in the Artifacts tab (Artifacts > Checkmarx).

To download a compressed file (.zip) of all available reports, click Download all (.zip).