A sample of the Checkmarx SAST output format

By oculus

November 9, 2025


Checkmarx SAST findings data is available in formats such as JSON, XML, PDF, and CSV reports and contains detailed information about identified vulnerabilities.

A sample of the data you would find for a single vulnerability instance (e.g., an SQL Injection) would include fields such as:

Key Data Fields

  • Vulnerability Type: The specific type of security flaw found (e.g., SQL Injection, Reflected XSS, Command Injection).
  • Severity: The impact ranking of the vulnerability (Critical, High, Medium, Low, Informational).
  • Status/State: The current workflow status (New, Recurrent, To Verify, Confirmed, Not Exploitable, Proposed Not Exploitable).
  • Source Node: The initial input point (user-provided or external input) that starts the vulnerable data flow.
  • Source File/Path: The name and location (file path) of the file containing the source node.
  • Sink Node: The specific code location where the vulnerable data is used in an unsafe way (e.g., the line where a query is executed).
  • Code Snippets: The relevant lines of source code where the vulnerability exists and where the data flows.
  • Description/Learn More: A detailed explanation of the vulnerability, its potential risk, and how to remediate it (including code samples of a secure implementation).
  • Detection Date: The date the vulnerability was first or last detected.
  • Project/Scan ID: Identifying information for the project and the specific scan run that found the issue.
  • Language: The programming language of the scanned code (e.g., Java, C#).

A simplified JSON excerpt for a single finding, showing how these fields are nested:

{
  "scanId": "12345",
  "projectId": "67890",
  "vulnerability": {
    "type": "SQL_Injection",
    "severity": "High",
    "status": "To Verify",
    "description": "An SQL injection vulnerability exists when user input is used directly in an SQL query without proper sanitization.",
    "OWASP": ["A03:2021 - Injection"],
    "CWE": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
  },
  "findingDetails": {
    "source": {
      "file": "/src/main/java/com/example/LoginController.java",
      "line": 32,
      "snippet": "String username = request.getParameter(\"name\");"
    },
    "sink": {
      "file": "/src/main/java/com/example/UserRepository.java",
      "line": 150,
      "snippet": "String query = \"SELECT * FROM users WHERE name = '\" + username + \"'\";"
    },
    "dataFlow": [
      {"file": "...", "line": "..."},
      // ... intermediate steps in the data flow path
    ]
  }
}
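To show how such a report is consumed in a triage pipeline, here is an added Python example (not the page's or Checkmarx's own code). It assumes the nested layout of the illustrative JSON above, with constructed sample findings, rather than the official Checkmarx export schema; it flattens each record into a source-to-sink path and keeps only the open findings at or above a severity floor.

```python
import json
from dataclasses import dataclass

# Constructed sample shaped like the illustrative JSON above (two findings, one
# scan). It mirrors the page's example, not the official Checkmarx export schema.
SAMPLE_FINDINGS = json.dumps([
    {"scanId": "12345", "projectId": "67890",
     "vulnerability": {"type": "SQL_Injection", "severity": "High", "status": "To Verify"},
     "findingDetails": {
         "source": {"file": "/src/main/java/com/example/LoginController.java", "line": 32},
         "sink": {"file": "/src/main/java/com/example/UserRepository.java", "line": 150},
         "dataFlow": [{"file": "/src/main/java/com/example/LoginService.java", "line": 58}]}},
    {"scanId": "12345", "projectId": "67890",
     "vulnerability": {"type": "Reflected_XSS", "severity": "Medium", "status": "Not Exploitable"},
     "findingDetails": {
         "source": {"file": "/src/main/java/com/example/SearchController.java", "line": 20},
         "sink": {"file": "/src/main/java/com/example/SearchController.java", "line": 41},
         "dataFlow": []}},
])

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}
# Workflow states meaning "triaged as not a real issue"; these are skipped.
CLOSED_STATES = {"Not Exploitable", "Proposed Not Exploitable"}

@dataclass
class Finding:
    vuln_type: str
    severity: str
    status: str
    path: list  # "file:line" chain: source node, intermediate steps, sink node

def _loc(node: dict) -> str:
    return f"{node['file']}:{node['line']}"

def parse_findings(raw_json: str) -> list[Finding]:
    """Flatten each nested finding record into a Finding with its full data-flow path."""
    out = []
    for rec in json.loads(raw_json):
        v, d = rec["vulnerability"], rec["findingDetails"]
        path = [_loc(d["source"])] + [_loc(n) for n in d.get("dataFlow", [])] + [_loc(d["sink"])]
        out.append(Finding(v["type"], v["severity"], v["status"], path))
    return out

def triage(findings: list[Finding], min_severity: str = "High") -> list[Finding]:
    """Open findings at or above min_severity, most severe first."""
    floor = SEVERITY_RANK[min_severity]
    keep = [f for f in findings if f.status not in CLOSED_STATES and SEVERITY_RANK[f.severity] >= floor]
    return sorted(keep, key=lambda f: -SEVERITY_RANK[f.severity])
```

The path list keeps the source node first and the sink node last, so a ticket can quote both ends of the flow without re-reading the raw report.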