Skip to content


CodeCharta is a tool to visualize software quality. It allows you to import and combine metrics from various sources like SonarQube, Svn, Git or directly from your source code. The visualization makes the quality of a code base tangible and can be used to gain insights and communicate with stakeholders.


Export data from SecObserve

When showing a product, there is an Export button. When clicking it, it shows a menu including an option to export the metrics about observations of this product to CodeCharta:

Export CodeCharta metrics

This export produces a CSV file with severity metrics for all open observations that have a source file as an origin.

Process data for CodeCharta

The CSV file needs to be converted to CodeCharta's JSON format. First the analysis tools of CodeCharta need to be installed. Then the exported metrics are converted like this:

ccsh csvimport secobserve_codecharta_metrics.csv -o

This produces the file This file can be visualized by CodeCharta, but contains only the source files with vulnerabilities.

To get a better picture of the whole system, this file can be combined with an export from SonarQube or the Source Code Parser.

When SonarQube is used, the export from SonarQube will include an additional node with the id of the project, that needs to be removed:

ccsh modify -f root/csec_secobserve -t root -o

Now the results from SonarQube and SecObserve can be merged:

ccsh merge -o

Visualize data in CodeCharta

The resulting file can now be visualized using These SecObserve metrics are included:

  • vulnerabilities_total
  • vulnerabilities_critical
  • vulnerabilities_high
  • vulnerabilities_medium
  • vulnerabilities_low
  • vulnerabilities_none
  • vulnerabilities_unkown
  • vulnerabilities_high_and_above
  • vulnerabilities_medium_and_above
  • vulnerabilities_low_and_above