Exporting reports
ShieldX can export the most recent scan, or any entry in scan history, to one of six formats.
Entry points
- From the dashboard: click Export in the header. A quick-pick lists the supported formats and writes the file to the location you choose.
- From history: open any history entry and use Export this scan.
- Default format: shieldx.reportFormat pre-selects the option in the picker.
Formats
Markdown
Human-readable summary suitable for code review, PR comments, and ticketing systems. Includes the executive overview, per-extension findings, and recommendations.
JSON
Stable structured output. Use for programmatic ingestion or to diff scans in CI.
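An added example (not ShieldX's own code) of diffing two JSON exports in CI: it flags new extensions, raised risk levels, and unrecognised levels. The key names extensions, id and riskLevel, and the ordering of levels, are assumptions, since this page does not document the JSON schema.

```python
import json

# Assumed ordering of risk levels; the page does not list the actual values.
LEVELS = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def by_id(report):
    # "extensions" and "id" are assumed key names for the per-extension entries.
    return {e["id"]: e for e in report.get("extensions", [])}

def rank(entry):
    # Returns None for a missing or unrecognised level so callers can fail closed.
    return LEVELS.get(str(entry.get("riskLevel", "")).lower())

def diff_scans(baseline, current):
    """Return (extension id, reason, detail) tuples that should fail a CI gate."""
    old, findings = by_id(baseline), []
    for ext_id, entry in sorted(by_id(current).items()):
        now = rank(entry)
        if now is None:
            findings.append((ext_id, "unknown-risk-level", str(entry.get("riskLevel"))))
        elif ext_id not in old:
            findings.append((ext_id, "new-extension", entry["riskLevel"]))
        else:
            before = rank(old[ext_id])
            # An unrecognised baseline level is treated as an increase (fail closed).
            if before is None or now > before:
                detail = f'{old[ext_id].get("riskLevel")} -> {entry["riskLevel"]}'
                findings.append((ext_id, "risk-increased", detail))
    return findings

# Constructed sample exports (not real ShieldX output).
BASELINE = json.loads("""{"extensions": [
  {"id": "acme.linter", "version": "1.2.0", "riskLevel": "low"},
  {"id": "acme.theme",  "version": "3.0.1", "riskLevel": "medium"}]}""")
CURRENT = json.loads("""{"extensions": [
  {"id": "acme.linter", "version": "1.3.0", "riskLevel": "high"},
  {"id": "acme.theme",  "version": "3.0.1", "riskLevel": "medium"},
  {"id": "acme.helper", "version": "0.1.0", "riskLevel": "low"},
  {"id": "acme.odd",    "version": "0.0.1", "riskLevel": "severe"}]}""")

if __name__ == "__main__":
    for ext_id, reason, detail in diff_scans(BASELINE, CURRENT):
        print(f"{ext_id}: {reason} ({detail})")
```

In a pipeline, load the two exports from files instead of the inline samples and exit non-zero when the returned list is not empty.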
HTML
Self-contained file with embedded fonts and styles. Good for sharing with others.
PDF
Renders the HTML report through a Chrome/Chromium binary.
- Requires Chrome, Chromium, Edge, or Brave on PATH, or shieldx.pdfBrowserPath pointing to a binary
- The command-palette picker only shows PDF when it is supported on the current machine
- If a PDF export is requested from the UI without browser support, ShieldX falls back to HTML and shows a notice
CSV
One row per extension with key fields. Useful for spreadsheets and inventory dashboards.
SARIF
Static Analysis Results Interchange Format. Use with code-scanning UIs that ingest SARIF (GitHub Advanced Security, Azure DevOps, etc.). Each finding is mapped to a SARIF result with a rule ID derived from the underlying signal.
What is included
Every export contains:
- Scan timestamp and ShieldX version
- Per-extension entry: ID, version, publisher, risk score, risk level, trust signals, risk factors, recommendation
- Policy violations from the same scan, when a policy file is present
Markdown, HTML, and PDF additionally include an executive summary paragraph.
What is not included
- Raw HTTP responses from OSV or npm
- Source code of scanned extensions
- File paths outside the extension package