Current Single-Tenant Version | 3.54

The new AI Query Builder helps customers create and refine CxQL queries more quickly and intuitively by leveraging ChatGPT in the Queries Editor.

Use guided example prompts, on-demand regeneration, and easy code copying to customize queries with less effort and fewer errors - improving productivity and reducing time spent on manual query tuning.

Access to this feature is limited to users with Edit Query permissions.

For details, see our documentation.

We now support custom states for risks identified by the SCA and IaC Security scanners.

For more information about custom states, see our Documentation Portal.

Applications can now be classified as Business or Internal, enabling more accurate risk prioritization.

Internal applications are excluded from meaningful risk impact, reducing noise, while Business applications continue to factor criticality into risk scoring.

This ensures that risk insights and top-risk views focus on applications that truly impact the business.

A new Partial scan status has been added to scan history to better reflect scans that produced results but failed later in the process.

Their results remain available for review by downloading the scan log, providing clearer visibility and reducing confusion during scan analysis.

We’ve addressed Severity 1 accessibility issues identified during enterprise validation to improve compliance with ADA and WCAG 2.2 standards.

These fixes focus on critical areas such as keyboard navigation, focus order, and error identification, ensuring the platform is more accessible and usable for all users.

You can now mark container images in the Cloud Insights inventory as Ignored to reduce noise from images that don’t require remediation.

From the inventory table, select one or more images and choose Ignore to hide them from the main view. Ignored images remain accessible through the Show Ignored Images filter, where you can review them and restore them to the inventory at any time.

This helps keep your inventory focused and actionable while preserving full control and visibility.

For more information, see documentation.

You can now define protected branches using wildcard patterns for pull request scanning.

Instead of listing individual branch names, you can use flexible patterns (e.g., *, release*, *release) to automatically include matching branches.

This reduces manual configuration, improves coverage, and scales easily for repositories with dynamic or convention-based branching strategies.

Reports now support Container Security scan results.

When generating a project or application report, you can now select the Container Security scanner alongside the existing scanner options. This delivers a unified reporting experience, presenting all scan types in a consistent format and ensuring a single, consolidated view of security insights.

Analytics dashboards now show metrics from the Container Security scanner.

You can now view container-related findings and KPIs alongside existing analytics data from other scanners. This creates a unified analytics experience, giving you consistent visibility across all supported scan types.

A new Developer Assist Usage dashboard is now available in Analytics (for customers with an AI license). The dashboard introduces multiple KPIs that surface how developers interact with AI-generated remediations, including AI Suggestions, Fix Clicked, and Unique Users. It also includes a donut widget that breaks down Developer Assist usage by scanner, and a bar graph showing real-time vulnerability detection by scanner.

This consolidated view improves transparency and highlights adoption trends without requiring custom reporting.

For more information, see our Documentation Portal.

BYOR (Bring Your Own Results) now includes a web-based import experience, making it easier and faster for customers to bring external scan results into Checkmarx One. Users can import SARIF files from the UI, associate them with projects, and track progress and status in real time.

This enhancement improves visibility and enables security teams to review issue counts and severity breakdowns immediately after import.

Customers can now delete BYOR imports and their associated results. Deletion is available for completed, failed, or canceled imports and can be performed via the UI or API, including bulk deletion where permitted.

BYOR imports now identify and display the author (blamer) and commit ID for vulnerabilities when this information is provided by external tools. When blame data is unavailable or invalid, the author is shown as N/A.

By parsing blame metadata directly from imported files, customers can see who introduced a vulnerability and in which commit, without relying on additional Git queries.

Checkmarx One now supports GitHub App–based authentication for code repository integrations as a more secure and modern alternative to Personal Access Tokens and OAuth apps. This update enables short-lived, scoped tokens, automatic token rotation, and granular permission control, significantly reducing the risk of credential leakage and simplifying integration management.

This enhancement also unlocks compatibility with GitHub Enterprise Managed Users (EMU), allowing enterprise customers with strict identity and access controls to integrate GitHub repositories.

For more information, see our Documentation Portal.

The allowed character set for OAuth client identifiers has been expanded to include the @ character.

You can now create and delete custom states directly from Global Settings in the web application. After a state is defined, it becomes available tenant-wide for vulnerability triage. This streamlines configuration and removes the need to manage custom states through the API.

For more information about custom states, see our Documentation Portal.

A new Git commit history setting in Settings > Secret Detection lets users control whether Secret Detection scans Git commit history.

When set to true (default: false), Secret Detection scans both the working tree and Git commit history, providing full historical coverage for compliance and deeper analysis.

The setting is available in:

Secret Detection now supports scanning Confluence content via API-triggered scans, with results shown in the Secrets Detection viewer alongside other scan sources.

You can scan individual pages, entire spaces, or all Confluence spaces to identify exposed secrets in collaboration content. Findings include severity, page location, detection context (current or history), and standard remediation guidance.

Analytics now supports a custom date range filter, allowing you to select exact start and end dates using a classic date picker. The selected range is applied consistently across all KPIs, trend charts, and over-time metrics on the Analytics page.

This gives you full control over the timeframe you analyze, making it easier to create accurate reports, investigate specific periods, and base decisions on the most relevant data instead of fixed, predefined ranges.

To view a full explanation of Analytics filters, see Filtering.

Webhook creation now includes built-in limits to improve platform stability and prevent accidental overload of internal services. Users can create only one webhook per Payload URL per level (Project or Tenant), with clear guidance to update an existing webhook if a duplicate is detected. The total number of webhooks a user can create is capped based on the number of supported event types, ensuring predictable and controlled usage.

When the same Payload URL exists at both Project and Tenant levels, the Project-level webhook takes precedence for matching events, while different event selections will trigger all relevant requests.

These safeguards make webhook usage more reliable and predictable, prevent misconfiguration and sprawl, and ensure integrations scale safely without impacting system performance.

Scan Details now show webhook execution status for each scan, making it clear whether associated webhooks were triggered successfully. When a scan completes, any related webhook activity is logged in the Scan Details side panel.

If a webhook fails, the log displays not only a Failed status but also a short error description explaining the reason. All existing scan conditions remain visible.

Checkmarx One now supports automatic monitoring of new Azure DevOps (ADO) repositories. When enabled, any new project created in a connected ADO organization is automatically imported into Checkmarx One, with default settings applied and a scan triggered right away.

For more information on this feature, see Monitor New Repositories.

Analytics dashboards now show metrics from the Secret Detection and Repository Health scanners.

You can now view findings and KPIs related to exposed secrets and repository health (OSSF) alongside existing analytics data from other scanners. This creates a unified analytics experience, giving you consistent visibility across all supported scan types.

Enterprise customers can now upload binary files up to 6GB (previously 100MB) via the UI and supported APIs.

This update improves workflow efficiency for enterprise-scale use cases while maintaining secure and compliant file transfers.

In order to speed up the process of adding newly identified CVEs to our database, we have introduced a new automated process that identifies and publishes CVEs in a timely manner. However, this does not replace the need for our AppSec Research team to thoroughly analyze each CVE. Therefore, when the initial automated results are available, we publish the CVE with a note indicating that it is "pending manual review”. Once our AppSec team has completed their manual analysis they publish an updated version of the CVE details in which they correct any imprecise information and add important remarks about their analysis.

Our AppSec Research team often adds remarks based on their expert analysis. These remarks give important information about exploitability and remediation options. We now highlight these comments by showing them in a separate info box both in the scan results Risk Details page and in our AppSec Knowledge Center.

We added new fields that provide additional information about the packages used in your project. This will help organizations meet regulatory requirements and improve the transparency and security of their software supply chain.

The Packages section of Checkmarx SCA reports now includes Component Description, Component Supplier and Executable Properties fields. And, SBOM reports (CycloneDX and SPDX) now include the Component Description field.

You can now view Suspected Malware risk information in the AppSec Knowledge Center. It is presented similarly to vulnerabilities. This enables users to learn about specific risks without needing to scan a project with the risky package.

Download the latest version here.

You can now triage vulnerabilities in open-source dependencies using Vulnerability Exploitability eXchange (VEX) - a standardized, machine-readable format for communicating whether a known vulnerability (such as a CVE) actually affects your software.

This enhancement enables you to export SBOMs and reports that include clear, standardized exploitability classifications, helping teams reduce noise and focus on actionable risk.

For more information about VEX triage, see Triaging SCA Results.

You can now explicitly filter packages by the Monitored state (excluding Muted and Snoozed packages).

The new filter is available in both the SCA Results → Packages tab and the SCA Global Inventory → Packages tab.

This enhancement reduces noise, streamlines triage workflows, and ensures consistent filtering behavior across all package views.

SCA now extracts copyright ownership information for open-source packages and includes it in reports, making it easier to track usage rights and meet compliance requirements. Copyright details are now included in exported SCA scan report and SBOMs. When multiple copyright statements are present, they are consolidated and clearly separated for readability.

This enhancement improves visibility, simplifies compliance workflows, and helps generate complete third-party notice files with minimal manual effort.

Added proxy support for DAST, enabling you to scan internal, non‑public, or firewall‑protected applications from the cloud without whitelisting or exposing external IPs. This provides secure, temporary, on‑demand access for full dynamic testing while removing complex firewall configurations and accelerating security validation across cloud‑native and hybrid environments. For more information, see here.

You can now run your full DAST workflow directly from the CLI, removing the need for UI interaction or tunneling setups. A REST‑API‑driven script handles authentication, session creation, scanning, and results retrieval. For more information on the DAST CLI, see here.

New Paths, Mode, and Initiator columns are now available in the Scans History tab.

Added support for viewing DAST vulnerabilities by Alert on the Environments page, in addition to the existing Instance view.

Viewing by Alert aligns with industry standards by displaying the underlying vulnerability, while viewing by Instance shows how many times that vulnerability was detected.

Added ways to associate the application with an environment. You can now associate applications to the environment through the Environment tab, Application tab, an environment’s settings, or through the application’s Overview tab.

The Overview tab displays an at‑a‑glance summary of an environment, including associated applications, groups, and users; scan dates and times; and high‑level dashboards of the discovered vulnerabilities and compliance postures.

Added support for uploading SOAP API files in DAST. When configuring your API-type environment, in addition to Postman, OpenAPI, and HAR files, you can now upload SOAP API files.

For more information, refer to this page.

The following new queries have been added:

For more IaC updates, see the IaC changelog.