Current Single-Tenant Version | 3.50
New Features and Enhancements
CxLink Migration to Zrok v1
Upgrading to Zrok v1 provides the latest security updates, vulnerability fixes and improvements.
User-Controlled Incremental Scan for Branches
Incremental scan support for branch configurations is now fully exposed to users in the UI. Previously, this capability was controlled only through a feature flag, limiting visibility and user control. With this release, the feature flag has been removed, and users can now directly manage their incremental scan settings.
For more information, see the documentation.
Results Metadata Grouping Available in UI
The Results Metadata Grouping setting, previously controlled by a feature flag, is now available in the UI, giving customers direct control over how results are grouped for triaging.
For more information, see Result scope level in the configuration options.
Manual Bearer Token Entry for API Scans
In some cases, the bearer token in the API specification does not grant access to the API docs, causing scans to fail. To ensure scans succeed, you can now add bearer tokens manually using + Add custom headers, then confirm that your headers and target URL are correct.
Predefined Scan Configurations in DAST
Added predefined scan configurations to the Environment Setup Wizard and Environment settings, so you no longer need to manage configuration files or ZAP.
SAST Application Column Management UI Persistency
Clicking the Set to default button in the table UI saves the current column configuration, including visibility, order, pin state, whether a column is marked as default, and column width.
When you revisit the page, whether by logging in, refreshing the browser, or opening a new tab of the table, these settings will persist, ensuring your customized view remains intact.
Complete SAST Results Viewer Enabled in UI
All columns are now available directly in the SAST Result Viewer UI, rather than just the API.
To enhance customization, a new column management button has been introduced. This feature allows you to show or hide columns, pin key ones to lock their position in the table, and drag others to reorder them for better visibility. See here for more information.
Custom States for Container Security
We now support custom states for risks identified by the Container Security scanner.
Note
This capability is available for new IAM customers only.
File Upload Limit via UI Increased to 6GB
We have increased the maximum binary file upload size from 100MB to 6GB for enterprise customers.
The expanded limit enables efficient transfer and management of large files and strengthens our upload infrastructure for future scalability.
Ability to Export SCA and IaC Scan Results in CSV Format
SCA, IaC, and Containers scan results can now be exported in CSV format, providing greater flexibility for reporting and data processing. For more information on exporting scan results, please see here.
Split Secret Detection and Repository Health Licensing
The Code Repository Integrations feature now supports separate licenses for Secret Detection and Repository Health. This provides more granular control over these features.
Analytics: Added State Filter Across Dashboards
A new State filter has been added to Vulnerabilities, Executive Overview, and the Engineering dashboards, enabling users to refine analytics based on vulnerability states, including both system and custom states.
This enhancement provides more precise insights, improves triage workflows, and allows teams to focus on the vulnerability states most relevant to their analysis.
Feedback Apps: Added “Resolution” Field for Closing Issues
You can now specify a required Resolution when closing issues through the Feedback Apps integration with Jira or Azure DevOps.
This enhancement ensures issues can be closed correctly according to your workflows and compliance requirements. It improves lifecycle automation, prevents integration errors, and aligns the Feedback App with existing issue management processes.
SCA
Support for packages.lock.json
For .NET projects, we added support for scanning packages.lock.json files.
Triage in Global Inventory
In the SCA Global Inventory, you can now perform bulk-action triage on multiple items by selecting all relevant items and then clicking Manage States. This applies to the Packages, Vulnerabilities and Malware, and Licenses tabs, making it easy to apply triage across the entire tenant.
For example, if you decide that a particular package is not a concern, you can search for all instances of that package in the Packages tab and mark them all as Muted.
This feature streamlines large-scale triage workflows and saves time by allowing you to apply consistent decisions with a single action.
For more information, see the documentation.
Private Repository Configuration via API
When integrating Checkmarx One projects with private registries for SCA scanning, it is now possible to manage the configurations via API instead of adding them to the project’s config files. The Private Registry APIs enable creating and editing configurations, assigning tags to configurations, and associating configurations with projects.
Note
Currently supported only for JFrog Artifactory.
Learn about private registry integrations here.
See complete API documentation here.
IaC
Updated to version 2.1.16
Fixes and Improvements
Corrected false positives for SNS topic public accessibility in Terraform/AWS, Ansible/AWS, and CloudFormation/AWS.
Added support for database resources in two Azure queries.
Included cases for Azure App Service resources (azurerm_linux_web_app and azurerm_windows_web_app).
Prevented panic when parsing recursive YAML anchors or aliases.
Added support for arrays and minor fixes in queries.
Updated to version 2.1.17
Enhancements
[Terraform Azure] Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet).
[Terraform Google Cloud Platform] Ensure Log_min_error_statement Database Flag for Cloud SQL PostgreSQL Instance is set to Error or stricter.
[Terraform Google Cloud Platform] Ensure that the Log_min_messages Flag for a Cloud SQL PostgreSQL Instance is set at minimum to Warning.
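As an added illustration of what the two Cloud SQL logging checks above evaluate (not the product's own query logic), the following Python walks a `terraform show -json` style plan for google_sql_database_instance resources and reports log_min_error_statement and log_min_messages values weaker than ERROR and WARNING respectively, using PostgreSQL's own severity order. The sample plan is constructed, and an unset flag is assumed to behave as the PostgreSQL server default.

```python
# PostgreSQL severity levels, least to most severe; each level includes all that follow it.
PG_LEVELS = ["debug5", "debug4", "debug3", "debug2", "debug1", "info",
             "notice", "warning", "error", "log", "fatal", "panic"]
# (flag, minimum acceptable level): the two checks named in the enhancements above.
CHECKS = [("log_min_error_statement", "error"), ("log_min_messages", "warning")]
# Assumption: an unset flag behaves as the PostgreSQL server default for that flag.
PG_DEFAULTS = {"log_min_error_statement": "error", "log_min_messages": "warning"}

def is_at_least(level, minimum):
    """True when `level` is `minimum` or a stricter (later) PostgreSQL severity."""
    return PG_LEVELS.index(level.lower()) >= PG_LEVELS.index(minimum.lower())

def database_flags(resource):
    """Collect {name: value} from a google_sql_database_instance plan resource."""
    flags = {}
    for settings in resource.get("values", {}).get("settings", []):
        for flag in settings.get("database_flags", []):
            flags[flag["name"]] = flag["value"]
    return flags

def find_logging_issues(plan):
    """Return (address, flag, value) for each flag weaker than the check requires."""
    issues = []
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    for res in resources:
        if res.get("type") != "google_sql_database_instance":
            continue
        flags = database_flags(res)
        for flag, minimum in CHECKS:
            value = flags.get(flag, PG_DEFAULTS[flag])
            # An unrecognised level is reported too: it cannot be shown to satisfy the check.
            if value.lower() not in PG_LEVELS or not is_at_least(value, minimum):
                issues.append((res["address"], flag, value))
    return issues

# Constructed sample plan (shape of `terraform show -json`): one weak, one hardened instance.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "google_sql_database_instance.weak", "type": "google_sql_database_instance",
     "values": {"settings": [{"database_flags": [
         {"name": "log_min_error_statement", "value": "warning"},
         {"name": "log_min_messages", "value": "notice"}]}]}},
    {"address": "google_sql_database_instance.hardened", "type": "google_sql_database_instance",
     "values": {"settings": [{"database_flags": [
         {"name": "log_min_error_statement", "value": "ERROR"},
         {"name": "log_min_messages", "value": "WARNING"}]}]}},
]}}}

if __name__ == "__main__":
    for address, flag, value in find_logging_issues(SAMPLE_PLAN):
        print(f"{address}: {flag}={value} is weaker than required")
```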
Bug Fixes
Fixed multiple occurrences of "failed to convert integer in YAML parser" during scans.
Resolved an issue where the client received a 403 when changing state despite having the correct permissions.
Updated YAML parsing to support a wider variety of integer representations.
Resolved Issues
Item | Description |
|---|---|
AST-120770 | Establishing a connection failed after multiple attempts. |
AST-120359 | Authentication to certain web applications in DAST failed. |
AST-119984 | Establishing a connection did not work as expected. |
AST-119074 | Generic API Key (ClientSecret) produced false negatives. |
AST-118991 | Generic API Key (SecretKey) produced false negatives. |
AST-118979 | Authentication to public web applications in DAST failed. |
AST-117177 | SAST results were missing descriptions. |
AST-116382 | Predefined Azure role identifiers (RBAC) were incorrectly flagged as secrets. |
AST-115570 | Generic API Key produced false positives. |
AST-120044 | The “Download Logs” option did not appear for specific tenants. |
AST-119647 | Authentication to additional public web applications in DAST failed. |
AST-118856 | DAST vulnerability reports contained duplicate compliance data. |
AST-118034 | Constant error messages appeared in the UI even though scans completed successfully. |
AST-117997 | Certain users were unable to tag scans. |
AST-117993 | Projects could not be deleted. |
AST-116320 | Generating DAST scan reports failed when scans contained a large number of vulnerabilities. |
AST-116212 | SAST worker failed to read results due to an XML parsing error. |
AST-108655 | The UI displayed an unclear message when the primary branch was not set. |
AST-98430 | SAST worker failed to read scan status due to a deserialization error (EOF). |
AST-114083 | Changing the preset setting at the project level was not possible. |
AST-114444 | GitLab projects did not convert via API, though creation and updates worked through the UI with the same credentials. |
Item | Description |
|---|---|
AST-123607 | Fixed vulnerabilities by severity displayed today’s date in the Detected First and Detected Last fields. |
AST-122322 | DAST provided an incorrect secret key during two-factor authentication. |
AST-122103 | Grouping by path in DAST results broke the UI when the path was very long. |
AST-120573 | The Containers Realtime API did not recognize |
AST-118573 | Container scans reported remediation images as vulnerable. |
AST-116707 | Confirming a malicious package flagged in a container was not possible. |
AST-116035 | Critical vulnerabilities were reported in |
AST-115617 | The Source Extractor channel in FIS shut down unexpectedly. |
AST-115463 | The Container Security GraphQL API returned incorrect counters. |
AST-114094 | The Container Security GraphQL API did not function properly. |
AST-114081 | CSV SAST Results reports did not display the full vulnerability URL. |
AST-114049 | In Analytics, the “Vulnerabilities by State” drill-down data did not match the CSV report. |
AST-108903 | Container scans failed from CLI version 2.3.21 onward. |
AST-107697 | Container image scans failed and returned an error. |
AST-105819 | The Scan History page displayed zero results and showed a “Failed to get Containers summaries” message. |
AST-101532 | Input validation for AWS ECR integration in Container Security was not working correctly. |
AST-100434 | Container scans failed due to a timeout error ( |
AST-96382 | Scanning containers via CLI and UI produced inconsistent results. |
SCA-24730 | The feature flag |
SCA-24666 | The Scan Runner marked scans as failed even after successful retries. |
SCA-24644 | NuGet sources were removed unexpectedly. |
SCA-24469 | The |
SCA-24445 | Some packages did not appear in the UI. |
SCA-24417 | Incorrect version and dependency details were shown for |
SCA-24408 | The SCA Resolver scanned the |
SCA-24362 | SCA scans failed after JFrog integration. |
AST-122242 | DAST was missing a record for the “Login” button click event. |
AST-120822 | Pull Request comments showed unclear messaging when attempting to connect to an LLM, even when the feature was not licensed. |
AST-120766 | The SAST worker encountered failures that required RCA analysis. |
AST-116925 | The PUT method returned HTTP 500 on the release candidate under Access Management. |
AST-115620 | Terraform Plan files did not return results in IaC. |
AST-115005 | Setting the primary branch in project settings failed. |
AST-114868 | IaC generated a false positive for “SNS Topic is Publicly Accessible.” |
AST-114807 | Branches containing special characters did not appear in Scan History. |
AST-111151 | Filtering the scan queue took longer than 15 seconds. |
AST-109896 | Filter performance on certain project pages was slow. |
AST-105352 | IaC results returned outdated severity information. |
AST-121115 | Application reports generated empty lists of applications and scanners. |
AST-120024 | Authorization was granted to an incorrect group name under Access Management Phase 1. |
AST-120549 | Internal server errors (500) occurred for OAuth clients with the manage-access permission. |
AST-119795 | Reset password events appeared as user.mfa.updated in the Audit Trail. |
AST-118003 | Adding groups during project creation did not work properly when subgroups were involved. |
AST-114556 | Users could not log in via SAML or SSO in the DEU environment. |
AST-120097 | A Keycloak issue occurred during the Import Tool run in IAM. |