Upcoming Single-Tenant Version | 3.36

The SAST engine in Checkmarx One has been upgraded to version 9.7.2. To discover all the new features and updates in the latest version, refer to this page.

This version introduces project-level control over the deletion of entire source code or retention of vulnerable code snippets, enhancing platform security and enabling efficient code management in Checkmarx One.Customers can enable this functionality per project from the project settings page. The following options are available:

The Entities base report delivers insights into high-risk security issues and their trends over time, showcasing Checkmarx One’s value in identifying, managing, and resolving vulnerabilities. The report’s entities-based approach enables flexible grouping and breakdowns by the selected entity.

This version introduces reports focused on the Project entity, providing detailed, project-level insights.

This feature optimizes analytics by filtering data to the default main branch (e.g., "main" or "default main") of each project. This approach enhances clarity and performance, ensuring analytics data remains relevant and actionable.

Cloud Insights now integrates with CrowdStrike by establishing a secure connection with CrowdStrike’s API endpoints. The integration is set up easily by launching the setup wizard from the Cloud Insights page in the Checkmarx One UI.

This enhancement expands Cloud Insights' coverage, reinforcing Checkmarx’s position as an application security leader within the CNAPP ecosystem.

For more information, see documentation.

Cloud Insights now supports an improved matching algorithm based on OCI (Open Container Initiative) "Labels," which are key-value pairs used to describe metadata about container images. This method ensures 100% accuracy when matching container images to Checkmarx One project names. OCI Labels provide standardized information such as image version, maintainers, and source code repository, allowing for precise identification and management of images.

A new card information feature is now displayed when hovering over a vulnerability’s risk score, providing clear details on how the score is calculated, including the metrics, weighting factors, and other contributing elements. This feature gives users a deeper understanding of vulnerability severity, enabling them to prioritize remediation efforts more effectively.

Configure the queries IaC executes using preset configurations at the Tenant, Project, CLI, or Config file level. This gives you greater flexibility and control over your security scans, allowing you to tailor query execution to fit your specific workflows and environments.

Improved the drilldown view in the Bring Your Own Risk (BYOR) interface. Resolutions are displayed in a cleaner, more readable format, and URLs are now clickable - no more copying and pasting. This improvement makes accessing the right actions or resources faster and easier, simplifying your workflow and making everything more user-friendly.

For more information, see documentation.

The Pre-Commit Secret Scanning feature helps prevent accidental exposure of sensitive information such as passwords, API keys, and access tokens. If secrets are detected, the commit is blocked, and developers receive a detailed report to help remediate the issue.

For more information, see documentation.

Schedule full project scans via the API, eliminating the need to manually trigger them through the UI. Configure scans based on specific times, recurrence patterns, and preferred scanners. The API provides clear response codes for success or failure and includes options to disable scheduled scans when needed. This update helps ensure important scans aren't missed, reduces manual effort, and fits seamlessly into your automation workflows.

For more information, see documentation.

View ASPM risk-scored results directly in your IDE, bringing critical vulnerability prioritization into your daily workflow. Instead of sifting through every finding, you will see what matters most—high-risk issues first, helping you remediate faster and more efficiently. This update aligns the IDE experience with the ASPM model in the web app and reduces noise while enhancing developer adoption.

We now provide an integration with AWS ECR, enabling users to automatically pull images from private ECR repos and scan them using the Checkmarx One Container Security scanner. The integration is done by creating an "Assume Role" in ECR (Role ARN), which grants access to Checkmarx to pull images from your repos.

We provide a convenient wizard on the Checkmarx One Integrations page that enables you to create the integration by submitting info about the "Assume Role" (Role ARN and External ID) that you created, and the repo that you are granting access to.

For more information, see documentation.

Added support for uploading source code as a .tar files (in addition to existing support for .zip) for Container Security scans.

We now show remediation suggestions for specific base images. We provide easy navigation between remediation suggestions for the overall image and for the specific base images used in the image.

We now support marking images and packages that were identified by the Container Security as Muted or temporarily Snoozed. This functionality applies in the same manner that it applies to packages identified by the SCA scanner, as explained here.

We added the “Status” column to the results table. This column indicates whether the status of an image has been changed to Muted or Snoozed. It also indicates if a package is “Unresolved”. For Unresolved images, hovering over the status indicator shows a tooltip with an explanation of why the image wasn’t resolved.

We have added a new tab, Licenses, to the SCA Global Inventory. This tab shows all relevant licenses for packages consumed in all of the tenant's projects. The data from this table can be exported as a .csv file.

This will greatly improve visibility of licenses on a tenant-wide level.

We now officially support changing risk severity score via API. We have also added the SCA Management of Risk and Management of Packages APIs to our official API documentation (Stoplight).

For more infromation, see documentation.

For SCA vulnerabilities, we added a new permission, update-result-state-propose-not-exploitable(-if-in-group), which grants permission to change risk state only to Proposed Not Exploitable state.

We have improved the accuracy of results when running an SCA scan on an SPDX format SBOM.

We now limit who can make changes to a license state. We created a new IAM permission for this action, update-license-state(-if-in-group). By default, this is included in the role ast-risk-manager.

We now enable identification of new vulnerabilities based on comparison to previous scans of the specific branch. The default behavior is now to use the new branch-based approach. There is still an option to apply the previous methodology of project-based identification of new vulnerabilities. This configuration can be set on the tenant, project or scan level.

Added a bulk action for triaging (i.e., changing state, severity and adding comments) for multiple SCA risks at once. This is done by selecting the checkbox next to each of the risks and then making the change.

Similarly, in the Licenses tab, you can now use a bulk action to triage license states (effective/not effective).

Updated the IaC Security scanner to version 2.1.6.

Updates and Bug Fixes: