Upcoming Single-Tenant Version | 3.48
New Features and Enhancements
Legacy API Deprecation
The Legacy API endpoint /api/presets (SAST Queries Audit Presets) will be deprecated on December 31, 2025.
Please transition to the new API endpoint /api/preset-manager (Preset Manager), which provides improved functionality and enhanced management of SAST presets.
Integration of DAST Metrics into Analytics Module
The Analytics page has been enhanced to incorporate data from DAST, allowing you to view your organization's security posture across all environments.
By combining DAST insights with other analytics, you can identify, assess, and prioritize risks more effectively.
Advanced filtering and customization help you focus on high-risk findings or compliance-sensitive areas for sharper, actionable analysis.
CxLink | Regenerate Broken or Disconnected Links
The new Regenerate feature lets users quickly restore disconnected CxLinks without changing the link alias. Instead of manually recreating links and updating projects, users can regenerate the connection in one step.
CxLink Client Metadata Visibility
The CxLink Client Metadata feature improves observability and simplifies troubleshooting for customers and support teams. Tenant and Link client information - such as client type, version, and URL - is now visible in the UI through tooltips when hovering over the status column.
This enhancement helps customers quickly identify and resolve connection issues, reduces dependency on support for diagnosis, and provides clearer insight into link configuration for more reliable connection management.
Drill Down from Fix Vulnerabilities
The Drill Down from Fix Vulnerabilities feature adds interactivity to the Vulnerabilities charts, allowing users to click directly from the dashboard to view detailed fixable vulnerabilities aligned with the selected KPI.
Users can refine results with Severity and State filters, group vulnerabilities dynamically by KPI (e.g., Severity or Status), and view essential details such as Application, Project, Branch, Scanner, Time to Fix, and Date of Fix. Data updates instantly without page reloads and can be exported to CSV, preserving all applied filters.
This enhancement provides a faster, more intuitive way to explore and act on vulnerabilities, improving visibility and accelerating remediation. The first release focuses on the “Vulnerabilities by Severity” KPI.
Analytics | Filter by Group
The Filter by Group enhancement adds a new filtering option to the Analytics page, allowing users to refine data by Group directly from the More Filters list.
Tags and Groups are now consolidated into a single filtering level, providing a unified experience. The Tag filter has also been updated to match the same checkbox + select component, ensuring consistent and intuitive UI/UX across all filter options.
This update streamlines data exploration and improves usability for users managing multiple groups or tag-based configurations.
Checkmarx One SAST Importer | Support for Custom States in Migration
Note
This capability is available for new IAM customers only.
The Checkmarx One SAST Importer now supports migrating custom states and corresponding custom permissions from on-premises Checkmarx SAST to Checkmarx One.
During the migration process, all custom states and their associated permissions are automatically extracted from Checkmarx SAST and ingested into Checkmarx One per tenant, ensuring full feature parity between the two environments.
Increased File Upload Limit via CLI to 6GB
The platform now supports binary file uploads up to 6GB via the CLI, a significant increase from the previous 100MB limit.
This update improves efficiency and scalability for enterprise users by enabling faster, frictionless transfer of large binaries, reducing operational overhead, and ensuring the platform is better equipped to support complex, high-volume workflows.
Enforcing SSO-Only Access for Application Users
To enhance organizational security and compliance by enforcing SSO policies, admins can now disable traditional username/password authentication and mandate SSO-only login.
SCA
Added Policy Condition for Vulnerability Status
We added a new “status” policy condition for the SCA scanner. This enables setting status (New or Recurrent) as a condition in a complex SCA scanner policy. For example, you can now create a policy that is triggered by new SCA vulnerabilities, but filters out dev and test dependencies.
Bulk Action Change Package State
Added a bulk action for changing the state (Monitored, Muted, Snoozed) and adding comments for multiple packages at once. This is done by selecting the checkbox next to each of the relevant packages and then making the change.
Global Inventory and Risks Improvements
The Global Inventory screen has been redesigned to deliver a faster, more intuitive experience aligned with the Checkmarx One design system. Key enhancements include:
Improved performance and responsiveness for smoother navigation and faster data loading
Refreshed look and feel consistent with the overall Checkmarx One UX
New columns displaying associated Groups and Applications for better context
Refined column titles and data to make information easier to understand and filter
These updates provide a clearer, more efficient view of your organization’s inventory and risks.
Improved License Reporting
We have dramatically revamped how licenses are represented in SCA scan reports. This change applies to SCA Scan Reports generated via the web application (UI) or Export Service (REST) APIs. The following are some of the key improvements:
Added data about license Permissions, Limitations and Conditions.
Added a new Package Licenses section that provides data about licenses in the context of specific packages in your project. (Included in CSV, XML and JSON but not PDF.)
Added a new Legal Risks section that provides data about risks posed by the license usage in your project. (Included in CSV, XML and JSON but not PDF.)
Added an option to filter results to show only data for licenses marked as "Effective".
IaC
Updated to version 2.1.14
New Features and Enhancements
New SimID Implementation
Updated the POST /api/kics-results-predicates request to include scanId
Bug Fixes
Runtime and Engine Stability
Fixed panic error: runtime index out of range
Resolved inconsistencies between scan history and scan summary results
Addressed duplicated SimilarityID issues affecting ETL processing
Platform and UI
Fixed error when adding Bicep platform to platform list
Corrected query editor showing empty queries under Bicep instead of ARM
Addressed misbehavior in project & scan counters/summaries
Corrected False Negatives (FN) for:
Unrestricted Security Group Ingress
Security Group With Unrestricted Access To SSH
Sensitive Port Exposed To Entire Network
Remote Desktop Port Open To Internet
S3 Bucket Allows Public Policy
IAM Policies With Full Privileges
ECS Services assigned with public IP
Neptune Logging Disabled
Launch Configuration Not Encrypted
Trusted Microsoft Services Not Enabled
Secretsmanager Secret Without KMS
EKS Cluster Encryption Disabled
Instance uses metadata service IMDSv1
Lambda Function Without Dead Letter Queue
Redshift Cluster Without VPC
ELBv2 ALB Access Log Disabled
Elasticsearch Domain Not Encrypted Node To Node
ECR Repository Not Encrypted With CMK
Cloudformation queries missing results
App Service Authentication and HTTP2 Disabled
Tags not copied to RDS Cluster snapshot
IAM DB Cluster Auth Not Enabled
Postgres RDS logging disabled
ECS Cluster Not Encrypted At Rest
DAX Cluster Not Encrypted
S3 bucket notifications disabled
Security alert policy missing
Storage Share File ACL permissions misflagged
SQL Server Database retention settings not detected
IAM policy allows data exfiltration
Passwords and Secrets queries missing flags
Corrected False Positives (FP) for:
Passwords And Secrets - Generic Secret
Passwords And Secrets - Generic Password
Storage Share File ACL permissions
Updated to version 2.1.15
New Features and Enhancements
Logging enhancement: Added parsing summary and scan summary counters to verbose logs.
IaC now uses a path-based reference instead of Levenshtein distance to generate similarityIDs, fixing duplication issues in repetitive files like OpenAPI and AzureResourceManager.
Fixes and Improvements
Query Fixes
Fixed false positives (FP) and false negatives (FN) for:
Passwords and Secrets – Generic Token & Generic Secret
API Gateway with CloudWatch Logging Disabled.
Operation without successful HTTP status code.
SQL Server Ingress From Any IP.
Added support for:
azurerm_mssql_firewall_rule in 2 Azure queries.
aws_launch_template in the IMDSv1 detection query.
azurerm_linux_web_app, azurerm_windows_web_app, and function_app resources in Azure queries.
Removed BETA naming from Tencent Cloud & Databricks queries.
Engine Fixes
Fixed issue where Bicep files were not being included/excluded with type flags.
Bug Fixes
Fixed issue where results did not include stateID.
Fixed issue where the user was unable to change IaC predicates if the username exceeded 50 characters.
Fixed request results limit bug in IaC Security Policy Management (limit set to 200).
Container Security
Unified Related Results
We have improved the handling of OS-level packages, making it easier to interpret the scan results. Previously, each binary package (e.g., libssl.so) was listed independently, even when it carried the exact same vulnerabilities as the source package it was built from (e.g., openssl-1.1.1k). This inflated vulnerability counts and caused confusion regarding remediation.
Now, if a binary has the same CVEs as its source, they are shown as a single unified result and the CVEs are counted only once. If a binary has different vulnerabilities than its source, it still appears separately, so that nothing is missed.
For more information, see documentation.
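The folding rule described above, as an added illustration (not Checkmarx code): binaries whose CVE set is identical to their source package's are merged into the source's result, while a binary with any different CVE keeps its own row. The package inventory and CVE IDs below are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed illustration of the unified-results rule; not Checkmarx code.

@dataclass(frozen=True)
class Package:
    name: str                    # e.g. "openssl-1.1.1k" (source) or "libssl.so" (binary)
    kind: str                    # "source" or "binary"
    cves: frozenset              # vulnerability IDs found on this package
    source: Optional[str] = None # for binaries: the source package it was built from

@dataclass
class Result:
    name: str        # package shown in the results list
    members: list    # packages folded into this result
    cves: frozenset

def unify_results(packages):
    """Return one result per distinct finding.

    A binary is folded into its source package's result only when its CVE set
    is identical to the source's; a binary with any different CVE stays separate.
    """
    by_name = {p.name: p for p in packages}
    results = {}  # name -> Result, insertion-ordered
    # Pass 1: every source package gets its own result.
    for p in packages:
        if p.kind == "source":
            results[p.name] = Result(p.name, [p.name], p.cves)
    # Pass 2: fold binaries into their source, or keep them separate.
    for p in packages:
        if p.kind != "binary":
            continue
        src = by_name.get(p.source)
        if src is not None and src.kind == "source" and src.cves == p.cves:
            results[src.name].members.append(p.name)   # same CVEs: counted once
        else:
            results[p.name] = Result(p.name, [p.name], p.cves)  # differs: keep separate
    return list(results.values())

def count_cves(results):
    """Total CVE count as reported: each CVE is counted once per unified result."""
    return sum(len(r.cves) for r in results)

# Constructed sample inventory (CVE IDs are placeholders, not real advisories).
SAMPLE = [
    Package("openssl-1.1.1k", "source", frozenset({"CVE-EXAMPLE-1", "CVE-EXAMPLE-2"})),
    Package("libssl.so", "binary", frozenset({"CVE-EXAMPLE-1", "CVE-EXAMPLE-2"}), "openssl-1.1.1k"),
    Package("libcrypto.so", "binary", frozenset({"CVE-EXAMPLE-1"}), "openssl-1.1.1k"),
    Package("zlib-1.2.11", "source", frozenset({"CVE-EXAMPLE-3"})),
    Package("libz.so", "binary", frozenset({"CVE-EXAMPLE-3"}), "zlib-1.2.11"),
]

if __name__ == "__main__":
    for r in unify_results(SAMPLE):
        print(r.name, sorted(r.members), sorted(r.cves))
```

With the sample above the naive per-package count is 7 CVEs, while the unified view reports 4 across three rows (openssl with libssl folded in, zlib with libz folded in, and libcrypto kept separate because its CVE set differs).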
CLI and Plugins Releases of October 2025
CLI Version 2.3.38
General improvements and bug fixes.
CLI Version 2.3.37
| Status | Item | Description |
|---|---|---|
| NEW | Kerberos proxy Authentication | Added support for Kerberos proxy authentication using MIT Kerberos as well as Windows native SSPI Kerberos. We added new global flags to support configuration of Kerberos authentication. See Global Flags. |
| FIXED | Rate Limits | Fixed an issue caused by rate limits. |
CI/CD Plugins
In October we released the following CI/CD plugin versions:
Azure DevOps Plugin - 3.0.18 (uses CLI v2.3.38)
Improvements and Bug Fixes
| Status | Item | Platform | Description |
|---|---|---|---|
| FIXED | Regression | Azure DevOps | Fixed a regression from the previous version. |
| Plugin | Marketplace | Code Repository | Documentation | Changelog |
|---|---|---|---|---|
| Azure DevOps | https://marketplace.visualstudio.com/items?itemName=checkmarx.checkmarx-ast-azure-plugin | | | |
| GitHub Action | https://github.com/marketplace/actions/checkmarx-ast-github-action | | | |
| TeamCity | https://github.com/CheckmarxDev/checkmarx-ast-teamcity-plugin | | | |
| Jenkins | | | | |
IDE Plugins
In October we released the following IDE plugin versions:
Improvements and Bug Fixes
| Status | Item | Platform | Description |
|---|---|---|---|
| NEW | General | Eclipse, JetBrains, Visual Studio, VS Code | General improvements and bug fixes. |
Resolved Issues
| Item | Description |
|---|---|
| AST-114426 | In the Query Editor, result tabs were displayed out of order after more than nine query runs. |
| AST-113659 | Failed to create a query in Web Audit. |
| AST-109939 | The Analytics > Vulnerabilities by State view opened with an incorrect page count. |
| AST-109456 | HTML tags appeared in the DAST report. |
| AST-112961 | A SAML authentication error occurred with the message “Unexpected error when authenticating with identity provider.” |
| AST-111567 | The manage-access permission did not allow adding or removing users via the authorization tab. |
| AST-110552 | The |
| AST-115744 | DAST CLI Scans failed with “Exit Status 2”. |
| AST-113476 | SAST policy exceptions failed with an error. |
| AST-112537 | The Data Origins widget in Global Inventory was missing origin testing. |
| AST-112227 | The Project Overview and Scan History sections showed zero results. |
| AST-111589 | The Cluster Name column was duplicated in Cloud Insights CSV exports. |
| AST-109213 | The Add User to Group dialog displayed empty First and Last Name columns. |
| AST-109200 | The Select Group button disappeared from the identity provider mapper. |
| AST-108405 | The Authentication Recorder failed on Cx1 but worked on ZAP. |
| AST-106143 | In the new IAM UI, the Add Managers to Group function did not allow managing groups or users. |
| AST-113049 | The Webhooks API endpoint experienced performance issues. |
| AST-109903 | KICS returned a false negative for unrestricted Security Group ingress. |
| AST-109902 | KICS returned a false negative for Security Groups with unrestricted SSH access. |
| AST-109901 | KICS returned a false positive for generic passwords and secrets. |
| AST-109542 | KICS returned a false negative for sensitive ports exposed to the entire network. |
| AST-109541 | KICS returned a false negative for open Remote Desktop ports in Terraform. |
| AST-82493 | KICS displayed incorrect project and scan counters and summaries. |
| AST-45594 | IaC security scans failed due to an engine ETL error. |
| AST-44724 | Duplicated SimilarityIDs caused issues in engine ETL processing. |
| AST-88062 | Outdated Packages on the Scanners page did not match the scan results. |
| AST-110337 | Project reports displayed “Not exploitable” SCA vulnerabilities incorrectly. |
| SCA-23863 | Errors occurred in the SCA packages processor. |
| SCA-24304 | The presigned AWS token URL used for export expired prematurely. |
| SCA-24029 | Binary packages were not detected in some scans. |
| SCA-24018 | The Projects service did not correctly handle LastSuccessfulScanId. |
| SCA-24017 | Python pip installs caused resource exhaustion in the Source Resolver. |
| SCA-23995 | Errors occurred when changing the package state to “Monitored.” |
| SCA-23976 | The package state could not be changed when viewing results via the Application Risk Management tab (SCA). |
| SCA-23861 | The default SCA PDF report displayed incorrect data. |
| SCA-23804 | Scans failed with the error “Scan failed due to internal error.” |
| SCA-23846 | The Global Inventory GraphQL API returned 504 errors. |
| SCA-24272 | Global Inventory returned zero results due to OIDC authentication issues. |
| SCA-24028 | Tag filters did not work in Global Inventory and Risks views. |
| SCA-23777 | The Export Service failed when exporting results for specific scans. |
| SCA-23677 | Some packages incorrectly indicated that no secure version was available. |
| SCA-23640 | Package usage was not detected correctly. |
| Item | Description |
|---|---|
| AST-119223 | Uploading YAML configurations to API Scans failed. |
| AST-116208 | Configuring the Code Repository in project settings got stuck for certain projects. |
| AST-113866 | The Assign Tags dropdown did not work under Access Management Phase 1. |
| AST-113813 | Group assignment during project creation did not work when Access Management Phase 1 was enabled. |
| AST-113481 | The API endpoint |
| AST-112222 | Setting incremental scan caused an exception in the log. |
| AST-112071 | Integration with self-hosted SCM via CxLink displayed an incorrect error message. |
| AST-110745 | Searching for a branch to scan returned: |
| AST-110436 | Azure DevOps integration truncated the last character when it was a parenthesis in an optional field. |
| AST-109098 | The |
| AST-108808 | Setting a primary branch in projects associated with inaccessible applications failed under Access Management Phase 1. |
| AST-107278 | Automatic assignment of SCM projects to applications via tag association did not work as expected. |
| AST-117026 | The Groups page in IAM displayed only ten subgroups. |
| AST-117004 | Each load of the DAST Environment tab generated a new API key. |
| AST-116190 | Grouping by path in DAST results broke the UI when the path was very long. |
| AST-117961 | The frontend displayed an endless loader when repository information was missing, with no option to refresh. |
| SCA-24193 | SBOM-only scans failed to execute. |
| SCA-24109 | The Downstream Remediation status remained “scanning” after the scan finished. |
| SCA-23891 | The package |
| SCA-23804 | Scans failed with the error: |
| SCA-24337 | State updates were ignored due to case-sensitive package names. |
| AST-116201 | The project conversion process logged information improperly. |
| AST-111421 | Loading vulnerabilities in Analytics and Dashboard was slow on specific tenants. |
| AST-113506 | The KICS query for “SQL Server Ingress From Any IP” required an update. |
| AST-116793 | Changing IaC predicates failed when the username exceeded 50 characters. |
| AST-116787 | IaC results did not include the |
| AST-111591 | IaC generated a runtime panic error due to “index out of range [4] with length 4.” |
| AST-116113 | Assigning a project to an application failed when the Application page was opened in a new tab. |
| AST-115875 | A project in the database remained stuck and required manual deletion. |
| AST-113695 | Running scans for public repositories in manual projects required a token. |
| AST-115388 | The project conversion process remained stuck for 24 hours. |
| AST-111113 | Swagger authorization failed for tenants with names shorter than three characters. |
| AST-83025 | Scan details were not reflected on the Projects page. |
| AST-113375 | Project group filtering did not work for users under Access Management Phase 1. |
| AST-110660 | The filter status for |
| AST-113656 | ZAP produced excessive duplicate alerts for passive scan rules in DAST. |
| AST-84342 | The SAST migration process caused service crashes with a Redis error. |
| AST-110019 | The Service User account was missing the ast-admin permission. |