Skip to main content

Upcoming Single-Tenant Version | 3.42

New Features and Enhancements

New Authentication for ADO

When setting up a code repository integration with Azure DevOps (ADO), the authentication is now done via Microsoft Entra OAuth (in place of Azure DevOps OAuth which was used previously). The change was made because the previous method is no longer supported by ADO.

To learn more about Entra, see Microsoft documentation.

Warning

IMPORTANT

Your organization's Microsoft admin must first grant access to the Checkmarx One Entra application in order to enable the new OAuth login flow.

Note

Due to a known issue on Microsoft's side (Microsoft Entra), the initial integration attempt following the first consent approval may fail. If this occurs, simply initiate the OAuth flow again. The second attempt should succeed without any issues, and the connection will be established as expected.

New DAST Onboarding | Run Authenticated Scans Without a Config File

Easily start authenticated DAST scans without writing a YAML file. This new flow simplifies onboarding by guiding users through setup and authentication via a user-friendly UI, even when initiated from the CLI.

Webhook Management | Tenant-Level Support

Admins can now manage webhooks at the tenant level, enabling centralized configuration across multiple projects. This reduces manual setup, ensures consistent settings, and streamlines administration for large environments.

New API Methods | PATCH Method for Applications and Projects

The PATCH method is now supported for both Update Applications and Update Projects endpoints, allowing partial updates of specific fields without requiring the full data set.

This improves API efficiency, reduces data transfer, and simplifies workflows by letting users make quick changes - such as adding a tag - without affecting other properties. As a result, updates are faster, more flexible, and require fewer API calls.

See API documentation for the PATCH method in Applications and Projects.

Application Risk Management Shown in IDEs

ASPM risk score results are now shown directly in Checkmarx One IDE plugins, aligning the developer experience with the web app. This eliminates the noise of unprioritized findings by allowing developers to focus on high-risk vulnerabilities first.

The integration streamlines remediation, improves efficiency, and promotes adoption by embedding meaningful risk insights directly into the developer workflow.

This feature is currently available only for VS Code. For more information, see documentation.

SAST Engine Upgrade to Version 9.7.4

The SAST engine in Checkmarx One has been upgraded to version 9.7.3. To discover all the new features and updates in the latest version, refer to this page.

CxLink Client Distribution Update

To simplify and scale CxLink client distribution, customers can now pull the CxLink image directly from Checkmarx's Docker Hub account. This eliminates the need for manual TAR file delivery and local Docker installation steps previously required, providing a more streamlined and scalable deployment process.

SAST Policy Management – Grouped Conditions

SAST Policy rules now support grouping conditions to enable more precise break-build logic. For example, a rule can now break the build if there are over two High severity vulnerabilities that are also older than 10 days.

All conditions in a group must match the same result to evaluate as true. A rule triggers only if all groups are true.

Existing rules will be migrated with each condition placed in its own group to preserve current behavior. New rules default to a single group, with the option to add more.

User-Defined UI Persistency

Users can now return to previously visited pages with their filters, sorting, and view state preserved - whether using the browser's back button or in-app navigation. In addition, users can save custom views as their default, eliminating the need to reapply the same filters and sorting daily.

This enhancement is especially helpful on pages with customizable tables, where many users follow the same steps every day to get started.

Engineering Dashboard for Analytics

The new Engineering Dashboard in Analytics helps organizations manage application security visibility across complex engineering structures. It introduces dynamic data segmentation by project, application, tag, and group (such as teams or departments), aligning key performance indicators with the actual organizational context.

This update enables clearer communication of trends and status across the enterprise, supports identification of responsible teams, and improves decision-making on where attention is needed.

New KPI: Vulnerabilities by Aging and Severity

GA: By August 17, 2025

A new KPI, Vulnerabilities by Aging and Severity, is now available in Analytics to help organizations monitor how vulnerabilities evolve over time based on severity. This metric provides visibility into remediation efficiency, allowing teams to assess alignment with SLA targets and overall risk management goals.

By tracking aging trends, security teams can prioritize efforts on high-severity issues, evaluate remediation performance over time, and identify areas that require intervention. The KPI also includes drill-down functionality, offering a detailed list of vulnerabilities that can be shared directly with development teams for faster resolution.

IDE KPI

The new IDE KPI in Analytics tracks developer activity through IDE plugins and CLI tools to measure the adoption of Shift Left security practices. This KPI helps organizations evaluate how proactively security is being integrated into the development workflow.

Enhanced Project Visibility with Application Associations

To improve visibility into project-application associations, an Applications column has been added to the Projects page. This column displays which applications a project is associated with.

Container Security

Azure Container Registry (ACR) Integration

You can now integrate ACR private registries with Checkmarx One, enabling the Checkmarx One Containers scanner to scan images in the registry. We provide a convenient wizard for setting up the integration.

For more information, see documentation.

Red Hat Quay Integration

You can now integrate Red Hat Quay private registries with Checkmarx One, enabling the Checkmarx One Containers scanner to scan images in the registry. We provide a convenient wizard for setting up the integration.

For more information, see documentation.

SBOM for Containers Scanner

We now support including data identified by the Containers scanner in SBOM reports. When generating an SBOM for an application, you can now select which scanners to include in the report, SCA and/or Containers. This will increase visibility into all of the open source components used in your application.

To learn more about Checkmarx One SBOM Reports, click here.

IaC

  • Updated IaC Engine to version 2.1.11.

  • Fixed an issue that caused unstable scan behavior, where results alternated between pass and fail.

  • Resolved an issue that caused scans to fail with an unexpected error.

  • Addressed a specific case where a JSON file caused the scan to fail.

Resolved issues

Ticket number

Description

AST-100960

An error occurred while updating the webhook.

AST-100551

The DAST CLI crashed due to an unexpected error occurring within the BuildErr function in the utilities module.

AST-99634

APISEC | KICS-runner scan took too long due to incorrect filter.

AST-97047

Project conversion failed due to insufficient permissions.

AST-101268

Scan duration was shown as 00:00:00 when run via CLI.

AST-95090

Highlighting for CORS misconfiguration was not displaying.

SCA-23324

Packages wouldn’t open, UI kept loading indefinitely.

SCA-23085

Scans took almost 4 hours to complete.

SCA-22905

SCA Inventory and Risks were not accessible.

AST-101245

SAST-RM memory leak.

AST-99270

Query Editor was not showing results.

AST-98445

Triage imported from CxSAST was not shared with other projects within the same application.

AST-98413

Project tags always appeared as "..." (collapsed).

AST-91216

Meta-results-processor encountered an error while processing engine ETL results.

AST-100506

In the new IAM UI, the Mapper Name field cleared every time the Mapper Type field was changed.

AST-99907

The Checkmarx service access option was not showing in IAM General Settings.

AST-99927

Query Editor result history inconsistent across identical queries - duplicates or missing results

AST-99690

Duplicate projects appeared on the projects page

AST-99341

Container scans failed starting from 29/05

AST-99301

Publication dates differed between Checkmarx One and the official source

AST-98443

Description for sort parameter at /api/scans in Swagger didn't match the execution

AST-96696

Support was added for new Syft package types in container extractors

AST-96233

Project report generation via API failed

AST-95747

There was a spelling error in the "Initiator" filter on the Scans page

AST-93982

Container scans failed with Exit Code 137

AST-93370

Scan times in the UI were inconsistent

AST-93360

Container scans showed false positives

AST-93287

A non-vulnerable package was incorrectly flagged as vulnerable

AST-93280

Policies were not flagged as violated despite meeting conditions

AST-92439

Old container security scans were not deleted

AST-88922

SAST scans triggered by GitHub scanned the wrong file

AST-88606

Engine log downloads over 500MB returned a file with "undefined"

AST-86772

SAST result statuses were inconsistent (New/Recurrent)

AST-84285

Resolved Vulnerabilities Report showed identical detection and resolution dates in certain scan sequences

AST-90978

Scans got stuck when using the Docker --user flag

SCA-23118

Pod execution stopped responding

SCA-2224

Identical manifests produced different results

AST-95964

Deleting one protected branch removed all protected branches

AST-92180

SCA triage decisions were not reflected in Policy Management

AST-93058

Retrieving sources triggered an invalid port number error

AST-94810

Audit Trail API documentation lacked date range parameters

AST-101847

Code Repository tab was visible for manually created projects via API

AST-101623

The application overview always showed 0% for scanner type/scan origin

AST-84284

The Back button did not work on the IaC results page

AST-100500

The Authorization tab displayed service users incorrectly

AST-93890

SCM import did not save criticality level

AST-99146

PR decoration failed with "RESOURCE_EXHAUSTED" due to large SAST result sets

AST-99906

SCA Auto PullRequest created empty PRs when no remediation was available