- Checkmarx Documentation
- Checkmarx One
- Release Notes
- Upcoming Single-Tenant Version | 3.62
Upcoming Single-Tenant Version | 3.62
New Features and Enhancements
Audit Trail Coverage for SAST Result Triage
The Audit Trail now includes full visibility into SAST result triage activity. All changes to finding severity, state, and notes are captured with before and after values, including the user identity, timestamp, bulk action indication, and triage method (similarity-based or attack-vector-based). Users can access these events via the Audit Trail API.
This enhancement strengthens governance and compliance readiness, enables accurate forensic analysis of finding changes, and provides complete traceability for manual and bulk triage workflows.
Audit Trail Support for Analytics and Reporting
Analytics and Reporting actions are now captured in the Checkmarx One Audit Trail, improving visibility into report-related activities performed by users and system integrations.
Relevant events are logged through the centralized Audit Trail framework using a standardized schema, supporting compliance, security investigations, and operational transparency. This enhancement extends audit coverage to reporting workflows initiated through integrations, APIs, and automation, ensuring consistent tracking across the platform.
Added Scan Scope Settings for AI Supply Chain
You can now control the scope of AI Supply Chain scans by configuring include and exclude rules at both the global and project levels.
Exclude rules always take precedence over include rules, and configuration changes apply to subsequent scans only.
These settings follow the same patterns used by other Checkmarx One scanners, ensuring a consistent configuration experience across the platform. Teams can reduce scan noise by targeting only the files and paths relevant to their work, without changing how scans are executed or results are interpreted.
AI Supply Chain Security Scanner Support in CLI
The Checkmarx One CLI now supports AI Supply Chain Security (AISC) as a standalone scanner type. Organizations can trigger AISC scans using the same workflow and commands used for other supported scanners, providing a consistent scanning experience across the platform.
Scanner availability is controlled by licensing, ensuring that AISC capabilities are available only to entitled customers. This addition does not affect existing scanner types, commands, or workflows.
SAST Attack Vector ID Grouping
Added a new grouping option based on Attack Vector ID, offering more precise, flow‑aware grouping than the default Similarity ID.
Each Attack Vector ID uniquely reflects the programming language, the vulnerability query, and the exact data‑flow path involved. Because any change to language, query, or flow produces a new ID, this grouping provides clearer separation of findings and supports more effective triage. See here for more information.
Risk Orchestration
Risk Orchestration provides a unified view of all scan results across your security engines in a single, consolidated table. Instead of reviewing findings separately in each scanner, you can see everything in one place, organized by severity, and act on it without switching contexts.
Risk Orchestration is designed for everyone involved in application security:
Developers can quickly locate and understand specific vulnerabilities in their code, review fix suggestions, and see exactly which file and line is affected.
AppSec managers can monitor vulnerability trends across projects, track triage activity, and see who initiated each scan, helping identify whether development teams are reducing the vulnerabilities they introduce over time.
CISOs can assess overall risk exposure at a glance, prioritize internet-facing assets, and have confidence that all scanner results are visible in one authoritative view.
For more information, see Risk Orchestration.
AI Triage and Remediation
Notice
This feature is now generally available. Please contact your Checkmarx sales representative for a free trial.
Checkmarx One now offers AI Triage & Remediation, an AI-assisted capability that helps you evaluate and fix vulnerabilities with less manual effort. The AI Triage agent analyzes new risks for reachability and exploitability, distinguishing theoretical risk from concrete, exploitable risk, while the AI Remediation agent generates suggested code fixes, creating a pull request automatically for Code Repository Integration projects, or providing in-app guidance for other project types. There are three ways to run these actions:
Manual Activation – Launch AI Triage or Remediation for a specific risk directly from Risk Orchestration
Automated Workflow – Configure criteria at the account or project level so AI Triage runs automatically whenever a scan completes.
PR Decoration Workflow – For GitHub Code Repository Integration projects, run AI Triage automatically on pull requests and request remediation directly from a pull request comment.
By combining automated risk analysis with AI-generated fixes, this feature reduces the manual effort required to distinguish real risk from noise and speeds up remediation without disrupting existing development workflows. A dedicated dashboard lets you monitor adoption and outcomes across your organization, and a separate credit usage view helps you track and manage consumption.
Note
A Checkmarx Credits license with sufficient available credits is required, as both AI Triage and AI Remediation consume credits per run.
Current limitations:
Supported for the SAST and SCA scanners only.
Initiating AI Triage or Remediation from Risk Orchestration is currently supported for SAST only.
Automatic pull request creation for remediated code is available only for GitHub Code Repository Integration projects.
AI Remediation must be launched manually (via Risk Orchestration or the pull request workflow) — it cannot be triggered through automatic configuration.
For more information, see AI Triage & Remediation.
Credit Consumption Overview Page
Notice
Currently Checkmarx AI Credits are consumed by AI Triage & Remediation activities. We will soon introduce additional AI features that will also consume credits.
Checkmarx One now includes a Credit Consumption Overview page that gives administrators full visibility into AI credit usage across their tenant. Accessible from the administration area, the page consolidates several views into one place:
Remaining credit balance at a glance
Usage patterns over a rolling 30-day window
The top consumers driving credit usage
Cost distribution broken down by action type
A forecast of when credits are expected to be depleted
Non-Dismissible Confidential Header Banner
Checkmarx One now supports a persistent Confidential banner displayed in the header across pages, which cannot be dismissed by users. The banner is enabled per tenant by Checkmarx and supports custom text, such as "Internal Use Only," to match an organization's data classification terminology.
In addition, exported PDF reports now display a Confidential label stamped in the header of every page across all report types, including Scan, Project, Global, and Application reports. The label is centered and consistent with the header banner, ensuring that the confidential classification extends beyond the UI to any report generated and shared outside the platform.
Together, these capabilities help organizations meet internal data classification policies and audit compliance requirements by ensuring that confidential application security data is consistently labeled - whether viewed in the platform or distributed as a document.
AI-BOM Export from Scan Results
Checkmarx One now supports exporting an AI-BOM directly from a project's scan results. Available from the scan results screen or via API, the export generates a CycloneDX-compliant bill of materials that represents the project as the root component, with all AI assets discovered in that scan - such as LLMs, AI SDKs and APIs, AI frameworks, AI agents, and MCP servers and clients - modeled as components connected through dependency relationships.
This gives teams a structured, shareable view of the AI supply chain for an individual project, supporting integration with governance and compliance tools.
LLM Risk Assessment in AI Supply Chain
Checkmarx One now performs deterministic risk assessment for LLMs as part of the AI Supply Chain Engine, with results exposed consistently across the UI, API, and CLI. This gives teams a reliable, unified view of LLM risk wherever they choose to access it.
API to Disconnect Project from Code Repository
An API is now available to disconnect a project's Code Repository Integration and revert it to a manual project, without requiring migration to a different repository. This simplifies the process for teams that need to remove a repository connection, and allows flexible workflows to be built around it rather than relying on repository-to-repository migration.
New Terminology for Code Repository Integration Projects
We have changed the terminology for the two types of Code Repository Integration projects to more accurately reflect the different configuration procedures. Cloud-hosted is now referred to as Managed Setup — indicating that it is a pre-configured procedure prepared by Checkmarx. Self-hosted is now referred to as Custom Setup — indicating that it needs to be configured by the user, but can be used for both self-hosted and cloud-hosted SCM instances. This is a terminology change only; the underlying functionality remains the same.
SCA
Improved Legal Risks Widget Accuracy
The Results by Legal Risks widget in the Scan Overview has been renamed to Legal Risks and now displays only the legal risks shown in the Risks → Legal Risks tab: "Risky effective license", "Package with no effective license", and "Package with no license".
The widget no longer displays "Unknown" categories that do not correspond to any actual risk type. This ensures the Scan Overview accurately reflects your project's legal risk posture and strengthens confidence in the scanner's output.
Combine Net New with SCA Rules
Policy Management now supports combining Net New findings with SCA-specific rules, removing the previous limitation where Net New logic and engine-specific rule configuration were mutually exclusive. When configuring an SCA risk-level rule, you can now select Net New as a status option alongside other filters such as severity and dependency scope. This enables you to create more granular policies, for example, breaking the build only when Net New vulnerabilities are found in production dependencies.
Note
Net New relates only to new vulnerabilities being introduced into the protected branch by a pull request, not to all risks that were identified for the first time by this scan. As such, it is only relevant for Code Repository Integration projects.
Improved npm Dependency Resolution
Improved accuracy of npm dependency resolution for modern projects (npm v7 or later) by leveraging the new native peer dependency resolution when available. This results in more complete dependency trees and broader vulnerability coverage.
Added SCA Package Risk Intelligence API
Checkmarx now offers a new public REST API, POST /api/v1/packages/risks, for querying vulnerability and malware risk data on a batch of software packages in a single call. Consumers submit packages by PURL or by name, type, and version, and use optional parameters to control how much detail is returned, from basic risk scores up to full CVE details and remediation guidance. We also provide a dedicated endpoint for accessing Package Upgrade Recommendations directly from our database.
This gives customers a Checkmarx-native alternative to third-party vulnerability intelligence APIs, simplifying integrations such as SBOM management platforms.
Note
Maximum 100 packages per request.
For more details see the API in our API Reference Guide
Stopped Showing Containers Tab When No Data
The Containers tab is no longer shown in SCA scan results for scans with no container risks, which is now the expected result since Containers scanning runs as a dedicated engine. For scans performed before this change that include container results, the tab continues to be displayed as before. This keeps the scan results view clean and relevant.
IAM
Improved Sorting, Filtering, and Export for Users Table
The Users table in IAM now supports sorting by username, email, status, and last login, along with filtering by status, authentication provider, roles, and groups. Full group membership for each user is visible directly from the table, with the complete list accessible without being limited to a truncated summary. Columns can be resized, and the users list can be exported to CSV, with the export reflecting active filters, sorting, and visible columns.
These enhancements make it easier to analyze users, their access, and identity attributes at scale.
IaC
The IaC version included in this release of Checkmarx One is 2.1.20.
IaC updates are documented in the IaC changelog.
DAST
Dashboard Configuration
Added the ability to hide or display widgets in the Overview tab, with your preferences saved across all environments. Also added a filter-reset option to restore the default view with all widgets visible.
Permission Check Update
Allowed user actions are now validated through their permissions rather than specific roles. Admin users retain their abilities to add, delete, or edit user roles and their associated permissions.
OWASP API Top 10
Added OWASP API Top 10 to Checkmarx One. This includes new tags for OWASP Top Ten 2025 and API Top Ten 2023.
CLI and Plugins Releases of June 2026
CLI Version 2.3.54
The AI Supply Chain Security (AISC) scanner is now supported for use via the CLI. When running the
scan createcommand, you can now addaiscto the list of scanners under--scan-types. You can also retreieve scan results foraiscvia the CLI.Improved SBOM generation capabilities when using SCA Resolver. You can now submit
--sbom-firstunder--sca-resolver-paramsto produce a CycloneDX 1.6 JSON file immediately after dependency resolution completes, covering both manifest-resolved and binary-detected components, and written to the output directory.Additionally, the
scan createcommand now supports a new--no-scanflag. When--no-scanis used together with--sbom-first, the CLI performs dependency resolution and generates an SBOM without submitting a scan to Checkmarx.For more info, see Generating an SBOM During Dependency Resolution
Added the following file extensions to the list of supported files that are included in the .zip archive that is scanned.
*.ac, *.am, *.asax, *.cmake, *.dspf, *.env, *.ftl, *.gsp, *.gtl, *.handlebars, *.ini, *.jade, *.jsf, *.master, *.mf, *.mustache, *.pc, *.ph, *.phk, *.pro, *.rpgle, *.rpg, *.rpg38, *.sqlrpg, *.sqlrpgle, *.toml, *.tsql, *CMakeLists*.txt, *.vue, *.xsaccess, *.xsapp, *.pug, *.lua, *.ec, *.apxc
CI/CD Plugins
In June we released the following CI/CD plugin versions:
Improvements and Bug Fixes
Status | Item | Platform | Description |
|---|---|---|---|
NEW | Scanner | Azure DevOps, GitHub Actions | Added support for AI Supply Chain Security scanner |
Plugin | Marketplace | Code Repository | Documentation | Changelog |
|---|---|---|---|---|
Azure DevOps | https://marketplace.visualstudio.com/items?itemName=checkmarx.checkmarx-ast-azure-plugin | |||
GitHub Actions | https://github.com/marketplace/actions/checkmarx-ast-github-action | |||
Jenkins | ||||
TeamCity | https://github.com/CheckmarxDev/checkmarx-ast-teamcity-plugin |
IDE Plugins
In June we released the following IDE plugin versions:
Improvements and Bug Fixes
Status | Item | Platform | Description |
|---|---|---|---|
NEW | General | Eclipse | General improvements and bug fixes |
NEW | Developer Assist | Visual Studio | We have added Checkmarx Developer Assist to the Visual Studio extension. This new tool empowers developers to identify risks in their code in realtime and harness the power of AI to remediate the risks on the spot. For more information, see documentation |
Get Latest Version from Marketplace | Changelog | Documentation |
|---|---|---|
Resolved Issues
Item | Description |
|---|---|
AST-148797 | The Feedback App failed to create Jira tickets for critical vulnerabilities. |
AST-144975 | Project reports included SAST vulnerabilities in the “Proposed Not Exploitable” state despite the default settings excluding them. |
AST-144685 | Scheduled reports were not delivered by email. |
AST-143810 | Scans failed when importing Azure DevOps On-Prem repositories using a classic TFS-style structure. |
AST-143646 | The Feedback App did not handle Azure Boards users without the bypassRules permission correctly. |
AST-143147 | CSV report generation triggered a panic error. |
AST-143123 | Scan report generation failed when source or destination nodes contained long string values. |
AST-143122 | Repository scan results were inconsistent. |
AST-140361 | Analytics returned a 504 Gateway Timeout error when displaying Mean Time to Resolution by Severity metrics. |
AST-139481 | Query Editor autocomplete for Secret Detection and IaC displayed SAST-related suggestions. |
AST-136498 | Projects list CSV exports ignored the selected application filter. |
AST-135992 | Analytics displayed Secret Detection results in the “To Verify” state even after the state had been changed. |
AST-135246 | Filtering Analytics dashboards by tags did not work. |
AST-133750 | Directly associating a project with an application did not trigger an Analytics update event. |
AST-133534 | Detection dates were calculated incorrectly. |
AST-117726 | Generating CSV reports from SAST Analytics failed or timed out when processing large result sets. |
AST-108645 | Reports did not include all Container Security engine results, resulting in partial data. |
AST-158825 | SAST scans failed when a single MetaResult message exceeded the 16 MiB size limit. |
AST-156165 | Vulnerabilities marked as patched in vendor advisories continued to appear as open issues in Container Security. |
AST-139473 | Project tags disappeared after editing the project. |
AST-122081 | SAST scan configuration parameters displayed incorrect values. |
SCA-26968 | SCA Auto PR changed XML file encoding from UTF-8 to UTF-16 unexpectedly. |
SCA-26669 | Global Inventory recalculation failed when related scans had been deleted. |
SCA-26668 | Fingerprint detection did not work in EU standalone environments. |
SCA-26537 | The SCA results processor failed with an internal error during scan processing. |
SCA-26466 | SCA scans detected packages that were not present in the project. |
SCA-26300 | Maven source resolution fell back to default behavior instead of using the CxLink configuration file. |
Item | Description |
|---|---|
AST-158008 | Access Management pods crashed due to out-of-memory conditions. |
AST-155356 | Audit logs did not capture assignment deletion events. |
AST-151200 | SCA findings were inconsistent across project tabs. |
AST-146176 | Users received an error message after logging in from the Risk Management page, despite being able to continue working. |
AST-144778 | Inconsistent project tagging resulted in duplicate Jira tickets. |
AST-142273 | Filtering the main project list by tag took longer than expected. |
AST-139458 | The SCA "Find Best Package Version" feature in Risk Management used an incorrect artifact name in the Knowledge Center. |
AST-136324 | The displayed scan duration was incorrect. |
AST-133671 | Users could not rename projects linked to external groups unless they were members of those groups. |
AST-144852 | Workflow errors occurred during scans. |
AST-144771 | Patched packages were incorrectly flagged as vulnerable to CVE-2026-24882. |
AST-143853 | Associating DAST environments with applications required permissions that were not available. |
AST-138055 | Remediation recommendations showed an incorrect vulnerability reduction for container image upgrades. |
AST-135081 | API Inventory did not display all endpoints. |
SCA-27209 | The |
AST-160443 | Documentation for audit events required updates. |
AST-160438 | Scans were triggered on the source branch after a pull request was merged. |
AST-160166 | Saving Project Settings rules returned an error. |
AST-158877 | Scans that became stuck in the queue could not be canceled. |
AST-158829 | Container Security incorrectly reported patched packages as vulnerable. |
AST-158685 | The Audit Events API did not record project deletion events. |
AST-158660 | Analytics tag filtering omitted some data when using the enhanced tag model. |
AST-157882 | IAM usernames did not support the + character. |
AST-157834 | Duplicate SAST entries appeared in |
AST-157776 | Project assignments were not applied immediately when DIRECT_APP_ASSOCIATION_ENABLED was disabled. |
AST-156962 | Container scans incorrectly detected patched CVEs. |
AST-156795 | Container Security reported fixed Go CVEs as vulnerable in the latest Go versions. |
AST-156524 | Scans remained in the Running state instead of transitioning to Completed. |
AST-155875 | The Results changelog displayed an incorrect project in the "Done in" field for application-scoped predicate changes. |
AST-152370 | Findings reported in Checkmarx One did not match those reported in ServiceNow. |
AST-151597 | A false positive was reported for CVE-2017-20229. |
AST-151463 | The Java "Reflected XSS" query contained an incomplete description. |
AST-146089 | Scans failed with a "failed to open file for writing" error. |
AST-145342 | Opening an |
AST-145157 | Documentation for the |
AST-145077 | IAM IP address restrictions did not work as expected. |
AST-156693 | Risk Management on the Application page contained a misspelled label. |
SCA-26817 | Previously recurrent SCA vulnerabilities were incorrectly classified as new. |
SCA-26775 | Expected packages were missing from scan results. |