Skip to main content

Upcoming Single-Tenant Version | 3.62

New Features and Enhancements

Audit Trail Coverage for SAST Result Triage

The Audit Trail now includes full visibility into SAST result triage activity. All changes to finding severity, state, and notes are captured with before and after values, including the user identity, timestamp, bulk action indication, and triage method (similarity-based or attack-vector-based). Users can access these events via the Audit Trail API.

This enhancement strengthens governance and compliance readiness, enables accurate forensic analysis of finding changes, and provides complete traceability for manual and bulk triage workflows.

Audit Trail Support for Analytics and Reporting

Analytics and Reporting actions are now captured in the Checkmarx One Audit Trail, improving visibility into report-related activities performed by users and system integrations.

Relevant events are logged through the centralized Audit Trail framework using a standardized schema, supporting compliance, security investigations, and operational transparency. This enhancement extends audit coverage to reporting workflows initiated through integrations, APIs, and automation, ensuring consistent tracking across the platform.

Added Scan Scope Settings for AI Supply Chain

You can now control the scope of AI Supply Chain scans by configuring include and exclude rules at both the global and project levels.

Exclude rules always take precedence over include rules, and configuration changes apply to subsequent scans only.

These settings follow the same patterns used by other Checkmarx One scanners, ensuring a consistent configuration experience across the platform. Teams can reduce scan noise by targeting only the files and paths relevant to their work, without changing how scans are executed or results are interpreted.

AI Supply Chain Security Scanner Support in CLI

The Checkmarx One CLI now supports AI Supply Chain Security (AISC) as a standalone scanner type. Organizations can trigger AISC scans using the same workflow and commands used for other supported scanners, providing a consistent scanning experience across the platform.

Scanner availability is controlled by licensing, ensuring that AISC capabilities are available only to entitled customers. This addition does not affect existing scanner types, commands, or workflows.

SAST Attack Vector ID Grouping

Added a new grouping option based on Attack Vector ID, offering more precise, flow‑aware grouping than the default Similarity ID.

Each Attack Vector ID uniquely reflects the programming language, the vulnerability query, and the exact data‑flow path involved. Because any change to language, query, or flow produces a new ID, this grouping provides clearer separation of findings and supports more effective triage. See here for more information.

Risk Orchestration

Risk Orchestration provides a unified view of all scan results across your security engines in a single, consolidated table. Instead of reviewing findings separately in each scanner, you can see everything in one place, organized by severity, and act on it without switching contexts.

Risk Orchestration is designed for everyone involved in application security:

  • Developers can quickly locate and understand specific vulnerabilities in their code, review fix suggestions, and see exactly which file and line is affected.

  • AppSec managers can monitor vulnerability trends across projects, track triage activity, and see who initiated each scan, helping identify whether development teams are reducing the vulnerabilities they introduce over time.

  • CISOs can assess overall risk exposure at a glance, prioritize internet-facing assets, and have confidence that all scanner results are visible in one authoritative view.

For more information, see Risk Orchestration.

AI Triage and Remediation

Notice

This feature is now generally available. Please contact your Checkmarx sales representative for a free trial.

Checkmarx One now offers AI Triage & Remediation, an AI-assisted capability that helps you evaluate and fix vulnerabilities with less manual effort. The AI Triage agent analyzes new risks for reachability and exploitability, distinguishing theoretical risk from concrete, exploitable risk, while the AI Remediation agent generates suggested code fixes, creating a pull request automatically for Code Repository Integration projects, or providing in-app guidance for other project types. There are three ways to run these actions:

  • Manual Activation – Launch AI Triage or Remediation for a specific risk directly from Risk Orchestration

  • Automated Workflow – Configure criteria at the account or project level so AI Triage runs automatically whenever a scan completes.

  • PR Decoration Workflow – For GitHub Code Repository Integration projects, run AI Triage automatically on pull requests and request remediation directly from a pull request comment.

By combining automated risk analysis with AI-generated fixes, this feature reduces the manual effort required to distinguish real risk from noise and speeds up remediation without disrupting existing development workflows. A dedicated dashboard lets you monitor adoption and outcomes across your organization, and a separate credit usage view helps you track and manage consumption.

Note

A Checkmarx Credits license with sufficient available credits is required, as both AI Triage and AI Remediation consume credits per run.

Current limitations:

  • Supported for the SAST and SCA scanners only.

  • Initiating AI Triage or Remediation from Risk Orchestration is currently supported for SAST only.

  • Automatic pull request creation for remediated code is available only for GitHub Code Repository Integration projects.

  • AI Remediation must be launched manually (via Risk Orchestration or the pull request workflow) — it cannot be triggered through automatic configuration.

For more information, see AI Triage & Remediation.

Credit Consumption Overview Page

Notice

Currently Checkmarx AI Credits are consumed by AI Triage & Remediation activities. We will soon introduce additional AI features that will also consume credits.

Checkmarx One now includes a Credit Consumption Overview page that gives administrators full visibility into AI credit usage across their tenant. Accessible from the administration area, the page consolidates several views into one place:

  • Remaining credit balance at a glance

  • Usage patterns over a rolling 30-day window

  • The top consumers driving credit usage

  • Cost distribution broken down by action type

  • A forecast of when credits are expected to be depleted

Non-Dismissible Confidential Header Banner

Checkmarx One now supports a persistent Confidential banner displayed in the header across pages, which cannot be dismissed by users. The banner is enabled per tenant by Checkmarx and supports custom text, such as "Internal Use Only," to match an organization's data classification terminology.

In addition, exported PDF reports now display a Confidential label stamped in the header of every page across all report types, including Scan, Project, Global, and Application reports. The label is centered and consistent with the header banner, ensuring that the confidential classification extends beyond the UI to any report generated and shared outside the platform.

Together, these capabilities help organizations meet internal data classification policies and audit compliance requirements by ensuring that confidential application security data is consistently labeled - whether viewed in the platform or distributed as a document.

AI-BOM Export from Scan Results

Checkmarx One now supports exporting an AI-BOM directly from a project's scan results. Available from the scan results screen or via API, the export generates a CycloneDX-compliant bill of materials that represents the project as the root component, with all AI assets discovered in that scan - such as LLMs, AI SDKs and APIs, AI frameworks, AI agents, and MCP servers and clients - modeled as components connected through dependency relationships.

This gives teams a structured, shareable view of the AI supply chain for an individual project, supporting integration with governance and compliance tools.

LLM Risk Assessment in AI Supply Chain

Checkmarx One now performs deterministic risk assessment for LLMs as part of the AI Supply Chain Engine, with results exposed consistently across the UI, API, and CLI. This gives teams a reliable, unified view of LLM risk wherever they choose to access it.

API to Disconnect Project from Code Repository

An API is now available to disconnect a project's Code Repository Integration and revert it to a manual project, without requiring migration to a different repository. This simplifies the process for teams that need to remove a repository connection, and allows flexible workflows to be built around it rather than relying on repository-to-repository migration.

New Terminology for Code Repository Integration Projects

We have changed the terminology for the two types of Code Repository Integration projects to more accurately reflect the different configuration procedures. Cloud-hosted is now referred to as Managed Setup — indicating that it is a pre-configured procedure prepared by Checkmarx. Self-hosted is now referred to as Custom Setup — indicating that it needs to be configured by the user, but can be used for both self-hosted and cloud-hosted SCM instances. This is a terminology change only; the underlying functionality remains the same.

SCA

Improved Legal Risks Widget Accuracy

The Results by Legal Risks widget in the Scan Overview has been renamed to Legal Risks and now displays only the legal risks shown in the Risks → Legal Risks tab: "Risky effective license", "Package with no effective license", and "Package with no license".

The widget no longer displays "Unknown" categories that do not correspond to any actual risk type. This ensures the Scan Overview accurately reflects your project's legal risk posture and strengthens confidence in the scanner's output.

Combine Net New with SCA Rules

Policy Management now supports combining Net New findings with SCA-specific rules, removing the previous limitation where Net New logic and engine-specific rule configuration were mutually exclusive. When configuring an SCA risk-level rule, you can now select Net New as a status option alongside other filters such as severity and dependency scope. This enables you to create more granular policies, for example, breaking the build only when Net New vulnerabilities are found in production dependencies.

Note

Net New relates only to new vulnerabilities being introduced into the protected branch by a pull request, not to all risks that were identified for the first time by this scan. As such, it is only relevant for Code Repository Integration projects.

Improved npm Dependency Resolution

Improved accuracy of npm dependency resolution for modern projects (npm v7 or later) by leveraging the new native peer dependency resolution when available. This results in more complete dependency trees and broader vulnerability coverage.

Added SCA Package Risk Intelligence API

Checkmarx now offers a new public REST API, POST /api/v1/packages/risks, for querying vulnerability and malware risk data on a batch of software packages in a single call. Consumers submit packages by PURL or by name, type, and version, and use optional parameters to control how much detail is returned, from basic risk scores up to full CVE details and remediation guidance. We also provide a dedicated endpoint for accessing Package Upgrade Recommendations directly from our database.

This gives customers a Checkmarx-native alternative to third-party vulnerability intelligence APIs, simplifying integrations such as SBOM management platforms.

Note

Maximum 100 packages per request.

For more details see the API in our API Reference Guide

Stopped Showing Containers Tab When No Data

The Containers tab is no longer shown in SCA scan results for scans with no container risks, which is now the expected result since Containers scanning runs as a dedicated engine. For scans performed before this change that include container results, the tab continues to be displayed as before. This keeps the scan results view clean and relevant.

IAM

Improved Sorting, Filtering, and Export for Users Table

The Users table in IAM now supports sorting by username, email, status, and last login, along with filtering by status, authentication provider, roles, and groups. Full group membership for each user is visible directly from the table, with the complete list accessible without being limited to a truncated summary. Columns can be resized, and the users list can be exported to CSV, with the export reflecting active filters, sorting, and visible columns.

These enhancements make it easier to analyze users, their access, and identity attributes at scale.

IaC

The IaC version included in this release of Checkmarx One is 2.1.20.

IaC updates are documented in the IaC changelog.

DAST

Dashboard Configuration

Added the ability to hide or display widgets in the Overview tab, with your preferences saved across all environments. Also added a filter-reset option to restore the default view with all widgets visible.

Permission Check Update

Allowed user actions are now validated through their permissions rather than specific roles. Admin users retain their abilities to add, delete, or edit user roles and their associated permissions.

OWASP API Top 10

Added OWASP API Top 10 to Checkmarx One. This includes new tags for OWASP Top Ten 2025 and API Top Ten 2023.

CLI and Plugins Releases of June 2026

CLI Version 2.3.54

  • The AI Supply Chain Security (AISC) scanner is now supported for use via the CLI. When running the scan create command, you can now add aisc to the list of scanners under --scan-types. You can also retreieve scan results for aisc via the CLI.

  • Improved SBOM generation capabilities when using SCA Resolver. You can now submit --sbom-first under --sca-resolver-params to produce a CycloneDX 1.6 JSON file immediately after dependency resolution completes, covering both manifest-resolved and binary-detected components, and written to the output directory.

    Additionally, the scan create command now supports a new --no-scan flag. When --no-scan is used together with --sbom-first, the CLI performs dependency resolution and generates an SBOM without submitting a scan to Checkmarx.

    For more info, see Generating an SBOM During Dependency Resolution

  • Added the following file extensions to the list of supported files that are included in the .zip archive that is scanned.

    *.ac, *.am, *.asax, *.cmake, *.dspf, *.env, *.ftl, *.gsp, *.gtl, *.handlebars, *.ini, *.jade, *.jsf, *.master, *.mf, *.mustache, *.pc, *.ph, *.phk, *.pro, *.rpgle, *.rpg, *.rpg38, *.sqlrpg, *.sqlrpgle, *.toml, *.tsql, *CMakeLists*.txt, *.vue, *.xsaccess, *.xsapp, *.pug, *.lua, *.ec, *.apxc

CI/CD Plugins

In June we released the following CI/CD plugin versions:

  • Azure DevOps Plugin - 3.0.23 (uses CLI v2.3.54)

  • GitHub Actions Plugin - 2.3.38 (uses CLI v2.3.54)

Improvements and Bug Fixes

Status

Item

Platform

Description

NEW

Scanner

Azure DevOps, GitHub Actions

Added support for AI Supply Chain Security scanner

IDE Plugins

In June we released the following IDE plugin versions:

  • Eclipse - 2.1.16 (uses CLI v2.3.54)

  • Visual Studio - 4.4.14 (uses CLI v2.3.53)

Improvements and Bug Fixes

Status

Item

Platform

Description

NEW

General

Eclipse

General improvements and bug fixes

NEW

Developer Assist

Visual Studio

We have added Checkmarx Developer Assist to the Visual Studio extension. This new tool empowers developers to identify risks in their code in realtime and harness the power of AI to remediate the risks on the spot.

For more information, see documentation

Resolved Issues

Item

Description

AST-148797

The Feedback App failed to create Jira tickets for critical vulnerabilities.

AST-144975

Project reports included SAST vulnerabilities in the “Proposed Not Exploitable” state despite the default settings excluding them.

AST-144685

Scheduled reports were not delivered by email.

AST-143810

Scans failed when importing Azure DevOps On-Prem repositories using a classic TFS-style structure.

AST-143646

The Feedback App did not handle Azure Boards users without the bypassRules permission correctly.

AST-143147

CSV report generation triggered a panic error.

AST-143123

Scan report generation failed when source or destination nodes contained long string values.

AST-143122

Repository scan results were inconsistent.

AST-140361

Analytics returned a 504 Gateway Timeout error when displaying Mean Time to Resolution by Severity metrics.

AST-139481

Query Editor autocomplete for Secret Detection and IaC displayed SAST-related suggestions.

AST-136498

Projects list CSV exports ignored the selected application filter.

AST-135992

Analytics displayed Secret Detection results in the “To Verify” state even after the state had been changed.

AST-135246

Filtering Analytics dashboards by tags did not work.

AST-133750

Directly associating a project with an application did not trigger an Analytics update event.

AST-133534

Detection dates were calculated incorrectly.

AST-117726

Generating CSV reports from SAST Analytics failed or timed out when processing large result sets.

AST-108645

Reports did not include all Container Security engine results, resulting in partial data.

AST-158825

SAST scans failed when a single MetaResult message exceeded the 16 MiB size limit.

AST-156165

Vulnerabilities marked as patched in vendor advisories continued to appear as open issues in Container Security.

AST-139473

Project tags disappeared after editing the project.

AST-122081

SAST scan configuration parameters displayed incorrect values.

SCA-26968

SCA Auto PR changed XML file encoding from UTF-8 to UTF-16 unexpectedly.

SCA-26669

Global Inventory recalculation failed when related scans had been deleted.

SCA-26668

Fingerprint detection did not work in EU standalone environments.

SCA-26537

The SCA results processor failed with an internal error during scan processing.

SCA-26466

SCA scans detected packages that were not present in the project.

SCA-26300

Maven source resolution fell back to default behavior instead of using the CxLink configuration file.

Item

Description

AST-158008

Access Management pods crashed due to out-of-memory conditions.

AST-155356

Audit logs did not capture assignment deletion events.

AST-151200

SCA findings were inconsistent across project tabs.

AST-146176

Users received an error message after logging in from the Risk Management page, despite being able to continue working.

AST-144778

Inconsistent project tagging resulted in duplicate Jira tickets.

AST-142273

Filtering the main project list by tag took longer than expected.

AST-139458

The SCA "Find Best Package Version" feature in Risk Management used an incorrect artifact name in the Knowledge Center.

AST-136324

The displayed scan duration was incorrect.

AST-133671

Users could not rename projects linked to external groups unless they were members of those groups.

AST-144852

Workflow errors occurred during scans.

AST-144771

Patched packages were incorrectly flagged as vulnerable to CVE-2026-24882.

AST-143853

Associating DAST environments with applications required permissions that were not available.

AST-138055

Remediation recommendations showed an incorrect vulnerability reduction for container image upgrades.

AST-135081

API Inventory did not display all endpoints.

SCA-27209

The recommendedVersion field in the Results API was empty for recent scans, although the UI displayed the remediation version.

AST-160443

Documentation for audit events required updates.

AST-160438

Scans were triggered on the source branch after a pull request was merged.

AST-160166

Saving Project Settings rules returned an error.

AST-158877

Scans that became stuck in the queue could not be canceled.

AST-158829

Container Security incorrectly reported patched packages as vulnerable.

AST-158685

The Audit Events API did not record project deletion events.

AST-158660

Analytics tag filtering omitted some data when using the enhanced tag model.

AST-157882

IAM usernames did not support the + character.

AST-157834

Duplicate SAST entries appeared in statusInfoList when SkipSastScan=true and SAST was present in the engine map.

AST-157776

Project assignments were not applied immediately when DIRECT_APP_ASSOCIATION_ENABLED was disabled.

AST-156962

Container scans incorrectly detected patched CVEs.

AST-156795

Container Security reported fixed Go CVEs as vulnerable in the latest Go versions.

AST-156524

Scans remained in the Running state instead of transitioning to Completed.

AST-155875

The Results changelog displayed an incorrect project in the "Done in" field for application-scoped predicate changes.

AST-152370

Findings reported in Checkmarx One did not match those reported in ServiceNow.

AST-151597

A false positive was reported for CVE-2017-20229.

AST-151463

The Java "Reflected XSS" query contained an incomplete description.

AST-146089

Scans failed with a "failed to open file for writing" error.

AST-145342

Opening an mcp.json file triggered an unexpected Copilot Chat prompt.

AST-145157

Documentation for the /api/audit-events REST API required updates.

AST-145077

IAM IP address restrictions did not work as expected.

AST-156693

Risk Management on the Application page contained a misspelled label.

SCA-26817

Previously recurrent SCA vulnerabilities were incorrectly classified as new.

SCA-26775

Expected packages were missing from scan results.