Upcoming Single-Tenant Version | 3.58

The Audit Trail now includes full visibility into scheduled scan activity. This enhancement logs all key actions related to scheduled scans, including creation, updates, enable/disable actions, deletions, and execution events (triggered, failed, or skipped). Users can access these events via the New Audit Trail API.

By extending audit coverage to scheduled scans, this feature strengthens governance and compliance readiness, enables accurate forensic analysis, and provides complete traceability for scan automation workflows.

You can now view the full file path for nodes in SAST Results Viewer, making it easier to understand the scope of a vulnerability and improve triage. Clicking a node reveals its full file path. Multiple nodes may originate from the same file or from different files.

Container scan results now include CVSS score, affected version range, fix version, and advisory rating for OS-level package vulnerabilities, based on official distribution sources (e.g., OVAL, Alpine SecDB, Red Hat advisories). The NVD score serves as the primary severity score, while advisory scores and ratings from individual vendors are shown as supplementary context and may not always match the NVD score.

This data is available across the UI, API (GraphQL, gRPC), CLI, and exports.

With this enhancement, you can quickly determine whether vulnerabilities are fixable, prioritize issues based on authoritative NVD severity scores, and make more informed risk and patching decisions for base image vulnerabilities.

The Microsoft Teams integration used by Feedback Apps has been updated to replace the deprecated Office 365 Connectors with Microsoft’s supported Teams webhook mechanism.

This change ensures continued delivery of feedback notifications to Teams channels following Microsoft’s connector retirement. Customers will need to update their Teams webhook configuration after deployment using the new Microsoft Teams Workflows webhook URL.

Cloud Insights now leverages AI to enhance container image detection and correlation in three key areas:

Cloud Insights now highlights changes in vulnerability counts between the image currently in production and the latest project scan. A new Image → Latest Scan column in the Cloud Insights Inventory clearly shows the delta, helping teams identify risk increases before code is deployed.

You can filter projects by security trend and sort by total delta to quickly pinpoint areas where risk is rising. This makes it easier to assess the impact of upcoming releases, prioritize remediation efforts, and prevent vulnerable code from reaching production.

For more information, see Cloud Insights.

Checkmarx One now suggests relevant documentation articles in real time as users begin typing in the Subject field when creating a support case in the UI.

Suggestions include the article title, a short summary, and a direct link to the documentation, helping users quickly find answers and potentially avoid opening a ticket.

For more information, see Contacting support.

Checkmarx One Risk Management now supports assigning findings to specific users or groups, enabling clear ownership and more efficient remediation workflows.

A new Attribution column allows authorized users to assign or remove users and groups per finding. Assignments are limited to users within the tenant and require appropriate permissions, ensuring only relevant users can be selected. Changes are reflected in real time across all consuming systems.

To support governance, a new permission - manage-vulnerability-assignees - is introduced and must be combined with existing update permissions to modify assignments. Assigned users can optionally receive email notifications, helping ensure timely awareness and action.

This feature improves accountability, reduces duplicate work, and streamlines risk management by ensuring each finding has a clear owner.

For more information, see Risk Attribution.

For Azure DevOps (ADO) Code Repository integrations the use the "Self-Hosted" flow, we now support organization-scoped Personal Access Tokens (PATs). This removes the need to use Global PATs, which grant excessive permissions and are planned for deprecation by Microsoft.

Users can configure integrations by providing a PAT scoped to a specific organization, with validation performed against that organization during setup. Only the organization associated with the PAT is displayed. If you would like to include multiple organizations in a single configuration, you can create a separate PAT for each organization and, in the setup wizard, click Add Organization to submit the additional PATs.

This update improves security, flexibility, and long-term compatibility.

For more information, see Azure DevOps Self-Hosted.

The REST API for creating new Code Repository Integration projects now supports Azure DevOps (ADO) (in addition to existing support for GitHub). For more information, see API documentation.

When source code, engine version, query configuration, and SAST settings are unchanged between scans, a triggered scan previously returned a status of Completed, incorrectly implying that new results were generated. To improve clarity, we have added a new scan status, "No Code Changed," indicating that the scan would have returned no new results. In these cases, the scan is cancelled, the new status is displayed, and the project's findings remain unchanged. This applies to scans triggered through the UI, API, or CI pipelines.

Checkmarx One now supports dependency resolution for Python 3.14 for scans run in the cloud as well as via SCA Resolver. This enables accurate SCA scanning of Python 3.14 projects, helping to maintain continuous visibility into security and license risk for customers who are adopting the newer Python version.

Checkmarx One now supports dependency resolution for .NET 10 (Long-Term Support), enabling teams to scan NuGet dependencies in .NET 10 projects. As an LTS release, .NET 10 is the preferred target for enterprise and production workloads, making reliable SCA coverage essential for maintaining a secure open-source supply chain over its multi-year support lifecycle.

Checkmarx One now supports dependency resolution for Java 25 (Long-Term Support), enabling teams to scan Maven and Gradle dependencies in Java 25 projects. As an LTS release, Java 25 is the preferred target for enterprise and production workloads, making reliable SCA coverage essential for maintaining a secure open-source supply chain over its multi-year support lifecycle.

When a scan recalculation is run, we now preserve Exploitable Path and Package Usage data from the original scan. Previously, scan recalculation would overwrite exploitability and usage data even when the the underlying source code and dependencies had not changed. With this improvement, risk assessment remains accurate and consistent after recalculation.

We added support for identifying the following licenses that apply to OSS packages: AFL-3.0, CPAL-1.0, OSL-3.0, APSL-2.0, Watcom-1.0 and LPPL-1.3c.

SCA remediation now supports Python and NuGet packages. You can download a remediated manifest file (e.g., requirements.txt for Python and *.csproj for NuGet) with secure package versions directly from the UI or via the export service API. In addition, the Auto Pull Request feature will automatically generate pull requests targeting vulnerable Python packages in the correct repository and branch. Each pull request contains only the secure version changes, along with any associated manifest files required for full remediation.

This expansion brings Python and .NET developers into parity with existing Auto-PR workflows, giving teams both automated and manual remediation paths to address open-source vulnerabilities across a broader range of ecosystems.Learn more about Exporting Remediated Manifest Files and SCA Auto Pull Requests.

You can now upload Selenium scripts in the Authentication step in the Environment Setup Wizard. Selenium scripts are executed whenever ZAP launches a browser through Selenium- for example, during an Ajax Spider scan or while performing manual exploration.

These scripts have full access to the active browser instance, allowing them to interact with it directly. This includes running JavaScript, navigating to URLs, filling out forms, clicking buttons, and modifying localStorage or sessionStorage.

The CLI is now fully aligned with the UI. For more on DAST CLI commands, see here.

Added support for custom states in DAST. Custom states are states that you define to help organize and triage your scan results. For more information on Custom States, see here.

DAST now helps you include all required URLs for full scan coverage and successful authentication.

DAST scans start from the main URL you define, but many applications use additional domains or paths. If these URLs are not included, authentication may fail or parts of the application may not be scanned. DAST now prompts you to include authentication URLs during setup and shows all discovered but non‑included URLs in the authentication report, error messages, and configuration settings so you can easily add the paths that matter.

Insights provide important scan‑related information that isn’t classified as a vulnerability. They flag conditions that can affect scan accuracy or indicate external issues such as authentication failures, blocking mechanisms, or repeated server errors.

If a High‑level Insight is detected, the scan stops and is marked Failed to prevent misleading or incomplete results. A full list of the available insights is viewable here.