Upcoming Single-Tenant Version | 3.40
New Features and Enhancements
SAST Engine Upgrade to Version 9.7.3
The SAST engine in Checkmarx One has been upgraded to version 9.7.3. To discover all the new features and updates in the latest version, refer to this page.
Changed Navigation for Viewing SCS Results
The Software Supply Chain tab was removed from the Applications and Projects page. Repository Health and Secret Detection results are now accessed by selecting the SCS scanner in the scan results or on the project details page, similar to all other Checkmarx One scanners.
This will provide a consistent experience across all Checkmarx One scan engines. It is also the first step in a broader product initiative: treating Repository Health and Secret Detection as independent scanners, each with their own scan logic, results, and roadmap.
Feedback Apps Improvements
Support for Multiple Apps in the same system - To improve accuracy and control in multi-app environments, we’ve enhanced the feedback apps functionality to ensure that each app only updates the tickets it originally created, even when multiple apps are configured using the same connection.
Closing tickets when apps are deleted - When you delete a Feedback App, we now automatically close all of the tickets created by that app. This behavior is not supported for GitHub Issues.
Prioritizing high severity results when creating tickets - We now prioritize high severity risks so that if you reach the limit of 2,000 tickets per scanner, the results with the highest priority will be created. For example, if a SAST scan has 1,000 critical + 1,000 high + 1,000 medium results, tickets will only be opened for the critical and high results.
Unique Result ID in Results API Response
The GET /results API response now includes a new field: alternateId. This field provides a unique identifier for each result and is currently supported for the following scanners: IaC, SAST, SCA, SSCS Secret Detection, and SSCS Scorecard.
Note
Container Security results are not yet supported.
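One practical use of a stable per-result identifier is comparing two scans of the same project to see which results are new, which were fixed, and which persist. The following is an added example, not Checkmarx code; it assumes the GET /results payload is a JSON object with a top-level "results" list and that each result carries "type", "severity" and "state" next to "alternateId" (none of that shape is stated on this page). The sample payloads are constructed, and one Container Security result is included without an alternateId to show how results from a scanner that is not yet supported are set aside rather than silently miscounted.

```python
"""Diff two scans' results by the alternateId field (added example, not Checkmarx code).

Assumptions not taken from the release note: the GET /results payload is a JSON
object with a top-level "results" list, and each result carries "type",
"severity" and "state" alongside "alternateId". The sample payloads below are
constructed for this example.
"""
from typing import Dict, List

# Constructed sample: results of the previous scan of a project.
PREVIOUS_SCAN = {
    "results": [
        {"alternateId": "res-0001", "type": "sast", "severity": "HIGH", "state": "TO_VERIFY"},
        {"alternateId": "res-0002", "type": "sca", "severity": "MEDIUM", "state": "TO_VERIFY"},
        {"alternateId": "res-0003", "type": "kics", "severity": "LOW", "state": "TO_VERIFY"},
    ]
}

# Constructed sample: results of the latest scan. The last result has no
# alternateId, modelling the Container Security case the note says is not yet
# supported; it must not be mistaken for a "new" or "fixed" finding.
CURRENT_SCAN = {
    "results": [
        {"alternateId": "res-0001", "type": "sast", "severity": "HIGH", "state": "TO_VERIFY"},
        {"alternateId": "res-0004", "type": "sast", "severity": "CRITICAL", "state": "TO_VERIFY"},
        {"type": "containers", "severity": "HIGH", "state": "TO_VERIFY"},
    ]
}


def index_by_alternate_id(payload: dict) -> Dict[str, dict]:
    """Return a mapping alternateId -> result, skipping results that lack one."""
    indexed: Dict[str, dict] = {}
    for result in payload.get("results", []):
        alt_id = result.get("alternateId")
        if alt_id:
            indexed[alt_id] = result
    return indexed


def count_unkeyed(payload: dict) -> int:
    """Count results that cannot be tracked across scans because they have no alternateId."""
    return sum(1 for r in payload.get("results", []) if not r.get("alternateId"))


def diff_scans(previous: dict, current: dict) -> Dict[str, List[str]]:
    """Classify tracked results as new, fixed or persisting by comparing alternateIds."""
    prev_ids = set(index_by_alternate_id(previous))
    curr_ids = set(index_by_alternate_id(current))
    return {
        "new": sorted(curr_ids - prev_ids),
        "fixed": sorted(prev_ids - curr_ids),
        "persisting": sorted(prev_ids & curr_ids),
    }


if __name__ == "__main__":
    delta = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print(delta)
    print("untracked results (no alternateId):", count_unkeyed(CURRENT_SCAN))
```

Reporting the unkeyed count separately matters for the scanners listed as unsupported: a pipeline that only diffs by alternateId would otherwise report a Container Security finding as absent from both the "new" and "persisting" lists and give a false sense that it was handled.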
Secure Integration with Customer Systems Using CxLink
You can now integrate Checkmarx One with protected customer systems, such as private source code repositories, artifactories, and issue trackers, using CxLink, a secure tunneling proxy powered by Zrok. This new capability eliminates the need to manually configure networks or open firewall ports, making integration faster and easier while preserving security.
Note
This feature will be rolled out gradually to all customers.
Single-tenant users, please contact your CSM to enable it.
Show Info About Matching Algorithms
For each image that was automatically matched with a Checkmarx One project, we now provide a tooltip showing info about how the match was detected.
Mapping an Image to Multiple Source Code Repos
For images that have multiple source code repos associated with them, we now match the image to the main source code project and also show all private packages used by that image. The private package data is shown in the Attack Path visualization as well as in a tooltip in the Inventory table.
In addition to identifying the private packages used by the image, when possible, we also match those packages with Checkmarx One projects of the same name, enabling us to show vulnerability info for those packages.
Export Global API Inventory to CSV
You can now export the full Global API Inventory as a CSV file directly from the UI. The export respects your applied filters and sorting, includes all data across pages, and breaks down risk levels by severity. This makes it easier to share, audit, and analyze API risk data across teams. CSV files are downloaded automatically with a single click.
Cloud Insights | Account Settings
Cloud Insights now allows Checkmarx One admins to configure enrichment settings directly in the UI. Admins can control whether to push SAST or DAST results to Wiz, define the label for extracting repo URLs, and customize blacklist terms to fine-tune the matching algorithm.
This enables greater flexibility for implementing the enrichment.
SCM | CxLink Integration Support
Customers using CxLink can now connect to their SCMs through a secure tunnel instead of relying on direct SCM URLs. This enhancement enables seamless integration in restricted or secured network environments where direct access is blocked, simplifying setup and eliminating the need for firewall or network changes.
Checkmarx One automatically detects when CxLink is in use and routes traffic through the tunnel, ensuring secure and flexible SCM connectivity.
SCA Updates
Application-Level SBOM
Added support for generating SBOM reports on the application level (in addition to existing support for generating an SBOM for a specific project). The report is generated via the Checkmarx One web application (UI) from the Workspace > Projects page.
For more information, see the documentation.
Improvements in the Scan Results - Risks Tab
We have added the following improvements to the Scan Results:
Added the Secure Version column, indicating whether or not a remediated version of the package is available. You can sort and filter for this column. This column was added to both the Packages and Risks tabs.
In the Risks tab, the EPSS score is now shown in a separate column (not under Exploitability). You can now sort and filter for EPSS.
Note
These changes are similar to the changes made in the Global Inventory in version 3.33.
New JFrog Plugin
We released a new Checkmarx One plugin for identifying Software Composition Analysis (SCA) risks in your JFrog Artifactory. The plugin analyzes each of the open source packages in your Artifactory, comparing them against our SCA vulnerability database in order to identify security risks and license requirements. The findings are added as "cx" properties to each artifact, enriching the metadata displayed in the Artifactory UI.
This provides seamless risk visibility within your DevOps workflow, helping you to identify and address vulnerabilities early in the development process.
The plugin allows you to configure compliance thresholds, so that artifacts exceeding these thresholds are automatically marked as non-compliant. Depending on the configuration, such artifacts can be blocked from usage to prevent the use of insecure components.
See the complete documentation here.
Filter SBOM Content
We added the option when generating an SBOM report to exclude Dev and Test dependencies. See how we identify Dev and Test dependencies here.
We also added the option to exclude all licenses that are not designated as “Effective” for that particular package.
IAM Updates
Keycloak Upgrade
Keycloak was upgraded to version 26.1.
UI Refresh
A newly refreshed UI is coming your way! Starting the gradual rollout this week.
We’ve updated the IAM user interface to align with our evolving platform design. While all existing functionality remains unchanged, you’ll notice:
A redesigned landing page with a cleaner, more modern look
Minor UI adjustments for consistency across the platform
No action is required, and all IAM settings, permissions, and workflows continue to function as before.
API Updates
Important
Please be advised that the following API will be deprecated in 3 months, after which it can no longer be used:
Known Issues
For some Access Management phase 1 customers, the Authorization Settings page may not appear upon first login after the upgrade. To fix this, please clear your browser cache and refresh the page.
Resolved Issues
Ticket number | Description |
---|---|
AST-94081 | A null pointer exception occurred during the creation of the Jira issue. |
AST-93503 | An exception was thrown in the new policy management section of the PR decoration flow. |
AST-92700 | Manual scan cancel operations were failing. |
AST-90711 | The |
AST-90688 | The |
AST-89575 | PR comments were not created on Azure DevOps. |
AST-86427 | The Application Risk Management page failed to display results. |
AST-90902 | API secrets were missing in .PLIST files (Secret Detection - [2MS]). |
SCA-22913 | The license list was null instead of an empty list. |
SCA-22893 | The AI Package Finder did not work when using Python. |
SCA-22657 | There was a mismatch between the ScanReport SCA UI and the API regarding |
SCA-22459 | gRPC errors occurred in processors. |
SCA-22303 | The Dev/Test filter did not remove transitive risks that had no vulnerable package path. |
AST-94924 | The |
AST-93294 | Branches could not be fetched using an Azure SSH URL in a manual project. |
AST-93281 | The cache had to be cleared after deploying a new version. |
AST-92725 | A false negative occurred in KICS for an S3 bucket that allowed delete actions from all principals. |
AST-92676 | The IDP Initiated flow URI did not work in the new AIM UI (regression). |
AST-91509 | The Severity Over Time graph in the project overview did not accurately track vulnerability history. |
AST-91156 | The new IAM UI did not show group paths longer than 50 characters under the user → edit group section. |
AST-89465 | Scans did not work in Checkmarx One but worked via CLI. |
AST-85982 | The small scan button triggered an incorrect link, preventing scan initiation. |
AST-85127 | The |
AST-84173 | The |
AST-73710 | The documentation for the Organization Data section in Account Settings needed updating. |
AST-98668 | Retrieving usernames from Bitbucket tokens caused exceptions. |
AST-97122 | Parent search errors occurred while configuring Jira applications. |
AST-95425 | The API for project conversion failed for some organizations. |
AST-95419 | The |
AST-95308 | Double-encoded organization names with spaces caused integration flow errors. |
AST-95093 | PR decoration URLs were generated incorrectly for Azure. |
AST-93965 | Scans intermittently remained stuck in the "Running" state. |
AST-92515 | Analytics dashboard showed result state mismatches. |
AST-90975 | Generated PDF reports duplicated the latest scan ID and LOC across branches. |
AST-89541 | AWS Linux package versions were not parsed correctly. |
AST-86609 | Scans failed on the blazemeter/taurus:latest container image. |
AST-84657 | The CS scanner failed to detect vulnerable old Alpine images. |
AST-79074 | Vulnerability counts differed between the Summary and Overview pages. |
SCA-23056 | Bulk updates of SCA vulnerability risk states did not work as expected. |
SCA-23055 | Bring Your Own Key (BYOE) functionality failed for SCA. |
SCA-23020 | Scan times were too long. |
SCA-22302 | Report generation failed for specific scans. |
AST-96914 | The remote backend was unreachable. |
AST-96688 | Critical severity appeared unexpectedly in the UI. |
AST-96534 | Onboarding failed. |
AST-95864 | The |
AST-93625 | The Application Risk Management page showed "No Risks" on first access. |
AST-93304 | In VSCode, proxy-only users could not enable the scan button. |
AST-89866 | Scans intermittently returned 500 errors. |
AST-89265 | The CxIAM page failed to load. |
AST-78569 | SCM integrations did not display all groups or allow group search. |
AST-64244 | Scan results differed between the ZAP UI and Checkmarx One. |
AST-94943 | The Settings page showed duplicate IaC presets. |
AST-74900 | The IAM "Friendly Name" attribute in SAML mappers behaved inconsistently. |
AST-94951 | The SAML Identity Provider failed to set the Principal Attribute. |
AST-94573 | The Save button in IAM General Settings was disabled for some tenants. |
AST-92091 | The IAM "Groups, Filters and Dependencies" view showed data without enabling actions. |
AST-89908 | OAuth client edits were not saved in the new IAM UI. |
AST-89783 | Duplicate Identity Providers could be created in the new IAM UI. |
AST-89726 | The Endpoints link was removed from the SAML config page in the new IAM UI. |
AST-88486 | Fixed an issue preventing project deletion when an active session exists. |
AST-92842 | Fixed a false negative in KICS for "S3 bucket allows public policy." |
AST-92725 | Fixed a false negative in KICS for "S3 bucket allows delete action from all principals." |
SCA-23218 | Resolved SBOM scan failure caused by Dart package. |
SCA-23136 | Corrected issue where an "unknown" package was incorrectly labeled. |
SCA-23121 | Fixed license URL pointing to the wrong license. |
SCA-23093 | Fixed license URL pointing to the wrong license. |
SCA-23046 | Resolved timeouts when handling GraphQL requests. |
SCA-23033 | Fixed issue where the usage filter was not functioning properly. |
SCA-22991 | Addressed failures in SCA scans. |
AST-98506 | Fixed issue where 'API-Security Only' scan requests were running only SAST. |
AST-92441 | Updated documentation for flows affected by non-production branch data restrictions. |
AST-92131 | Fixed issue where the job spider failed to access URLs due to |
AST-91177 | Resolved regression where the Select Role button was missing in the new AIM UI for SAML Attribute to Role mapping. |
AST-96683 | Fixed issue where container reports failed to generate in PDF format. |
AST-92445 | Resolved issue where empty reports were generated without notifying users when no production branch was present. |
AST-95602 | Fixed intermittent errors occurring during SCS scans. |
AST-96103 | Resolved scan failure caused by Git submodule name mismatch. |
AST-94413 | Fixed issue where private bots were not being filtered correctly. |
AST-93062 | Corrected contributor developer count showing 0 in license usage. |
AST-98824 | Projects count changes were not reflected on the Projects List page. |
AST-96695 | Some UI elements of "Analytics & Dashboard" were incorrectly translated into Traditional Chinese. |
AST-98662 | After upgrading to IAM version 3.35.1, IDP-initiated SSO no longer functioned in single-tenant environments. |
AST-95720 | The API endpoint for retrieving users returned groups parameter as null. |
AST-94354 | CxIAM, new AIM UI: a user appeared with an empty username and couldn't be deleted. |
AST-92552 | CxIAM: the OAuth client tooltip was not showing the expiration date. |