Upcoming Single-Tenant Version | 3.44
New Features and Enhancements
Similarity ID Column Added to SAST Results Viewer
The SAST Results Viewer now includes a sortable Similarity ID column, providing quick access to this important attribute.
Redesigned Code Repository Integration Wizard
The new wizard simplifies SCM project setup with a cleaner, more intuitive flow. Core steps are streamlined, while advanced settings are now optional, making it faster and easier for users to connect repositories with minimal configuration.
Cloud Repository Improvements
Show Private Packages Based on SCA
Cloud Insights now identifies private packages based on SCA scan results. This is reflected in the private package data shown in the Inventory table and Attack Path graph.
This ensures consistency with the data shown in the SCA Results Viewer and provides a unified view of private package risks across Checkmarx One.
Manually Map Private Packages to Projects
Cloud Insights now supports manual mapping of private packages to Checkmarx One projects. After Cloud Insights provides an initial mapping based on heuristics, the user can manually specify mapping for unmapped packages or override the automatic mapping for specific packages.
The feature enables you to improve mapping accuracy, helping teams make better-informed security decisions.
Added Enrichment Evidence Log
A new Evidence Log tab is now available in Cloud Insights, displaying a searchable table of all enrichment transactions for each integration account. This includes both incoming enrichments from cloud providers and outgoing enrichments sent to them.
You can apply filters and search the logs. This visibility allows users to track and validate enrichment flows without relying on internal logs.
Added Support for AWS ECS Assets
Cloud Insights now retrieves container data for AWS ECS assets, in addition to existing support for Kubernetes. This is currently supported for Wiz integrations.
Also, you can now group and filter the Inventory page by Asset Type (Kubernetes, ECS or Unknown) and Cluster Name.
This enables broader visibility across diverse deployment platforms, helping users manage risk more comprehensively.
Support for Multiple Consumers in Cloud Connections
Cloud Connections now provide a centralized place to configure integrations across multiple consumers. Instead of setting up connections individually within each consumer, users can create and manage them in one unified view.
Feedback Apps Now Support Container Security
You can now enable the Container Security engine in Feedback Apps. This allows customers to scan container images and report vulnerabilities directly through their existing feedback workflows.
Container Security GraphQL API Documentation
The Container Security GraphQL API provides comprehensive access to container security scan data, allowing clients to query information about scans, images, layers, packages, and vulnerabilities. The API implements a hybrid approach, offering both hierarchical access and flat access patterns to provide maximum flexibility for data retrieval.
New KPI in Analytics API: Full Vulnerability List with Severity Counters
A new KPI was added to the Analytics API to provide a full list of all vulnerabilities (queries) with counters broken down by severity. Unlike the existing mostCommonVulnerabilities KPI, which is limited to the top 100, this new KPI returns an exhaustive dataset.
Query Editor: Edit Overridden and New Queries
GA: August 24, 2025
The Query Editor now allows editing additional parameters for new and overridden queries. Previously, only the Severity field could be modified after creation. With this update, users can also edit:
Query name
Severity
Executable (Yes/No toggle)
CWE ID
Description ID
These changes can be made through the UI or via the API.
SCA
Improved Results for Package Usage and Exploitable Path
In Package results, we now distinguish between packages for which no usage was detected (Not Used) as opposed to packages for which we were not able to calculate usage (Not Calculated). For Not Calculated results we provide the reason why it wasn’t calculated (e.g., unsupported language).
Similarly, in Risk results, we now distinguish between risks for which no Exploitable Path was detected (Not Found) as opposed to results for which we were not able to calculate whether or not there is an Exploitable Path (Not Calculated). For Not Calculated results we provide the reason why it wasn’t calculated (e.g., transitive dependencies are not supported).
Note
This info is shown in the scan results as well as in the Global Inventory.
This improvement will prevent users from mistakenly assuming that their project is safe, when in fact we don’t have enough information to draw that conclusion.
CLI and Plugins Releases of July 2025
CLI Version 2.3.29
Status | Item | Description |
---|---|---|
NEW | Pre-Receive Secret Detection Scans | Added support for running pre-receive secret detection scans, to detect exposed secrets before they are received in your repo. For detailed information about how to use this feature, see documentation. Tip: Supported for self‑hosted instances of GitHub, GitLab, and Bitbucket. |
NEW | SBOM Only Flag | Added the flag Supported for CycloneDX (v1.0-1.6) and SPDX (v2.2) in xml or json format. For more information, see SBOM documentation. Tip: Relevant only when running scans using the SCA scanner. |
UPDATED | PublishedAt Attribute | The |
CLI Version 2.3.28
Status | Item | Description |
---|---|---|
NEW | Primary Branch Flag | Added a new flag, |
NEW | Log Files Flag | Added a new flag, |
UPDATED | Image Resolution | By default, resolution of images for Container Security scans is now done in the cloud. This enables scans run via CLI to access private registries using the Private Registry Integrations set up in Checkmarx One. There is still an option to run scans locally, using the |
FIXED | IaC Security Scan Files | Fixed issue that |
CLI Version 2.3.27
General improvements and bug fixes.
CI/CD Plugins
In July we released the following CI/CD plugin versions:
Azure DevOps Plugin - 3.0.13 (uses CLI v2.3.27)
GitHub Actions - 2.3.21 (uses CLI v2.3.27)
Jenkins - 2.0.13-811.v7b_b_98716e646 (uses CLI v2.3.29)
Improvements and Bug Fixes
Status | Item | Platform | Description |
---|---|---|---|
UPDATED | Logo | Azure DevOps | Updated the logo. |
UPDATED | README File | Azure DevOps, GitHub Actions | Updated the README file. |
Plugin | Marketplace | Code Repository | Documentation | Changelog |
---|---|---|---|---|
Azure DevOps | https://marketplace.visualstudio.com/items?itemName=checkmarx.checkmarx-ast-azure-plugin | |||
GitHub Action | https://github.com/marketplace/actions/checkmarx-ast-github-action | |||
TeamCity | https://github.com/CheckmarxDev/checkmarx-ast-teamcity-plugin | |||
Jenkins |
Resolved issues
Ticket number | Description |
---|---|
AST-101425 | Resolved the Containers AWS ECR integration issue. |
AST-101042 | Experienced UI freezes when clicking the "filters" button in the Container Scan Results window. |
AST-99625 | "Containers-file-folder-filter" did not filter as expected. |
AST-99627 | "If-in-group" permissions did not allow changing state. |
AST-98449 | Found inconsistencies in Containers Security results in Checkmarx One. |
AST-98384 | CLI scans failed due to insufficient space when writing to the /tmp folder. |
AST-98382 | Dockerfile.ubi9 scan returned zero results via GitHub Actions. |
AST-89854 | Displayed confusing or unclear information on the Containers Security scanner UI page. |
AST-98433 | Identified a false positive for Terraform IAM Group Without Users in KICS. |
AST-98288 | Flagged a false negative for IAM Policy granting full permissions in KICS. |
AST-94893 | Improved volume mount handling with OS directory write permissions. |
AST-92897 | Flagged a false positive for Storage Account not enforcing HTTPS in KICS. |
AST-87254 | Flagged a false positive for generic private keys in Passwords and Secrets. |
AST-85090 | Flagged a false positive for Terraform MSSQL Server Auditing Disabled in KICS. |
AST-84874 | Identified a false positive for IAM Group Without Users. |
AST-82101 | Flagged a false negative for Passwords and Secrets. |
AST-82029 | Flagged a false positive for Storage Account not enforcing HTTPS. |
AST-81770 | Identified a false positive for missing flag in DNF install. |
AST-74743 | Flagged a false positive for generic passwords in Passwords and Secrets in KICS. |
AST-68530 | Flagged various false positives in KICS. |
SCA-23468 | Improved responsiveness and performance in SCA inventory and risk views. |
SCA-22720 | Resolved issues when hiding Dev and Test dependencies. |
SCA-23383 | Encountered errors when downloading an SCA report. |
AST-103953 | Application Risk Management page appeared empty. |
AST-102782 | Clicking Vulnerabilities by Scan Type in Project Overview opened a blank tab. |
AST-98399 | Encountered thousands of exceptions during data retention flow following project deletion. |
AST-102548 | The Save button in project settings did not display a notification, though settings were saved. |
AST-92509 | Updated documentation for the project conversion API. |
AST-106760 | The Auto PR feature removed customer’s branches. |
AST-104422 | It was not possible to update a custom item type with an inherited field in ADO using the pipeline's additional parameter |
AST-103867 | Jira integration failed to get server info from Jira (during the scan in flow-publisher) but the connection was established successfully in the configuration. |
AST-102576 | Customer's tags in an Azure Boards work item were removed after a new scan. |
AST-100922 | The search for a protected branch couldn’t find all branches when their number exceeded 400. |
AST-102556 | A potential memory leak in |
AST-101367 | Corrected issue where exporting CSV results from drill-down views included all vulnerabilities instead of only filtered ones. |
AST-100775 | Missing data in the container report. |
AST-89801 | Improved report generation to support large reports without failure. |
SCA-23512 | Scan results failed to save to the database after multiple retry attempts. |
SCA-23493 | Fixed a Windows-specific issue where ScaResolver failed to resolve Bower manifest files. |
SCA-23402 | Corrected SourceResolver to properly save the dependency name in ScanResults. |
AST-107746 | Scans were getting stuck in the scan queue. |
AST-105998 | Resolved a configuration issue causing private (CLI) DAST scans to fail report generation. |
AST-105847 | Fixed an issue preventing the ZAP recorder from working with public web targets. |
AST-105206 | The Environments page was creating an API Key on every open. |
AST-105076 | Authentication was failing due to session and verification mismatches. |
AST-104811 | Corrected handling of the default backslash (\) in DAST run commands for terminals where it was not interpreted correctly. |
AST-100786 | Updated KICS query to correctly identify inline rules. |
AST-100634 | DAST failed to upload scan results. |
AST-100062 | Fixed a false positive in KICS for "Image Version Not Explicit". |
AST-98817 | Fixed a false negative in KICS for terraform.S3 buckets missing public access restrictions. |
AST-98792 | Updated KICS query to correctly detect when a web app is not using the latest TLS version on ARM platforms. |
AST-98286 | Fixed false positive in KICS for "API Gateway Method Does Not Contain an API Key". |
AST-95994 | An error in iac-runner-nv was causing scans to fail unexpectedly. |
AST-94816 | Updated Audit Trail API documentation to include the optional parameters "From" and "To". |
AST-94574 | Fixed false positive in KICS for "S3 Bucket Logging Disabled". |
AST-91007 | Applied overrides to common KICS queries for cloud providers. |
AST-105792 | Fixed issue where tagging a project in the project list page cleared the primary branch setting. |
AST-104964 | Enabled opening SCA Results in a separate tab, aligning behavior with SAST Results. |
AST-104482 | Resolved issue where the app did not display results in the Risk Management tab in Singapore production. |
AST-98340 | Fixed issue where projects with assigned groups displayed an empty value in the "Groups" column on the Projects page. |