- Checkmarx Documentation
- Checkmarx One
- Release Notes
- Current Multi-Tenant Version | 3.36
Current Multi-Tenant Version | 3.36
Multi-Tenant release date: April 27, 2025
Warning
The content and dates of these Release Notes are provisional and subject to change.
All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.
Release number | Resolved issues |
|---|---|
3.36.28 | Fixed an issue that caused the |
3.36.26 | Fixed an issue with the left-side navigation panel related to accessing Codebashing from Checkmarx One. |
General Availability Features
Customizable IaC Query Execution with Preset Configurations
Configure the queries IaC executes using preset configurations at the Tenant, Project, CLI, or Config file level. This gives you greater flexibility and control over your security scans, allowing you to tailor query execution to fit your specific workflows and environments.
Cleaner Drilldown View in BYOR Interface
Improved the drilldown view in the Bring Your Own Risk (BYOR) interface. Resolutions are displayed in a cleaner, more readable format, and URLs are now clickable - no more copying and pasting. This improvement makes accessing the right actions or resources faster and easier, simplifying your workflow and making everything more user-friendly.
For more information, see documentation.
Pre-Commit Secret Scanning
The Pre-Commit Secret Scanning feature helps prevent accidental exposure of sensitive information such as passwords, API keys, and access tokens. If secrets are detected, the commit is blocked, and developers receive a detailed report to help remediate the issue.
Note
The feature is available to users with a Secret Detection license.
For more information, see documentation.
Container Security
AWS ECR Integration for Container Security
We now provide an integration with AWS ECR, enabling users to automatically pull images from private ECR repos and scan them using the Checkmarx One Container Security scanner. The integration is done by creating an "Assume Role" in ECR (Role ARN), which grants access to Checkmarx to pull images from your repos.
We provide a convenient wizard on the Checkmarx One Integrations page that enables you to create the integration by submitting info about the "Assume Role" (Role ARN and External ID) that you created, and the repo that you are granting access to.
For more information, see documentation.
Support for .tar Files
Added support for uploading source code as a .tar files (in addition to existing support for .zip) for Container Security scans.
Notice
This feature is not related to the capability of scanning images that are built as .tar files. That capability is supported only when running scans via the CLI.
SCA
SPDX SBOM Scan Improvement
We have improved the accuracy of identification of direct and transitive packages when running an SCA scan on an SPDX format SBOM.
IaC Security
Updated the IaC Security scanner to version 2.1.6.
Updates and Bug Fixes:
Updated the link on the AWS queries to refer to the proper documentation on docs.aws.amazon.com.
Fixed an issue that was causing a false positive on the OpenAPI query.
Fixed an issue that was causing a false positive on the password and secrets query.
Phased Availability Features
Automate Full Project Scans via API
GA: May 4
Schedule full project scans via the API, eliminating the need to manually trigger them through the UI. Configure scans based on specific times, recurrence patterns, and preferred scanners. The API provides clear response codes for success or failure and includes options to disable scheduled scans when needed. This update helps ensure important scans aren't missed, reduces manual effort, and fits seamlessly into your automation workflows.
For more information, see documentation.
ASPM Risk Prioritization Now in Your IDE
GA: May 4
View ASPM risk-scored results directly in your IDE, bringing critical vulnerability prioritization into your daily workflow. Instead of sifting through every finding, you will see what matters most—high-risk issues first, helping you remediate faster and more efficiently. This update aligns the IDE experience with the ASPM model in the web app and reduces noise while enhancing developer adoption.
Container Security
Remediation for Base Images
GA: May 4
We now show remediation suggestions for specific base images. We provide easy navigation between remediation suggestions for the overall image and for the specific base images used in the image.
Package and Image Level Triage
GA: May 4
We now support marking images and packages that were identified by the Container Security as Muted or temporarily Snoozed. This functionality applies in the same manner that it applies to packages identified by the SCA scanner, as explained here.
Status Column
GA: May 4
We added the “Status” column to the results table. This column indicates whether the status of an image has been changed to Muted or Snoozed. It also indicates if a package is “Unresolved”. For Unresolved images, hovering over the status indicator shows a tooltip with an explanation of why the image wasn’t resolved.
SCA
Permission for Management of Licenses
GA: May 4
We now limit who can make changes to a license state. We created a new IAM permission for this action, update-license-state(-if-in-group). By default, this is included in the role ast-risk-manager.
Branch-Based Identification of New Vulnerabilities
GA: May 4
We now enable identification of new vulnerabilities based on comparison to previous scans of the specific branch. The default behavior is now to use the new branch-based approach. There is still an option to apply the previous methodology of project-based identification of new vulnerabilities. This configuration can be set on the tenant, project or scan level.
Bulk Action Triage
GA: May 4
Added a bulk action for triaging (i.e., changing state, severity and adding comments) for multiple SCA risks at once. This is done by selecting the checkbox next to each of the risks and then making the change.
Note
Only risks of the same type (Vulnerability, Suspected Malware, Legal Risk) can be included in a single bulk action.
Similarly, in the Licenses tab, you can now use a bulk action to triage license states (effective/not effective).
CLI and Plugins Releases of April 2025
CLI Version 2.3.20
General Improvements and bug fixes
CLI Version 2.3.19
Status | Item | Description |
|---|---|---|
NEW | CLI Configuration File | Users can now define a distinct CLI configuration file for each CLI instance. This is done using an environment variable, |
CLI Version 2.3.18
Status | Item | Description |
|---|---|---|
NEW | Secret Detection | Added support for running pre-commit secret detection scans, to detect exposed secrets before they are committed to a repo. For more info, see documentation. |
CI/CD Plugins
In April we released the following CI/CD plugin versions:
Jenkins Plugin - 2.0.13-797.v3e165b_5b_6ce5 (uses CLI v2.3.18)
TeamCity Plugin - 2.0.31 (uses CLI v2.3.18)
GitHub Actions Plugin - 2.3.19 (uses CLI v2.3.19)
Azure DevOps Plugin - 3.0.9 (uses CLI v2.3.9)
Improvements and Bug Fixes
Status | Item | Platform | Description |
|---|---|---|---|
NEW | General | Jenkins, TeamCity, GitHub Actions, Azure DevOps | General improvements and bug fixes. |
Plugin | Marketplace | Code Repository | Documentation | Changelog |
|---|---|---|---|---|
Azure DevOps | https://marketplace.visualstudio.com/items?itemName=checkmarx.checkmarx-ast-azure-plugin | |||
GitHub Action | https://github.com/marketplace/actions/checkmarx-ast-github-action | |||
TeamCity | https://github.com/CheckmarxDev/checkmarx-ast-teamcity-plugin | |||
Jenkins |
Resolved issues
Ticket number | Description |
|---|---|
AST-86751 | GitLab OnPrem Integrated project scan had errors when the base URL contained multiple path segments separated by slashes. |
AST-86802 | Pull request decoration for BitBucket failed due to a key duplication exception in the method |
AST-87976 | The View findings button failed to refresh the request data, displaying outdated information. |
AST-90805 | Secret detection experienced a Context Deadline Exceeded error while inserting results, causing incomplete or failed analysis. |
AST-91291 | Resolved a bug where the project rules API stopped functioning. |
AST-91398 | Fixed issue where WebAudit failed to scan a project. |
AST-65357 | False positive due to an undefined pattern when handling the enum and date format. |
AST-65360 | False positive for undefined maximum length in fields using an enum format. |
AST-65365 | False positive triggered by invalid media type value, suggesting misconfiguration or insufficient validation. |
AST-70809 | Description and expected value were swapped, causing confusion or test failures. |
AST-73206 | False positives were identified for generic passwords and secrets, indicating that sensitivity detection needed refinement. |
AST-75459 | Fixed a bug where error messages showed technical details. |
AST-77315 | The /api/scan-summary endpoint did not account for muted packages, leading to misleading results. |
AST-81789 | The UI displayed zero lines of code for partial scans, though code was present. |
AST-83168 | SAST results were missing changelogs and notes, making it difficult to track scan history. |
AST-83171 | Projects could not be assigned to applications when using custom queries. |
AST-83672 | Project or branch overview page loaded extremely slowly, affecting usability. |
AST-84120 | The scan type shown in the project scan history was incorrect, leading to inconsistencies with the scans list. |
AST-84692 | Project overview failed to load due to a scan summary timeout. |
AST-86484 |
|
AST-88911 | An unrelated checkbox that appeared in the global SCA settings was removed. |
AST-93140 | Scans took an additional 30+ minutes during the fetch-sources stage, impacting performance. |
SCA-20810 | The publish date was modified unexpectedly, possibly affecting audit trails or versioning. |
SCA-21398 | Conflicts between the container configurations of the system and the client project led to scan issues. |
SCA-21718 | A development-only parent package caused errors when transitive packages were treated as production. |
SCA-21986 | Pod stopped responding, which in turn caused the source resolver to timeout. |
SCA-22049 | Transaction commit failed in the scaPackagesProcessor, resulting in incomplete processing. |
SCA-22051 | Fixed error where |
SCA-22129 | License information appeared unspecified in the CXSCA report. |
SCA-22296 | Searching by package name on the risk list page did not work, hindering usability. |
SCA-22336 | Scans failed when using SBOM format SPDX-2.2. |
SCA-22364 | Fixed a problem with SBOM export. |
SCA-22406 | Fixed a problem with SBOM SPDX scan where it had incorrect or missing package relationships, such as direct or transitive links. |
SCA-22458 | ContainerResultsProcessor was causing scans to fail. |
SCA-22709 | Automated test Topaz_ScanNugetProjectGetReport_HappyFlowTest failed due to hash matching logic introduced in the new flow. |
AST-88083 | When a group had more than 100 members, it was not possible to search for a newly added account in the member list. |
AST-88315 | In SAML group mappings, when sync mode = force, the "override user groups" toggle was disabled in the UI by default, but it acted as enabled. |
AST-89122 | Users with the Manage-Clients role only were able to delete clients from other users. |
AST-89420 | An internal server error occurred while accessing "Lost Authenticator device". |
AST-90807 | New IAM UI: First SAML login with user creation, was generating application user email. |
AST-70809 | Descriptions of value and expected value were swapped. |