- Checkmarx Documentation
- Checkmarx One
- Release Notes
- Current Multi-Tenant Version | 3.44
Current Multi-Tenant Version | 3.44
New Features and Enhancements
New KPI in Analytics API: Full Vulnerability List with Severity Counters
A new KPI was added to the Analytics API to provide a full list of all vulnerabilities (queries) with counters broken down by severity. Unlike the existing mostCommonVulnerabilities
KPI, which is limited to the top 100, this new KPI returns an exhaustive dataset.
Query Editor: Edit Overridden and New Queries
GA: August 24, 2025
The Query Editor now allows editing additional parameters for new and overridden queries. Previously, only the Severity field could be modified after creation. With this update, users can also edit:
Query name
Severity
Executable (Yes/No toggle)
CWE ID
Description ID
These changes can be made through the UI or via the API.
SCA
Improved Results for Package Usage and Exploitable Path
GA: August 24, 2025
In Package results, we now distinguish between packages for which no usage was detected (Not Used) as opposed to packages for which we were not able to calculate usage (Not Calculated). For Not Calculated results we provide the reason why it wasn’t calculated (e.g., unsupported language).
Similarly, in Risk results, we now distinguish between risks for which no Exploitable Path was detected (Not Found) as opposed to results for which we were not able to calculate whether or not there is an Exploitable Path (Not Calculated). For Not Calculated results we provide the reason why it wasn’t calculated (e.g., transitive dependencies are not supported).
Note
This info is shown in the scan results as well as in the Global Inventory.
This improvement will prevent users from mistakenly assuming that their project is safe, when in fact we don’t have enough information to draw that conclusion
IaC
Updated IaC Engine to version 2.1.12.
This version includes enhancements that resolve the following issues:
False Positives (FP)
ECS Cluster Not Encrypted At Rest (when using task definition ref).
Last User Is 'root'.
Trusted Microsoft Services Not Enabled.
API Gateway Method Does Not Contain an API Key.
Web App Not Using Latest TLS Version (ARM).
Image Version Not Explicit.
S3 Bucket Logging Disabled.
False Negatives (FN)
Ansible: CloudTrail Multi Region Disabled.
Terraform: S3 Bucket Without Restriction of Public Bucket.
SSH and RDP exposed to the internet.
Query Updates
Improved detection of inline rules.
Overrides to cloud provider common queries.
Performance and Stability
High response time and failures when updating multiple KICS results.
"Bad Gateway" errors when KICS_COMPUTE_NEW_SIMID feature flag is enabled.
Flaky compose tests in kics-results-handler.
Scan summary counters not applied to all platforms.
IaC scans displaying incorrect results in UI.
Files causing IaC scan failures.
Unexpected error in iac-runner-nv causing scan failures.
Incorrect results in UI.
Miscellaneous Fixes
Added type assertion verification to certificate element processing.
Updated Debian Dockerfile to use stable-slim version.
Fixed flaky TestCounter_Start unit test.
Updated Go version to address Grype vulnerabilities.
Improved symlink handling with early exit return statements.
Resolved issues
Ticket number | Description |
---|---|
AST-102556 | A potential memory leak in |
AST-101367 | Corrected issue where exporting CSV results from drill-down views included all vulnerabilities instead of only filtered ones. |
AST-100775 | Missing data in the container report. |
AST-89801 | Improved report generation to support large reports without failure. |
SCA-23512 | Scan results failed to save to the database after multiple retry attempts. |
SCA-23493 | Fixed a Windows-specific issue where ScaResolver failed to resolve Bower manifest files. |
SCA-23402 | Corrected SourceResolver to properly save the dependency name in ScanResults. |
AST-107746 | Scans were getting stuck in the scan queue. |
AST-105998 | Resolved a configuration issue causing private (CLI) DAST scans to fail report generation. |
AST-105847 | Fixed an issue preventing the ZAP recorder from working with public web targets. |
AST-105206 | The Environments page was creating an API Key on every open. |
AST-105076 | Authentication was failing due to session and verification mismatches. |
AST-104811 | Corrected handling of the default backslash (\) in DAST run commands for terminals where it was not interpreted correctly. |
AST-100786 | Updated KICS query to correctly identify inline rules. |
AST-100634 | DAST failed to upload scan results. |
AST-100062 | Fixed a false positive in KICS for "Image Version Not Explicit". |
AST-98817 | Fixed a false negative in KICS for terraform.S3 buckets missing public access restrictions. |
AST-98792 | Updated KICS query to correctly detect when a web app is not using the latest TLS version on ARM platforms. |
AST-98286 | Fixed false positive in KICS for "API Gateway Method Does Not Contain an API Key". |
AST-95994 | An error in iac-runner-nv was causing scans to fail unexpectedly. |
AST-94816 | Updated Audit Trail API documentation to include the optional parameters "From" and "To". |
AST-94574 | Fixed false positive in KICS for "S3 Bucket Logging Disabled". |
AST-91007 | Applied overrides to common KICS queries for cloud providers. |
AST-105792 | Fixed issue where tagging a project in the project list page cleared the primary branch setting. |
AST-104964 | Enabled opening SCA Results in a separate tab, aligning behavior with SAST Results. |
AST-104482 | Resolved issue where the app did not display results in the Risk Management tab in Singapore production. |
AST-98340 | Fixed issue where projects with assigned groups displayed an empty value in the "Groups" column on the Projects page. |