
Current Multi-Tenant Version | 3.49

New Features and Enhancements

CxLink Migration to Zrok v1

Migrating to Zrok v1 provides added proxy support for CxLink, enabling connections to Checkmarx One while using corporate/network proxies.

User-Controlled Incremental Scan for Branches

Incremental scan support for branch configurations is now fully exposed to users in the UI. Previously, this capability was controlled only through a feature flag, limiting visibility and user control. With this release, the feature flag has been removed, and users can now directly manage their incremental scan settings.

For more information, see documentation

Results Metadata Grouping Available in UI

The Results Metadata Grouping setting, previously controlled by a feature flag, is now available in the UI, giving customers direct control over how results are grouped for triaging.

For more information, see Result scope level in the configuration options.

Manual Bearer Token Entry for API Scans

GA: December 7, 2025

In some cases, bearer tokens in the API specification may not grant access to API docs, causing scans to fail. To ensure scans succeed, you can now manually add bearer tokens using + Add custom headers, and confirm that your headers and target URL are correct.

Predefined Scan Configurations in DAST

GA: December 7, 2025

Added predefined scan configurations to the Environment Setup Wizard and Environment settings, so you no longer need to manage configuration files or ZAP.

IaC

Updated to version 2.1.16

Fixes and Improvements

  • Corrected false positives for SNS topic public accessibility in Terraform/AWS, Ansible/AWS, and CloudFormation/AWS.

  • Added support for database resources in two Azure queries.

  • Included cases for Azure App Service resources (azurerm_linux_web_app and azurerm_windows_web_app).

  • Prevented panic when parsing recursive YAML anchors or aliases.

  • Added support for arrays and minor fixes in queries.

CLI and Plugins Releases of November 2025

CLI Version 2.3.40

| Status | Item | Description |
|---|---|---|
| NEW | Supported Files | Added file extension .xhtml to the list of supported files that are included in the .zip archive that is scanned. |
| NEW | Multi-Part CLI Uploads | Added support for multi-part CLI uploads, which enables you to bypass the 5 GB API limit and scan source folders up to 6 GB by using configurable 1–5 GB chunk sizes via multipart_file_size (default value 2GB). |

CLI Version 2.3.39

| Status | Item | Description |
|---|---|---|
| NEW | AI Security Champion | The AI Security Champion feature in IDE plugins will now support use of Azure AI instances that are accessed via a proxy or gateway (e.g., Kong). Notice: When using a proxy or gateway, you must ensure that the API Request URL, Request Payload, Response Payload and Authentication are compliant with the required specifications. For more info, see documentation |
| NEW | File Extension | Added file extensions .xsjs.cjs and .xsjsli to the list of supported files that are included in the .zip archive that is scanned. |
| UPDATED | Installation Folder | Changed the folder location where the ASCA scanner and SCA Resolver are installed. They are now installed at <windows user home>\.checkmarx for Windows, and at <home directory>\checkmarx for Linux. |
| UPDATED | IaC Security | IaC Security scanner updated to use kics version from 2.1.15. |

CI/CD Plugins

In November we released the following CI/CD plugin versions:

  • Azure DevOps Plugin - 3.0.20 (uses CLI v2.3.40)

  • GitHub Actions - 2.3.28 (uses CLI v2.3.39)

Improvements and Bug Fixes

| Status | Item | Platform | Description |
|---|---|---|---|
| NEW | CLI Parameters | GitHub Actions | We have improved the way that additional CLI parameters are submitted in GitHub Action in order to support a wide range of scenarios. Instead of submitting all additional params under additional_params, we now provide separate parameters as follows: global_params - for submitting CLI global flags; scan_params - for submitting scan create flags; utils_params - for submitting utils pr flags; results_params - for submitting results show flags. |
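A workflow step using the split parameters, as an added example that is not taken from the Checkmarx documentation. Only the four *_params input names come from the release note above; the action reference, the connection inputs, the secret names and the specific CLI flags are assumptions.

```yaml
# Constructed example workflow; not from the Checkmarx documentation.
name: checkmarx-one-scan
on:
  pull_request:

permissions:
  contents: read   # least privilege: the scan only needs to read the repository

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkmarx One scan
        # Assumption: action reference. Pin to the release (or its commit SHA)
        # that you have reviewed, rather than a moving branch.
        uses: checkmarx/ast-github-action@<pinned-release-or-commit-sha>
        with:
          # Assumption: connection inputs; values are read from repository
          # secrets (hypothetical secret names) and never written inline.
          base_uri: ${{ secrets.CX_BASE_URI }}
          cx_tenant: ${{ secrets.CX_TENANT }}
          cx_client_id: ${{ secrets.CX_CLIENT_ID }}
          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
          # Extra flags were previously all passed under additional_params.
          # Each flag now goes to the input for the command that consumes it.
          # Assumption: the flags below are illustrative CLI flags.
          global_params: '--debug'
          scan_params: '--scan-types sast,sca --threshold "sast-high=1"'
          results_params: '--report-format sarif'
          # utils_params takes flags for the utils pr command in the same way.
```

Keeping global flags out of scan_params makes it easier to review which flags reach which CLI command when the workflow file changes.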

Resolved Issues

| Item | Description |
|---|---|
| AST-120770 | Establishing a connection failed after multiple attempts. |
| AST-120359 | Authentication to certain web applications in DAST failed. |
| AST-119984 | Establishing a connection did not work as expected. |
| AST-119074 | Generic API Key (ClientSecret) produced false negatives. |
| AST-118991 | Generic API Key (SecretKey) produced false negatives. |
| AST-118979 | Authentication to public web applications in DAST failed. |
| AST-117177 | SAST results were missing descriptions. |
| AST-116382 | Predefined Azure role identifiers (RBAC) were incorrectly flagged as secrets. |
| AST-115570 | Generic API Key produced false positives. |
| AST-120044 | The “Download Logs” option did not appear for specific tenants. |
| AST-119647 | Authentication to additional public web applications in DAST failed. |
| AST-118856 | DAST vulnerability reports contained duplicate compliance data. |
| AST-118034 | Constant error messages appeared in the UI even though scans completed successfully. |
| AST-117997 | Certain users were unable to tag scans. |
| AST-117993 | Projects could not be deleted. |
| AST-116320 | Generating DAST scan reports failed when scans contained a large number of vulnerabilities. |
| AST-116212 | SAST worker failed to read results due to an XML parsing error. |
| AST-108655 | The UI displayed an unclear message when the primary branch was not set. |
| AST-98430 | SAST worker failed to read scan status due to a deserialization error (EOF). |
| AST-114083 | Changing the preset setting at the project level was not possible. |
| AST-114444 | GitLab projects did not convert via API, though creation and updates worked through the UI with the same credentials. |