Current Multi-Tenant Version | 3.55

We have updated the definition of Contributing Developer in our Legal Terms & Conditions and aligned it fully with system logic and the Licensing UI to create a single, authoritative source of truth.

A Contributing Developer now explicitly includes an individual, bot, or agent, all of which are counted toward license usage according to the scenarios defined in the authoritative counting guidelines.

In addition, the Domains page (in Global Settings > Settings tab) allows adding up to 20 validated domains/subdomains to support parent companies, subsidiaries, and associated domains. Personal email domains are not permitted.

This ensures accurate association and deduplication across complex enterprise structures.

Secret Detection and Repository Health scanners are now fully supported in both Scan and Project reports. These scanners can now be included in CSV scan reports as well as in Project reports across all supported formats (PDF and JSON), bringing them to full parity with existing scanners.

You can now select Secret Detection and Repository Health when generating reports, ensuring a consistent reporting experience across all scan types. This update provides a single, consolidated view of security findings and improves visibility across your organization’s security posture.

Global Reports now include Container Security results. When enabled, this scanner can be selected in the Global Report UI and is fully supported via API, with its findings included alongside existing scanners.

We’ve introduced Custom Secret Detection Rules, enabling organizations to define, manage, and enforce tailored secret detection logic across their codebase and development workflows.

Built on the powerful CxOne Query Editor (also used by SAST and IaC), this capability allows security teams to create precise detection patterns aligned with their unique security, compliance, and governance requirements.

For more information, see Secret Detection Query Editor.

API-type environments now support uploading GraphQL API definition files in addition to existing formats. Supported file types:

This enhancement enables security testing of GraphQL-based APIs directly within API environments, expanding coverage for modern API architectures.

Checkmarx One now automatically retrieves and applies the default branch when importing Bitbucket repositories. During import, the backend calls the Bitbucket API to detect the repository’s default branch and uses it for scans and PR workflows.

This enhancement simplifies repository onboarding and aligns Bitbucket behavior with other supported SCM integrations for a consistent user experience.

Assign tags to scans automatically triggered by SCM events such as pushes and pull requests.

You can now define tags - either simple values or key:value pairs - during project creation or in Project Settings and associate them with protected branches or branch wildcards.

When a scan is triggered via an SCM webhook, Checkmarx One checks whether the scanned branch matches a tagged protected branch and automatically applies the relevant tags.

This enhancement improves scan traceability, enables better categorization and reporting, and allows organizations to align scan metadata with their internal processes and policies.

Groups in DAST now function the same way they do in other scanners, serving as a form of access control rather than a tag.

When creating an environment, you can assign groups from a pre-existing list. You can also assign groups to an existing environment through its Advanced Settings.

See here for more information.

DAST Environments in Checkmarx One now support IAM-based fine-grained authorization, ensuring that only users with the appropriate roles and group assignments can view, configure, or trigger environment-related actions.

DAST environments associated with applications are now visible in Application Risk Management.

This enhancement improves risk visibility by consolidating DAST findings with other testing results, helping security teams more effectively prioritize vulnerabilities.

We have updated the Contributor Developer CSV export to support the new standalone developer solution. A unique developer ID is now included to enable consistent and reliable tracking across environments.

Because certain fields (such as project name, branch, contributor email, and last commit) are specific to CxOne services and not available in the standalone context, the CSV structure remains unchanged, but these fields will be populated as “NA” when not applicable.

This update ensures consistent reporting across CxOne and the standalone solution, provides a clear and accurate usage baseline for licensing and ROI tracking, and strengthens transparency and monetization governance while avoiding customer confusion.