- Checkmarx Documentation
- Checkmarx One
- Release Notes
- Current Multi-Tenant Version | 3.42
Current Multi-Tenant Version | 3.42
Multi-Tenant release date: July 20, 2025
New Features and Enhancements
SAST Engine Upgrade to Version 9.7.4
GA: July 21, 2025
The SAST engine in Checkmarx One has been upgraded to version 9.7.3. To discover all the new features and updates in the latest version, refer to this page.
CxLink Client Distribution Update
To simplify and scale CxLink client distribution, customers can now pull the CxLink image directly from Checkmarx's Docker Hub account. This eliminates the need for manual TAR file delivery and local Docker installation steps previously required, providing a more streamlined and scalable deployment process.
SAST Policy Management – Grouped Conditions
SAST Policy rules now support grouping conditions to enable more precise break-build logic. For example, a rule can now break the build if there are over two High severity vulnerabilities that are also older than 10 days.
All conditions in a group must match the same result to evaluate as true. A rule triggers only if all groups are true.
Existing rules will be migrated with each condition placed in its own group to preserve current behavior. New rules default to a single group, with the option to add more.
User-Defined UI Persistency
Users can now return to previously visited pages with their filters, sorting, and view state preserved - whether using the browser's back button or in-app navigation. In addition, users can save custom views as their default, eliminating the need to reapply the same filters and sorting daily.
This enhancement is especially helpful on pages with customizable tables, where many users follow the same steps every day to get started.
For more information, see documentation.
Engineering Dashboard for Analytics
GA: July 27, 2025
The new Engineering Dashboard in Analytics helps organizations manage application security visibility across complex engineering structures. It introduces dynamic data segmentation by project, application, tag, and group (such as teams or departments), aligning key performance indicators with the actual organizational context.
This update enables clearer communication of trends and status across the enterprise, supports identification of responsible teams, and improves decision-making on where attention is needed.
New KPI: Vulnerabilities by Aging and Severity
GA: July 27, 2025
A new KPI, Vulnerabilities by Aging and Severity, is now available in Analytics to help organizations monitor how vulnerabilities evolve over time based on severity. This metric provides visibility into remediation efficiency, allowing teams to assess alignment with SLA targets and overall risk management goals.
By tracking aging trends, security teams can prioritize efforts on high-severity issues, evaluate remediation performance over time, and identify areas that require intervention. The KPI also includes drill-down functionality, offering a detailed list of vulnerabilities that can be shared directly with development teams for faster resolution.
IDE KPI
GA: July 27, 2025
The new IDE KPI in Analytics tracks developer activity through IDE plugins and CLI tools to measure the adoption of Shift Left security practices. This KPI helps organizations evaluate how proactively security is being integrated into the development workflow.
Enhanced Project Visibility with Application Associations
GA: July 27, 2025
To improve visibility into project-application associations, an Applications column has been added to the Projects page. This column displays which applications a project is associated with.
SCA
Configurable Python and Java Versions
Users can now optimize SCA scans by specifying the Python and Java versions used in their projects. This can be configured on the tenant and project levels. Supported versions are:
Python (PIP and Poetry) - 2.7.18, 3.11, 3.12, and 3.13 (default)
Java (gradle) - 8, 11, 17, and 21 (default)
Note
By default, the latest supported versions, i.e, Python 3.13 and Java 21 are used. Support for these version was recently added as part of this initiative.
This can be configured via the UI or API.
IaC
Updated IaC Engine to version 2.1.11.
New Features and Enhancements
Refactored the results processor to include improvements for better performance and maintainability.
Enhanced the engine detection logic for Volume Mount With OS Directory Write Permissions to reduce noise and improve precision.
False Positive Fixes
Passwords and Secrets
Generic Password
Generic Private Key
Terraform
MSSQL Server Auditing Disabled
IAM Group Without Users
Storage Account
Not Forcing HTTPS (multiple improvements)
IAM
Group Without Users (non-Terraform)
Dnf Install
Missing Flag detection improved to avoid false positives
False Negative Fixes
Passwords and Secrets: Improved detection to reduce missed vulnerabilities.
IAM Policy: Now correctly flags policies that grant full permissions.
Platform Updates
Checkmarx One Integration: Updated KICS version in CxOne to 2.1.11 for consistency and access to the latest improvements.
Resolved issues
Ticket number | Description |
---|---|
AST-99927 | Query Editor result history inconsistent across identical queries - duplicates or missing results |
AST-99690 | Duplicate projects appeared on the projects page |
AST-99341 | Container scans failed starting from 29/05 |
AST-99301 | Publication dates differed between Checkmarx One and the official source |
AST-98443 | Description for sort parameter at |
AST-96696 | Support was added for new Syft package types in container extractors |
AST-96233 | Project report generation via API failed |
AST-95747 | There was a spelling error in the "Initiator" filter on the Scans page |
AST-93982 | Container scans failed with Exit Code 137 |
AST-93370 | Scan times in the UI were inconsistent |
AST-93360 | Container scans showed false positives |
AST-93287 | A non-vulnerable package was incorrectly flagged as vulnerable |
AST-93280 | Policies were not flagged as violated despite meeting conditions |
AST-92439 | Old container security scans were not deleted |
AST-88922 | SAST scans triggered by GitHub scanned the wrong file |
AST-88606 | Engine log downloads over 500MB returned a file with "undefined" |
AST-86772 | SAST result statuses were inconsistent (New/Recurrent) |
AST-84285 | Resolved Vulnerabilities Report showed identical detection and resolution dates in certain scan sequences |
AST-90978 | Scans got stuck when using the Docker |
SCA-23118 | Pod execution stopped responding |
SCA-2224 | Identical manifests produced different results |
AST-95964 | Deleting one protected branch removed all protected branches |
AST-92180 | SCA triage decisions were not reflected in Policy Management |
AST-93058 | Retrieving sources triggered an invalid port number error |
AST-94810 | Audit Trail API documentation lacked date range parameters |
AST-101847 | Code Repository tab was visible for manually created projects via API |
AST-101623 | The application overview always showed 0% for scanner type/scan origin |
AST-84284 | The Back button did not work on the IaC results page |
AST-100500 | The Authorization tab displayed service users incorrectly |
AST-93890 | SCM import did not save criticality level |
AST-99146 | PR decoration failed with "RESOURCE_EXHAUSTED" due to large SAST result sets |
AST-99906 | SCA Auto PullRequest created empty PRs when no remediation was available |