Current Multi-Tenant Version | 3.39
Multi-Tenant release date: June 8, 2025
Release number | Resolved issues |
---|---|
3.39.7 | SAML role mappers were not working as expected in the new IAM UI. |
3.39.6 | Fixed an issue that prevented viewing vulnerability details for IaC vulnerabilities. |
New Features and Enhancements
SAST Engine Upgrade to Version 9.7.3
The SAST engine in Checkmarx One has been upgraded to version 9.7.3. To discover all the new features and updates in the latest version, refer to this page.
Changed Navigation for Viewing SCS Results
The Software Supply Chain tab was removed from the Applications and Projects page. Repository Health and Secret Detection results are now accessed by selecting the SCS scanner in the scan results or on the project details page, similar to all other Checkmarx One scanners.
This will provide a consistent experience across all Checkmarx One scan engines. It is also the first step in a broader product initiative: treating Repository Health and Secret Detection as independent scanners, each with their own scan logic, results, and roadmap.
Feedback Apps Improvements
Support for Multiple Apps in the same system - To improve accuracy and control in multi-app environments, we’ve enhanced the feedback apps functionality to ensure that each app only updates the tickets it originally created, even when multiple apps are configured using the same connection.
Closing tickets when apps are deleted - When you delete a Feedback App, we now automatically close all of the tickets created by that app. This behavior is not supported for GitHub Issues.
Prioritizing high severity results when creating tickets - We now prioritize high severity risks so that if you reach the limit of 2,000 tickets per scanner, the results with the highest priority will be created. For example, if a SAST scan has 1,000 critical + 1,000 high + 1,000 medium results, tickets will only be opened for the critical and high results.
Unique Result ID in Results API Response
The GET /results API response now includes a new field: alternateId. This field provides a unique identifier for each result and is currently supported for the following scanners: IaC, SAST, SCA, SSCS Secret Detection, and SSCS Scorecard.
Note
Container Security results are not yet supported.
Secure Integration with Customer Systems Using CxLink
You can now integrate Checkmarx One with protected customer systems, such as private source code repositories, artifactories, and issue trackers, using CxLink, a secure tunneling proxy powered by Zrok. This new capability eliminates the need to manually configure networks or open firewall ports, making integration faster and easier while preserving security.
Note
This feature will be rolled out gradually to all customers.
Show Info About Matching Algorithms
For each image that was automatically matched with a Checkmarx One project, we now provide a tooltip showing info about how the match was detected.
SCA Updates
Application-Level SBOM
Added support for generating SBOM reports on the application level (in addition to existing support for generating an SBOM for a specific project). The report is generated via the Checkmarx One web application (UI) from the Workspace > Projects page.
For more info about Checkmarx One SBOMs, see SBOM documentation.
Improvements in the Scan Results - Risks Tab
We have added the following improvements to the Scan Results:
Added the Secure Version column, indicating whether or not a remediated version of the package is available. You can sort and filter for this column. This column was added to both the Packages and Risks tabs.
In the Risks tab, the EPSS score is now shown in a separate column (not under Exploitability). You can now sort and filter for EPSS.
Note
These changes are similar to the changes made in the Global Inventory in version 3.33.
API Updates
Important
Please be advised that the following API will be deprecated in 3 months and will be unable to be used:
Known Issues
For some Access Management phase 1 customers, the Authorization Settings page may not appear upon first login after the upgrade. To fix this, please clear your browser cache and refresh the page.
Resolved Issues
Ticket number | Description |
---|---|
AST-94081 | A null pointer exception occurred during the creation of the Jira issue. |
AST-93503 | An exception was thrown in the new policy management section of the PR decoration flow. |
AST-92700 | Manual scan cancel operations were failing. |
AST-90711 | The |
AST-90688 | The |
AST-89575 | PR comments were not created on Azure DevOps. |
AST-86427 | The Application Risk Management page failed to display results. |
AST-90902 | API secrets were missing in .PLIST files (Secret Detection - [2MS]). |
SCA-22913 | The license list was null instead of an empty list. |
SCA-22893 | The AI Package Finder did not work when using Python. |
SCA-22657 | There was a mismatch between the ScanReport SCA UI and the API regarding |
SCA-22459 | gRPC errors occurred in processors. |
SCA-22303 | The Dev/Test filter did not remove transitive risks that had no vulnerable package path. |
AST-94924 | The |
AST-93294 | Branches could not be fetched using an Azure SSH URL in a manual project. |
AST-93281 | The cache had to be cleared after deploying a new version. |
AST-92725 | A false negative occurred in KICS for an S3 bucket that allowed delete actions from all principals. |
AST-92676 | The IDP Initiated flow URI did not work in the new IAM UI (regression). |
AST-91509 | The Severity Over Time graph in the project overview did not accurately track vulnerability history. |
AST-91156 | The new IAM UI did not show group paths longer than 50 characters under the user → edit group section. |
AST-89465 | Scans did not work in Checkmarx One but worked via CLI. |
AST-85982 | The small scan button triggered an incorrect link, preventing scan initiation. |
AST-85127 | The |
AST-84173 | The |
AST-73710 | The documentation for the Organization Data section in Account Settings needed updating. |
AST-98668 | Retrieving usernames from Bitbucket tokens caused exceptions. |
AST-97122 | Parent search errors occurred while configuring Jira applications. |
AST-95425 | The API for project conversion failed for some organizations. |
AST-95419 | The |
AST-95308 | Double-encoded organization names with spaces caused integration flow errors. |
AST-95093 | PR decoration URLs were generated incorrectly for Azure. |
AST-93965 | Scans intermittently remained stuck in the "Running" state. |
AST-92515 | Analytics dashboard showed result state mismatches. |
AST-90975 | Generated PDF reports duplicated the latest scan ID and LOC across branches. |
AST-89541 | AWS Linux package versions were not parsed correctly. |
AST-86609 | Scans failed on the blazemeter/taurus:latest container image. |
AST-84657 | The CS scanner failed to detect vulnerable old Alpine images. |
AST-79074 | Vulnerability counts differed between the Summary and Overview pages. |
SCA-23056 | Bulk updates of SCA vulnerability risk states did not work as expected. |
SCA-23055 | Bring Your Own Key (BYOE) functionality failed for SCA. |
SCA-23020 | Scan times were too long. |
SCA-22302 | Report generation failed for specific scans. |
AST-96914 | The remote backend was unreachable. |
AST-96688 | Critical severity appeared unexpectedly in the UI. |
AST-96534 | Onboarding failed. |
AST-95864 | The |
AST-93625 | The Application Risk Management page showed "No Risks" on first access. |
AST-93304 | In VSCode, proxy-only users could not enable the scan button. |
AST-89866 | Scans intermittently returned 500 errors. |
AST-89265 | The CxIAM page failed to load. |
AST-78569 | SCM integrations did not display all groups or allow group search. |
AST-64244 | Scan results differed between the ZAP UI and Checkmarx One. |
AST-94943 | The Settings page showed duplicate IaC presets. |
AST-74900 | The IAM "Friendly Name" attribute in SAML mappers behaved inconsistently. |
AST-94951 | The SAML Identity Provider failed to set the Principal Attribute. |
AST-94573 | The Save button in IAM General Settings was disabled for some tenants. |
AST-92091 | The IAM "Groups, Filters and Dependencies" view showed data without enabling actions. |
AST-89908 | OAuth client edits were not saved in the new IAM UI. |
AST-89783 | Duplicate Identity Providers could be created in the new IAM UI. |
AST-89726 | The Endpoints link was removed from the SAML config page in the new IAM UI. |