
Current Multi-Tenant Version | 3.36

Multi-Tenant release date: April 27, 2025

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.

Resolved issues by release number:

  • 3.36.28: Fixed an issue that caused the GET /api/results API endpoint to result in a "504 Gateway Timeout" error.

  • 3.36.26: Fixed an issue with the left-side navigation panel related to accessing Codebashing from Checkmarx One.

General Availability Features

Customizable IaC Query Execution with Preset Configurations

Configure the queries IaC executes using preset configurations at the Tenant, Project, CLI, or Config file level. This gives you greater flexibility and control over your security scans, allowing you to tailor query execution to fit your specific workflows and environments.

Cleaner Drilldown View in BYOR Interface

Improved the drilldown view in the Bring Your Own Risk (BYOR) interface. Resolutions are displayed in a cleaner, more readable format, and URLs are now clickable, so there is no more copying and pasting. This makes reaching the right actions or resources faster and easier and simplifies your workflow.

For more information, see documentation.

Pre-Commit Secret Scanning

The Pre-Commit Secret Scanning feature helps prevent accidental exposure of sensitive information such as passwords, API keys, and access tokens. If secrets are detected, the commit is blocked, and developers receive a detailed report to help remediate the issue.

Note

The feature is available to users with a Secret Detection license.

For more information, see documentation.

Container Security

AWS ECR Integration for Container Security

We now provide an integration with AWS ECR, enabling users to automatically pull images from private ECR repos and scan them using the Checkmarx One Container Security scanner. The integration is done by creating an "Assume Role" in ECR (Role ARN), which grants access to Checkmarx to pull images from your repos.

We provide a convenient wizard on the Checkmarx One Integrations page that enables you to create the integration by submitting info about the "Assume Role" (Role ARN and External ID) that you created, and the repo that you are granting access to.

For more information, see documentation.
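The "Assume Role" pattern described above rests on two IAM policy documents. As an added example (not Checkmarx's own code or documentation), the following builds a trust policy restricted to one external account plus the External ID, a least-privilege pull policy scoped to a single repository, and a small review check that flags trust policies missing either restriction. The account ID, External ID and repository ARN are constructed placeholders.

```python
"""Added example, not Checkmarx code: the two IAM policy documents behind the
"Assume Role" ECR integration, plus a review check for the trust policy.
Account ID, External ID and repository ARN below are constructed placeholders."""

SCANNER_ACCOUNT_ID = "111111111111"                          # placeholder account
EXTERNAL_ID = "replace-with-the-external-id-you-registered"  # placeholder
REPO_ARN = "arn:aws:ecr:eu-west-1:222222222222:repository/payments-api"  # placeholder


def trust_policy(account_id: str, external_id: str) -> dict:
    """Only the named account may assume the role, and only with the agreed
    External ID (the condition that blocks the confused-deputy case)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def pull_policy(repo_arn: str) -> dict:
    """Read-only pull from one repository. GetAuthorizationToken is not
    resource-scoped in ECR, so that statement alone needs Resource '*'."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow", "Resource": repo_arn,
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchCheckLayerAvailability", "ecr:DescribeImages"]}]}


def trust_policy_problems(policy: dict) -> list:
    """Flag Allow/sts:AssumeRole statements that use a wildcard principal or
    lack an sts:ExternalId condition; an empty list means the policy passes."""
    problems = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS", "") if isinstance(principal, dict) else principal
        aws_list = aws if isinstance(aws, list) else [aws]
        if "*" in aws_list:
            problems.append(f"statement {i}: wildcard principal")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            problems.append(f"statement {i}: no sts:ExternalId condition")
    return problems
```

Run `trust_policy_problems` over the trust policy of any role you hand to a third-party scanner; a non-empty result means the role can be assumed more broadly than the integration needs.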

Support for .tar Files

Added support for uploading source code as .tar files (in addition to the existing support for .zip) for Container Security scans.

Notice

This feature is not related to the capability of scanning images that are built as .tar files. That capability is supported only when running scans via the CLI.

SCA

SPDX SBOM Scan Improvement

We have improved the accuracy of identification of direct and transitive packages when running an SCA scan on an SPDX format SBOM.

IaC Security

Updated the IaC Security scanner to version 2.1.6.

Updates and Bug Fixes:

  • Updated the link on the AWS queries to refer to the proper documentation on docs.aws.amazon.com.

  • Fixed an issue that was causing a false positive on the OpenAPI query.

  • Fixed an issue that was causing a false positive on the password and secrets query.

Phased Availability Features

Automate Full Project Scans via API

GA: May 4

Schedule full project scans via the API, eliminating the need to manually trigger them through the UI. Configure scans based on specific times, recurrence patterns, and preferred scanners. The API provides clear response codes for success or failure and includes options to disable scheduled scans when needed. This update helps ensure important scans aren't missed, reduces manual effort, and fits seamlessly into your automation workflows.

For more information, see documentation.

ASPM Risk Prioritization Now in Your IDE

GA: May 4

View ASPM risk-scored results directly in your IDE, bringing critical vulnerability prioritization into your daily workflow. Instead of sifting through every finding, you will see what matters most—high-risk issues first, helping you remediate faster and more efficiently. This update aligns the IDE experience with the ASPM model in the web app and reduces noise while enhancing developer adoption.

Container Security

Remediation for Base Images

GA: May 4

We now show remediation suggestions for specific base images. We provide easy navigation between remediation suggestions for the overall image and for the specific base images used in the image.

Package and Image Level Triage

GA: May 4

We now support marking images and packages identified by the Container Security scanner as Muted or temporarily Snoozed. This functionality works in the same manner as it does for packages identified by the SCA scanner, as explained here.

Status Column

GA: May 4

We added the “Status” column to the results table. This column indicates whether the status of an image has been changed to Muted or Snoozed. It also indicates if a package is “Unresolved”. For Unresolved images, hovering over the status indicator shows a tooltip with an explanation of why the image wasn’t resolved.

SCA

Permission for Management of Licenses

GA: May 4

We now limit who can make changes to a license state. We created a new IAM permission for this action, update-license-state(-if-in-group). By default, this is included in the role ast-risk-manager.

Branch-Based Identification of New Vulnerabilities

GA: May 4

We now enable identification of new vulnerabilities based on comparison to previous scans of the specific branch. The default behavior is now to use the new branch-based approach. There is still an option to apply the previous methodology of project-based identification of new vulnerabilities. This configuration can be set on the tenant, project or scan level.

Bulk Action Triage

GA: May 4

Added a bulk action for triaging (i.e., changing state or severity, or adding comments) multiple SCA risks at once. Select the checkbox next to each of the risks and then make the change.

Note

Only risks of the same type (Vulnerability, Suspected Malware, Legal Risk) can be included in a single bulk action.

Similarly, in the Licenses tab, you can now use a bulk action to triage license states (effective/not effective).

CLI and Plugins Releases of April 2025

CLI Version 2.3.20

  • General improvements and bug fixes

CLI Version 2.3.19

  • [NEW] CLI Configuration File: Users can now define a distinct CLI configuration file for each CLI instance. This is done using an environment variable, CX_CONFIG_FILE_PATH.

CLI Version 2.3.18

  • [NEW] Secret Detection: Added support for running pre-commit secret detection scans, to detect exposed secrets before they are committed to a repo. For more info, see documentation.

CI/CD Plugins

In April we released the following CI/CD plugin versions:

Improvements and Bug Fixes

  • [NEW] General (Jenkins, TeamCity, GitHub Actions, Azure DevOps): General improvements and bug fixes.

Resolved issues (ticket number: description)

  • AST-86751: GitLab OnPrem Integrated project scan had errors when the base URL contained multiple path segments separated by slashes.

  • AST-86802: Pull request decoration for BitBucket failed due to a key duplication exception in the method addScaResultsExploitablePath.

  • AST-87976: The View findings button failed to refresh the request data, displaying outdated information.

  • AST-90805: Secret detection experienced a Context Deadline Exceeded error while inserting results, causing incomplete or failed analysis.

  • AST-91291: Resolved a bug where the project rules API stopped functioning.

  • AST-91398: Fixed an issue where WebAudit failed to scan a project.

  • AST-65357: False positive due to an undefined pattern when handling the enum and date format.

  • AST-65360: False positive for undefined maximum length in fields using an enum format.

  • AST-65365: False positive triggered by an invalid media type value, suggesting misconfiguration or insufficient validation.

  • AST-70809: Description and expected value were swapped, causing confusion or test failures.

  • AST-73206: False positives were identified for generic passwords and secrets, indicating that sensitivity detection needed refinement.

  • AST-75459: Fixed a bug where error messages showed technical details.

  • AST-77315: The /api/scan-summary endpoint did not account for muted packages, leading to misleading results.

  • AST-81789: The UI displayed zero lines of code for partial scans, though code was present.

  • AST-83168: SAST results were missing changelogs and notes, making it difficult to track scan history.

  • AST-83171: Projects could not be assigned to applications when using custom queries.

  • AST-83672: The project or branch overview page loaded extremely slowly, affecting usability.

  • AST-84120: The scan type shown in the project scan history was incorrect, leading to inconsistencies with the scans list.

  • AST-84692: The project overview failed to load due to a scan summary timeout.

  • AST-86484: The GET projects-overview API response was missing repoId for projects whose latest scans were older than 21 days.

  • AST-88911: An unrelated checkbox that appeared in the global SCA settings was removed.

  • AST-93140: Scans took an additional 30+ minutes during the fetch-sources stage, impacting performance.

  • SCA-20810: The publish date was modified unexpectedly, possibly affecting audit trails or versioning.

  • SCA-21398: Conflicts between the container configurations of the system and the client project led to scan issues.

  • SCA-21718: A development-only parent package caused errors when transitive packages were treated as production.

  • SCA-21986: A pod stopped responding, which in turn caused the source resolver to time out.

  • SCA-22049: A transaction commit failed in the scaPackagesProcessor, resulting in incomplete processing.

  • SCA-22051: Fixed an error where io.netty:netty-handler 4.1.115.Final was considered missing when scanning the ZIP package.

  • SCA-22129: License information appeared unspecified in the CXSCA report.

  • SCA-22296: Searching by package name on the risk list page did not work, hindering usability.

  • SCA-22336: Scans failed when using SBOM format SPDX-2.2.

  • SCA-22364: Fixed a problem with SBOM export.

  • SCA-22406: Fixed a problem with SBOM SPDX scans where package relationships, such as direct or transitive links, were incorrect or missing.

  • SCA-22458: ContainerResultsProcessor was causing scans to fail.

  • SCA-22709: The automated test Topaz_ScanNugetProjectGetReport_HappyFlowTest failed due to hash matching logic introduced in the new flow.

  • AST-88083: When a group had more than 100 members, it was not possible to search for a newly added account in the member list.

  • AST-88315: In SAML group mappings, when sync mode = force, the "override user groups" toggle was disabled in the UI by default, but it acted as enabled.

  • AST-89122: Users with only the Manage-Clients role were able to delete clients belonging to other users.

  • AST-89420: An internal server error occurred while accessing "Lost Authenticator device".

  • AST-90807: New IAM UI: the first SAML login with user creation was generating the application user email.

  • AST-70809: Descriptions of value and expected value were swapped.