Current Multi-Tenant Version | 3.57

The Audit Trail now includes full visibility into scheduled scan activity. This enhancement logs all key actions related to scheduled scans, including creation, updates, enable/disable actions, deletions, and execution events (triggered, failed, or skipped). Users can access these events via the New Audit Trail API.

By extending audit coverage to scheduled scans, this feature strengthens governance and compliance readiness, enables accurate forensic analysis, and provides complete traceability for scan automation workflows.

You can now view the full file path for nodes in SAST Results Viewer, making it easier to understand the scope of a vulnerability and improve triage. Clicking a node reveals its full file path. Multiple nodes may originate from the same file or from different files.

Container scan results now include CVSS score, affected version range, and fix version for OS-level package vulnerabilities, based on official distribution sources (e.g., OVAL, Alpine SecDB, Red Hat advisories).

This data is available across the UI, API (GraphQL, gRPC), CLI, and exports.

With this enhancement, you can quickly determine whether vulnerabilities are fixable and how to remediate them, prioritize issues based on severity, and make more informed risk and patching decisions for base image vulnerabilities.

Checkmarx One now supports dependency resolution for Python 3.14 for scans run in the cloud as well as via SCA Resolver. This enables accurate SCA scanning of Python 3.14 projects, helping to maintain continuous visibility into security and license risk for customers who are adopting the newer Python version.

Checkmarx SCA now supports dependency resolution for .NET 10 (Long-Term Support), enabling teams to scan NuGet dependencies in .NET 10 projects. As an LTS release, .NET 10 is the preferred target for enterprise and production workloads, making reliable SCA coverage essential for maintaining a secure open-source supply chain over its multi-year support lifecycle.

Checkmarx SCA now supports dependency resolution for Java 25 (Long-Term Support), enabling teams to scan Maven and Gradle dependencies in Java 25 projects. As an LTS release, Java 25 is the preferred target for enterprise and production workloads, making reliable SCA coverage essential for maintaining a secure open-source supply chain over its multi-year support lifecycle.

When a scan recalculation is run, we now preserve Exploitable Path and Package Usage data from the original scan. Previously, scan recalculation would overwrite exploitability and usage data even when the the underlying source code and dependencies had not changed. With this improvement, risk assessment remains accurate and consistent after recalculation.

You can now upload Selenium scripts in the Authentication step in the Environment Setup Wizard. Selenium scripts are executed whenever ZAP launches a browser through Selenium- for example, during an Ajax Spider scan or while performing manual exploration.

These scripts have full access to the active browser instance, allowing them to interact with it directly. This includes running JavaScript, navigating to URLs, filling out forms, clicking buttons, and modifying localStorage or sessionStorage.

The CLI is now fully aligned with the UI. For more on DAST CLI commands, see here.

Added support for custom states in DAST. Custom states are states that you define to help organize and triage your scan results. For more information on Custom States, see here.