Current Multi-Tenant Version | 3.51

The new AI Query Builder helps customers create and refine CxQL queries more quickly and intuitively by leveraging ChatGPT in the Queries Editor.

Use guided example prompts, on-demand regeneration, and easy code copying to customize queries with less effort and fewer errors - improving productivity and reducing time spent on manual query tuning.

Access to this feature is limited to users with Edit Query permissions.

For details, see our documentation.

We now support custom states for risks identified by the SCA and IaC Security scanners.

For more information about custom states, see our Documentation Portal.

Applications can now be classified as Business or Internal, enabling more accurate risk prioritization.

Internal applications are excluded from meaningful risk impact, reducing noise, while Business applications continue to factor criticality into risk scoring.

This ensures that risk insights and top-risk views focus on applications that truly impact the business.

A new Partial scan status has been added to scan history to better reflect scans that produced results but failed later in the process.

Their results remain available for review by downloading the scan log, providing clearer visibility and reducing confusion during scan analysis.

We’ve addressed Severity 1 accessibility issues identified during enterprise validation to improve compliance with ADA and WCAG 2.2 standards.

These fixes focus on critical areas such as keyboard navigation, focus order, and error identification, ensuring the platform is more accessible and usable for all users.

You can now mark container images in the Cloud Insights inventory as Ignored to reduce noise from images that don’t require remediation.

From the inventory table, select one or more images and choose Ignore to hide them from the main view. Ignored images remain accessible through the Show Ignored Images filter, where you can review them and restore them to the inventory at any time.

This helps keep your inventory focused and actionable while preserving full control and visibility.

For more information, see documentation.

You can now define protected branches using wildcard patterns for pull request scanning.

Instead of listing individual branch names, you can use flexible patterns (e.g., *, release*, *release) to automatically include matching branches.

This reduces manual configuration, improves coverage, and scales easily for repositories with dynamic or convention-based branching strategies.

In order to speed up the process of adding newly identified CVEs to our database, we have introduced a new automated process that identifies and publishes CVEs in a timely manner. However, this does not replace the need for our AppSec Research team to thoroughly analyze each CVE. Therefore, when the initial automated results are available, we publish the CVE with a note indicating that it is "pending manual review”. Once our AppSec team has completed their manual analysis they publish an updated version of the CVE details in which they correct any imprecise information and add important remarks about their analysis.

Our AppSec Research team often adds remarks based on their expert analysis. These remarks give important information about exploitability and remediation options. We now highlight these comments by showing them in a separate info box both in the scan results Risk Details page and in our AppSec Knowledge Center.

We added new fields that provide additional information about the packages used in your project. This will help organizations meet regulatory requirements and improve the transparency and security of their software supply chain.

The Packages section of Checkmarx SCA reports now includes Component Description, Component Supplier and Executable Properties fields. And, SBOM reports (CycloneDX and SPDX) now include the Component Description field.

You can now view Suspected Malware risk information in the AppSec Knowledge Center. It is presented similarly to vulnerabilities. This enables users to learn about specific risks without needing to scan a project with the risky package.

Added proxy support for DAST, enabling you to scan internal, non‑public, or firewall‑protected applications from the cloud without whitelisting or exposing external IPs. This provides secure, temporary, on‑demand access for full dynamic testing while removing complex firewall configurations and accelerating security validation across cloud‑native and hybrid environments. For more information, see here.

You can now run your full DAST workflow directly from the CLI, removing the need for UI interaction or tunneling setups. A REST‑API‑driven script handles authentication, session creation, scanning, and results retrieval. For more information on the DAST CLI, see here.

The following new queries have been added: