Current Multi-Tenant Version | 3.50

New Features and Enhancements

SAST Application Column Management UI Persistency

Clicking the Set to default button in the table UI saves the current column configuration, including visibility, order, pin state, whether a column is marked as default, and column width.

When you revisit the page, whether by logging in, refreshing the browser, or opening a new tab of the table, these settings will persist, ensuring your customized view remains intact.

Complete SAST Results Viewer Enabled in UI

All columns are now available directly in the SAST Result Viewer UI, rather than just the API.

To enhance customization, a new column management button has been introduced. This feature allows you to show or hide columns, pin key ones to lock their position in the table, and drag others to reorder them for better visibility. See here for more information.

Custom States for Container Security

We now support custom states for risks identified by the Container Security scanner.

Note

This capability is available for new IAM customers only.

File Upload Limit via UI Increased to 6GB

We have increased the maximum binary file upload size from 100MB to 6GB for enterprise customers.

The expanded limit enables efficient transfer and management of large files and strengthens our upload infrastructure for future scalability.

Ability to Export SCA and IaC Scan Results in CSV Format

SCA, IaC, and Containers scan results can now be exported in CSV format, providing greater flexibility for reporting and data processing.

Split Secret Detection and Repository Health Licensing

The Code Repository Integrations feature now supports separate licenses for Secret Detection and Repository Health. This provides more granular control over these features.

Analytics: Added State Filter Across Dashboards

A new State filter has been added to Vulnerabilities, Executive Overview, and the Engineering dashboards, enabling users to refine analytics based on vulnerability states, including both system and custom states.

This enhancement provides more precise insights, improves triage workflows, and allows teams to focus on the vulnerability states most relevant to their analysis.

Feedback Apps: Added “Resolution” Field for Closing Issues

You can now specify a required Resolution when closing issues through the Feedback Apps integration with Jira or Azure DevOps.

This enhancement ensures issues can be closed correctly according to your workflows and compliance requirements. It improves lifecycle automation, prevents integration errors, and aligns the Feedback App with existing issue management processes.

SCA

Support for packages.lock.json

For .NET projects, we added support for scanning packages.lock.json files.

Triage in Global Inventory

In the SCA Global Inventory, you can now perform bulk-action triage on multiple items by selecting all relevant items and then clicking Manage States. This applies to the Packages, Vulnerabilities and Malware, and Licenses tabs, making it easy to apply triage across the entire tenant.

For example, if you decide that a particular package is not a concern, you can search for all instances of that package in the Packages tab and mark them all as Muted.

This feature streamlines large-scale triage workflows and saves time by allowing you to apply consistent decisions with a single action.

For more information, see the documentation.

Private Repository Configuration via API

When integrating Checkmarx One projects with private registries for SCA scanning, it is now possible to manage the configurations via API instead of adding them to the project’s config files. The Private Registry APIs enable creating and editing configurations, assigning tags to configurations, and associating configurations with projects.

Note

Currently supported only for JFrog Artifactory.

Learn about private registry integrations here.

See complete API documentation here.

IaC

Updated to version 2.1.16.

New Features and Enhancements

  • Corrected false positives for SNS topic public accessibility in Terraform/AWS, Ansible/AWS, and CloudFormation/AWS.

  • Added support for database resources in two Azure queries.

  • Included cases for Azure App Service resources (azurerm_linux_web_app and azurerm_windows_web_app).

  • Prevented panic when parsing recursive YAML anchors or aliases.

  • Added support for arrays and minor fixes in queries.

IAM

Keycloak has been updated to version 26.4.

New Features and Enhancements

New Role: plugin-scanner for CI/CD and IDE Integrations

A new IAM role, plugin-scanner, is now available to support secure, least-privileged access for plugin-based integrations. This role provides minimal, scoped permissions required for:

  • Checkmarx CLI

  • CI/CD pipeline integrations

  • IDE plugins

This addition improves security by limiting access to only what is necessary for scanning operations, while simplifying configuration for teams using automation and development tooling.

New Role: analytics-developer-assist-view

A new role, analytics-developer-assist-view, has been introduced to provide users with view-only access to the Developer Assist dashboard. This role enables controlled visibility into developer-focused analytics while maintaining proper access governance.

New Role for Developer Standalone Plugin

A new least-privileged role has been added to support the Developer Standalone plugin without requiring tenant-level permissions. The role:

  • Can generate API Keys for authentication

  • Can view the License page and download the contributor developers CSV

  • Cannot create projects, applications, or trigger scans

This enables secure, fully decoupled plugin operation while preventing unnecessary access.

Resolved IAM Issues

Item | Description
AST-114556 | Users cannot log in with SAML or SSO on the DEU environment.
AST-118003 | Adding groups during the project creation is not working properly when subgroups are involved.
AST-119795 | Reset password event is shown in Audit Trail as user.mfa.updated.
AST-120182 | Group name can contain the special character "/" that is used as a subgroup divider.
AST-120187 | It is allowed to create groups with identical names differing only by letter case.
AST-120549 | OAuth Client with permission manage-access is getting internal error 500 when calling the users API.
AST-121294 | Two or more parallel mappers "Teams to Group Mapper" with "force" sync mode and "Override User Groups" remove all other mapper groups.
AST-121789 | Multiple tenant owners appearing in the UI for the cxiam/users page.
AST-121792 | It is possible to add a user without an email address.

Resolved Issues

Item | Description
AST-123607 | Fixed vulnerabilities by severity displayed today’s date in the Detected First and Detected Last fields.
AST-122322 | DAST provided an incorrect secret key during two-factor authentication.
AST-122103 | Grouping by path in DAST results broke the UI when the path was very long.
AST-120573 | The Containers Realtime API did not recognize confluentinc/cp-kafkacat:6.1.10 as malicious.
AST-118573 | Container scans reported remediation images as vulnerable.
AST-116707 | Confirming a malicious package flagged in a container was not possible.
AST-116035 | Critical vulnerabilities were reported in gcr.io/distroless/base-debian12:latest even though they were not present.
AST-115617 | The Source Extractor channel in FIS shut down unexpectedly.
AST-115463 | The Container Security GraphQL API returned incorrect counters.rs.
AST-114094 | The Container Security GraphQL API did not function properly.
AST-114081 | CSV SAST Results reports did not display the full vulnerability URL.
AST-114049 | In Analytics, the “Vulnerabilities by State” drill-down data did not match the CSV report.
AST-108903 | Container scans failed from CLI version 2.3.21 onward.
AST-107697 | Container image scans failed and returned an error.
AST-105819 | The Scan History page displayed zero results and showed a “Failed to get Containers summaries” message.
AST-101532 | Input validation for AWS ECR integration in Container Security was not working correctly.
AST-100434 | Container scans failed due to a timeout error (System.TimeoutException: Max scan timeout reached).
AST-96382 | Scanning containers via CLI and UI produced inconsistent results.
SCA-24730 | The feature flag SCA_DISABLE_GRAPHQL_FOR_SCAN_REPORT changed the FirstFoundAt format in reports.
SCA-24666 | The Scan Runner marked scans as failed even after successful retries.
SCA-24644 | NuGet sources were removed unexpectedly.
SCA-24469 | The commons-httpclient package was not found by fingerprint detection.
SCA-24445 | Some packages did not appear in the UI.
SCA-24417 | Incorrect version and dependency details were shown for org.apache.derby:derbyshared.
SCA-24408 | The SCA Resolver scanned the node_modules folder despite exclusion rules.
SCA-24362 | SCA scans failed after JFrog integration.
AST-122242 | DAST was missing a record for the “Login” button click event.
AST-120822 | Pull Request comments showed unclear messaging when attempting to connect to an LLM, even when the feature was not licensed.
AST-120766 | The SAST worker encountered failures that required RCA analysis.
AST-116925 | The PUT method returned HTTP 500 on the release candidate under Access Management.
AST-115620 | Terraform Plan files did not return results in IaC.
AST-115005 | Setting the primary branch in project settings failed.
AST-114868 | IaC generated a false positive for “SNS Topic is Publicly Accessible.”
AST-114807 | Branches containing special characters did not appear in Scan History.
AST-111151 | Filtering the scan queue took longer than 15 seconds.
AST-109896 | Filter performance on certain project pages was slow.
AST-105352 | IaC results returned outdated severity information.
AST-121115 | Application reports generated empty lists of applications and scanners.
AST-120024 | Authorization was granted to an incorrect group name under Access Management Phase 1.
AST-120549 | Internal server errors (500) occurred for OAuth clients with the manage-access permission.
AST-119795 | Reset password events appeared as user.mfa.updated in the Audit Trail.
AST-118003 | Adding groups during project creation did not work properly when subgroups were involved.
AST-114556 | Users could not log in via SAML or SSO in the DEU environment.
AST-120097 | A Keycloak issue occurred during the Import Tool run in IAM.