Skip to main content

Upcoming Multi-Tenant Version | 3.36

Multi-Tenant release date: April 27, 2025

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.

New features and enhancements

Customizable IaC Query Execution with Preset Configurations

Configure the queries IaC executes using preset configurations at the Tenant, Project, CLI, or Config file level. This gives you greater flexibility and control over your security scans, allowing you to tailor query execution to fit your specific workflows and environments.

Cleaner Drilldown View in BYOR Interface

Improved the drilldown view in the Bring Your Own Risk (BYOR) interface. Resolutions are displayed in a cleaner, more readable format, and URLs are now clickable - no more copying and pasting. This improvement makes accessing the right actions or resources faster and easier, simplifying your workflow and making everything more user-friendly.

Automate Full Project Scans via API

Schedule full project scans via the API, eliminating the need to manually trigger them through the UI. Configure scans based on specific times, recurrence patterns, and preferred scanners. The API provides clear response codes for success or failure and includes options to disable scheduled scans when needed. This update helps ensure important scans aren't missed, reduces manual effort, and fits seamlessly into your automation workflows.

For more information, see documentation.

ASPM Risk Prioritization Now in Your IDE

View ASPM risk-scored results directly in your IDE, bringing critical vulnerability prioritization into your daily workflow. Instead of sifting through every finding, you will see what matters most—high-risk issues first, helping you remediate faster and more efficiently. This update aligns the IDE experience with the ASPM model in the web app and reduces noise while enhancing developer adoption.

Pre-Commit Secret Scanning

The Pre-Commit Secret Scanning feature helps prevent accidental exposure of sensitive information such as passwords, API keys, and access tokens. If secrets are detected, the commit is blocked, and developers receive a detailed report to help remediate the issue.

Note

The feature is available to users with a Secret Detection license.

For more information, see documentation.

Container Security Updates

AWS ECR Integration for Container Security

We now provide an integration with AWS ECR, enabling users to automatically pull images from private ECR repos and scan them using the Checkmarx One Container Security scanner. The integration is done by creating an "Assume Role" in ECR (Role ARN), which grants access to Checkmarx to pull images from your repos.

We provide a convenient wizard on the Checkmarx One Integrations page that enables you to create the integration by submitting info about the "Assume Role" (Role ARN and External ID) that you created, and the repo that you are granting access to.

For more information, see documentation.

Remediation for Base Images

We now show remediation suggestions for specific base images. We provide easy navigation between remediation suggestions for the overall image and for the specific base images used in the image.

Package and Image Level Triage

We now support marking images and packages that were identified by the Container Security as Muted or temporarily Snoozed. This functionality applies in the same manner that it applies to packages identified by the SCA scanner, as explained here.

Status Column

We added the “Status” column to the results table. This column indicates whether the status of an image has been changed to Muted or Snoozed. It also indicates if a package is “Unresolved”. For Unresolved images, hovering over the status indicator shows a tooltip with an explanation of why the image wasn’t resolved.

Support for .tar Files

Added support for scanning .tar files using the Container Security scanner.

SCA Updates

Permission for Management of Licenses

We now limit who can make changes to a license state. We created a new IAM permission for this action, update-license-state(-if-in-group). By default, this is included in the role ast-risk-manager.

SPDX SBOM Scan Improvement

We have improved the accuracy of results when running an SCA scan on an SPDX format SBOM.

Branch-Based Identification of New Vulnerabilities

We now enable identification of new vulnerabilities based on comparison to previous scans of the specific branch. The default behavior is now to use the new branch-based approach. There is still an option to apply the previous methodology of project-based identification of new vulnerabilities. This configuration can be set on the tenant, project or scan level.

Bulk Action Triage

Added a bulk action for triaging (i.e., changing state, severity and adding comments) for multiple SCA risks at once. This is done by selecting the checkbox next to each of the risks and then making the change.

Note

Only risks of the same type (Vulnerability, Suspected Malware, Legal Risk) can be included in a single bulk action.

Similarly, in the Licenses tab, you can now use a bulk action to triage license states (effective/not effective).

Resolved issues

Ticket number

Description

AST-86751

GitLab OnPrem Integrated project scan had errors when the base URL contained multiple path segments separated by slashes.

AST-86802

Pull request decoration for BitBucket failed due to a key duplication exception in the method addScaResultsExploitablePath.

AST-87976

The View findings button failed to refresh the request data, displaying outdated information.

AST-90805

Secret detection experienced a Context Deadline Exceeded error while inserting results, causing incomplete or failed analysis.

AST-91291

Resolved a bug where the project rules API stopped functioning.

AST-91398

Fixed issue where WebAudit failed to scan a project.

AST-65357

False positive due to an undefined pattern when handling the enum and date format.

AST-65360

False positive for undefined maximum length in fields using an enum format.

AST-65365

False positive triggered by invalid media type value, suggesting misconfiguration or insufficient validation.

AST-70809

Description and expected value were swapped, causing confusion or test failures.

AST-73206

False positives were identified for generic passwords and secrets, indicating that sensitivity detection needed refinement.

AST-75459

Fixed a bug where error messages showed technical details.

AST-77315

The /api/scan-summary endpoint did not account for muted packages, leading to misleading results.

AST-81789

The UI displayed zero lines of code for partial scans, though code was present.

AST-83168

SAST results were missing changelogs and notes, making it difficult to track scan history.

AST-83171

Projects could not be assigned to applications when using custom queries.

AST-83672

Project or branch overview page loaded extremely slowly, affecting usability.

AST-84120

The scan type shown in the project scan history was incorrect, leading to inconsistencies with the scans list.

AST-84692

Project overview failed to load due to a scan summary timeout.

AST-86484

GET projects-overview API response was missing repoId for projects whose latest scans were older than 21 days.

AST-88911

An unrelated checkbox that appeared in the global SCA settings was removed.

AST-93140

Scans took an additional 30+ minutes during the fetch-sources stage, impacting performance.

SCA-20810

The publish date was modified unexpectedly, possibly affecting audit trails or versioning.

SCA-21398

Conflicts between the container configurations of the system and the client project led to scan issues.

SCA-21718

A development-only parent package caused errors when transitive packages were treated as production.

SCA-21986

Pod stopped responding, which in turn caused the source resolver to timeout.

SCA-22049

Transaction commit failed in the scaPackagesProcessor, resulting in incomplete processing.

SCA-22051

Fixed error where io.netty:netty-handler 4.1.115.Final was considered missing when scanning the ZIP package.

SCA-22129

License information appeared unspecified in the CXSCA report.

SCA-22296

Searching by package name on the risk list page did not work, hindering usability.

SCA-22336

Scans failed when using SBOM format SPDX-2.2.

SCA-22364

Fixed a problem with SBOM export.

SCA-22406

Fixed a problem with SBOM SPDX scan where it had incorrect or missing package relationships, such as direct or transitive links.

SCA-22458

ContainerResultsProcessor was causing scans to fail.

SCA-22709

Automated test Topaz_ScanNugetProjectGetReport_HappyFlowTest failed due to hash matching logic introduced in the new flow.

AST-88083

When a group had more than 100 members, it was not possible to search for a newly added account in the member list.

AST-88315

In SAML group mappings, when sync mode = force, the "override user groups" toggle was disabled in the UI by default, but it acted as enabled.

AST-89122

Users with the Manage-Clients role only were able to delete clients from other users.

AST-89420

An internal server error occurred while accessing "Lost Authenticator device".

AST-90807

New IAM UI: First SAML login with user creation, was generating application user email.

AST-70809

Descriptions of value and expected value were swapped.