- Checkmarx Documentation
- Checkmarx One
- Release Notes
- Upcoming Multi-Tenant Version | 3.36
Upcoming Multi-Tenant Version | 3.36
Multi-Tenant release date: April 27, 2025
Warning
The content and dates of these Release Notes are provisional and subject to change.
All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.
New features and enhancements
Customizable IaC Query Execution with Preset Configurations
Configure the queries IaC executes using preset configurations at the Tenant, Project, CLI, or Config file level. This gives you greater flexibility and control over your security scans, allowing you to tailor query execution to fit your specific workflows and environments.
Cleaner Drilldown View in BYOR Interface
Improved the drilldown view in the Bring Your Own Risk (BYOR) interface. Resolutions are displayed in a cleaner, more readable format, and URLs are now clickable - no more copying and pasting. This improvement makes accessing the right actions or resources faster and easier, simplifying your workflow and making everything more user-friendly.
Automate Full Project Scans via API
Schedule full project scans via the API, eliminating the need to manually trigger them through the UI. Configure scans based on specific times, recurrence patterns, and preferred scanners. The API provides clear response codes for success or failure and includes options to disable scheduled scans when needed. This update helps ensure important scans aren't missed, reduces manual effort, and fits seamlessly into your automation workflows.
For more information, see documentation.
ASPM Risk Prioritization Now in Your IDE
View ASPM risk-scored results directly in your IDE, bringing critical vulnerability prioritization into your daily workflow. Instead of sifting through every finding, you will see what matters most—high-risk issues first, helping you remediate faster and more efficiently. This update aligns the IDE experience with the ASPM model in the web app and reduces noise while enhancing developer adoption.
Pre-Commit Secret Scanning
The Pre-Commit Secret Scanning feature helps prevent accidental exposure of sensitive information such as passwords, API keys, and access tokens. If secrets are detected, the commit is blocked, and developers receive a detailed report to help remediate the issue.
Note
The feature is available to users with a Secret Detection license.
For more information, see documentation.
Container Security Updates
AWS ECR Integration for Container Security
We now provide an integration with AWS ECR, enabling users to automatically pull images from private ECR repos and scan them using the Checkmarx One Container Security scanner. The integration is done by creating an "Assume Role" in ECR (Role ARN), which grants access to Checkmarx to pull images from your repos.
We provide a convenient wizard on the Checkmarx One Integrations page that enables you to create the integration by submitting info about the "Assume Role" (Role ARN and External ID) that you created, and the repo that you are granting access to.
For more information, see documentation.
Remediation for Base Images
We now show remediation suggestions for specific base images. We provide easy navigation between remediation suggestions for the overall image and for the specific base images used in the image.
Package and Image Level Triage
We now support marking images and packages that were identified by the Container Security as Muted or temporarily Snoozed. This functionality applies in the same manner that it applies to packages identified by the SCA scanner, as explained here.
Status Column
We added the “Status” column to the results table. This column indicates whether the status of an image has been changed to Muted or Snoozed. It also indicates if a package is “Unresolved”. For Unresolved images, hovering over the status indicator shows a tooltip with an explanation of why the image wasn’t resolved.
Support for .tar Files
Added support for scanning .tar files using the Container Security scanner.
SCA Updates
Permission for Management of Licenses
We now limit who can make changes to a license state. We created a new IAM permission for this action, update-license-state(-if-in-group). By default, this is included in the role ast-risk-manager
.
SPDX SBOM Scan Improvement
We have improved the accuracy of results when running an SCA scan on an SPDX format SBOM.
Branch-Based Identification of New Vulnerabilities
We now enable identification of new vulnerabilities based on comparison to previous scans of the specific branch. The default behavior is now to use the new branch-based approach. There is still an option to apply the previous methodology of project-based identification of new vulnerabilities. This configuration can be set on the tenant, project or scan level.
Bulk Action Triage
Added a bulk action for triaging (i.e., changing state, severity and adding comments) for multiple SCA risks at once. This is done by selecting the checkbox next to each of the risks and then making the change.
Note
Only risks of the same type (Vulnerability, Suspected Malware, Legal Risk) can be included in a single bulk action.
Similarly, in the Licenses tab, you can now use a bulk action to triage license states (effective/not effective).
Resolved issues
Ticket number | Description |
---|---|
AST-86751 | GitLab OnPrem Integrated project scan had errors when the base URL contained multiple path segments separated by slashes. |
AST-86802 | Pull request decoration for BitBucket failed due to a key duplication exception in the method |
AST-87976 | The View findings button failed to refresh the request data, displaying outdated information. |
AST-90805 | Secret detection experienced a Context Deadline Exceeded error while inserting results, causing incomplete or failed analysis. |
AST-91291 | Resolved a bug where the project rules API stopped functioning. |
AST-91398 | Fixed issue where WebAudit failed to scan a project. |
AST-65357 | False positive due to an undefined pattern when handling the enum and date format. |
AST-65360 | False positive for undefined maximum length in fields using an enum format. |
AST-65365 | False positive triggered by invalid media type value, suggesting misconfiguration or insufficient validation. |
AST-70809 | Description and expected value were swapped, causing confusion or test failures. |
AST-73206 | False positives were identified for generic passwords and secrets, indicating that sensitivity detection needed refinement. |
AST-75459 | Fixed a bug where error messages showed technical details. |
AST-77315 | The /api/scan-summary endpoint did not account for muted packages, leading to misleading results. |
AST-81789 | The UI displayed zero lines of code for partial scans, though code was present. |
AST-83168 | SAST results were missing changelogs and notes, making it difficult to track scan history. |
AST-83171 | Projects could not be assigned to applications when using custom queries. |
AST-83672 | Project or branch overview page loaded extremely slowly, affecting usability. |
AST-84120 | The scan type shown in the project scan history was incorrect, leading to inconsistencies with the scans list. |
AST-84692 | Project overview failed to load due to a scan summary timeout. |
AST-86484 |
|
AST-88911 | An unrelated checkbox that appeared in the global SCA settings was removed. |
AST-93140 | Scans took an additional 30+ minutes during the fetch-sources stage, impacting performance. |
SCA-20810 | The publish date was modified unexpectedly, possibly affecting audit trails or versioning. |
SCA-21398 | Conflicts between the container configurations of the system and the client project led to scan issues. |
SCA-21718 | A development-only parent package caused errors when transitive packages were treated as production. |
SCA-21986 | Pod stopped responding, which in turn caused the source resolver to timeout. |
SCA-22049 | Transaction commit failed in the scaPackagesProcessor, resulting in incomplete processing. |
SCA-22051 | Fixed error where |
SCA-22129 | License information appeared unspecified in the CXSCA report. |
SCA-22296 | Searching by package name on the risk list page did not work, hindering usability. |
SCA-22336 | Scans failed when using SBOM format SPDX-2.2. |
SCA-22364 | Fixed a problem with SBOM export. |
SCA-22406 | Fixed a problem with SBOM SPDX scan where it had incorrect or missing package relationships, such as direct or transitive links. |
SCA-22458 | ContainerResultsProcessor was causing scans to fail. |
SCA-22709 | Automated test Topaz_ScanNugetProjectGetReport_HappyFlowTest failed due to hash matching logic introduced in the new flow. |
AST-88083 | When a group had more than 100 members, it was not possible to search for a newly added account in the member list. |
AST-88315 | In SAML group mappings, when sync mode = force, the "override user groups" toggle was disabled in the UI by default, but it acted as enabled. |
AST-89122 | Users with the Manage-Clients role only were able to delete clients from other users. |
AST-89420 | An internal server error occurred while accessing "Lost Authenticator device". |
AST-90807 | New IAM UI: First SAML login with user creation, was generating application user email. |
AST-70809 | Descriptions of value and expected value were swapped. |