- Checkmarx Documentation
- Checkmarx One
- Release Notes
- Upcoming Multi-Tenant Version | 3.43
Upcoming Multi-Tenant Version | 3.43
Multi-Tenant release date: August 3, 2025
Warning
The content and dates of these Release Notes are provisional and subject to change.
All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.
New Features and Enhancements
Similarity ID Column Added to SAST Results Viewer
The SAST Results Viewer now includes a sortable Similarity ID column, providing quick access to this important attribute.
Redesigned Code Repository Integration Wizard
The new wizard simplifies SCM project setup with a cleaner, more intuitive flow. Core steps are streamlined, while advanced settings are now optional, making it faster and easier for users to connect repositories with minimal configuration.
Cloud Repository Improvements
Show Private Packages Based on SCA
Cloud Insights now determines identification of private packages based on SCA scan results. This is reflected in the private package data shown in the Inventory table and Attack Path graph.
This ensures consistency with the data shown in the SCA Results Viewer and provides a unified view of private package risks across Checkmarx One.
Manually Map Private Packages to Projects
Cloud Insights now supports manual mapping of private packages to Checkmarx One projects. After Cloud Insights provides an initial mapping based on heuristics, the user can manually specify mapping for unmapped packages or override the automatic mapping for specific packages.
The feature enables you to improve mapping accuracy, helping teams make better-informed security decisions.
Added Enrichment Evidence Log
A new Evidence Log tab is now available in Cloud Insights, displaying a searchable table of all enrichment transactions for each integration account. This includes both incoming enrichments from cloud providers and outgoing enrichments sent to them.
You can apply filters and search the logs. This visibility allows users to track and validate enrichment flows without relying on internal logs.
Added Support for AWS ECS Assets
Cloud Insights now retrieves container data for AWS ECS assets, in addition to existing support for Kubernetes. This is currently supported for Wiz integrations.
Also, you can now group and filter the Inventor page by Asset Type (Kubernetes, ECS or Unknown) and Cluster Name.
This enables broader visibility across diverse deployment platforms, helping users manage risk more comprehensively.
Support to Multiple Consumers in Cloud Connections
Cloud Connections now provide a centralized place to configure integrations across multiple consumers. Instead of setting up connections individually within each consumer, users can create and manage them in one unified view.
Feedback Apps Now Support Container Security
You can now enable the Container Security engine in Feedback Apps. This allows customers to scan container images and report vulnerabilities directly through their existing feedback workflows.
IAM
Keycloak Upgrade
Keycloak was upgraded to version 26.1.
New Permission: send-report-email
A new permission, send-report-email
, has been added under the Analytics category. It allows users to send reports via email. This permission is assigned by default to the ast-admin
role.
New Permission: assign-project-all-groups
A new permission, assign-project-all-groups
, has been introduced under the Projects category. It allows assigning any existing group when creating or updating a project.
During migration, this permission is added to users, groups, OAuth clients, and composite roles only if they already have the create-project
permission. This permission is assigned by default to the ast-admin
role.
Enforcing SSO-Only Access for Application Users
GA: August 10, 2025
To address security concerns when application and SSO users share the same email, organization administrators can now enforce SSO-only access by disabling username/password login.
Authentication is restricted to OIDC or SAML, ensuring users sign in exclusively through SSO and helping organizations maintain stricter access control and simplified account management.
Resolved issues
Ticket number | Description |
---|---|
AST-101425 | Resolved the Containers AWS ECR integration issue. |
AST-101042 | Experienced UI freezes when clicking the "filters" button in the Container Scan Results window. |
AST-99625 | "Containers-file-folder-filter" did not filter as expected. |
AST-99627 | "If-in-group" permissions did not allow changing state. |
AST-98449 | Found inconsistencies in Containers Security results in Checkmarx One. |
AST-98384 | CLI scans failed due to insufficient space when writing to the /tmp folder. |
AST-98382 | Dockerfile.ubi9 scan returned zero results via GitHub Actions. |
AST-89854 | Displayed confusing or unclear information on the Containers Security scanner UI page. |
AST-98433 | Identified a false positive for Terraform IAM Group Without Users in KICS. |
AST-98288 | Flagged a false negative for IAM Policy granting full permissions in KICS. |
AST-94893 | Improved volume mount handling with OS directory write permissions. |
AST-92897 | Flagged a false positive for Storage Account not enforcing HTTPS in KICS. |
AST-87254 | Flagged a false positive for generic private keys in Passwords and Secrets. |
AST-85090 | Flagged a false positive for Terraform MSSQL Server Auditing Disabled in KICS. |
AST-84874 | Identified a false positive for IAM Group Without Users. |
AST-82101 | Flagged a false negative for Passwords and Secrets. |
AST-82029 | Flagged a false positive for Storage Account not enforcing HTTPS. |
AST-81770 | Identified a false positive for missing flag in DNF install. |
AST-74743 | Flagged a false positive for generic passwords in Passwords and Secrets in KICS. |
AST-68530 | Flagged various false positives in KICS. |
SCA-23468 | Improved responsiveness and performance in SCA inventory and risk views. |
SCA-22720 | Resolved issues when hiding Dev and Test dependencies. |
SCA-23383 | Encountered errors when downloading an SCA report. |
AST-103953 | Application Risk Management page appeared empty. |
AST-102782 | Clicking Vulnerabilities by Scan Type in Project Overview opened a blank tab. |
AST-98399 | Encountered thousands of exceptions during data retention flow following project deletion. |
AST-102548 | The Save button in project settings did not display a notification, though settings were saved. |
AST-92509 | Updated documentation for the project conversion API. |
AST-101534 | The Keycloak API ( |
AST-99133 | Import process was failing due to a duplicate resource error. |
AST-96377 | Identity provider name was duplicated in the User tab. |
AST-106760 | The Auto PR feature removed customer’s branches. |
AST-104422 | It was not possible to update a custom item type with an inherited field in ADO using the pipeline's additional parameter |
AST-103867 | Jira integration failed to get server info from Jira (during the scan in flow-publisher) but the connection was established successfully in the configuration. |
AST-102576 | Customer's tags in an Azure Boards work item were removed after a new scan. |
AST-100922 | The search for a protected branch couldn’t find all branches when their number exceeded 400. |