Upcoming Multi-Tenant Version | 3.58

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's subheading.

New Features and Enhancements

AI Supply Chain Security (AISC)

General Availability: April 27, 2026

AI Supply Chain Security (AISC) provides visibility into the AI components embedded in your code, helping address the growing challenge of Shadow AI - untracked models, agents, and integrations that introduce risk, unclear data flows, and compliance concerns.

AISC discovers and classifies AI assets directly from source code and configuration, identifying components such as MCP clients and servers, AI agents (e.g., LangChain, Semantic Kernel), AI models, core ML libraries (e.g., PyTorch, TensorFlow), and AI SDKs (e.g., OpenAI, Anthropic, Vertex AI, Hugging Face).

The feature includes end-to-end capabilities to operationalize this visibility: scan orchestration for consistent analysis across projects, a dedicated results viewer to explore detected AI assets, CLI support for CI/CD integration, and policy management to enforce governance and compliance.

With AISC, teams can uncover hidden AI usage, assess risk early, and maintain control over AI adoption across their software supply chain. For more information, click here.

AI-Powered Image Detection and Correlation in Cloud Insights

General Availability: May 3, 2026

Cloud Insights now leverages AI to enhance container image detection and correlation in three key areas:

  • Identifying 3rd party images

  • Extracting commit hashes and source URLs

  • Matching runtime images to Checkmarx Projects

View Vulnerability Delta Between Production and Latest Scan

General Availability: May 3, 2026

Cloud Insights now highlights changes in vulnerability counts between the image currently in production and the latest project scan. A new Image → Latest Scan column in the Cloud Insights Inventory clearly shows the delta, helping teams identify risk increases before code is deployed.

You can filter projects by security trend and sort by total delta to quickly pinpoint areas where risk is rising. This makes it easier to assess the impact of upcoming releases, prioritize remediation efforts, and prevent vulnerable code from reaching production.

For more information, see Cloud Insights.

Smart Documentation Suggestions in Checkmarx One Support Ticket Flow

General Availability: May 3, 2026

Checkmarx One now suggests relevant documentation articles in real time as users begin typing in the Subject field when creating a support case in the UI.

Suggestions include the article title, a short summary, and a direct link to the documentation, helping users quickly find answers and potentially avoid opening a ticket.

For more information, see Contacting support.

Risk Management: Assign Users and Groups

Checkmarx One Risk Management now supports assigning findings to specific users or groups, enabling clear ownership and more efficient remediation workflows.

A new Assignee column allows authorized users to assign or remove users and groups per finding. Assignments are limited to users within the tenant and require appropriate permissions, ensuring only relevant users can be selected. Changes are reflected in real time across all consuming systems.

To support governance, a new permission - manage-vulnerability-assignees - is introduced and must be combined with existing update permissions to modify assignments. Assigned users can optionally receive email notifications, helping ensure timely awareness and action.

This feature improves accountability, reduces duplicate work, and streamlines risk management by ensuring each finding has a clear owner.

Added Support for ADO Organization-Scoped PAT

General Availability: May 3, 2026

For Azure DevOps (ADO) Code Repository integrations that use the "Self-Hosted" flow, we now support organization-scoped Personal Access Tokens (PATs). This removes the need to use Global PATs, which grant excessive permissions and are planned for deprecation by Microsoft.

Users can configure integrations by providing a PAT scoped to a specific organization, with validation performed against that organization during setup. Only the organization associated with the PAT is displayed. If you would like to include multiple organizations in a single configuration, you can create a separate PAT for each organization and, in the setup wizard, click Add Organization to submit the additional PATs.

Notice

The existing integration using the global PAT continues to function as long as it remains supported by Microsoft.

This update improves security, flexibility, and long-term compatibility.

For more information, see Azure DevOps Self-Hosted.

Support REST API Project Import for ADO

The REST API for creating new Code Repository Integration projects now supports Azure DevOps (ADO) (in addition to existing support for GitHub). For more information, see API documentation.

SCA

Additional OSS License Support

We added support for identifying the following licenses that apply to OSS packages: AFL-3.0, CPAL-1.0, OSL-3.0, APSL-2.0, Watcom-1.0 and LPPL-1.3c.

Python and NuGet Support for Automated Remediation Workflows

General Availability: May 3, 2026

SCA remediation now supports Python and NuGet packages. You can download a remediated manifest file (e.g., requirements.txt for Python and *.csproj for NuGet) with secure package versions directly from the UI or via the export service API. In addition, the Auto Pull Request feature will automatically generate pull requests targeting vulnerable Python packages in the correct repository and branch. Each pull request contains only the secure version changes, along with any associated manifest files required for full remediation.

This expansion brings Python and .NET developers into parity with existing Auto-PR workflows, giving teams both automated and manual remediation paths to address open-source vulnerabilities across a broader range of ecosystems. Learn more about Exporting Remediated Manifest Files and SCA Auto Pull Requests.

IaC

IaC updates are documented in the IaC changelog.

DAST

URL Inclusion Enhancements

General Availability: May 3, 2026

DAST now helps you include all required URLs for full scan coverage and successful authentication.

DAST scans start from the main URL you define, but many applications use additional domains or paths. If these URLs are not included, authentication may fail or parts of the application may not be scanned. DAST now prompts you to include authentication URLs during setup and shows all discovered but non‑included URLs in the authentication report, error messages, and configuration settings so you can easily add the paths that matter.

Insights in DAST

General Availability: May 3, 2026

Insights provide important scan‑related information that isn’t classified as a vulnerability. They flag conditions that can affect scan accuracy or indicate external issues such as authentication failures, blocking mechanisms, or repeated server errors.

If a High‑level Insight is detected, the scan stops and is marked Failed to prevent misleading or incomplete results. A full list of the available insights is viewable here.

Resolved Issues

| Item | Description |
|------|-------------|
| AST-146204 | Updated deprecated Bitbucket API (api.bitbucket.org/2.0/workspaces) to the supported /user/workspaces endpoint. |
| AST-143848 | Fixed issue where “Allow Override” could not be modified in Project Settings rules. |
| AST-142284 | Resolved incorrect file path formatting (extra \) in GitLab scan result decorations. |
| AST-141885 | Fixed GitLab repository retrieval failure caused by use of the search_namespaces attribute. |
| AST-136441 | Addressed scan failures related to “Remote backend is unreachable.” |
| AST-145285 | Fixed UI issue in the Jira Feedback configuration page. |
| AST-141684 | Resolved SAST result viewer filtering crash for long input strings (504 Gateway Timeout). |
| AST-132371 | Fixed DAST YAML configuration upload returning a 500 error without a clear message. |