Upcoming Multi-Tenant Version | 3.60

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's subheading.

New Features and Enhancements

Checkmarx MCP Server

General Availability: June 21, 2026

Checkmarx One now includes a native MCP Server, enabling developers and AppSec teams to interact with security workflows directly from AI assistants and IDE chat interfaces such as Claude, Cursor, Windsurf, Kiro, and Copilot Chat.

Using a set of purpose-built tools, users can manage applications and projects, trigger and monitor scans across SAST, SCA, IaC, and Secrets Detection, and investigate security findings - all through natural language without leaving their development environment. An intelligent scan orchestration workflow allows developers to start with a simple command such as "scan this project" and seamlessly progress to prioritized results and remediation guidance. Vulnerabilities can also be reviewed and remediated directly within the chat interface using natural language interactions.

The MCP Server leverages Checkmarx One's existing authentication and role-based access control (RBAC) model, supporting both the pre-defined OAuth client (cx-mcp-client) and Dynamic Client Registration for flexible integration across different environments. It requires no additional licensing and includes comprehensive audit logging.

Added AI Supply Chain Scanner for Code Repository Integration Projects

General Availability: June 21, 2026

The AI Supply Chain scanner is now available when configuring Code Repository Integration projects, providing visibility into AI assets used across your codebase. You can enable it alongside existing scanners during project import, project migration, and through project-level settings. Once enabled, AI Supply Chain scans are triggered automatically by SCM events such as push and pull requests, consistent with the behavior of other scanners.

This ensures comprehensive AI asset coverage across your projects without requiring additional configuration.

Improved Repository URL Consistency for Imported Projects

General Availability: June 21, 2026

Repository URL management for Code Repository Integration projects has been improved to ensure consistent behavior across all APIs and views. The repository URL is now controlled exclusively by the SCM integration for imported projects - manual edits to the repository URL are blocked to prevent data inconsistencies and silent scan failures.

The URL is now reflected consistently across project views.

Quantum Cryptography Alert

Unsecured TLS connections now trigger an alert, prompting you to correct the server’s configuration. These alerts also appear in your scan results and are automatically included in the default policy when you set up your environment.

Policy Violations API Endpoint

General Availability: June 21, 2026

The Policy Violations Download API endpoint - GET /api/policy_management_service_uri/policy_violations - is now available, providing programmatic access to policy-violating findings from SCA and SAST scans. The endpoint auto-detects the relevant scanner from the provided Scan ID, returning SCA package violations, SAST vulnerability violations, or both when a project includes multiple scanners.

Container Security

Added Package-Level Muting and Snoozing

General Availability: June 21, 2026

Container scan results now support package-level muting and snoozing, allowing triage actions to be applied to a specific package across all images rather than being tied to a specific image name and tag. This is available both via the web application (UI) and via the API.

Managing triage at the package level lets teams apply one consistent decision across their entire image estate, cutting repetitive triage work and keeping pipelines from failing on vulnerabilities that have already been reviewed.

IaC

IaC updates are documented in the IaC changelog.

DAST

No new DAST-related features or enhancements are included in this release.

Resolved Issues

Item | Description
AST-141825 | Creating the first DAST tunnel in an environment failed.
AST-157506 | The GraphQL job was missing from the configuration file.
AST-156626 | The SAST worker failed to parse scan results due to an incomplete XML file.
AST-152139 | Retrieving differential branch scan results failed.
AST-151941 | Group migration was skipped in Access Management Phase 1 environments during import.
AST-151735 | Submitting a support ticket with valid data returned a 500 Internal Server Error.
AST-145342 | Opening an mcp.json file triggered an unexpected Copilot Chat prompt.
AST-134417 | A specific project within an application displayed N/A instead of actual results.
SCA-26534 | Muted and snoozed package statuses were not reflected in Export Service reports after recalculation.
SCA-26401 | Java findings were incorrectly reported as vulnerabilities.