Upcoming Multi-Tenant Version | 3.30

Checkmarx One now allows users to execute bulk actions on multiple projects, enabling the assignment of tags to several projects simultaneously.

Analytics now prioritize the default Main branch (e.g., "main" or "master") of each project to enhance clarity and performance. This update ensures faster load times and more relevant data, and reduced confusion by focusing only on critical security issues from production branches, avoiding noise from test or non-production data.

We have added support for CVSS 4.0 for SCA vulnerabilities. Since the vulnerabilitiesDetails object returned by the GET /results API differs depending on the version of CVSS used for each vulnerability, you may need to adjust your workflows to accomodate the schema for 4.0 results. Details about the schema for CVSS 4.0 can be seen here.

The Cloud Insights integration for enriching the data shown in your Wiz Vulnerability Findings now supports projects that don’t have Code Repository integrations.

Checkmarx now uses the URL or zip archive used to submit your source code (either via the UI or CLI) to identify correlations between Checkmarx One projects and the related Wiz scanned repos, enabling us to enrich the relevant repos with vulnerability info from Checkmarx One SAST scans.

These updates apply to all supported code repositories: GitHub, GitLab, Bitbucket and Azure DevOps (except that Bitbucket doesn’t support collapsible tabs).

The ability to configure a policy violation to break the build (i.e., fail the PR) for a Code Repository Integration project is now being released as GA together with the other features in version 3.30 (it had previously been released to BETA customers).

Now, as part of the policy configuration, you can turn on the Break Build toggle for each policy for which you want a violation to prevent the PR from being merged.

For more information see documentation.

Fast Scan mode and File Exclusion are now enabled by default for all new projects, improving scan execution time while maintaining flexibility to meet security needs prioritizing speed over accuracy. For more information about how this will affect existing workflows, see here.

To address cases where 0 developers are counted due to inaccessible private repositories, users can now enter repository access tokens in the project settings. This allows the system to call APIs and accurately fetch contributing developers, even for CLI scans with excluded .git folders or CI/CD scans without repository access.

Users can now unset the primary branch for a project. This allows results on the primary projects page to reflect the most recently scanned branch rather than being tied to a predefined primary branch

Starting with version 3.30, notes in Results Viewer can only be added; editing or deleting existing notes is no longer allowed. This change ensures better traceability and record integrity.

The Visual Studio Code Plugin and CLI now feature guided remediation that integrates with the customer’s Azure AI environment, providing a secure alternative to the OpenAI platform.

For more information, see documentation.

The system now supports Bicep language for deploying Azure resources. This enables customers to define and deploy Azure resources using a simpler, more concise syntax compared to traditional ARM templates.

Checkmarx One now fully supports DAST scan history, allowing users to access results from all previous successful scans, not just the latest one. Users can update results (such as severity and status) across all scans, with changes automatically reflected in all related scan results.

The DAST similarity ID mechanism has been updated to utilize a new set of fields and apply targeted transformations to specific fields, enhancing consistency and accuracy.

Codebashing links are now shown in the SAST results viewer only when the following conditions are met:

Checkmarx One now offers robust filter settings to enhance container security by enabling users to configure their scans for precision and relevance. Filters can be applied to files, folders, packages and images.

Filters can be applied both on the global (account) level as well as for specific projects. Filters can be set via the web application (UI) or API.

For detailed information about the filters that can be applied, see documentation.

In the context of the Checkmarx One Policy Management feature, we now support creation of policy conditions for the Container Security scanner. We have added a specialized set of conditions for the Container Security scanner which can be used to create complex conditions using Condition Groups.

For more information, see Container Security Conditions.

We’ve streamlined the onboarding process for customers using our Sysdig integration by enabling them to easily connect their accounts with a Spotlight token.

Once connected, customers with a Sysdig license can access runtime data to prioritize container risks effectively.

We added quick filters to enable users to easily focus on key results. The quick filters are:

We have added support for the CVSS 4.0 scoring system, which uses additional metrics to provide better granularity and further refine the scoring methodology. We now show the CVSS 4.0 score for each vulnerability that has such a score. When no CVSS 4.0 score is available, we continue to use the most recent available score from previous scoring systems (3.1 or 2.0). Additional details about this change are available here.

We have added several new policy conditions, enabling granular detection of specific risk factors:

Four new permissions have been added under the Integrations category:

Keycloak was upgraded to version 26.

Users can now set a limit on the number of concurrent sessions per user, providing greater control and compliance with organizational policies.