Version 3.40 | June 22, 2025

You can now export the full Global API Inventory as a CSV file directly from the UI. The export respects your applied filters and sorting, includes all data across pages, and breaks down risk levels by severity. This makes it easier to share, audit, and analyze API risk data across teams. CSV files are downloaded automatically with a single click.

For images that have multiple source code repos associated with them, we now match the image to the main source code project and also show all private packages used by that image. The private package data is shown in the Attack Path visualization as well as in a tooltip in the Inventory table.

In addition to identifying the private packages used by the image, when possible, we also match those packages with Checkmarx One projects of the same name, enabling us to show vulnerability info for those packages.

Cloud Insights now allows Checkmarx One admins to configure enrichment settings directly in the UI. Admins can control whether to push SAST or DAST results to Wiz, define the label for extracting repo URLs, and customize blacklist terms to fine-tune the matching algorithm.

This enables greater flexibility for implementing the enrichment.

The GET /results API response now includes a new field: alternateId. This field provides a unique identifier for each result and is currently supported for the following scanners: IaC, SAST, SCA, SSCS Secret Detection, and SSCS Scorecard.

Customers using CxLink can now connect to their SCMs through a secure tunnel instead of relying on direct SCM URLs. This enhancement enables seamless integration in restricted or secured network environments where direct access is blocked, simplifying setup and eliminating the need for firewall or network changes.

Checkmarx One automatically detects when CxLink is in use and routes traffic through the tunnel, ensuring secure and flexible SCM connectivity.

We released a new Checkmarx One plugin for identifying Software Composition Analysis (SCA) risks in your JFrog artifactory. The plugin analyzes each of the open source packages in your artifactory, comparing them against our SCA vulnerability database in order to identify security risks and license requirements. The findings are added as "cx" properties to each artifact, enriching the metadata displayed in the Artifactory UI.

This provides seamless risk visibility within your DevOps workflow, helping you to identify and address vulnerabilities early in the development process.

The plugin allows you to configure compliance thresholds, so that artifacts exceeding these thresholds are automatically marked as non-compliant. Depending on the configuration, such artifacts can be blocked from usage to prevent the use of insecure components.

See complete documentation here

We added the option when generating an SBOM report to exclude Dev and Test dependencies. See how we identify Dev and Test dependencies here.

We also added the option to exclude all licenses that are not designated as “Effective” for that particular package.

Keycloak was upgraded to version 26.1.

A new predefined role, Manage SCM Configuration, is now available for self-hosted environments using the new Access Management system. This role includes permissions to create, update, delete, and view SCM configurations, simplifying access control for SCM-related tasks.

Additionally, the description for the existing create-scm-configuration permission has been updated for clarity. All permissions are categorized under Integrations.