Version 3.43 | August 3, 2025

New Features and Enhancements

Similarity ID Column Added to SAST Results Viewer

The SAST Results Viewer now includes a sortable Similarity ID column, providing quick access to this important attribute.

Redesigned Code Repository Integration Wizard

The new wizard simplifies SCM project setup with a cleaner, more intuitive flow. Core steps are streamlined, while advanced settings are now optional, making it faster and easier for users to connect repositories with minimal configuration.

Cloud Repository Improvements

Show Private Packages Based on SCA

Cloud Insights now identifies private packages based on SCA scan results. This is reflected in the private package data shown in the Inventory table and Attack Path graph.

This ensures consistency with the data shown in the SCA Results Viewer and provides a unified view of private package risks across Checkmarx One.

Manually Map Private Packages to Projects

Cloud Insights now supports manual mapping of private packages to Checkmarx One projects. After Cloud Insights provides an initial mapping based on heuristics, the user can manually specify mapping for unmapped packages or override the automatic mapping for specific packages.

The feature enables you to improve mapping accuracy, helping teams make better-informed security decisions.

Added Enrichment Evidence Log

A new Evidence Log tab is now available in Cloud Insights, displaying a searchable table of all enrichment transactions for each integration account. This includes both incoming enrichments from cloud providers and outgoing enrichments sent to them.

You can apply filters and search the logs. This visibility allows users to track and validate enrichment flows without relying on internal logs.

Added Support for AWS ECS Assets

Cloud Insights now retrieves container data for AWS ECS assets, in addition to existing support for Kubernetes. This is currently supported for Wiz integrations.

Also, you can now group and filter the Inventory page by Asset Type (Kubernetes, ECS or Unknown) and Cluster Name.

This enables broader visibility across diverse deployment platforms, helping users manage risk more comprehensively.

Support for Multiple Consumers in Cloud Connections

Cloud Connections now provide a centralized place to configure integrations across multiple consumers. Instead of setting up connections individually within each consumer, users can create and manage them in one unified view.

Feedback Apps Now Support Container Security

You can now enable the Container Security engine in Feedback Apps. This allows customers to scan container images and report vulnerabilities directly through their existing feedback workflows.

Container Security GraphQL API Documentation

The Container Security GraphQL API provides comprehensive access to container security scan data, allowing clients to query information about scans, images, layers, packages, and vulnerabilities. The API implements a hybrid approach, offering both hierarchical access and flat access patterns to provide maximum flexibility for data retrieval.

IAM

Keycloak Upgrade

Keycloak was upgraded to version 26.2.

New Permission: send-report-email

A new permission, send-report-email, has been added under the Analytics category. It allows users to send reports via email. This permission is assigned by default to the ast-admin role.

New Permission: assign-project-all-groups

A new permission, assign-project-all-groups, has been added under the Projects category. It allows assigning any existing group when creating or updating a project.

During migration, this permission is added to users, groups, OAuth clients, and composite roles only if they already have the create-project permission. This permission is assigned by default to the ast-admin role.

Enforcing SSO-Only Access for Application Users

GA: August 17, 2025

To address security concerns when application and SSO users share the same email, organization administrators can now enforce SSO-only access by disabling username/password login.

Authentication is restricted to OIDC or SAML, ensuring users sign in exclusively through SSO and helping organizations maintain stricter access control and simplified account management.

CLI and Plugins Releases of July 2025

CLI Version 2.3.29

| Status | Item | Description |
|---|---|---|
| NEW | Pre-Receive Secret Detection Scans | Added support for running pre-receive secret detection scans, to detect exposed secrets before they are received in your repo. For detailed information about how to use this feature, see documentation. Tip: Supported for self‑hosted instances of GitHub, GitLab, and Bitbucket. |
| NEW | SBOM Only Flag | Added the flag --sbom-only to the scan create command. This enables running a scan only on the SBOM at the specified file path. Supported for CycloneDX (v1.0-1.6) and SPDX (v2.2) in XML or JSON format. For more information, see SBOM documentation. Tip: Relevant only when running scans using the SCA scanner. |
| UPDATED | PublishedAt Attribute | The PublishedAt attribute is now returned in the results for supported scanner types. |

CLI Version 2.3.28

| Status | Item | Description |
|---|---|---|
| NEW | Primary Branch Flag | Added a new flag, --branch-primary, which sets the specified branch as "primary". This flag can be used with the project create and scan create commands. |
| NEW | Log Files Flag | Added a new flag, --log-file, which enables specifying a custom file location for log files. Alternatively, --log-file-console enables sending logs both to a file location and to the console. |
| UPDATED | Image Resolution | By default, resolution of images for Container Security scans is now done in the cloud. This enables scans run via CLI to access private registries using the Private Registry Integrations set up in Checkmarx One. There is still an option to run scans locally, using the --containers-local-resolution flag. |
| FIXED | IaC Security Scan Files | Fixed an issue where Directory.Build.props, *.bicepparam, and *.bicep files were not being included in IaC Security scans when they were initiated via CLI. |

CLI Version 2.3.27

General improvements and bug fixes.

CI/CD Plugins

In July we released the following CI/CD plugin versions:

Improvements and Bug Fixes

| Status | Item | Platform | Description |
|---|---|---|---|
| UPDATED | Logo | Azure DevOps | Updated the logo |
| UPDATED | README File | Azure DevOps, GitHub Actions | Updated the README file. |

Resolved issues

| Ticket number | Description |
|---|---|
| AST-101425 | Resolved the Containers AWS ECR integration issue. |
| AST-101042 | Experienced UI freezes when clicking the "filters" button in the Container Scan Results window. |
| AST-99625 | "Containers-file-folder-filter" did not filter as expected. |
| AST-99627 | "If-in-group" permissions did not allow changing state. |
| AST-98449 | Found inconsistencies in Containers Security results in Checkmarx One. |
| AST-98384 | CLI scans failed due to insufficient space when writing to the /tmp folder. |
| AST-98382 | Dockerfile.ubi9 scan returned zero results via GitHub Actions. |
| AST-89854 | Displayed confusing or unclear information on the Containers Security scanner UI page. |
| AST-98433 | Identified a false positive for Terraform IAM Group Without Users in KICS. |
| AST-98288 | Flagged a false negative for IAM Policy granting full permissions in KICS. |
| AST-94893 | Improved volume mount handling with OS directory write permissions. |
| AST-92897 | Flagged a false positive for Storage Account not enforcing HTTPS in KICS. |
| AST-87254 | Flagged a false positive for generic private keys in Passwords and Secrets. |
| AST-85090 | Flagged a false positive for Terraform MSSQL Server Auditing Disabled in KICS. |
| AST-84874 | Identified a false positive for IAM Group Without Users. |
| AST-82101 | Flagged a false negative for Passwords and Secrets. |
| AST-82029 | Flagged a false positive for Storage Account not enforcing HTTPS. |
| AST-81770 | Identified a false positive for missing flag in DNF install. |
| AST-74743 | Flagged a false positive for generic passwords in Passwords and Secrets in KICS. |
| AST-68530 | Flagged various false positives in KICS. |
| SCA-23468 | Improved responsiveness and performance in SCA inventory and risk views. |
| SCA-22720 | Resolved issues when hiding Dev and Test dependencies. |
| SCA-23383 | Encountered errors when downloading an SCA report. |
| AST-103953 | Application Risk Management page appeared empty. |
| AST-102782 | Clicking Vulnerabilities by Scan Type in Project Overview opened a blank tab. |
| AST-98399 | Encountered thousands of exceptions during data retention flow following project deletion. |
| AST-102548 | The Save button in project settings did not display a notification, though settings were saved. |
| AST-92509 | Updated documentation for the project conversion API. |
| AST-101534 | The Keycloak API (PUT /authentication/required-actions/CONFIGURE_TOTP) could disable 2FA and potentially corrupt the database. |
| AST-99133 | Import process was failing due to a duplicate resource error. |
| AST-96377 | Identity provider name was duplicated in the User tab. |
| AST-106715 | New IAM UI: API Key remained active after deleting. |
| AST-106760 | The Auto PR feature removed customer’s branches. |
| AST-104422 | It was not possible to update a custom item type with an inherited field in ADO using the pipeline's additional parameter tags. |
| AST-103867 | Jira integration failed to get server info from Jira (during the scan in flow-publisher) but the connection was established successfully in the configuration. |
| AST-102576 | Customer's tags in an Azure Boards work item were removed after a new scan. |
| AST-100922 | The search for a protected branch couldn’t find all branches when their number exceeded 400. |