Version 3.45 | September 14, 2025

Email notifications sent by Checkmarx One Feedback Apps are now sent from notifications@checkmarx.com. This replaces the address “ast-bot@checkmarx.com” that had been used previously. Please adjust your mail filters accordingly.

The DAST results viewer now has a compliance column. After a scan, vulnerabilities are tagged with their relevant compliance standards. You can filter the results viewer according to a vulnerability’s compliance tag or generate specific compliance reports in PDF or JSON formats.

When creating a new project, you can now set up automated scan schedules. The new Schedules Management page gives you a single place to create, edit, and monitor schedules, helping you ensure regular code analysis without manual effort.

You can now connect Feedback Apps to a self-hosted Jira instance via CxLink. During the Feedback App configuration, just enter the CxLink in place of the regular Jira URL. CxLink will act as a proxy, to ensure secure communication between Jira and Checkmarx One.

We’ve added Git blame information to the Application Risk Management table for the IaC engine, making it easier to see who made specific code changes. A new dedicated column shows the author of each change, helping you better understand ownership and context when reviewing risks.

This update also improves risk prioritization by letting you focus on the changes with the highest potential impact. In addition, having Git blame details available speeds up incident investigations and makes communication with the right team members simpler.

The enhancement includes updates to the Risk Management API and introduces a new Git Blame API for accessing this data programmatically.

You can now manage imports more efficiently with enhanced flexibility. Users can start imports for different projects in parallel while another import is in progress. For the same project, a new import can only begin once the current one is completed or aborted.

Additionally, you can now abort an ongoing import at any time, ensuring that no partial or incorrect data is saved. This update improves control, reduces waiting times, and makes handling multiple projects faster and more convenient.

We added a new endpoint for retrieving SAST predicates in bulk, enabling retrieval of all predicates for a particular project or scan with a single API call. There is an option to retrieve the complete history or only the current state of each predicate.For more info, see our API documentation.

You now have the flexibility to control the incremental scan trigger threshold for SAST scans at both the tenant and project levels. Previously, the threshold was fixed at 7%, meaning any code change above that size automatically triggered a full scan.

With this enhancement, you can define your own threshold using the new Incremental Threshold setting, available in General Settings and in Project Settings under Rules. The threshold can be set anywhere between 0.5% and 10% in 0.5% intervals.

By customizing this value, you can better optimize scan performance for large monorepos and high-volume projects, reducing unnecessary full scans while maintaining accuracy.

You can now communicate with Checkmarx One by adding comments in the PR decoration. This enables you to ask Checkmarx One for more details about risks in your project or request a re-scan of your code. Currently supported only for GitHub repos.

For more information, see documentation.

As part of onboarding, you will receive an Authentication Report. It gives you a clear overview of your authentication setup, complete with key insights and screenshots, so your team can make informed decisions right from the start.

The new Checkmarx One Developer Assist feature empowers developers to identify risks in their code in realtime and harness the power of AI to remediate the risks on the spot. This feature is initially released as part of the Checkmarx One plugin for VS Code, Cursor and Windsurf IDEs.

CxOne Assist comprises two main elements:

For more information, see documentation.

We added support for SPDX version 2.3.

SBOM reports generated by Checkmarx One in SPDX format now use version 2.3. When submitting SBOM files to be scanned, we now support both version 2.2 and 2.3.

On the Risk Details page for SCA results, we now show details about the vulnerable methods that expose the vulnerability to exploitation. When the relevant details are available, we show the vulnerable file path, class, and method. This visibility increases transparency into how we evaluate exploitable paths, and provides actionable data for cases where full exploitable path analysis is not possible.

This feature ensures that during project creation, via both UI and API, the groups assigned to a project are limited to those the user has permissions for. It strengthens IAM alignment and avoids incorrect access configuration, enhancing security and consistency across the platform.

Custom states are now supported in Analytics and Feedback Apps. You can use them to refine tracking, reporting, and insights based on your specific workflows.