Version 3.45 | September 14, 2025
New Features and Enhancements
New Email Address for Notifications
Email notifications sent by Checkmarx One Feedback Apps are now sent from notifications@checkmarx.com. This replaces the address “ast-bot@checkmarx.com” that had been used previously. Please adjust your mail filters accordingly.
Compliance Column
The DAST results viewer now has a compliance column. After a scan, vulnerabilities are tagged with their relevant compliance standards. You can filter the results viewer according to a vulnerability’s compliance tag or generate specific compliance reports in PDF or JSON formats.
Scheduled Scans
When creating a new project, you can now set up automated scan schedules. The new Schedules Management page gives you a single place to create, edit, and monitor schedules, helping you ensure regular code analysis without manual effort.
Note
This feature will only be available for accounts with the new Access Management (Phase 1) activated.
Connect Feedback Apps via CxLink
You can now connect Feedback Apps to a self-hosted Jira instance via CxLink. During the Feedback App configuration, just enter the CxLink in place of the regular Jira URL. CxLink acts as a proxy to ensure secure communication between Jira and Checkmarx One.
Git Blame Integration in Risk Management
We’ve added Git blame information to the Application Risk Management table for the IaC engine, making it easier to see who made specific code changes. A new dedicated column shows the author of each change, helping you better understand ownership and context when reviewing risks.
This update also improves risk prioritization by letting you focus on the changes with the highest potential impact. In addition, having Git blame details available speeds up incident investigations and makes communication with the right team members simpler.
The enhancement includes updates to the Risk Management API and introduces a new Git Blame API for accessing this data programmatically.
BYOR (Bring Your Own Repository): Multiple Imports and Abort Option
You can now manage imports more efficiently with enhanced flexibility. Users can start imports for different projects in parallel while another import is in progress. For the same project, a new import can only begin once the current one is completed or aborted.
Additionally, you can now abort an ongoing import at any time, ensuring that no partial or incorrect data is saved. This update improves control, reduces waiting times, and makes handling multiple projects faster and more convenient.
API for Bulk SAST Predicates
We added a new endpoint for retrieving SAST predicates in bulk, enabling retrieval of all predicates for a particular project or scan with a single API call. There is an option to retrieve the complete history or only the current state of each predicate. For more info, see our API documentation.
Configurable Threshold for Incremental Scans
You now have the flexibility to control the incremental scan trigger threshold for SAST scans at both the tenant and project levels. Previously, the threshold was fixed at 7%, meaning any code change above that size automatically triggered a full scan.
With this enhancement, you can define your own threshold using the new Incremental Threshold setting, available in General Settings and in Project Settings under Rules. The threshold can be set anywhere between 0.5% and 10% in 0.5% intervals.
By customizing this value, you can better optimize scan performance for large monorepos and high-volume projects, reducing unnecessary full scans while maintaining accuracy.
Note
Project-level configurations override tenant-level settings.
Communicate with Checkmarx via PR Comments
You can now communicate with Checkmarx One by adding comments in the PR decoration. This enables you to ask Checkmarx One for more details about risks in your project or request a re-scan of your code. Currently supported only for GitHub repos.
For more information, see documentation.
DAST Authentication Report
As part of onboarding, you will receive an Authentication Report. It gives you a clear overview of your authentication setup, complete with key insights and screenshots, so your team can make informed decisions right from the start.
Agentic AI Developer
The new Checkmarx One Developer Assist feature empowers developers to identify risks in their code in realtime and harness the power of AI to remediate the risks on the spot. This feature is initially released as part of the Checkmarx One plugin for VS Code, Cursor and Windsurf IDEs.
Note
This feature is only available for accounts with the Checkmarx One Assist license.
CxOne Assist comprises two main elements:
Realtime Scanning - Identify vulnerabilities in realtime during IDE development of both human-generated and AI-generated code. Our super-fast scanners run in the background whenever you open or edit a relevant file. Our scanners identify vulnerabilities and unmasked secrets in your code. We also identify vulnerable or malicious container images and open source packages used in your project. Results are marked as Problems which are highlighted in the code and annotated with identifying icons.
Agentic-AI Remediation – Initiate an Agentic-AI session to receive remediation suggestions. Checkmarx feeds all relevant info to the AI agent which accesses our MCP server to gather data from our proprietary databases and customized AI models. The AI assistant then uses this data to generate remediated code for your project. You can accept the suggested changes or you can chat with the AI agent to learn more about the vulnerability and fine-tune the remediation suggestion.
For more information, see documentation.
SCA
SBOM Supported Formats
We added support for SPDX version 2.3.
SBOM reports generated by Checkmarx One in SPDX format now use version 2.3. When submitting SBOM files to be scanned, we now support both version 2.2 and 2.3.
Show Exploitable Method Details
On the Risk Details page for SCA results, we now show details about the vulnerable methods that expose the vulnerability to exploitation. When the relevant details are available, we show the vulnerable file path, class, and method. This visibility increases transparency into how we evaluate exploitable paths, and provides actionable data for cases where full exploitable path analysis is not possible.
IaC
IaC has been upgraded to version 2.1.13.
IAM
SCM | Assign Groups in Project Creation Aligned with IAM
This feature ensures that during project creation, via both UI and API, the groups assigned to a project are limited to those the user has permissions for. It strengthens IAM alignment and avoids incorrect access configuration, enhancing security and consistency across the platform.
Note
This feature is only available for accounts using new Access Management.
Custom States in Analytics and Feedback Apps
Custom states are now supported in Analytics and Feedback Apps. You can use them to refine tracking, reporting, and insights based on your specific workflows.
Note
This feature is only available for accounts in IAM Phase 1 using Custom States.
CLI and Plugins Releases of August 2025
CLI Version 2.3.33
Status | Item | Description |
---|---|---|
NEW | Gl SAST Report | Added additional info to the |
CLI Version 2.3.32
General improvements and bug fixes.
CLI Version 2.3.31
Status | Item | Description |
---|---|---|
UPDATED | Comment Mandatory | When triaging SAST results, in order to change the state to Not Exploitable or Proposed Not Exploitable, it is now mandatory to submit a comment. Tip: This feature will only be activated for customers who specifically request it from their support agent. |
NEW | Use Gitignore flag | We added the flag |
NEW | JSON results report fields | Added additional fields to the json scan results report. |
CLI Version 2.3.30
Status | Item | Description |
---|---|---|
FIXED | Http Proxy Variable | Environment variable |
CI/CD Plugins
In August we released the following CI/CD plugin versions:
Improvements and Bug Fixes
Status | Item | Platform | Description |
---|---|---|---|
NEW | Container Security | GitHub | Added support for running local Container Security scans on private container registries. |
UPDATED | README File | Jenkins | Updated the README file. |
UPDATED | Checkmarx Logo | Jenkins | Updated the Checkmarx Logo |
IDE Plugins
In August we released the following IDE plugin versions:
Improvements and Bug Fixes
Status | Item | Platform | Description |
---|---|---|---|
UPDATED | Grouping Options | Visual Studio | In the Checkmarx One results navigation pane, the number of vulnerabilities is now shown for each grouping. Also, we added additional options for grouping results. New grouping options are: State (new or recurrent), Language (for SAST), Direct Dependency (for SCA). |
UPDATED | Checkmarx Logo | Visual Studio, Jetbrains, Eclipse | Updated the Checkmarx logo. |
UPDATED | README File | Visual Studio, Eclipse | Updated the content of the README.md file |
NEW | Proxy Server | VS Code | Added support for setting up a proxy server for communicating with Checkmarx One. For more info, see documentation. |
NEW | Checkmarx One Dev Assist | VS Code | We have added Checkmarx One Developer Assist to the VS Code plugin. This new tool empowers developers to identify risks in their code in realtime and harness the power of AI to remediate the risks on the spot. CxOne Assist comprises two main elements: |
NEW | SCA Scanner | Jetbrains | Added a filter to hide vulnerabilities identified by the SCA scanner in "Dev" and "Test" dependencies. Learn more here |
NEW | OAuth | Jetbrains | We added the option to connect the JetBrains extension to your Checkmarx One account using an OAuth login flow. If you select this option, you will need to submit the base URL of your system and your Tenant Name. You can then log in using your Username and Password or via SSO. Notice: The option to connect via an API Key is still supported. However, if you had previously submitted an API Key, after installing this version of the extension you will need to re-submit your API Key. |
NEW | CWE Links | Jetbrains, Eclipse | In the Learn More and Remediation Examples sections for specific results, we now give a link to the relevant CWE page. |
UPDATED | Triage | Jetbrains, Eclipse | In the "Triage" section, changed the terminology from "comments" to "notes". |
Resolved Issues
Item | Description |
---|---|
AST-109465 | PDF reports failed to generate for scans with a large number of results. |
AST-108316 | |
AST-107328 | ASA Premium preset did not appear in the list when editing a project. |
AST-105892 | Analytics Dashboard filters mismatched when selecting applications. |
AST-102419 | Projects Overview – Aging Summary displayed incorrect information. |
AST-100897 | PUT |
AST-100758 | Import project failed after aggregating SCM access tokens for self-hosted GitHub. |
AST-100669 | Recorder did not work during onboarding. |
AST-99571 | Jira feedback app failed when Jira was set to Spanish. |
AST-99562 | Project was assigned to multiple applications when application-level custom queries were used. |
AST-99553 | |
AST-95930 | Duplicate projects were returned by “Get a list of projects” API endpoint. |
AST-91408 | Notes popup window truncated URLs. |
AST-109938 | New IAM UI: Login & Session Management tab was visible to users with default permissions. |
AST-109135 | URL-encoded attack vector was not highlighted. |
AST-106133 | SCM integration (Bitbucket): Previously onboarded repositories reappeared as new. |
AST-105687 | |
AST-103580 | Global Report from Analytics did not show group names. |
AST-103519 | Import code repository API timed out with large numbers of repositories. |
AST-100722 | [IaC] Runtime error occurred: |
AST-98823 | [IaC] Query update issue with “Website with Client Certificate Auth Disabled (ARM)”. |
AST-98730 | Swagger docs for |
AST-96743 | Documentation update was needed for integrating forked GitHub projects. |
AST-95111 | IaC preset: CloudFormation vulnerability had incorrect severity. |
AST-94942 | IaC false positive: S3 bucket access was flagged as open to any principal. |
AST-94482 | SAML configuration documentation was outdated (based on old IAM UI) and unclear for generic IdPs. |
AST-94164 | Proxy Disclosure issue: highlighting did not display. |
AST-93478 | Error occurred: “Remote backend is unreachable.” |
AST-92827 | “ReposManager generic exception” error was displayed frequently. |
AST-81967 | False positive occurred for “Passwords and Secrets – Generic Token.” |
AST-104517 | Container Security scan result UI was unresponsive or crashed. |
AST-102692 | Policy rule could not be created for container security scanner. |
AST-102333 | Edit package window did not close properly. |
AST-107570 | Tags in |
AST-107477 | Scans failed with “deadline exceeded” error in sources-processor. |
SCA-23916 | AST scan service did not return results to SCA. |
SCA-23878 | Two CVEs were added but only one email notification was sent. |
SCA-23846 | Global Inventory GraphQL endpoint returned 504. |
SCA-23785 | Global Inventory failed consistently. |
SCA-23385 | Incorrect licenses were associated with |
SCA-23559 | Generated SCA scan reports contained discrepancies. |
AST-109347 | OS Vulnerabilities false positives occurred in Amazon Linux PCRE2 package 10.40-1.amzn2023.0.3. |
AST-108481 | Container Scanner detected incorrect Golang version (1.24 instead of 1.24.5). |
AST-108392 | Snoozed or muted container vulnerabilities still appeared in reports. |
AST-108323 | |
AST-107997 | “NONE” distribution in resolution JSON caused scan failures. |
AST-107979 | Container Security results were inconsistent between Scan Summary and Result Viewer. |
AST-106967 | RockyLinux 8.9 image was missing multiple packages. |
AST-106943 | |
AST-105913 | SBOM report generation for containers failed. |
AST-102319 | Containers CVE issue: UBI 8.10 image base was incorrectly marked as critical. |
AST-101261 | Vulnerabilities reported for OpenLDAP package differed between scans. |
AST-99828 | Error occurred when analyzing |