Version 3.47 | November 2, 2025
New Features and Enhancements
Legacy API Deprecation
The Legacy API endpoint /api/presets (SAST Queries Audit Presets) will be deprecated on December 31, 2025.
Please transition to the new API endpoint /api/preset-manager (Preset Manager), which provides improved functionality and enhanced management of SAST presets.
Integration of DAST Metrics into Analytics Module
The Analytics page has been enhanced to incorporate data from DAST, allowing you to view your organization's security posture across all environments.
By combining DAST insights with other analytics, you can identify, assess, and prioritize risks more effectively.
Advanced filtering and customization help you focus on high-risk findings or compliance-sensitive areas for sharper, actionable analysis.
CxLink | Regenerate Broken or Disconnected Links
The new Regenerate feature lets users quickly restore disconnected CxLinks without changing the link alias. Instead of manually recreating links and updating projects, users can regenerate the connection in one step.
CxLink Client Metadata Visibility
The CxLink Client Metadata feature improves observability and simplifies troubleshooting for customers and support teams. Tenant and Link client information - such as client type, version, and URL - is now visible in the UI through tooltips when hovering over the status column.
This enhancement helps customers quickly identify and resolve connection issues, reduces dependency on support for diagnosis, and provides clearer insight into link configuration for more reliable connection management.
Drill Down from Fix Vulnerabilities
The Drill Down from Fix Vulnerabilities feature adds interactivity to the Vulnerabilities charts, allowing users to click directly from the dashboard to view detailed fixable vulnerabilities aligned with the selected KPI.
Users can refine results with Severity and State filters, group vulnerabilities dynamically by KPI (e.g., Severity or Status), and view essential details such as Application, Project, Branch, Scanner, Time to Fix, and Date of Fix. Data updates instantly without page reloads and can be exported to CSV, preserving all applied filters.
This enhancement provides a faster, more intuitive way to explore and act on vulnerabilities, improving visibility and accelerating remediation. The first release focuses on the “Vulnerabilities by Severity” KPI.
Analytics | Filter by Group
The Filter by Group enhancement adds a new filtering option to the Analytics page, allowing users to refine data by Group directly from the More Filters list.
Tags and Groups are now consolidated into a single filtering level, providing a unified experience. The Tag filter has also been updated to match the same checkbox + select component, ensuring consistent and intuitive UI/UX across all filter options.
This update streamlines data exploration and improves usability for users managing multiple groups or tag-based configurations.
Checkmarx One SAST Importer | Support for Custom States in Migration
Note
This capability is available for new IAM customers only.
The Checkmarx One SAST Importer now supports migrating custom states and corresponding custom permissions from on-premises Checkmarx SAST to Checkmarx One.
During the migration process, all custom states and their associated permissions are automatically extracted from Checkmarx SAST and ingested into Checkmarx One per tenant, ensuring full feature parity between the two environments.
SCA
Added Policy Condition for Vulnerability Status
We added a new “status” policy condition for the SCA scanner. This enables setting status (New or Recurrent) as a condition in a complex SCA scanner policy. For example, you can now create a policy that is triggered by new SCA vulnerabilities, but filters out dev and test dependencies.
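The following Python sketch is an added example, not Checkmarx code and not its policy syntax: it shows how a New/Recurrent status is typically derived by diffing a scan against the previous one, and how a policy that fires only on New vulnerabilities while excluding dev and test dependencies evaluates. The finding fields, the scope values ("runtime", "dev", "test"), the policy parameters and the two sample scans are all assumptions constructed for illustration.

```python
"""Added example, not Checkmarx code: how a "status" condition (New vs
Recurrent) combines with a dependency-scope exclusion in an SCA policy.
The finding fields, the scope values ("runtime", "dev", "test") and the
policy parameters are assumptions for illustration; the sample scans are
constructed."""

from dataclasses import dataclass

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    severity: str
    scope: str  # "runtime", "dev" or "test" (assumed field)


def finding_key(f: Finding) -> tuple[str, str]:
    # Keyed on (package, vulnerability) and not on version, so a version
    # bump that still carries the same vulnerability stays Recurrent.
    return (f.package, f.vuln_id)


def assign_status(previous: list[Finding], current: list[Finding]) -> dict[tuple[str, str], str]:
    """Label each current finding New (absent from the previous scan) or Recurrent."""
    seen = {finding_key(f) for f in previous}
    return {finding_key(f): ("Recurrent" if finding_key(f) in seen else "New") for f in current}


def evaluate_policy(previous, current, *, status="New", min_severity="High",
                    exclude_scopes=("dev", "test")) -> list[Finding]:
    """Return the current findings that violate the policy: matching status,
    at or above min_severity, and not in an excluded dependency scope."""
    statuses = assign_status(previous, current)
    return [
        f for f in current
        if statuses[finding_key(f)] == status
        and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]
        and f.scope not in exclude_scopes
    ]


# Constructed sample scans; vulnerability ids are placeholders, not real CVEs.
PREVIOUS_SCAN = [Finding("lodash", "4.17.20", "vuln-1", "High", "runtime")]
CURRENT_SCAN = [
    Finding("lodash", "4.17.21", "vuln-1", "High", "runtime"),      # still present: Recurrent
    Finding("minimist", "1.2.5", "vuln-2", "Critical", "runtime"),  # New, runtime: violates
    Finding("mocha", "8.0.0", "vuln-3", "High", "dev"),             # New but dev dependency: excluded
    Finding("axios", "0.21.0", "vuln-4", "Medium", "runtime"),      # New but below min severity
]

if __name__ == "__main__":
    for f in evaluate_policy(PREVIOUS_SCAN, CURRENT_SCAN):
        print(f"policy violation: {f.package}@{f.version} {f.vuln_id} ({f.severity})")
```

The key design choice is what "the same vulnerability" means across scans: keying on package and vulnerability id rather than on the exact version keeps a dependency bump that does not actually fix the issue from being re-reported as New, which is the behaviour you usually want when the policy is meant to gate only genuinely new exposure.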
Bulk Action Change Package State
Added a bulk action for changing the state (Monitored, Muted, Snoozed) and adding comments for multiple packages at once. This is done by selecting the checkbox next to each of the relevant packages and then making the change.
Global Inventory and Risks Improvements
The Global Inventory screen has been redesigned to deliver a faster, more intuitive experience aligned with the Checkmarx One design system. Key enhancements include:
Improved performance and responsiveness for smoother navigation and faster data loading
Refreshed look and feel consistent with the overall Checkmarx One UX
New columns displaying associated Groups and Applications for better context
Refined column titles and data to make information easier to understand and filter
These updates provide a clearer, more efficient view of your organization’s inventory and risks.
Improved License Reporting
We have substantially revamped how licenses are represented in SCA scan reports. This change applies to SCA Scan Reports generated via the web application (UI) or the Export Service (REST) APIs. The following are some of the key improvements:
Added data about license Permissions, Limitations and Conditions.
Added a new Package Licenses section that provides data about licenses in the context of specific packages in your project. (Included in CSV, XML and JSON but not PDF.)
Added a new Legal Risks section that provides data about risks posed by the license usage in your project. (Included in CSV, XML and JSON but not PDF.)
Added an option to filter results to show only data for licenses marked as "Effective".
IaC
Updated to version 2.1.14
New Features and Enhancements
New SimID Implementation
Updated
POST /api/kics-results-predicates request to include scanId
Bug Fixes
Runtime and Engine Stability
Fixed panic error: runtime index out of range
Resolved inconsistencies between scan history and scan summary results
Addressed duplicated SimilarityID issues affecting ETL processing
Platform and UI
Fixed error when adding Bicep platform to platform list
Corrected query editor showing empty queries under Bicep instead of ARM
Addressed misbehavior in project & scan counters/summaries
Corrected False Negatives (FN) for:
Unrestricted Security Group Ingress
Security Group With Unrestricted Access To SSH
Sensitive Port Exposed To Entire Network
Remote Desktop Port Open To Internet
S3 Bucket Allows Public Policy
IAM Policies With Full Privileges
ECS Services assigned with public IP
Neptune Logging Disabled
Launch Configuration Not Encrypted
Trusted Microsoft Services Not Enabled
Secretsmanager Secret Without KMS
EKS Cluster Encryption Disabled
Instance uses metadata service IMDSv1
Lambda Function Without Dead Letter Queue
Redshift Cluster Without VPC
ELBv2 ALB Access Log Disabled
Elasticsearch Domain Not Encrypted Node To Node
ECR Repository Not Encrypted With CMK
Cloudformation queries missing results
App Service Authentication and HTTP2 Disabled
Tags not copied to RDS Cluster snapshot
IAM DB Cluster Auth Not Enabled
Postgres RDS logging disabled
ECS Cluster Not Encrypted At Rest
DAX Cluster Not Encrypted
S3 bucket notifications disabled
Security alert policy missing
Storage Share File ACL permissions misflagged
SQL Server Database retention settings not detected
IAM policy allows data exfiltration
Passwords and Secrets queries missing flags
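KICS queries are written in Rego, so the Python below is an added example and not KICS's own code: it re-implements two of the corrected checks (unrestricted Security Group ingress to SSH, and instances that still accept IMDSv1) over a constructed document in Terraform's JSON configuration syntax, covering the cases a check has to handle to avoid false negatives (an IPv6 `::/0` block, a `protocol = "-1"` rule that covers every port, a nested block given as a list, and an absent `metadata_options` block). Use it to confirm, on a template of your own, that the scanner now reports the same resources. The sample resources and their names are constructed.

```python
"""Added example (not KICS's own Rego queries): minimal re-implementations
of two of the corrected checks, run over a constructed Terraform JSON
document, so scanner output can be sanity-checked on your own templates.
Input shape follows Terraform's JSON configuration syntax
(resource -> type -> name -> attributes); the sample below is constructed."""

from typing import Any

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
SSH_PORT = 22


def _as_list(value: Any) -> list:
    """Terraform JSON allows a nested block to be one object or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _rule_covers_port(rule: dict, port: int) -> bool:
    # protocol "-1" means all traffic, so from_port/to_port are ignored;
    # otherwise the port must fall inside the declared range.
    if str(rule.get("protocol", "")) == "-1":
        return True
    try:
        lo, hi = int(rule.get("from_port", -1)), int(rule.get("to_port", -1))
    except (TypeError, ValueError):
        return False
    return lo <= port <= hi


def _rule_is_world_open(rule: dict) -> bool:
    # Either address family open to the world counts; a check that only
    # looks at cidr_blocks misses ipv6_cidr_blocks = ["::/0"].
    v4 = ANY_V4 in _as_list(rule.get("cidr_blocks"))
    v6 = ANY_V6 in _as_list(rule.get("ipv6_cidr_blocks"))
    return v4 or v6


def unrestricted_ssh_ingress(tf: dict) -> list[str]:
    """Names of aws_security_group resources with an ingress rule reaching port 22 from anywhere."""
    findings = []
    groups = tf.get("resource", {}).get("aws_security_group", {})
    for name, body in groups.items():
        for rule in _as_list(body.get("ingress")):
            if _rule_covers_port(rule, SSH_PORT) and _rule_is_world_open(rule):
                findings.append(name)
                break
    return findings


def imdsv1_enabled(tf: dict) -> list[str]:
    """Names of aws_instance resources that still accept IMDSv1 (http_tokens != "required")."""
    findings = []
    instances = tf.get("resource", {}).get("aws_instance", {})
    for name, body in instances.items():
        opts = _as_list(body.get("metadata_options"))
        opts = opts[0] if opts else {}
        if opts.get("http_endpoint") == "disabled":
            continue  # metadata service off entirely: no IMDSv1 surface to report
        if opts.get("http_tokens") != "required":
            findings.append(name)  # absent block or "optional" both leave IMDSv1 reachable
    return findings


# Constructed sample template (Terraform JSON syntax); resource names are placeholders.
SAMPLE_TF = {
    "resource": {
        "aws_security_group": {
            "web": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]},
            "all_ports": {"ingress": {"from_port": 0, "to_port": 0, "protocol": "-1",
                                      "cidr_blocks": ["10.0.0.0/8"],
                                      "ipv6_cidr_blocks": ["::/0"]}},
            "office": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                    "cidr_blocks": ["203.0.113.0/24"]}]},
            "db": {"ingress": [{"from_port": 5432, "to_port": 5432, "protocol": "tcp",
                                "cidr_blocks": ["0.0.0.0/0"]}]},
        },
        "aws_instance": {
            "legacy": {"instance_type": "t3.micro"},
            "optional": {"instance_type": "t3.micro", "metadata_options": {"http_tokens": "optional"}},
            "hardened": {"instance_type": "t3.micro", "metadata_options": {"http_tokens": "required"}},
            "no_imds": {"instance_type": "t3.micro", "metadata_options": {"http_endpoint": "disabled"}},
        },
    }
}

if __name__ == "__main__":
    print("unrestricted SSH ingress:", unrestricted_ssh_ingress(SAMPLE_TF))
    print("IMDSv1 still enabled:", imdsv1_enabled(SAMPLE_TF))
```

Two of the sample resources are the ones that matter for false negatives: `all_ports` never mentions port 22 and only opens IPv6 to the world, and `legacy` has no `metadata_options` block at all, which on AWS means IMDSv1 is allowed by default. A check that requires an explicit port 22 or an explicit `http_tokens = "optional"` would miss both.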
Corrected False Positives (FP) for:
Passwords And Secrets - Generic Secret
Passwords And Secrets - Generic Password
Storage Share File ACL permissions
Resolved Issues
| Item | Description |
|---|---|
| AST-114426 | In the Query Editor, result tabs were displayed out of order after more than nine query runs. |
| AST-113659 | Failed to create a query in Web Audit. |
| AST-109939 | The Analytics > Vulnerabilities by State view opened with an incorrect page count. |
| AST-109456 | HTML tags appeared in the DAST report. |
| AST-112961 | A SAML authentication error occurred with the message “Unexpected error when authenticating with identity provider.” |
| AST-111567 | The manage-access permission did not allow adding or removing users via the authorization tab. |
| AST-110552 | The |
| AST-115744 | DAST CLI Scans failed with “Exit Status 2”. |
| AST-113476 | SAST policy exceptions failed with an error. |
| AST-112537 | The Data Origins widget in Global Inventory was missing origin testing. |
| AST-112227 | The Project Overview and Scan History sections showed zero results. |
| AST-111589 | The Cluster Name column was duplicated in Cloud Insights CSV exports. |
| AST-109213 | The Add User to Group dialog displayed empty First and Last Name columns. |
| AST-109200 | The Select Group button disappeared from the identity provider mapper. |
| AST-108405 | The Authentication Recorder failed on Cx1 but worked on ZAP. |
| AST-106143 | In the new IAM UI, the Add Managers to Group function did not allow managing groups or users. |
| AST-113049 | The Webhooks API endpoint experienced performance issues. |
| AST-109903 | KICS returned a false negative for unrestricted Security Group ingress. |
| AST-109902 | KICS returned a false negative for Security Groups with unrestricted SSH access. |
| AST-109901 | KICS returned a false positive for generic passwords and secrets. |
| AST-109542 | KICS returned a false negative for sensitive ports exposed to the entire network. |
| AST-109541 | KICS returned a false negative for open Remote Desktop ports in Terraform. |
| AST-82493 | KICS displayed incorrect project and scan counters and summaries. |
| AST-45594 | IAC security scans failed due to an engine ETL error. |
| AST-44724 | Duplicated SimilarityIDs caused issues in engine ETL processing. |
| AST-88062 | Outdated Packages on the Scanners page did not match the scan results. |
| AST-110337 | Project reports displayed “Not exploitable” SCA vulnerabilities incorrectly. |
| SCA-23863 | Errors occurred in the SCA packages processor. |
| SCA-24304 | The presigned AWS token URL used for export expired prematurely. |
| SCA-24029 | Binary packages were not detected in some scans. |
| SCA-24018 | The Projects service did not correctly handle LastSuccessfulScanId. |
| SCA-24017 | Python pip installs caused resource exhaustion in the Source Resolver. |
| SCA-23995 | Errors occurred when changing the package state to “Monitored.” |
| SCA-23976 | The package state could not be changed when viewing results via the Application Risk Management tab (SCA). |
| SCA-23861 | The default SCA PDF report displayed incorrect data. |
| SCA-23804 | Scans failed with the error “Scan failed due to internal error.” |
| SCA-23846 | The Global Inventory GraphQL API returned 504 errors. |
| SCA-24272 | Global Inventory returned zero results due to OIDC authentication issues. |
| SCA-24028 | Tag filters did not work in Global Inventory and Risks views. |
| SCA-23777 | The Export Service failed when exporting results for specific scans. |
| SCA-23677 | Some packages incorrectly indicated that no secure version was available. |
| SCA-23640 | Package usage was not detected correctly. |