Version 3.52 | January 25, 2026

Reports now support Container Security scan results.

When generating a project or application report, you can now select the Container Security scanner alongside the existing scanner options. This delivers a unified reporting experience, presenting all scan types in a consistent format and ensuring a single, consolidated view of security insights.

Analytics dashboards now show metrics from the Container Security scanner.

You can now view container-related findings and KPIs alongside existing analytics data from other scanners. This creates a unified analytics experience, giving you consistent visibility across all supported scan types.

A new Developer Assist Usage dashboard is now available in Analytics (for customers with an AI license). The dashboard introduces multiple KPIs that surface how developers interact with AI-generated remediations, including AI Suggestions, Fix Clicked, and Unique Users. It also includes a donut widget that breaks down Developer Assist usage by scanner, and a bar graph showing real-time vulnerability detection by scanner.

This consolidated view improves transparency and highlights adoption trends without requiring custom reporting.

For more information, see our Documentation Portal.

BYOR (Bring Your Own Results) now includes a web-based import experience, making it easier and faster for customers to bring external scan results into Checkmarx One. Users can import SARIF files from the UI, associate them with projects, and track progress and status in real time.

This enhancement improves visibility and enables security teams to review issue counts and severity breakdowns immediately after import.

Customers can now delete BYOR imports and their associated results. Deletion is available for completed, failed, or canceled imports and can be performed via the UI or API, including bulk deletion where permitted.

BYOR imports now identify and display the author (blamer) and commit ID for vulnerabilities when this information is provided by external tools. When blame data is unavailable or invalid, the author is shown as N/A.

By parsing blame metadata directly from imported files, customers can see who introduced a vulnerability and in which commit, without relying on additional Git queries.

Checkmarx One now supports GitHub App–based authentication for code repository integrations as a more secure and modern alternative to Personal Access Tokens and OAuth apps. This update enables short-lived, scoped tokens, automatic token rotation, and granular permission control, significantly reducing the risk of credential leakage and simplifying integration management.

This enhancement also unlocks compatibility with GitHub Enterprise Managed Users (EMU), allowing enterprise customers with strict identity and access controls to integrate GitHub repositories.

For more information, see our Documentation Portal.

The allowed character set for OAuth client identifiers has been expanded to include the @ character.

You can now create and delete custom states directly from Global Settings in the web application. After a state is defined, it becomes available tenant-wide for vulnerability triage. This streamlines configuration and removes the need to manage custom states through the API.

For more information about custom states, see our Documentation Portal.

A new Git commit history setting in Settings > Secret Detection lets users control whether Secret Detection scans Git commit history.

When set to true (default: false), Secret Detection scans both the working tree and Git commit history, providing full historical coverage for compliance and deeper analysis.

The setting is available in:

Secret Detection now supports scanning Confluence content via API-triggered scans, with results shown in the Secrets Detection viewer alongside other scan sources.

You can scan individual pages, entire spaces, or all Confluence spaces to identify exposed secrets in collaboration content. Findings include severity, page location, detection context (current or history), and standard remediation guidance.

Download the latest version here.

New Paths, Mode, and Initiator columns re now available in the Scans History tab.

Added support for viewing DAST vulnerabilities by Alert on the Environments page, in addition to the existing Instance view.

Viewing by Alert aligns with industry standards by displaying the underlying vulnerability, while viewing by Instance shows how many times that vulnerability was detected.

Added ways to associate the application with an environment. You can now associate applications to the environment through the Environment tab, Application tab, an environment’s settings, or through the application’s Overview tab.

The Overview tab displays an at‑a‑glance summary of an environment, including associated applications, groups, and users; scan dates and times; and high‑level dashboards of the discovered vulnerabilities and compliance postures.

DAST environments associated with applications are now visible in Application Risk Management.

This enhancement improves risk visibility by consolidating DAST findings with other testing results, helping security teams more effectively prioritize vulnerabilities.

Added support for uploading SOAP API files in DAST. When configuring your API-type environment, in addition to Postman, OpenAPI, and HAR files, you can now upload SOAP API files.

For more information, refer to this page.