Version 3.58 | May 24, 2026

The Microsoft Teams integration used by Feedback Apps has been updated to replace the deprecated Office 365 Connectors with Microsoft’s supported Teams webhook mechanism.

This change ensures continued delivery of feedback notifications to Teams channels following Microsoft’s connector retirement. Customers will need to update their Teams webhook configuration after deployment using the new Microsoft Teams Workflows webhook URL.

Cloud Insights now leverages AI to enhance container image detection and correlation in three key areas:

Cloud Insights now highlights changes in vulnerability counts between the image currently in production and the latest project scan. A new Image → Latest Scan column in the Cloud Insights Inventory clearly shows the delta, helping teams identify risk increases before code is deployed.

You can filter projects by security trend and sort by total delta to quickly pinpoint areas where risk is rising. This makes it easier to assess the impact of upcoming releases, prioritize remediation efforts, and prevent vulnerable code from reaching production.

For more information, see Cloud Insights.

Checkmarx One now suggests relevant documentation articles in real time as users begin typing in the Subject field when creating a support case in the UI.

Suggestions include the article title, a short summary, and a direct link to the documentation, helping users quickly find answers and potentially avoid opening a ticket.

For more information, see Contacting support.

Checkmarx One Risk Management now supports assigning findings to specific users or groups, enabling clear ownership and more efficient remediation workflows.

A new Attribution column allows authorized users to assign or remove users and groups per finding. Assignments are limited to users within the tenant and require appropriate permissions, ensuring only relevant users can be selected. Changes are reflected in real time across all consuming systems.

To support governance, a new permission - manage-vulnerability-assignees - is introduced and must be combined with existing update permissions to modify assignments. Assigned users can optionally receive email notifications, helping ensure timely awareness and action.

This feature improves accountability, reduces duplicate work, and streamlines risk management by ensuring each finding has a clear owner.

For more information, see Risk Attribution.

For Azure DevOps (ADO) Code Repository integrations the use the "Self-Hosted" flow, we now support organization-scoped Personal Access Tokens (PATs). This removes the need to use Global PATs, which grant excessive permissions and are planned for deprecation by Microsoft.

Users can configure integrations by providing a PAT scoped to a specific organization, with validation performed against that organization during setup. Only the organization associated with the PAT is displayed. If you would like to include multiple organizations in a single configuration, you can create a separate PAT for each organization and, in the setup wizard, click Add Organization to submit the additional PATs.

This update improves security, flexibility, and long-term compatibility.

For more information, see Azure DevOps Self-Hosted.

The REST API for creating new Code Repository Integration projects now supports Azure DevOps (ADO) (in addition to existing support for GitHub). For more information, see API documentation.

When source code, engine version, query configuration, and SAST settings are unchanged between scans, a triggered scan previously returned a status of Completed, incorrectly implying that new results were generated. To improve clarity, we have added a new scan status, "No Code Changed," indicating that the scan would have returned no new results. In these cases, the scan is cancelled, the new status is displayed, and the project's findings remain unchanged. This applies to scans triggered through the UI, API, or CI pipelines.

We added support for identifying the following licenses that apply to OSS packages: AFL-3.0, CPAL-1.0, OSL-3.0, APSL-2.0, Watcom-1.0 and LPPL-1.3c.

SCA remediation now supports Python and NuGet packages. You can download a remediated manifest file (e.g., requirements.txt for Python and *.csproj for NuGet) with secure package versions directly from the UI or via the export service API. In addition, the Auto Pull Request feature will automatically generate pull requests targeting vulnerable Python packages in the correct repository and branch. Each pull request contains only the secure version changes, along with any associated manifest files required for full remediation.

This expansion brings Python and .NET developers into parity with existing Auto-PR workflows, giving teams both automated and manual remediation paths to address open-source vulnerabilities across a broader range of ecosystems.Learn more about Exporting Remediated Manifest Files and SCA Auto Pull Requests.

DAST now helps you include all required URLs for full scan coverage and successful authentication.

DAST scans start from the main URL you define, but many applications use additional domains or paths. If these URLs are not included, authentication may fail or parts of the application may not be scanned. DAST now prompts you to include authentication URLs during setup and shows all discovered but non‑included URLs in the authentication report, error messages, and configuration settings so you can easily add the paths that matter.

Insights provide important scan‑related information that isn’t classified as a vulnerability. They flag conditions that can affect scan accuracy or indicate external issues such as authentication failures, blocking mechanisms, or repeated server errors.

If a High‑level Insight is detected, the scan stops and is marked Failed to prevent misleading or incomplete results. A full list of the available insights is viewable here.