Version 3.61 | June 28, 2026
New Features and Enhancements
Audit Trail Coverage for SAST Result Triage
The Audit Trail now includes full visibility into SAST result triage activity. All changes to finding severity, state, and notes are captured with before and after values, including the user identity, timestamp, bulk action indication, and triage method (similarity-based or attack-vector-based). Users can access these events via the Audit Trail API.
This enhancement strengthens governance and compliance readiness, enables accurate forensic analysis of finding changes, and provides complete traceability for manual and bulk triage workflows.
Audit Trail Support for Analytics and Reporting
Analytics and Reporting actions are now captured in the Checkmarx One Audit Trail, improving visibility into report-related activities performed by users and system integrations.
Relevant events are logged through the centralized Audit Trail framework using a standardized schema, supporting compliance, security investigations, and operational transparency. This enhancement extends audit coverage to reporting workflows initiated through integrations, APIs, and automation, ensuring consistent tracking across the platform.
Added Scan Scope Settings for AI Supply Chain
You can now control the scope of AI Supply Chain scans by configuring include and exclude rules at both the global and project levels.
Exclude rules always take precedence over include rules, and configuration changes apply to subsequent scans only.
These settings follow the same patterns used by other Checkmarx One scanners, ensuring a consistent configuration experience across the platform. Teams can reduce scan noise by targeting only the files and paths relevant to their work, without changing how scans are executed or results are interpreted.
AI Supply Chain Security Scanner Support in CLI
The Checkmarx One CLI now supports AI Supply Chain Security (AISC) as a standalone scanner type. Organizations can trigger AISC scans using the same workflow and commands used for other supported scanners, providing a consistent scanning experience across the platform.
Scanner availability is controlled by licensing, ensuring that AISC capabilities are available only to entitled customers. This addition does not affect existing scanner types, commands, or workflows.
SAST Attack Vector ID Grouping
Added a new grouping option based on Attack Vector ID, offering more precise, flow‑aware grouping than the default Similarity ID.
Each Attack Vector ID uniquely reflects the programming language, the vulnerability query, and the exact data‑flow path involved. Because any change to language, query, or flow produces a new ID, this grouping provides clearer separation of findings and supports more effective triage. See here for more information.
SCA
Improved Legal Risks Widget Accuracy
The Results by Legal Risks widget in the Scan Overview has been renamed to Legal Risks and now displays only the legal risks shown in the Risks → Legal Risks tab: "Risky effective license", "Package with no effective license", and "Package with no license".
The widget no longer displays "Unknown" categories that do not correspond to any actual risk type. This ensures the Scan Overview accurately reflects your project's legal risk posture and strengthens confidence in the scanner's output.
Combine Net New with SCA Rules
Policy Management now supports combining Net New findings with SCA-specific rules, removing the previous limitation where Net New logic and engine-specific rule configuration were mutually exclusive. When configuring an SCA risk-level rule, you can now select Net New as a status option alongside other filters such as severity and dependency scope. This enables you to create more granular policies, for example, breaking the build only when Net New vulnerabilities are found in production dependencies.
Note
Net New relates only to new vulnerabilities being introduced into the protected branch by a pull request, not to all risks that were identified for the first time by this scan. As such, it is only relevant for Code Repository Integration projects.
IaC
The IaC version included in this release of Checkmarx One is 2.1.20.
IaC updates are documented in the IaC changelog.
DAST
Dashboard Configuration
Added the ability to hide or display widgets in the Overview tab, with your preferences saved across all environments. Also added a filter-reset option to restore the default view with all widgets visible.
Permission Check Update
Allowed user actions are now validated through their permissions rather than specific roles. Admin users retain their abilities to add, delete, or edit user roles and their associated permissions.
OWASP API Top 10
Added OWASP API Top 10 to Checkmarx One. This includes new tags for OWASP Top Ten 2025 and API Top Ten 2023.
Resolved Issues
Item | Description |
|---|---|
AST-148797 | The Feedback App failed to create Jira tickets for critical vulnerabilities. |
AST-144975 | Project reports included SAST vulnerabilities in the “Proposed Not Exploitable” state despite the default settings excluding them. |
AST-144685 | Scheduled reports were not delivered by email. |
AST-143810 | Scans failed when importing Azure DevOps On-Prem repositories using a classic TFS-style structure. |
AST-143646 | The Feedback App did not handle Azure Boards users without the bypassRules permission correctly. |
AST-143147 | CSV report generation triggered a panic error. |
AST-143123 | Scan report generation failed when source or destination nodes contained long string values. |
AST-143122 | Repository scan results were inconsistent. |
AST-140361 | Analytics returned a 504 Gateway Timeout error when displaying Mean Time to Resolution by Severity metrics. |
AST-139481 | Query Editor autocomplete for Secret Detection and IaC displayed SAST-related suggestions. |
AST-136498 | Projects list CSV exports ignored the selected application filter. |
AST-135992 | Analytics displayed Secret Detection results in the “To Verify” state even after the state had been changed. |
AST-135246 | Filtering Analytics dashboards by tags did not work. |
AST-133750 | Directly associating a project with an application did not trigger an Analytics update event. |
AST-133534 | Detection dates were calculated incorrectly. |
AST-117726 | Generating CSV reports from SAST Analytics failed or timed out when processing large result sets. |
AST-108645 | Reports did not include all Container Security engine results, resulting in partial data. |
AST-158825 | SAST scans failed when a single MetaResult message exceeded the 16 MiB size limit. |
AST-156165 | Vulnerabilities marked as patched in vendor advisories continued to appear as open issues in Container Security. |
AST-139473 | Project tags disappeared after editing the project. |
AST-122081 | SAST scan configuration parameters displayed incorrect values. |
SCA-26968 | SCA Auto PR changed XML file encoding from UTF-8 to UTF-16 unexpectedly. |
SCA-26669 | Global Inventory recalculation failed when related scans had been deleted. |
SCA-26668 | Fingerprint detection did not work in EU standalone environments. |
SCA-26537 | The SCA results processor failed with an internal error during scan processing. |
SCA-26466 | SCA scans detected packages that were not present in the project. |
SCA-26300 | Maven source resolution fell back to default behavior instead of using the CxLink configuration file. |