Skip to main content

Version 3.61 | June 28, 2026

New Features and Enhancements

Audit Trail Coverage for SAST Result Triage

The Audit Trail now includes full visibility into SAST result triage activity. All changes to finding severity, state, and notes are captured with before and after values, including the user identity, timestamp, bulk action indication, and triage method (similarity-based or attack-vector-based). Users can access these events via the Audit Trail API.

This enhancement strengthens governance and compliance readiness, enables accurate forensic analysis of finding changes, and provides complete traceability for manual and bulk triage workflows.

Audit Trail Support for Analytics and Reporting

Analytics and Reporting actions are now captured in the Checkmarx One Audit Trail, improving visibility into report-related activities performed by users and system integrations.

Relevant events are logged through the centralized Audit Trail framework using a standardized schema, supporting compliance, security investigations, and operational transparency. This enhancement extends audit coverage to reporting workflows initiated through integrations, APIs, and automation, ensuring consistent tracking across the platform.

Added Scan Scope Settings for AI Supply Chain

You can now control the scope of AI Supply Chain scans by configuring include and exclude rules at both the global and project levels.

Exclude rules always take precedence over include rules, and configuration changes apply to subsequent scans only.

These settings follow the same patterns used by other Checkmarx One scanners, ensuring a consistent configuration experience across the platform. Teams can reduce scan noise by targeting only the files and paths relevant to their work, without changing how scans are executed or results are interpreted.

AI Supply Chain Security Scanner Support in CLI

The Checkmarx One CLI now supports AI Supply Chain Security (AISC) as a standalone scanner type. Organizations can trigger AISC scans using the same workflow and commands used for other supported scanners, providing a consistent scanning experience across the platform.

Scanner availability is controlled by licensing, ensuring that AISC capabilities are available only to entitled customers. This addition does not affect existing scanner types, commands, or workflows.

SAST Attack Vector ID Grouping

Added a new grouping option based on Attack Vector ID, offering more precise, flow‑aware grouping than the default Similarity ID.

Each Attack Vector ID uniquely reflects the programming language, the vulnerability query, and the exact data‑flow path involved. Because any change to language, query, or flow produces a new ID, this grouping provides clearer separation of findings and supports more effective triage. See here for more information.

SCA

Improved Legal Risks Widget Accuracy

The Results by Legal Risks widget in the Scan Overview has been renamed to Legal Risks and now displays only the legal risks shown in the Risks → Legal Risks tab: "Risky effective license", "Package with no effective license", and "Package with no license".

The widget no longer displays "Unknown" categories that do not correspond to any actual risk type. This ensures the Scan Overview accurately reflects your project's legal risk posture and strengthens confidence in the scanner's output.

Combine Net New with SCA Rules

Policy Management now supports combining Net New findings with SCA-specific rules, removing the previous limitation where Net New logic and engine-specific rule configuration were mutually exclusive. When configuring an SCA risk-level rule, you can now select Net New as a status option alongside other filters such as severity and dependency scope. This enables you to create more granular policies, for example, breaking the build only when Net New vulnerabilities are found in production dependencies.

Note

Net New relates only to new vulnerabilities being introduced into the protected branch by a pull request, not to all risks that were identified for the first time by this scan. As such, it is only relevant for Code Repository Integration projects.

IaC

The IaC version included in this release of Checkmarx One is 2.1.20.

IaC updates are documented in the IaC changelog.

DAST

Dashboard Configuration

Added the ability to hide or display widgets in the Overview tab, with your preferences saved across all environments. Also added a filter-reset option to restore the default view with all widgets visible.

Permission Check Update

Allowed user actions are now validated through their permissions rather than specific roles. Admin users retain their abilities to add, delete, or edit user roles and their associated permissions.

OWASP API Top 10

Added OWASP API Top 10 to Checkmarx One. This includes new tags for OWASP Top Ten 2025 and API Top Ten 2023.

Resolved Issues

Item

Description

AST-148797

The Feedback App failed to create Jira tickets for critical vulnerabilities.

AST-144975

Project reports included SAST vulnerabilities in the “Proposed Not Exploitable” state despite the default settings excluding them.

AST-144685

Scheduled reports were not delivered by email.

AST-143810

Scans failed when importing Azure DevOps On-Prem repositories using a classic TFS-style structure.

AST-143646

The Feedback App did not handle Azure Boards users without the bypassRules permission correctly.

AST-143147

CSV report generation triggered a panic error.

AST-143123

Scan report generation failed when source or destination nodes contained long string values.

AST-143122

Repository scan results were inconsistent.

AST-140361

Analytics returned a 504 Gateway Timeout error when displaying Mean Time to Resolution by Severity metrics.

AST-139481

Query Editor autocomplete for Secret Detection and IaC displayed SAST-related suggestions.

AST-136498

Projects list CSV exports ignored the selected application filter.

AST-135992

Analytics displayed Secret Detection results in the “To Verify” state even after the state had been changed.

AST-135246

Filtering Analytics dashboards by tags did not work.

AST-133750

Directly associating a project with an application did not trigger an Analytics update event.

AST-133534

Detection dates were calculated incorrectly.

AST-117726

Generating CSV reports from SAST Analytics failed or timed out when processing large result sets.

AST-108645

Reports did not include all Container Security engine results, resulting in partial data.

AST-158825

SAST scans failed when a single MetaResult message exceeded the 16 MiB size limit.

AST-156165

Vulnerabilities marked as patched in vendor advisories continued to appear as open issues in Container Security.

AST-139473

Project tags disappeared after editing the project.

AST-122081

SAST scan configuration parameters displayed incorrect values.

SCA-26968

SCA Auto PR changed XML file encoding from UTF-8 to UTF-16 unexpectedly.

SCA-26669

Global Inventory recalculation failed when related scans had been deleted.

SCA-26668

Fingerprint detection did not work in EU standalone environments.

SCA-26537

The SCA results processor failed with an internal error during scan processing.

SCA-26466

SCA scans detected packages that were not present in the project.

SCA-26300

Maven source resolution fell back to default behavior instead of using the CxLink configuration file.