Checkmarx

Enterprise application security testing across the SDLC

Application Security | May 11, 2026 | 14 min read

1. Tool Overview

What does this tool do?

Checkmarx is an enterprise-grade Application Security Testing (AST) platform designed to secure code across the Software Development Life Cycle (SDLC). It is mainly used as a shift-left security platform, analyzing source code, open-source dependencies, APIs, secrets, and Infrastructure as Code before software is compiled or deployed.

What problem does it solve?

  • Identifies critical code flaws such as SQL injection, XSS, and buffer overflows during development.
  • Scans third-party open-source libraries for known CVEs, license issues, and malicious packages.
  • Prevents hardcoded secrets, cloud misconfigurations, IaC risks, and API vulnerabilities from reaching production.
  • Consolidates AppSec signals into an Application Security Posture Management (ASPM) dashboard for centralized prioritization.

Where is it used in the cybersecurity lifecycle?

  • Identify & Protect: Integrated into IDEs such as VS Code and IntelliJ, and into CI/CD pipelines such as GitHub Actions, Jenkins, and GitLab CI to catch vulnerabilities early.
  • Detect: Used in testing and staging workflows, including DAST and API testing, to detect issues in running applications and services.

2. How the Tool Works

Working mechanism

Checkmarx SAST parses uncompiled source code and builds a logical representation of code elements and data flows. The engine performs data-flow and control-flow analysis to trace whether data moves from an untrusted source, such as user input, to a sensitive sink, such as a database query, without passing through a sanitizer.

Checkmarx uses CxQL, a C#-derived proprietary query language, to run security queries against the code graph. Security teams can use built-in rules or write custom CxQL queries for business-specific logic flaws and internal coding standards.
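To make the source-to-sink mechanism above concrete, here is a miniature taint tracker over Python's own AST. It is an added illustration, not Checkmarx code and not CxQL; the source, sink and sanitizer names are assumed stand-ins for what a real query set defines, it follows assignments in straight-line and function-body code only, and the sample program it scans is constructed for the demo.

```python
import ast
# Constructed role model (assumed names, not Checkmarx's own query definitions).
SOURCES = {"request.args.get"}       # untrusted input enters here
SINKS = {"cursor.execute"}           # sensitive operation
SANITIZERS = {"int", "escape_sql"}   # calls that neutralise taint

def _name(node):  # callee as a dotted name, e.g. 'cursor.execute'
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := _name(node.value)):
        return f"{base}.{node.attr}"

def _tainted(expr, tainted):  # True if expr carries taint that no sanitizer removed
    if isinstance(expr, ast.Call):
        callee = _name(expr.func)
        if callee in SANITIZERS:
            return False
        if callee in SOURCES:
            return True
        return any(_tainted(a, tainted) for a in expr.args)  # str(user) stays tainted
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(_tainted(c, tainted) for c in ast.iter_child_nodes(expr))  # "a" + user, f"{user}"

def _scan(stmts, tainted, findings):
    for stmt in stmts:
        if isinstance(stmt, ast.FunctionDef):
            _scan(stmt.body, set(tainted), findings)  # fresh taint set per function
            continue
        for node in ast.walk(stmt):  # flag any sink call fed by tainted data
            if isinstance(node, ast.Call) and _name(node.func) in SINKS \
                    and any(_tainted(a, tainted) for a in node.args):
                findings.append((node.lineno, _name(node.func)))
        if isinstance(stmt, ast.Assign):  # assignment propagates or clears taint
            for t in stmt.targets:
                if isinstance(t, ast.Name):
                    (tainted.add if _tainted(stmt.value, tainted) else tainted.discard)(t.id)

def find_flows(src):  # (line, sink) for each unsanitized source-to-sink flow
    findings = []
    _scan(ast.parse(src).body, set(), findings)
    return findings

# Constructed sample: one real flow, one sanitized flow, one constant query.
SAMPLE = '''def login(request, cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")  # line 3: flagged
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = " + str(uid))       # int() sanitizes
    cursor.execute("SELECT 1")                                         # no untrusted data
'''
```

Running `find_flows(SAMPLE)` returns `[(3, "cursor.execute")]`: only the query built from the unsanitized login input is reported, which is the same source, sink and sanitizer decision a CxQL data-flow query makes at much larger scale.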

Architecture components

Checkmarx One

  • SaaS, cloud-native platform hosted on AWS.
  • API-driven integrations with SCM, CI/CD, IDEs, and ticketing systems.
  • Combines SAST, SCA, IaC security, API security, secrets detection, DAST, and ASPM capabilities.

CxSAST on-premises

  • CxManager: Central orchestrator for user requests, integrations, and scan queues.
  • CxEngine: Scanning engine that analyzes code graphs and runs security queries.
  • SQL Server database: Stores scan results, configuration, users, and scan history.
  • Web portal: Used by analysts to triage findings, mark false positives, and generate reports.

Data flow

Developer commits code to SCM -> CI/CD triggers a Checkmarx API call -> code package is sent securely to the Checkmarx engine -> the engine parses code and creates a logical graph -> CxQL queries run against the graph -> vulnerabilities are identified -> results are correlated in the dashboard -> Jira tickets, PR comments, or notifications are generated for developers.

Type

  • Agentless: Integrates through APIs, webhooks, SCM apps, and CI/CD jobs.
  • Signature- and heuristic-based: Uses predefined CxQL queries, SCA CVE databases, malicious package intelligence, and policy checks.

3. Features & Capabilities

Core features

  • SAST: Deep source-code analysis for 35+ languages and 100+ frameworks without requiring compilation.
  • SCA: Detects vulnerable dependencies, license risks, and malicious open-source packages.
  • API Security: Discovers undocumented APIs and checks for OWASP API Top 10 risks.
  • IaC Security: Scans Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles, powered by KICS.

Advanced features

  • ASPM: Correlates SAST, SCA, DAST, secrets, API, and IaC findings to deduplicate and prioritize risk.
  • AI-powered AppSec: Assists with threat detection in AI-generated code, fix validation, and auto-remediation.
  • Custom CxQL: Lets security engineers write custom detection rules for proprietary logic and internal frameworks.
  • Secrets detection: Uses 2ms technology to detect API keys, passwords, and tokens in source code.

Limitations

  • Initial scans can be noisy and require tuning to reduce false positives.
  • Full SAST scans can be slower on large monoliths than lightweight linters.
  • Pricing is enterprise-focused and not transparent publicly.
  • Older CxSAST interfaces can feel dated compared with Checkmarx One.

4. Deployment Models

Supported environments

  • On-premises: CxSAST deployed on Windows Server for regulated or air-gapped environments.
  • Cloud: Checkmarx One SaaS, available as managed cloud tenancy.
  • SaaS: Fully managed Checkmarx One platform.

Deployment types

  • Single node: CxManager, CxEngine, and database on one server for labs or POCs.
  • Distributed: Separate CxManager, multiple CxEngine servers, and dedicated SQL Server for scale.
  • Agentless: API- and webhook-driven CI/CD and SCM integration.

5. System Requirements

Typical CxSAST on-premises requirements:

Component   Requirement
OS          Windows Server 2019 or 2022
CPU         Minimum 8 cores; 16+ cores recommended for CxEngine servers
RAM         32 GB minimum for CxManager; 64+ GB for CxEngine servers
Storage     500 GB+ SSD; NVMe recommended for fast parsing and scan history
Network     Ports 80/443 for portal/API, 1433 for SQL Server, access to SCM and AD/LDAP

6. Installation & Setup

Local setup: CxSAST on-premises

  1. Provision a Windows Server VM and install SQL Server.
  2. Download the CxSetup.exe package.
  3. Install prerequisites such as Java JRE, IIS, and .NET Framework.
  4. Run CxSetup.exe as Administrator.
  5. Select Advanced Installation for distributed setup, or All-In-One for a lab.
  6. Point the installer to the SQL Server instance.
  7. Configure IIS bindings and SSL certificates.
  8. Apply the Checkmarx license file.
  9. Open http://localhost/cxwebclient and log in as administrator.

Cloud setup: Checkmarx One SaaS

  1. Log in to the Checkmarx One tenant URL, such as https://eu.ast.checkmarx.net.
  2. Configure SSO/OIDC using Entra ID, Okta, or another identity provider.
  3. Generate a Personal Access Token for CI/CD integration.
  4. Connect the SCM platform from the Integrations page.
  5. Authorize the Checkmarx GitHub App if using GitHub.
  6. Add the Checkmarx AST CLI command to the pipeline YAML file.

7. Configuration

Basic configuration

  • Group repositories into business units and projects.
  • Map Checkmarx to GitHub or GitLab organizations.
  • Exclude paths such as tests/, mock/, vendor/, and generated code.
  • Configure SAST, SCA, secrets, IaC, and API scanners per project.

Advanced configuration

  • Write custom CxQL rules for internal security standards.
  • Create scan presets such as OWASP Top 10 Only, PCI-DSS High Risk, or Fast Scan.
  • Add quality gates such as failing builds when high-risk vulnerabilities exceed policy thresholds.

Integrations

  • APIs: REST APIs for scan triggers, results export, user management, and automation.
  • Third-party tools: Jira, ServiceNow, Slack, Teams, GitHub Actions, GitLab CI, Jenkins, and SonarQube.

8. Hands-On Usage

Web workflow

  1. Open Checkmarx One.
  2. Go to Projects and create a project.
  3. Link the repository and target branch.
  4. Select scanners such as SAST, SCA, and Secrets.
  5. Start the scan.
  6. Review findings in the triage screen.

CLI workflow

# Scan the current directory (-s .) with the default SAST preset; the exclusion
# pattern is single-quoted so the shell passes "!" through literally.
cx scan create \
  --project-name "MyDemoApp" \
  --sast-preset-name "Checkmarx Default" \
  --branch "main" \
  --file-filter '!*test.py' \
  -s .

Output

  • Triage screen: Shows vulnerability name, file, line, data flow, and best fix location.
  • Reports: Exports PDF/CSV reports mapped to PCI-DSS, HIPAA, NIST, and OWASP Top 10.
  • Alerts: Sends Jira tickets or PR comments with remediation advice.

9. Lab Setup

Lab environment

  • Target vulnerable applications: OWASP WebGoat or OWASP Juice Shop.
  • Platform: Checkmarx One SaaS trial tenant connected to a GitHub repository.

What was tested

  • Multi-engine scan with SAST, SCA, and Secrets.
  • GitHub Action quality gate blocking pull requests with new high-severity SQL injection flaws.

Results

  • Checkmarx mapped the data flow from a Juice Shop login input to an unsafe SQLite query.
  • SCA flagged vulnerable Express and JSONWebToken packages with associated CVEs.
  • A pull request containing a hardcoded AWS key was blocked by the secrets engine in about 45 seconds.

10. Use Case Mapping

  • Target users: AppSec engineers, DevSecOps architects, software developers, and compliance auditors.
  • Company size: Enterprise, government, and mature mid-market engineering teams.
  • Industries: Finance, healthcare, defense, technology, and ecommerce.

Real-world scenarios

  • Developer assist: IDE plugin highlights a vulnerable endpoint and suggests safer code.
  • Pipeline security: Incremental scans verify only changed files to keep urgent patches moving.
  • Supply chain risk: SCA identifies which microservices use a newly disclosed vulnerable package.

11. Pricing & Subscription Model

Checkmarx uses commercial enterprise pricing with custom quotes. Licensing is typically based on contributing developers and concurrent scans.

Estimated annual ranges:

Organization size       Estimated cost
Up to 100 developers    USD 75,000-150,000
Around 250 developers   Around USD 500,000
1000+ developers        USD 1,000,000+

Hidden costs may include on-prem compute, add-on modules such as DAST and AI features, and professional services for tuning.

12. Free vs Paid Comparison

Checkmarx has no permanent free tier or community edition. Evaluation usually happens through a formal proof of concept with the Checkmarx sales and solutions engineering team.

13. Competitor Analysis

Veracode

Veracode is a direct enterprise AppSec competitor. Veracode is known for managed compliance workflows and strong out-of-box accuracy, while Checkmarx gives AppSec engineers deeper control through source-code analysis and CxQL tuning.

Snyk

Snyk is developer-first, fast, and has a freemium model. Checkmarx is more enterprise-governed, broader across AppSec capabilities, and better suited to strict compliance programs.

SonarQube

SonarQube focuses strongly on code quality and has security rules, while Checkmarx is a dedicated AppSec testing platform with deeper vulnerability analysis and enterprise reporting.

14. Advantages & Disadvantages

Advantages

  • Scans raw source code without requiring a build.
  • Flexible custom rule creation through CxQL.
  • Unifies SAST, SCA, DAST, API, IaC, secrets, and ASPM capabilities.
  • Strong incremental scanning support for CI/CD pipelines.
  • Recognized by major analyst reports in AppSec categories.

Disadvantages

  • High cost makes it unsuitable for many small organizations.
  • Initial scans can produce many false positives.
  • Full SAST scans can slow rapid DevOps workflows.
  • Lack of transparent pricing reduces organic developer adoption.

15. Issues & Troubleshooting

Issue                                      Fix
CI/CD timeout during full scans            Use incremental scans for PRs and schedule full scans nightly or weekly
False positives from internal sanitizers   Mark trusted validation functions as sanitizers in CxQL configuration
License exhaustion                         Limit scans to key branches, queue scans, or expand concurrent scan licensing

16. Security & Compliance

Checkmarx One temporarily parses source code in a managed cloud environment and stores vulnerability metadata and relevant snippets. For strict data residency or air-gapped requirements, CxSAST keeps source code inside the corporate network.

Compliance reporting supports common frameworks such as SOC 2, ISO 27001, PCI-DSS, HIPAA, GDPR, NIST, and OWASP Top 10 mappings.

17. Scalability & Performance

Checkmarx One scales through cloud-native services. CxSAST scales horizontally by adding CxEngine servers. Deep data-flow analysis is computationally expensive, so organizations typically use fast presets and incremental scans for pull requests while scheduling full scans outside peak development hours.

18. Deployment SOP

  1. Determine the number of contributing developers and concurrent scan needs.
  2. Map target SCM repositories, languages, and frameworks.
  3. Select Checkmarx One unless strict residency requires CxSAST.
  4. Configure SSO/SAML and role-based access.
  5. Deploy IDE plugins.
  6. Connect SCM and CI/CD systems.
  7. Define global exclusions for generated code, tests, and vendor folders.
  8. Run baseline scans.
  9. Tune sanitizers and false-positive handling.
  10. Add quality gates to CI/CD.
  11. Train developers on triage, remediation, and SLA expectations.

19. Demo Summary

The demo integrated Checkmarx One with GitHub Actions. A pull request introduced a vulnerable dependency and a SQL injection flaw. The pipeline ran SAST and SCA together, failed within minutes, and added PR feedback with the affected code location. The dashboard also correlated the vulnerable package to the exact dependency file, showing first-party and third-party risk in one place.

20. Video Walkthroughs

Source Code Review with Checkmarx — SAST Walkthrough

Checkmarx SAST for Developers and Penetration Testers