Checkmarx One

Checkmarx One helps you deliver secure software faster with an integrated Application Security Testing platform deployed as a service. A single event, like a code commit or build stage, can trigger scans of your source code, dependencies, and IaC templates, with results aggregated in one place.

4.1

View purchase options

Overview

Try agent mode

Create proposal

Ask question

Checkmarx One is an integrated Application Security Testing (AST) platform delivered by Checkmarx, an AWS Advanced Tier partner with Security and DevOps Competencies. We're a global leader in software security solutions, trusted by 1,700+ organizations and consistently recognized by Gartner as a Leader in AST. Checkmarx One delivers three essential AST services on a platform that's easy to integrate into your existing dev tools: Static application security testing: Checkmarx One is a flexible, accurate solution able to identify hundreds of vulnerabilities and weaknesses in custom code, with support for 25+ languages and frameworks. Software composition analysis: CxSCA enables you to mitigate risks in open source software and third-party libraries. Users can identify and prioritize open source vulnerabilities, take inventory of open source components and dependencies in use, and evaluate the risk of open source licenses. Infrastructure as code analysis: KICS detects security misconfigurations in IaC templates, helping prevent errors such as open storage buckets, insecure databases, and excessive privileges. Checkmarx One is easy to integrate: one event can trigger all scan types for your project, and scan results are aggregated, giving you fast triage of your project's security posture. Checkmarx One Developer Assist is an advanced security agent that delivers real-time context-aware prevention, remediation, and guidance to developers from the IDE. It empowers developers to identify risks in their code in realtime and harness the power of AI to remediate the risks on the spot. This feature is initially being released as part of the Checkmarx One plugin for VS Code, Cursor and Windsurf IDEs.

CXONE ASSIST comprises two main elements: Realtime Scanning - Identify vulnerabilities in realtime during IDE development of both human-generated and AI-generated code. Our super-fast scanners run in the background whenever you edit a relevant file. Our scanners identify vulnerabilities and unmasked secrets in your code. We also identify vulnerable or malicious container images and open source packages used in your project. Results are marked as Problems which are highlighted in the code and annotated with identifying icons. Agentic-AI Remediation-Initiate an Agentic-AI session to receive remediation suggestions. Checkmarx feeds all relevant info to the AI agent which accesses our MCP server to gather data from our proprietary databases and customized AI models. The AI assistant then uses this data to generate remediated code for your project. You can accept the suggested changes or you can chat with the AI agent to learn more about the vulnerability and fine-tune the remediation suggestion.

If you're an AWS customer interested in Checkmarx One and wish to purchase over AWS Marketplace in a different quantity or configuration, visit http://www.checkmarx.com/contact-us-aws IMPORTANT INFORMATION ABOUT PRODUCTS AND SERVICES.

Please note that add-ons be purchased only when the base product is purchased.
Description of Base product: Checkmarx One Start with SAST. Description of available Add-ons: CxOne Start with SAST NG-API Security Addon, CxOne Start with SAST NG-IaC (KICS) Add on, Checkmarx One Start with SAST NG- AI Add on
Description of Base product: Checkmarx One Essential Description of available Add-ons: CxOne Essential-Containers Add on, Cx One Essential-Malicious Packages Add on, Cx One Essential-IaC (KICS) Add on, CxOne Essential-AI Protection Add on
Description of Base product: Checkmarx One Professional Description of available Add-ons: Checkmarx One Professional - IaC (KICS) Add on, Checkmarx One Professional - Enterprise Secrets Add on, Checkmarx One Professional - AI Protection Add on
Checkmarx One Codebashing is available both as standalone and add-on with Base products mentioned above.
CxOne Premium Service Package is available @ 20% of SaaS subscription fee. Checkmarx One Premium Service package fee shall be calculated as higher of: a) 20% of SaaS subscription fee OR b) USD 10,000 in case of 1 year term / USD 30,000 for 3 year term.
Cx-SCS Threat API Malicious (per package) : Minimum quantity is 2 (two) and listed price is for 2 (two) units. SCS Threat API for Malicious OSS Packages Threat Information only (limited to 10,000 packages lookup per month). Each version/sub-version of the same package is considered a unique package.
Minimum deal size shall be USD 30,000 for a one year term and USD 90,000 for three year term. Minimum deal size excludes Checkmarx One Premium Service Package and Checkmarx One PS days.
Checkmarx reserves the right to revise prices periodically.
Prices exclude applicable VAT/GST and WHT, if any.
Refund Policy: no Refunds. Please reach out to aws-marketplace@checkmarx.com for further information about the add-ons available under various base products.

Highlights

FIND THREATS AND SAVE TIME : Identify open source risks. Get severity metrics and remediation guidance. Identify potential license and compliance issues. See which libraries are adding to maintenance burdens. Get risk reports or extract data via API.
SPOT INSECURE CODE EARLIER: Our industry-leading source code analysis covers a wide range of languages. Checkmarx One finds vulnerabilities faster by scanning uncompiled code and only re-scanning new or modified code.
Prevent misconfigurations from reaching production: Scan your IaC templates for valid but insecure configurations before deployment to prevent catastrophic security misconfigurations.

Details

Sold by

Checkmarx

Introducing multi-product solutions

You can now purchase comprehensive solutions tailored to use cases and industries.

Learn more

Explore multi-product solutions

Features and programs

Buyer guide

Gain valuable insights from real users who purchased this product, powered by PeerSpot.

Get the buyer guide

Financing for AWS Marketplace purchases

AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.

View financing details

Pricing

Checkmarx One

Info

View purchase options

Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.

Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

12-month contract (17)

Info

Dimension	Description	Cost/12 months
CxOne Start with SAST NG	Checkmarx One Start with SAST-price per license per year	$1,035.00
CxOne API Security	CxOne Start with SAST NG-API Security Addon-price per license per year	$276.00
CxOne IaC (KICS)	CxOne Start with SAST NG-IaC (KICS) Add on-price per license per year	$240.00
CxOne DevAssist	Checkmarx One Start with SAST NG- DevAssist Add on-price per license per year	$300.00
Checkmarx One Codebashing	Checkmarx One Codebashing	$345.00
CxOne Essential	Checkmarx One Essential - price per license per year	$1,564.00
CxAST-CONTAINERS	CxOne Essential-Containers Add on-price per license per year	$240.00
CxOne Malicious Packages	Cx One Essential-Malicious Packages Add on-price per license per year	$276.00
CxAST-IAC-KICS	Cx One Essential-IaC (KICS) Add on-price per license per year	$240.00
CxOne DevAssist	CxOne Essential-DevAssist Add on-price per license per year	$120.00

Vendor refund policy

Minimum Deal size shall be USD 30,000 for 1 year term & USD 90,000 for 3 year term, excluding Checkmarx One Premium Service Package and Checkmarx one PS days.
Checkmarx One Premium Service package fee shall be calculated as higher of: a) 20% of SaaS subscription fee OR b) USD 10,000 in case of 1 year term / USD 30,000 for 3 year term.

Checkmarx reserves the right to revise prices, without advance notice.
Prices quoted are exclusive of VAT/GST and WHT, if applicable.
No refunds.

How can we make this page better?

We'd like to hear your feedback and ideas on how to improve this page.

Legal

Vendor terms and conditions

Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .

Content disclaimer

Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

Usage information

Info

Delivery details

Software as a Service (SaaS)

SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

Resources

Vendor resources

About Checkmarx One

About Checkmarx

Why Checkmarx and AWS

Support

Vendor support

Checkmarx technical support, online support https://support.checkmarx.com Checkmarx One Standard Support is Included within the price of software subscription and Checkmarx One Premium Service Package available by paying 20% SaaS subscription fee.

AWS infrastructure support

AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

Get support

Product comparison

Info

Updated weekly

Checkmarx One

By Checkmarx

Secure Applications & Scale your AppSec Practices with OX Active ASPM

By Ox Security

Fortinet Lacework FortiCNAPP

By Fortinet Inc.

Accolades

Info

Top

In Testing

Top

In Continuous Integration and Continuous Delivery

Top

In Cloud Governance

Customer reviews

Info

Sentiment is AI generated from actual customer reviews on AWS and G2

Reviews

Functionality

Ease of use

Customer service

Cost effectiveness

39 reviews

Positive

Mixed

0 reviews

Insufficient data

386 reviews

Positive

Mixed

Positive reviews

Mixed reviews

Negative reviews

Overview

Info

AI generated from product descriptions

Static Application Security Testing

Comprehensive vulnerability scanning for custom code across 25+ programming languages and frameworks

Software Composition Analysis

Automated identification and prioritization of vulnerabilities in open source software and third-party library dependencies

Infrastructure as Code Analysis

Detection of security misconfigurations in infrastructure template deployments to prevent potential security risks

Real-time IDE Security Scanning

Background vulnerability scanning during code development with immediate identification of risks in human and AI-generated code

AI-Powered Remediation

Context-aware AI agent that generates code remediation suggestions using proprietary databases and customized AI models

Application Security Scanning

Continuous end-to-end security scanning across source control, CI/CD, registry, and cloud environments with real-time monitoring

Vulnerability Prioritization

Advanced threat assessment using contextual analysis of vulnerability exploitability, reachability, and business impact

Pipeline Security Tracking

Proprietary Pipeline Bill of Materials (PBOM) framework for tracking complete software lineage and ensuring build integrity

Automated Remediation

No-code workflow capabilities for automatically blocking vulnerabilities, risky code, and configuration changes

Software Supply Chain Protection

Comprehensive security coverage across software development lifecycle with integrated risk prevention mechanisms

Code Security

Integrated code security with Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Infrastructure as Code (IaC) security with continuous runtime application behavior monitoring

Cloud Security Posture Management

Robust Cloud Service Posture Management (CSPM) and Kubernetes Security Posture Management (KSPM) with attack path analysis and visualization of interconnected infrastructure risks

Cloud Infrastructure Entitlement Management

Comprehensive visibility and assessment of AWS IAM users, groups, roles, policies, and machine entitlements with automatic discovery and excessive permission identification

Behavioral Analytics

Continuous monitoring of AWS workloads using advanced anomaly detection techniques with comparison of past and present states to identify unusual behaviors

Threat Correlation

Automated correlation of multiple security alerts into high-confidence composite alerts using behavioral analytics, anomaly detection, and threat intelligence from AWS CloudTrail and GuardDuty

Contract

Info

Standard contract

Customer reviews

Leave a review

Ratings and reviews

Info

4.1

55 ratings

5 star

4 star

3 star

2 star

1 star

11%

73%

13%

4 AWS reviews

51 external reviews

External reviews are from G2 and PeerSpot .

reviewer2783283

Automated security scans have strengthened pipeline checks and now need better noise reduction and IDE integration

Reviewed on Nov 29, 2025

Review provided by PeerSpot

What is our primary use case?

Checkmarx One is primarily used for SAST scans in my organization. A specific example of how I use Checkmarx One for SAST scans is in applications that require scanning both static and dynamic vulnerabilities. For the static vulnerabilities, Checkmarx One identifies SQL injections and other static vulnerabilities in the code.

Checkmarx One has been included in the CI/CD pipelines, so it runs automatically for all components and microservices across various applications. The tool indicates severity levels from one, two, three, and so on, and is integrated within the pipeline.

What is most valuable?

Checkmarx One offers several standout features. The tool summarizes CWE reports so I can identify what is exploitable and what is non-exploitable. It is well-integrated with other internal tools where I can disposition false positives and provides vulnerability resolutions and guidance on how to fix them, which are sometimes very helpful.

The CWE report summaries assist in my daily work by showing up in reports, allowing me to see all types of vulnerabilities at once. The tool indicates when there are multiple vulnerabilities in specific legacy code, for example, by showing that there are 12 findings for CVE X.X, and I can fix them all at once.

Checkmarx One has positively impacted the organization by providing resolution strategies and indicating which vulnerabilities need to be fixed. It is beneficial to catch vulnerabilities early in the pipeline so that any false positives can be addressed later, which is especially important for security in a banking environment.

What needs improvement?

Checkmarx One can be improved by reducing noise and improving false positive filtering. There are instances when false positives appear, such as when the word 'password' appears in a file, which actually refers to a code variable elsewhere. Checkmarx One could provide better reports, and the UI could be made more user-friendly.

Integration into the IDE being used would be beneficial so that code does not need to be uploaded to the website and an IDE-friendly report could be generated.

For how long have I used the solution?

Checkmarx One has been used for approximately three years.

What do I think about the stability of the solution?

Checkmarx One has been stable with no observed issues with downtime or reliability.

What do I think about the scalability of the solution?

Checkmarx One has handled increased workloads adequately.

How are customer service and support?

There has been no interaction with the support team.

How would you rate customer service and support?

What other advice do I have?

Checkmarx One saves significant time because it is directly integrated into the CI/CD pipeline, although specific metrics are not available. The overall rating for Checkmarx One is seven out of ten, primarily based on the previously mentioned features and capabilities. Checkmarx One is a solid program that has a secure-first mentality, and no specific advice comes to mind for others considering the product. There is no business relationship with the vendor other than being a customer.

Adarkum Kumar

Early detection with custom queries has improved secure coding practices and continuously prevents critical vulnerabilities from reaching deployment

Reviewed on Nov 29, 2025

Review from a verified AWS customer

What is our primary use case?

My main use case for Checkmarx One is as a SAST product. In the Jenkins pipeline, we use it to build or confirm the Checkmarx result. Whenever we find any high or critical severity vulnerability, we break the pipeline and the product does not go to deployment. I use Checkmarx audit a lot. Whenever I find a zero-day vulnerability, we go to Checkmarx audit and write some custom query so that we can find the particular vulnerability in a particular library. Checkmarx One can give us the exact code where that library is deployed and we replace the server version and the library version.

What is most valuable?

The best features Checkmarx One offers are Checkmarx audit and the ability to write custom queries.

Checkmarx One has positively impacted our organization as we tend to find vulnerabilities very early in the development cycle. The initial scans allowed the teams to catch the vulnerabilities early. But after some time, they got used to it and started writing more secure code. In a way, it has saved a lot of time.

What needs improvement?

For Checkmarx One, I think that adding repositories and scanning impromptu code could improve it. Suppose an impromptu team comes and provides the code in a GitLab repo, there should be a quick scan button. You just link the repo and can get a result instantly.

For how long have I used the solution?

I have been using it for five years.

What do I think about the stability of the solution?

Checkmarx One is stable.

What do I think about the scalability of the solution?

Checkmarx One's scalability is good.

How are customer service and support?

We had Checkmarx office hours for customer support, and that helps a lot.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

We did not previously use a different solution. We were using the free version of Semgrep .

What was our ROI?

I'm not in a position to provide a return on investment because I'm at a lower level, such as Product Security Engineer. I don't deal with these details.

What other advice do I have?

My advice to others looking into using Checkmarx One is to go for the demo version first and see. If it fits into your pipeline, then go for it.

Checkmarx One is a great tool. SAST-wise, I love it. It's integrating into the pipeline, Checkmarx audit, and manually marking the results as false positive. After the rescan, it does not appear. So that works great.

I found this interview to be good, but I think there should be a pause button. Anyone can take a break and doesn't have to continue for the whole length. You can hit pause and continue whenever you come back.

I would rate this review an 8.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS )

Gideon Anichi

Reselling has delivered fast secure-code training and streamlined code review for development teams

Reviewed on Nov 28, 2025

Review from a verified AWS customer

What is our primary use case?

My main use case for Checkmarx One is that I am a reseller, and the company I work for is a reseller. What I typically do with Checkmarx One is implementation, helping our clients or customers to meet their use cases, support, and setting up, and also using it to show the customer how to use the product.

A very recent implementation I can think of is that we had a client that wanted to do SAST , and we sold Checkmarx One to them for their SAST implementation. I was able to walk the clients through how to use the platform, how to review the source code with Checkmarx One, and most especially how to use the one-fix remediation features of Checkmarx whereby you can use the recommendation from Checkmarx One to fix the issues found in the source code.

What is most valuable?

The best features that Checkmarx One offers in my experience include its reliability in managing false positives, the integration to the CI/CD pipeline, and most importantly, the Codebashing feature that Checkmarx One has where developers can learn how to code better and securely.

In terms of usability, Checkmarx One is one of those solutions where implementation is very straightforward and within the next few minutes after implementing Checkmarx One, you can actually start getting results almost instantly. The ease of use is there, and the usability shows that the time to generate returns on your investment is very quick.

From my point of view as a professional service or support engineer, Checkmarx One has positively impacted my organization and clients. The fact that clients come back to renew their Checkmarx One subscription means that it is valuable to them, and winning new deals means that the solution is actually meeting the need in the market. I have deployed Checkmarx One for different clients and resold Checkmarx One to different clients, and that can only be because the solution does exactly what it says it does.

After implementing Checkmarx One, the time it takes for clients to come up with secure code has been a lot faster. Once you implement Checkmarx One, you can be sure that you're getting value from the solution almost immediately because Checkmarx One also handles false positives very effectively, saving you time and saving your developers time. This has really improved the client's experience.

Additionally, Checkmarx One also has the Codebashing feature that helps to provide further knowledge to the customer on how to write secure codes, and that's a very outstanding feature of Checkmarx One.

What needs improvement?

Checkmarx One is doing a lot already, and what I would just ask is for Checkmarx One, as a company, to look into investing in RASP because being a very good SAST to DAST solution, RASP is becoming increasingly needed, especially from the reseller vendor side. If Checkmarx One could start development of a RASP platform, that would do us a lot of good.

RASP is the key one for me.

For how long have I used the solution?

I have been working in my current field for about over eight years.

What do I think about the stability of the solution?

Checkmarx One is very stable in my experience.

What do I think about the scalability of the solution?

Checkmarx One's scalability is good; it can handle growing needs or larger environments easily.

How are customer service and support?

I have relied on Checkmarx One customer support hundreds of times for several things, and Checkmarx One support is very proactive and very responsive. You can rely on them.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have not previously used a different solution for my clients; it has most times always been Checkmarx One.

How was the initial setup?

The ease of use is there, and the usability shows that the time to generate returns on your investment is very quick. That is something that is outstanding about Checkmarx One.

What about the implementation team?

Due to the number of years I've implemented Checkmarx One, there are rebates and discounts from the OEM which makes it a lot more profitable, and in terms of setup costs, it's already factored into the cost of the solution. The clients we are deploying for usually manage that cost. We have a good relationship with generating a license and all of that, so the experience is seamless and really good.

What was our ROI?

I have to mention again that I am not a direct user of Checkmarx One, as I implement Checkmarx One for clients and use it in clients' environments. The person who has the most accurate answer around return on investment would be the client. However, based on my interactions with the clients, I can tell that there is a return on investment because if something is not profitable and it's not helping to save costs or vulnerabilities, clients wouldn't come back to renew their license year after year. I would say that while I may not have direct metrics, I can affirm that there is a good return on investment for our clients' environments.

What's my experience with pricing, setup cost, and licensing?

Which other solutions did I evaluate?

Before choosing Checkmarx One, we did not evaluate other options for clients; in most cases, clients really wanted Checkmarx One themselves, so we just implement Checkmarx One for them.

What other advice do I have?

I would rate Checkmarx One an eight out of ten.

I choose eight out of ten because Checkmarx One is outstanding; truthfully, Checkmarx One is really, really good.

My advice for others looking into using Checkmarx One is to come to me; let me sell Checkmarx One to you. I have good experience using Checkmarx One, and I can help you set up your Checkmarx One to ensure that you're getting your return on value quickly. If you're looking for a SAST solution that would provide a return on investment and assist with source code scanning to improve your entire SDLC cycle, Checkmarx One is a tool that you can rely on. My overall rating for Checkmarx One is eight out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS )

Swetha Dhanasekar

Improves collaboration between teams and embeds security directly into development workflows

Reviewed on Nov 26, 2025

Review provided by PeerSpot

What is our primary use case?

Checkmarx One is my main tool for vulnerability detection and smooth integration over the things to be scanned. It helps me to perform smooth vulnerability detection. The primary use case that fits into my workflow is to see the vulnerabilities in Checkmarx One dashboard, and then we can fix them. It depends on the vulnerability that we have in our code, and then we do the same until we achieve the desired latency.Checkmarx One dashboard is helpful for scanning, integration, and vulnerability detection.

What is most valuable?

I have been using Checkmarx One for three years.Checkmarx One positively impacts my organization by detecting vulnerabilities. This is a significant impact when we are going into the coding part. It helps us to do proper coding and deploy with improved performance.The features that help me in my work include CI/CD pipeline integration and code repository integration that are automated with triggering. I can also get scanning results as feedback and testing integration. It supports board security coverage. Checkmarx One is basically embedding security into the developer workflow, which means IDE , plus source code management, plus CI/CD.Checkmarx One has significantly reduced the time we spend identifying vulnerabilities because the scan runs automatically in our CI/CD pipeline. The results are centralized in a single dashboard. This eliminates manual checking and gives us faster visibility into high-risk problems and issues. In terms of collaboration, it helps us improve coordination between development and security teams. We use a shared dashboard. The clear remediation guidelines and automated ticket creation make communication smoother and ensure both teams are aligned on priorities and timelines. Overall, the tool has helped streamline our DevSecOps workflow.

What needs improvement?

Scanning speed optimization is an area where improvements can be made, and we can reduce false positives. The tool still requires manual verification in some cases, which could be improved. I recommend stronger integration with modern development tools. Other tools might include GitHub Actions , GitLab Runner, and Azure DevOps pipelines.The improvements needed are in scan speed, reducing false positives, and more detailed remediation guidelines. These are the areas where improvements can be made.

For how long have I used the solution?

I have been using Checkmarx One for three years.

What do I think about the stability of the solution?

Checkmarx One is very stable, so we switched to it.

What do I think about the scalability of the solution?

Checkmarx One's scalability has changed my organization because the strong collaboration between the development and security team helps us to do things much faster.

How are customer service and support?

I have reached out to customer support for Checkmarx One, and they are very helpful when needed.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

We were using a combination of open scanners before Checkmarx One. We might have used SonarQube for code quality and basic security checks, and a tool for dependency checking for vulnerability scanning. While they were very useful, they were not fully integrated. There was a significant gap between them. Overall, when moving to Checkmarx One, it helped us to unify all security checks under one tool, improve visibility, reduce manual effort, and have strong collaboration between the development and security teams.

How was the initial setup?

The setup eliminates a lot of manual coding reviews and reduces the dependency on a dedicated security analyst for the initial stage.

What was our ROI?

I have seen a return on investment with Checkmarx One as fewer employees are needed and time is also saved.Checkmarx One has definitely helped us to save time and reduce the need for additional security resources, meaning employees. One of the biggest advantages is that the scan runs automatically in our CI/CD pipeline. The results go right to the dashboard or the ticketing system. This eliminates a lot of manual coding reviews and reduces the dependency on a dedicated security analyst for the initial stage. In terms of saving time, I estimate that we have roughly saved twenty to thirty percent of the effort we spent in manual code reviews. For example, in our recent project, I reviewed around two thousand-plus lines of changes, which would naturally take a senior person three to four hours to review. Checkmarx One identified two major vulnerabilities within a second, and the developer fixed them before the migration. This automation protects us from needing additional code reviewers for peak release cycles. Overall, between the fast scanning, automation, automatic reporting, and easy detection, it has reduced manual effort enough that we did not need an extra reviewer, even as our codebase or team size grew.

What's my experience with pricing, setup cost, and licensing?

I am experiencing pricing, setup cost, and licensing for Checkmarx One. I did not see any challenges; the pricing should be reasonable, matching what we are paying for. It is actually reasonable.

Which other solutions did I evaluate?

Before choosing Checkmarx One, I evaluated other options such as SonarQube .

What other advice do I have?

My advice to others looking into using Checkmarx One would be to look at it. Overall, the tool delivery gives the best result. If your plan is rolled out well, integrate it deeply into the workflow and fine-tune it in your environment so that you can see a better result in Checkmarx One. I would rate this review an eight out of ten.

Shahzad Shahzad

Enable secure development workflows while identifying opportunities for faster scans and improved AI guidance

Reviewed on Nov 25, 2025

Review provided by PeerSpot

What is our primary use case?

I would like to refer Checkmarx One as I have been working with it for a long time. I led the implementation of Checkmarx One as the centralized AppSec platform during a large cloud modernization project. We onboarded 200 plus repositories, standardized security policies across teams, and introduced branch-level gating so that no code could reach production unless it passed SAST and SCA quality thresholds. This reduced critical findings by over 70% within the first quarter and aligned engineering with a major, repeatable, secure SDLC process. Overall, I use Checkmarx One as a strategic control point to improve developer velocity while strengthening application security across the full software lifecycle.

What is most valuable?

I can talk about SAST , which is static application security testing with correlation and prioritization. It automates and identifies insecure coding patterns early in development. The correlation engine links SAST and SCA and API vulnerability, reducing noise. It helps developers fix what is actually exploitable instead of drowning in false positives, improving the developer productivity and accelerating secure SDLC.

The second case I can give is SCA, software composition analysis for open source risk. It monitors CVE, licensing issues, and vulnerable libraries. It helps quickly identify supply chain risk, which is very important in 2025, and automatic PRs to upgrade vulnerable dependencies, saving engineering time and strengthening SBOM and supply chain security postures.

I can talk about IAC security. Terraform , ARM, CloudFormation , Kubernetes manifest detection finds misconfiguration before cloud resources go live, providing fast fixes directly to developers, which eliminates potential cloud exposure at the design stage. It is important for DevSecOps and preventing cloud drift.

I do use the IDE plugin for VS Code and IntelliJ, where a developer gets immediate feedback inside their editor. Issues are fixed at their cheapest point before committing code, which reduces friction between AppSec and engineering, shifting security left in a practical, low-resistance way.

Another example is the CI/CD continuous integration and continuous delivery integration and branch-level gating, which enforces and automates policies. No merge to main unless scans pass removes the manual review bottleneck and ensures consistent governance across teams and environments, creating a repeatable, scalable, secure SDLC.

Checkmarx One's API automation workflows enable automated reporting, custom dashboards, and Slack and Jira alerts, powering enterprise-level orchestration and compliance reporting. It allows integration with SIEM and SOAR for unified visibility and turns Checkmarx One into a security automation powerhouse.

The unified dashboard and risk overview provide a centralized view of SAST, SCA, IAC, and API findings that help AppSec teams prioritize across multiple codebases, allowing managers to get instant insight for audit or executive reporting that provides clarity and data-driven decision making. The day-to-day Checkmarx One features I rely on most are SAST and SCA with the correlation engines because they drastically reduce false positives and help me focus on real exploitable risk. I also use IAC scanning to catch cloud misconfiguration early and IDE plugins to shift security left for developers.

CI/CD gating and the Checkmarx One API are essential because they automate governance and create a consistent, scalable, secure SDLC across teams. The unified dashboard brings everything together, making risk visibility very clear at both engineering and leadership levels.

What needs improvement?

Checkmarx One is a very strong platform, but there are several areas where it can improve to support modern DevSecOps workflows even better. For example, better real-time developer guidance is needed. The IDE plugin should offer richer AI-powered auto-fixes similar to SNYK Code or GitHub Copilot Security, as current guidance is good but not deeply contextual for large-scale enterprise codebases. This matters because it reduces developer friction and accelerates shift-left adoption.

More transparency control over the correlation engines is another need. The correlation engine is powerful but not fully transparent. Users want to understand why vulnerabilities were correlated or de-prioritized, which helps AppSec teams trust the prioritization logic.

Faster SAST scan and more language coverage is needed since SAST scan can still be slow for very large mono-repos and there is limited deep support for new language frameworks like Rust and Go, along with advanced coverage for serverless-specific frameworks. This matters because large organizations want sub-minute scans in CI/CD as cloud-native ecosystems evolve fast.

A strong API security module is another area for enhancement. API security scanning could be improved with active testing, API discovery, full Swagger, OpenAPI, drift detection, and schema-based fuzzing. This is important as API attacks are one of the biggest AppSec risks in 2025.

Checkmarx One is strong, but I see a few areas for improvement including faster SAST scanning for large mono-repos, deeper language framework support, more transparent correlation logic, and stronger API security that includes discovery and runtime context. The IDE plugin could offer more AI-assisted fixes, and the SBOM lifecycle tracking can evolve further. Enhancing integration with SIEM and SOAR would also make enterprise adoption smoother, and these improvements would help developers and AppSec teams move faster with more accuracy.

For how long have I used the solution?

I have been working in this field for 15 years and I am a subject matter expert.

What do I think about the scalability of the solution?

Checkmarx One is a scalable product and handles the workload. It depends on the licensing being used, which scales accordingly. Since it is cloud-based, the infrastructure and PaaS, IaaS , and SaaS are taken care of by the cloud marketplace. In our case, we have Azure and everything we are running is managed through Azure .

How are customer service and support?

The customer support team is amazing and they provide on-phone call, email support, and on-website support. It has been a really great experience.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

I have used other helpful solutions including SNYK, Veracode , GitHub Advanced Security , and SonarQube before Checkmarx One. These competitors have helped improve my experience with Checkmarx One due to the balance between depth versus speed, policy versus developer experience, and unified AppSec strategy with tuning prioritization.

How was the initial setup?

The deployment was smooth and aligned well with our Azure ecosystem. The Marketplace offering gave us a pre-configured SaaS environment, simplified licensing, and allowed direct integration with Azure AD , Azure DevOps , and Git repos. I initiated the deployment from Azure Marketplace , selected the subscription, resource group, and tenant, and linked it to our enterprise Azure AD . The main feature was fast provisioning through SaaS with no infrastructure to maintain, automatically identifying integration using Azure AD and SSO , with native billing through Azure subscription and pre-configured API endpoint optimized for the Microsoft cloud. The Marketplace deployment eliminated a lot of manual setup compared to traditional AppSec setups.

What about the implementation team?

We deployed Checkmarx One using phases including scale, rollout, monitoring, covering, planning, integration, onboarding, governance, and organization. First, we used discovery and planning, then platform setup and access based on Azure. We integrated CI/CD, developer workflow integration, SAST, SCA, IAC configuration tuning, and dashboard reporting. A full optimization rollout was done.

First, we set up SSO , RBAC, and CI/CD integration. Then, we onboarded repos, tuned SAST, SCA, IAC rules, and rolled out IDE plugins to developers. We automated Jira tickets, enabled branch gating for critical apps, and built risk dashboards using the API. Within a few months, we achieved over 90% repo coverage, reduced false positives significantly, and embedded secure coding directly into developer workflows.

What's my experience with pricing, setup cost, and licensing?

I would like to talk about setup, pricing, and licensing with Checkmarx One. The licensing module is modular consumption-based, and organizations typically license the platform in three ways: module-based licensing, repo-based or LOC-based licensing, and Enterprise Agreement-based licensing. When it goes to Azure Marketplace , billing is directly through Azure subscription, allowing the ability to pay using Microsoft credits and easier contract approval, which procurement loves. Marketplace deals offer pre-configured SaaS tenant in Azure, faster onboarding with native integrations including AAD, Entra, ADO, ARM, or AKS. The Marketplace also offers monthly or annual SKU, add-on modules as needed, and custom quotes for enterprise workloads.

For a small team under 50 developers, normal expenses come under 30 to 60K. For a mid-size team with 50 to 250 developers, the range is 80 to 250K depending on the number of modules. For enterprises with 250 to 2,000 developers, costs range from 250K to 1 million and include SAST, SCA, IAC, and API. Azure Marketplace gives organizations a savings of 10 to 20% by consolidating billing through their Microsoft Enterprise Agreement.

What other advice do I have?

My best advice, a top practical advice to share is to start with governance first, which reduces noise early, integrate everywhere developers work, automate pull request gates, provide developer training, use the analytics dashboard, and align it with your secure SDLC. Checkmarx One works best when implemented as a part of your systematic, automated, developer-first AppSec program. Tune early, automate everything, integrate everywhere, and pair it with proper developer education. The tool's power is in consistency and governance, not just scanning. I would rate this solution a 7 out of 10.

View all reviews