
Checkmarx One

Checkmarx

Reviews from AWS customer

4 AWS reviews
  • 5 star
    0
  • 4
  • 3 star
    0
  • 2 star
    0
  • 1 star
    0

External reviews

51 reviews

External reviews are not included in the AWS star rating for the product.


4-star reviews

    Adarkum Kumar

Early detection with custom queries has improved secure coding practices and continuously prevents critical vulnerabilities from reaching deployment

  • November 29, 2025
  • Review from a verified AWS customer

What is our primary use case?

My main use case for Checkmarx One is as a SAST product. In the Jenkins pipeline, we use it to build or confirm the Checkmarx result. Whenever we find any high or critical severity vulnerability, we break the pipeline and the product does not go to deployment. I use Checkmarx audit a lot. Whenever I find a zero-day vulnerability, we go to Checkmarx audit and write some custom query so that we can find the particular vulnerability in a particular library. Checkmarx One can give us the exact code where that library is deployed and we replace the server version and the library version.

What is most valuable?

The best features Checkmarx One offers are Checkmarx audit and the ability to write custom queries.

Checkmarx One has positively impacted our organization as we tend to find vulnerabilities very early in the development cycle. The initial scans allowed the teams to catch the vulnerabilities early. But after some time, they got used to it and started writing more secure code. In a way, it has saved a lot of time.

What needs improvement?

For Checkmarx One, I think that adding repositories and scanning impromptu code could improve it. Suppose an impromptu team comes and provides the code in a GitLab repo, there should be a quick scan button. You just link the repo and can get a result instantly.

For how long have I used the solution?

I have been using it for five years.

What do I think about the stability of the solution?

Checkmarx One is stable.

What do I think about the scalability of the solution?

Checkmarx One's scalability is good.

How are customer service and support?

We had Checkmarx office hours for customer support, and that helps a lot.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

We did not previously use a different solution. We were using the free version of Semgrep.

What was our ROI?

I'm not in a position to provide a return on investment because I'm at a lower level, such as Product Security Engineer. I don't deal with these details.

What other advice do I have?

My advice to others looking into using Checkmarx One is to go for the demo version first and see. If it fits into your pipeline, then go for it.

Checkmarx One is a great tool. SAST-wise, I love it. It's integrating into the pipeline, Checkmarx audit, and manually marking the results as false positive. After the rescan, it does not appear. So that works great.

I found this interview to be good, but I think there should be a pause button. Anyone can take a break and doesn't have to continue for the whole length. You can hit pause and continue whenever you come back.

I would rate this review an 8.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?


    Gideon Anichi

Reselling has delivered fast secure-code training and streamlined code review for development teams

  • November 28, 2025
  • Review from a verified AWS customer

What is our primary use case?

My main use case for Checkmarx One is that I am a reseller, and the company I work for is a reseller. What I typically do with Checkmarx One is implementation, helping our clients or customers to meet their use cases, support, and setting up, and also using it to show the customer how to use the product.

A very recent implementation I can think of is that we had a client that wanted to do SAST, and we sold Checkmarx One to them for their SAST implementation. I was able to walk the clients through how to use the platform, how to review the source code with Checkmarx One, and most especially how to use the one-fix remediation features of Checkmarx whereby you can use the recommendation from Checkmarx One to fix the issues found in the source code.

What is most valuable?

The best features that Checkmarx One offers in my experience include its reliability in managing false positives, the integration to the CI/CD pipeline, and most importantly, the Codebashing feature that Checkmarx One has where developers can learn how to code better and securely.

In terms of usability, Checkmarx One is one of those solutions where implementation is very straightforward and within the next few minutes after implementing Checkmarx One, you can actually start getting results almost instantly. The ease of use is there, and the usability shows that the time to generate returns on your investment is very quick.

From my point of view as a professional service or support engineer, Checkmarx One has positively impacted my organization and clients. The fact that clients come back to renew their Checkmarx One subscription means that it is valuable to them, and winning new deals means that the solution is actually meeting the need in the market. I have deployed Checkmarx One for different clients and resold Checkmarx One to different clients, and that can only be because the solution does exactly what it says it does.

After implementing Checkmarx One, the time it takes for clients to come up with secure code has been a lot faster. Once you implement Checkmarx One, you can be sure that you're getting value from the solution almost immediately because Checkmarx One also handles false positives very effectively, saving you time and saving your developers time. This has really improved the client's experience.

Additionally, Checkmarx One also has the Codebashing feature that helps to provide further knowledge to the customer on how to write secure codes, and that's a very outstanding feature of Checkmarx One.

What needs improvement?

Checkmarx One is doing a lot already, and what I would just ask is for Checkmarx One, as a company, to look into investing in RASP because being a very good SAST to DAST solution, RASP is becoming increasingly needed, especially from the reseller vendor side. If Checkmarx One could start development of a RASP platform, that would do us a lot of good.

RASP is the key one for me.

For how long have I used the solution?

I have been working in my current field for about over eight years.

What do I think about the stability of the solution?

Checkmarx One is very stable in my experience.

What do I think about the scalability of the solution?

Checkmarx One's scalability is good; it can handle growing needs or larger environments easily.

How are customer service and support?

I have relied on Checkmarx One customer support hundreds of times for several things, and Checkmarx One support is very proactive and very responsive. You can rely on them.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have not previously used a different solution for my clients; it has most times always been Checkmarx One.

How was the initial setup?

The ease of use is there, and the usability shows that the time to generate returns on your investment is very quick. That is something that is outstanding about Checkmarx One.

What about the implementation team?

Due to the number of years I've implemented Checkmarx One, there are rebates and discounts from the OEM which makes it a lot more profitable, and in terms of setup costs, it's already factored into the cost of the solution. The clients we are deploying for usually manage that cost. We have a good relationship with generating a license and all of that, so the experience is seamless and really good.

What was our ROI?

I have to mention again that I am not a direct user of Checkmarx One, as I implement Checkmarx One for clients and use it in clients' environments. The person who has the most accurate answer around return on investment would be the client. However, based on my interactions with the clients, I can tell that there is a return on investment because if something is not profitable and it's not helping to save costs or vulnerabilities, clients wouldn't come back to renew their license year after year. I would say that while I may not have direct metrics, I can affirm that there is a good return on investment for our clients' environments.

What's my experience with pricing, setup cost, and licensing?

Due to the number of years I've implemented Checkmarx One, there are rebates and discounts from the OEM which makes it a lot more profitable, and in terms of setup costs, it's already factored into the cost of the solution. The clients we are deploying for usually manage that cost.

Which other solutions did I evaluate?

Before choosing Checkmarx One, we did not evaluate other options for clients; in most cases, clients really wanted Checkmarx One themselves, so we just implement Checkmarx One for them.

What other advice do I have?

I would rate Checkmarx One an eight out of ten.

I choose eight out of ten because Checkmarx One is outstanding; truthfully, Checkmarx One is really, really good.

My advice for others looking into using Checkmarx One is to come to me; let me sell Checkmarx One to you. I have good experience using Checkmarx One, and I can help you set up your Checkmarx One to ensure that you're getting your return on value quickly. If you're looking for a SAST solution that would provide a return on investment and assist with source code scanning to improve your entire SDLC cycle, Checkmarx One is a tool that you can rely on. My overall rating for Checkmarx One is eight out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?


    Swetha Dhanasekar

Improves collaboration between teams and embeds security directly into development workflows

  • November 26, 2025
  • Review provided by PeerSpot

What is our primary use case?

Checkmarx One is my main tool for vulnerability detection and smooth integration over the things to be scanned. It helps me to perform smooth vulnerability detection. The primary use case that fits into my workflow is to see the vulnerabilities in Checkmarx One dashboard, and then we can fix them. It depends on the vulnerability that we have in our code, and then we do the same until we achieve the desired latency.

Checkmarx One dashboard is helpful for scanning, integration, and vulnerability detection.

What is most valuable?

I have been using Checkmarx One for three years.

Checkmarx One positively impacts my organization by detecting vulnerabilities. This is a significant impact when we are going into the coding part. It helps us to do proper coding and deploy with improved performance.

The features that help me in my work include CI/CD pipeline integration and code repository integration that are automated with triggering. I can also get scanning results as feedback and testing integration. It supports broad security coverage. Checkmarx One is basically embedding security into the developer workflow, which means IDE, plus source code management, plus CI/CD.

Checkmarx One has significantly reduced the time we spend identifying vulnerabilities because the scan runs automatically in our CI/CD pipeline. The results are centralized in a single dashboard. This eliminates manual checking and gives us faster visibility into high-risk problems and issues. In terms of collaboration, it helps us improve coordination between development and security teams. We use a shared dashboard. The clear remediation guidelines and automated ticket creation make communication smoother and ensure both teams are aligned on priorities and timelines. Overall, the tool has helped streamline our DevSecOps workflow.

What needs improvement?

Scanning speed optimization is an area where improvements can be made, and we can reduce false positives. The tool still requires manual verification in some cases, which could be improved. I recommend stronger integration with modern development tools. Other tools might include GitHub Actions, GitLab Runner, and Azure DevOps pipelines.

The improvements needed are in scan speed, reducing false positives, and more detailed remediation guidelines. These are the areas where improvements can be made.

For how long have I used the solution?

I have been using Checkmarx One for three years.

What do I think about the stability of the solution?

Checkmarx One is very stable, so we switched to it.

What do I think about the scalability of the solution?

Checkmarx One's scalability has changed my organization because the strong collaboration between the development and security team helps us to do things much faster.

How are customer service and support?

I have reached out to customer support for Checkmarx One, and they are very helpful when needed.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

We were using a combination of open scanners before Checkmarx One. We might have used SonarQube for code quality and basic security checks, and a tool for dependency checking for vulnerability scanning. While they were very useful, they were not fully integrated. There was a significant gap between them. Overall, when moving to Checkmarx One, it helped us to unify all security checks under one tool, improve visibility, reduce manual effort, and have strong collaboration between the development and security teams.

How was the initial setup?

The setup eliminates a lot of manual coding reviews and reduces the dependency on a dedicated security analyst for the initial stage.

What was our ROI?

I have seen a return on investment with Checkmarx One as fewer employees are needed and time is also saved.

Checkmarx One has definitely helped us to save time and reduce the need for additional security resources, meaning employees. One of the biggest advantages is that the scan runs automatically in our CI/CD pipeline. The results go right to the dashboard or the ticketing system. This eliminates a lot of manual coding reviews and reduces the dependency on a dedicated security analyst for the initial stage. In terms of saving time, I estimate that we have roughly saved twenty to thirty percent of the effort we spent in manual code reviews. For example, in our recent project, I reviewed around two thousand-plus lines of changes, which would naturally take a senior person three to four hours to review. Checkmarx One identified two major vulnerabilities within a second, and the developer fixed them before the migration. This automation protects us from needing additional code reviewers for peak release cycles. Overall, between the fast scanning, automation, automatic reporting, and easy detection, it has reduced manual effort enough that we did not need an extra reviewer, even as our codebase or team size grew.

What's my experience with pricing, setup cost, and licensing?

I am experiencing pricing, setup cost, and licensing for Checkmarx One. I did not see any challenges; the pricing should be reasonable, matching what we are paying for. It is actually reasonable.

Which other solutions did I evaluate?

Before choosing Checkmarx One, I evaluated other options such as SonarQube.

What other advice do I have?

My advice to others looking into using Checkmarx One would be to look at it. Overall, the tool delivery gives the best result. If your plan is rolled out well, integrate it deeply into the workflow and fine-tune it in your environment so that you can see a better result in Checkmarx One. I would rate this review an eight out of ten.


    RiteshWalia

Improves security workflows with deep pipeline integration and supports faster release cycles

  • November 23, 2025
  • Review from a verified AWS customer

What is our primary use case?

I have mostly been working in DevOps, infrastructure, cloud, and all three hyperscalers: AWS, Azure, and GCP.

I have used Checkmarx One for almost six to seven years now. Initially, when I started my career, I worked with different companies, especially in the financial domain, where I worked for financial and investment-based companies that typically had Black Duck and Checkmarx as security tools.

My main use case for Checkmarx One is that I have implemented it into my DevSecOps workflows, wherein we have Checkmarx scan enabled for our application components that were being developed by the developers. I have also been responsible for setting up Checkmarx installation, installing it into our own data centers because I have worked with many financial clients. From the infrastructure side, I have also been responsible for implementing Checkmarx into Windows and Linux servers. I have also been responsible for setting up the DevSecOps pipeline.

The most common use case that I think everyone uses with Checkmarx One is SAST, or Static Application Security Testing. We scan our source code and all the binaries to check for any injection or insecure authentication before we create any Docker builds. We also have SCA, or Software Composition Analysis, where we identify vulnerabilities and license or compliance risks in the open-source components that developers are working on. CI/CD integration is one workflow that we use, and now we are also working on AI remediation, where we provide developers with contextual explanations and secure code suggestions directly in their IDEs so they can fix their issues while coding. Additionally, policy enforcement and role-based access are also among the use cases that we currently have.

What is most valuable?

The best features Checkmarx One offers, over the past years, include broad language and technical support that Checkmarx provides, covering most languages. The framework compatibility is really great, even with monolithic applications, microservices applications, and container-based applications that are more cloud-native. All of those are compatible, and it also has IDE integration, which is more of a developer assist feature that has recently launched. We are already leveraging that. The deep pipeline integration is something that also has templates aligned with Jenkins and Jenkins plugins available. We are migrating to GitHub Actions, and that is something we are looking at too.

The dashboard and reporting part in Checkmarx One is valuable. We have a unified dashboard and reporting, which is a single pane for all the vulnerabilities and trends with respect to vulnerabilities. On the dashboard side, things could be improved a bit.

Checkmarx One has positively impacted my organization, especially in our CI/CD integration, where when we try to build any feature, they are always scanned by Checkmarx before they get released. If they do not fulfill the compliance guidelines as per the organization or the compliance and governance requests, we also have responsible AI guidelines because, at SAP, we currently have a GenAI platform, so all those requirements are fulfilled only when features are released into our team.

What needs improvement?

Checkmarx One can be improved on the side of faster scans, especially when our CI pipelines are scanning for vulnerabilities. Performance improvements can be made, but it depends on which kind of offering we are adapting for Checkmarx, whether it is cloud-based or in-house installation.

Reducing false positives is something I would suggest, but again, it depends on how Checkmarx One is set up. It already uses data flow design and has more precise vulnerability detection, which could improve developer trust.

Currently, we are consuming Checkmarx One from AWS. We have a few use cases through AWS CodePipeline, and the integration is very smooth there. We have opted for the offering available in the AWS Marketplace.

What do I think about the stability of the solution?

Checkmarx One is stable.

What do I think about the scalability of the solution?

The scalability of Checkmarx One depends on meeting the initial hardware requirements specified in Checkmarx's official documentation. Hardware performance affects scalability, but we have not faced any issues.

How are customer service and support?

We have worked with the Checkmarx support team, and the experience was very smooth. If you raise a support case with Checkmarx, it is handled smoothly. There have been instances where they agreed to join meetings and help us out. I have not faced any issues personally up to now.

How would you rate customer service and support?

Positive

What was our ROI?

I have not been able to calculate ROI as I am more focused on technical aspects as a software engineer. The management of different organizations calculates ROI, but we have observed reduced costs when using the SaaS offerings in AWS.

Which other solutions did I evaluate?

We have not used a different solution for now, although some financial clients I worked with previously used both Black Duck and Checkmarx.

What other advice do I have?

The effects on my team's productivity and risk reduction include faster release cycles. We have a dedicated security team who fetches reports from Checkmarx One and works closely with developers to resolve all the issues, leading to improvements in vulnerabilities and timelines.

The pricing, setup cost, and licensing aspects are handled by the central team in large organizations. For instance, I worked at Accenture at the start of my career and later at Infosys. I worked on projects related to financial clients but cannot reveal the client names; those matters are taken care of by clients or the central team, and I am not privy to them because I focus more on technical expertise.

Performance also depends on the infrastructure where Checkmarx One is set up. We have a few AWS use cases where Checkmarx One is offered as a SaaS, but I have also experienced in-house setups in previous organizations, leading to performance degradation, which is not the responsibility of Checkmarx One software itself. Performance also depends on the engineers or stakeholders setting it up on the appropriate hardware and infrastructure.

Checkmarx One is a global security tool for scanning vulnerabilities and ensuring compliance. Every organization has its own compliance and governance requirements, and Checkmarx One fits well. Many organizations widely use Checkmarx One, and it is compatible with all compliance and governance requirements. I would rate this product nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)


    Ricardo Sousa da Silva

Performing security scans across 2,000 applications has become a seamless part of our CI/CD pipeline

  • November 21, 2025
  • Review provided by PeerSpot

What is our primary use case?

My main use case for Checkmarx One is to perform SAST and SCA scans to web applications.

When a development team needs to scan the code before going to production, I use Checkmarx One to perform the SAST and SCA to evaluate the code security.

After evaluation, if findings are discovered, the team works to fix them.

Checkmarx One is now fully integrated in the CI/CD pipeline. We perform SAST and SCA for more than 2,000 applications globally.

What is most valuable?

The best features Checkmarx One offers include good integration with SCM tools such as GitHub, Azure DevOps, and Bitbucket.

Whenever a code modification is performed, it scans automatically. The results are retrieved and a dashboard is created for the product owners and application owners to evaluate their security posture.

The dashboard feature helps product and application owners evaluate whether they are achieving the KPI that was implemented. No code with critical or high issues can be accepted in production.

The reporting in Checkmarx One is not comprehensive, so the reports are retrieved and integrated with scan reports to provide an overall overview of each application.

Checkmarx One has positively impacted the organization. Since replacing the previous tool, SAST and SCA scans are conducted in a couple of minutes instead of hours or days. Overall, time has been saved and the speed to market has increased, reducing the timeline from three or four days to one day only.

What needs improvement?

Checkmarx One can be improved by having editable reporting, so a report creator could be developed to decide what information to provide instead of using only the available templates.

A more efficient dashboard would be beneficial so that views in Checkmarx One can be customized.

The integration part is working easily, and integration with all SCM providers has been completed. Code is now being scanned in Bitbucket, Azure DevOps, and GitHub. The integration is fantastic.

For how long have I used the solution?

Checkmarx One has been used for the past three years.

What do I think about the stability of the solution?

Checkmarx One is often down when the cloud provider experiences issues. A more fail-tolerant solution needs to be created.

What do I think about the scalability of the solution?

Checkmarx One's scalability is good for the organization as it handles global needs well. Approximately four billion lines of code are being scanned monthly.

How are customer service and support?

Customer support for Checkmarx One would be rated a seven due to a lack of proactivity.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before Checkmarx One, a different solution called FOD was previously used. The decision was made to switch because FOD caused significant delays in the CI/CD pipeline.

Which other solutions did I evaluate?

Before choosing Checkmarx One, other options were evaluated, including FOD and Snyk.

What other advice do I have?

The advice for others looking into using Checkmarx One is to use more automation scripts instead of the web interface, as it makes it easier to handle all features and integrate them in CI/CD pipelines such as onboarding applications, creating project applications, onboarding users, and using the available API. This approach works best for large organizations. The onboarding of almost 2,000 applications has been completed and is working well. The overall review rating for Checkmarx One is nine.


    Rohit Kaushish

Automated code validation has saved our team over 16 hours weekly and improved security checks

  • November 18, 2025
  • Review provided by PeerSpot

What is our primary use case?

My main case to use Checkmarx One was to streamline validation and quality check across our code, and we are quickly verifying our PCI compliances, identifying inconsistencies, and ensuring that our output meets the required standard before we move on to the next stage.

The platform is integrated into our CI/CD pipelines (Bitbucket/Jenkins), allowing scans to run automatically on every commit or pull request. This ensures vulnerabilities are detected early and fixes are incorporated before code reaches production.

How has it helped my organization?

Checkmarx One has significantly improved our organization’s security posture. We now catch vulnerabilities much earlier in the development cycle, which has reduced remediation time and lowered the number of issues reaching production. This has also improved developer efficiency and given us greater confidence in our releases.

Checkmarx One has improved visibility across our codebases. We now have centralized dashboards and consistent scanning across projects, which makes governance and compliance much easier to manage.

What is most valuable?

Checkmarx One has become an essential part of our current project because in every process of code it checks what type of errors are there, what type of code quality is there, these types of checks and visibility to developers really help and make our project easy to work.

I appreciate most features of Checkmarx One including automated checks, code quality checks, checking the rule-based validation, what type of code coverage is there, whether it's covering or not, whether it's applied or not, these types of issues and triage, what type of triage we will get before merging the code in our production. Logging functionality is also very good, as it will tell if this code is flexible for your current scenario or not. Alert and notification to each customer and each developer is also a big task here. These are the good features, audit and traceability we can say.

Checkmarx One has had a positive impact on our organization, especially in terms of productivity. When we went with manual checks, we spent a lot of time, but automated checks by using Checkmarx One make fixing our issues easier, faster and save our team's time. We save a lot of time here.

By using the automated testing in Checkmarx One, we have saved around one or two days in a full week of our team because we have a lot of code to do with seven markets. In this market, we have to daily push around 20 to 30 tickets per day. This saves us a lot of time, mostly around 16 hours a week.

What needs improvement?

Checkmarx One is doing great, but there is a need for UI improvement so we can get the exact error over there on our Bitbucket itself. Additionally, if you can improve the speed optimization, it takes around 30 to 40 minutes for checking a build. If you can make it within five minutes or 10 minutes, that would be great. This feature is something I want from your side.

Integration with Checkmarx One is easy, so it is not complicated. However, reporting is complicated because it takes a lot of time to report the errors and it makes around 40 to 50 minutes for a build. After we push the code, it will give around 40 to 50 minutes. Therefore, you need to work on the reporting part and apart from that, it is doing a great job here.

You are doing a great job in checking the code quality, bug fixing, vulnerabilities, and security aspects. However, one thing you have to improve is your reporting time should be less. It takes around 40 to 50 minutes, so you need to reduce it to within 10 to 20 minutes.

For how long have I used the solution?

In my current project, I am using Checkmarx One and from the last four years, we have been working with Checkmarx.

What do I think about the stability of the solution?

The solution has been very stable. Scans run reliably, the platform is consistently available, and we haven’t experienced unexpected downtime. It’s dependable enough to integrate directly into our CI/CD workflow.

What do I think about the scalability of the solution?

Overall, scalability has been solid. The platform supports our growing workloads and additional applications without requiring major configuration changes. A bit of tuning was needed in the beginning, but after that it has been smooth.

How are customer service and support?

Customer support has been excellent. The team is responsive, knowledgeable, and quick to assist when issues arise. Whether it’s configuration questions or troubleshooting, they consistently provide clear and actionable guidance.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before Checkmarx One, we relied on a mix of manual code reviews and basic scanning tools. As our codebase grew, this approach wasn’t scalable or consistent. We switched to Checkmarx One because it offered deeper coverage, automation, and a unified platform for SAST, SCA, and other security scans.

How was the initial setup?

Setup was generally easy, but it required coordination between development and security teams to ensure SAST, SCA, and pipeline integrations were properly configured. Once aligned, the rollout was smooth.

What about the implementation team?

We implemented Checkmarx One using our in-house team. The setup was manageable with the documentation provided, and we were able to configure the platform without needing external assistance.

What was our ROI?

Our ROI has been strong. We’ve reduced manual code review time by around 25–30%, allowing developers to focus more on feature delivery. The automation and early detection of vulnerabilities have noticeably lowered rework costs.

What's my experience with pricing, setup cost, and licensing?

Checkmarx One is a premium solution, so budget accordingly. Make sure you understand how licensing scales with additional applications and users. I advise negotiating multi-year contracts or bundles, as these can reduce costs and simplify licensing.

Which other solutions did I evaluate?

Yes, we evaluated a few other application security platforms, but Checkmarx One provided the best combination of accuracy, ease of integration, and centralized scanning capabilities.

What other advice do I have?

I find this interview great, and there is nothing that I think should change for the future. You are doing a great job here.

If someone is looking for code quality, then my advice is to use Checkmarx One. This is the best solution to provide efficiency in your work, code compliance, security, and scalability in your code. You can also save a lot of time by using Checkmarx One to scan your code. I would recommend it; if you are looking to save time checking the code, then Checkmarx One is the best solution for you. I would rate this product a 9 out of 10.


    Syed Hasan

Partner experiences excellent technical support and seamless initial setup

  • June 02, 2025
  • Review provided by PeerSpot

What is our primary use case?

I am a partner of the vendor, and I can say that one of the clients with whom I am working has bought the licenses for Checkmarx One, and we are actually doing the security scans of their whole application base, code base, and everything.

Whatever solutions were provided by, or suggested by, Checkmarx One, we are going through them and implementing them. Some were valid and some were not applicable for us based on the scenario. That is the work experience I have working on Checkmarx One.

What is most valuable?

My experience with the initial setup of Checkmarx One is straightforward; it is not complex compared to other tools that I have tried.

Checkmarx One was deployed in a hybrid manner because they were scanning their production-based systems and then fixing the code base. It was hybrid, maybe on-premises with them, not completely on cloud.

My clients for Checkmarx One are usually enterprise-sized businesses. I have seen a return on investment from Checkmarx One.

What needs improvement?

In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically.

It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.

What do I think about the stability of the solution?

I would rate the stability of this solution a nine on a scale of 1 to 10 where one is low stability and 10 is high.

What do I think about the scalability of the solution?

I would rate the scalability of this solution an eight on a scale of 1 to 10, where one is low scalability and 10 is high scalability.

How are customer service and support?

I would rate technical support a nine from 1 to 10, where one is low quality of their technical support and 10 is high quality.

What was our ROI?

I have seen a return on investment from Checkmarx One.

What other advice do I have?

The price of Checkmarx One should be fine as of now.

I would rate this solution a nine overall, from 1 to 10, where one is the worst solution and 10 is the best solution.


    Retail

Brilliant Code to Cloud Application

  • December 16, 2024
  • Review provided by G2

What do you like best about the product?

It is so user friendly and it is very easy to become familiar with all the numerous features. Although I wasn't around for the implementation, I've found that it is relatively straightforward to integrate further functionality. The scanning tools (IaC, SAST, SCA, API etc.) are all excellent and provide us with all the status and visibility that we require. If we ever have issues that can't be resolved, the Customer Support team at Checkmarx are always there to help us out.

What do you dislike about the product?

The dashboards' layout and display could be improved.

What problems is the product solving and how is that benefiting you?

Checkmarx is being used mainly for the scanning and checking of code before it makes the journey to the Cloud (AWS). We are using it to look at all the languages and frameworks that we have in our Tech/Data Stack that are incorporated into our IT Landscape. One of the main benefits is that it allows our developers to identify, detect and remediate vulnerabilities at source. It also allows them to edit queries easily and quickly.


    Cuneyt KALPAKOGLU Phd.

Enhanced security with robust feature set for comprehensive protection

  • October 07, 2024
  • Review from a verified AWS customer

What is our primary use case?

I am representing Checkmarx as a reseller. I work with both the cloud and on-premises versions. I have been working with Checkmarx for more than twelve years.

How has it helped my organization?

Checkmarx is a must-use product due to the increasing number of cyber-attacks nowadays. The product's quality and performance justify its pricing, making it a worthwhile investment.

What is most valuable?

Checkmarx offers many valuable features, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IaC), Supply Chain Security, and API Security.

What needs improvement?

The Dynamic Application Security Testing (DAST) feature should be better. The technical support service could also improve in terms of their response time.

For how long have I used the solution?

I have been working with Checkmarx since the early days of Checkmarx, which is more than 12 years.

What do I think about the stability of the solution?

I would rate the stability of Checkmarx at nine out of ten.

What do I think about the scalability of the solution?

Checkmarx is scalable, and I would rate its scalability at nine out of ten.

How are customer service and support?

The customer service and support should be quicker from my point of view. I would rate them eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have been working with Checkmarx for over 12 years without switching to a competitor due to Checkmarx being the best product in the market.

How was the initial setup?

The initial setup is straightforward, especially with the cloud version where no deployment is needed. The on-premises version requires some time and depends on the customer's environment.

What about the implementation team?

In typical circumstances, one senior engineer is enough for implementation, but in special cases, maybe two engineers are needed.

What was our ROI?

Checkmarx is cost-effective. It is a must-use product in today's cyber security environment.

What's my experience with pricing, setup cost, and licensing?

The pricing is relatively expensive due to the product's quality and performance, but it is worth it.

Which other solutions did I evaluate?

I chose Checkmarx over competitors due to ethical considerations and its superior functionality.

What other advice do I have?

Checkmarx is plug-and-play and the best product in the market at the moment, as evidenced by reports such as Gartner's.

I'd rate the solution nine out of ten.


    FernandoCarlos

Integrated security for streamlined code scanning with scope for dynamic and API improvements

  • September 13, 2024
  • Review provided by PeerSpot

What is our primary use case?

We have integrated Checkmarx into all the company's development pipelines. We use it to scan more than 4,000 repositories and around 25,000 pipelines.

The integration is particularly useful as it works directly with several common SCM solutions in the market, such as GitHub and Bitbucket, and with CI/CD tools like Jenkins and GoCD. This allows us to register repositories quickly and scan code efficiently in our development process.

How has it helped my organization?

Checkmarx helps developers improve the maturity of their coding practices and brings a security mindset to development teams, product managers, and business areas.

It aids in identifying and mitigating vulnerabilities early in the development cycle, enhancing the overall security posture of the organization.

What is most valuable?

The most valuable features of Checkmarx are its integration with multiple SCM solutions and CI/CD tools, its ability to scale according to user licenses, and the quick scanning process. Specifically, the Static Application Security Testing (SAST) and Software Composition Analysis (SCA) are highly established and useful in identifying numerous vulnerabilities.

What needs improvement?

Checkmarx needs improvement in its Dynamic Application Security Testing (DAST) and API security features. The DAST solution uses the OWASP ZAP engine, which is less powerful compared to other market solutions like Fortify's WebInspect.

Additionally, the API security solution does not provide comprehensive results, and the secret scanning feature also needs enhancement. Furthermore, the container security and infrastructure as code scanning features are not mature enough and require significant improvements.

For how long have I used the solution?

I have been working with Checkmarx for about two years.

What do I think about the scalability of the solution?

Checkmarx scales very well according to the user licenses. The solution supports concurrent scans based on the number of committers, which is a significant improvement over the previous CxSAST solution that only supported a limited number of simultaneous scans.

The scans are quick, but the time taken can vary based on the amount of code and the frequency of scans.

How are customer service and support?

The technical support from the vendor is generally good, rated at about 8.5 out of ten. Checkmarx utilizes partners as integrators who offer enterprise support, including a dedicated technical account manager. The support from Checkmarx's team has improved, offering a four-hour SLA and 24/7 availability.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is simple and quick due to its SaaS nature. It involves setting up the tenant, registering applications, and integrating with the company's SSO. The integration with CI/CD tools takes a bit more time and effort.

What about the implementation team?

The implementation is typically done with the help of a partner who acts as an integrator and offers enterprise support. This includes the allocation of a dedicated professional as a technical account manager or customer success manager.

What was our ROI?

Checkmarx provides a good return on investment by preventing breaches and vulnerabilities that could be much more costly. It adds significant value by improving the security practices and mindset across the development lifecycle.

What's my experience with pricing, setup cost, and licensing?

Checkmarx is not a cheap solution. For around 250 users or committers, the cost is approximately $500,000. However, the investment is justified considering the potential costs of security breaches and the benefits of improved security practices.

What other advice do I have?

To achieve better results, consider performing both native integration in the SCM tool and integration using the CI/CD solution. This helps gain visibility into the deployment stages and ensures comprehensive code scanning. I'd rate the solution eight out of ten.