Checkmarx SAST Reviews

Our main use cases with Checkmarx SAST are currently in the implementation stage where we have utilized integrations with IDEs and have already integrated within the entire organization, which will scan any of the pull or push requests from the GitHub side. This helps us a lot in identifying vulnerabilities in early stages, and the integration within the IDEs helps developers get the results into their IDE itself, making it easier for them to fix vulnerabilities.

There are also possibilities that we can integrate with AI as well. In our organization, we utilize multiple programming languages, including Scala, .NET, Python, PHP, Java, JavaScript, Node.js, and Ruby, resulting in a vast language coverage.

The best features of Checkmarx SAST include great integrations and a customizable rule set, which are both excellent parts of the solution. Even though the ID plugin is not up to standard, it still makes developers' lives much easier, and those are the main features from the SAST.

Checkmarx SAST helps benefit our project coverage since it covers most of the languages we use, although there are a couple of missing languages from our stack, but it covers most of the repositories.

When assessing the accuracy and efficiency of Checkmarx SAST scanning capabilities, they are currently recommending that doing the full scan is the main, correct way of scanning the repositories. However, based on the repository size we have, it sometimes takes more than 10 minutes for larger repositories, which is a downside. The accuracy of the results depends on various factors, as some of the test folders tend to give us false positives, which makes a huge impact on the vulnerabilities.

Those are the major things that we have to fine-tune from our end. I would rate Checkmarx SAST around a seven, as it does have some false positives we have to work with, which are the major concerning things. The number of false positives is significant because we cannot implement policies because of this.

Concerning the stability of the product, I would rate it highly as the build is really stable; however, the number of concurrent scans available for us occasionally becomes a bottleneck when we utilize scripts to start scanning from our end manually. The actual scans for the pull and push requests might be stuffed during that time, which is an issue for us, but other than that, the stability is really good.

In terms of scalability of Checkmarx SAST, it is evident that they have a wide variety of integrations, including GitLab, GitHub, and other source code management solutions. They also integrate with Jenkins, AWS, and other delivery platforms we have. The scalability looks really good, and they offer other solutions that can be purchased if needed.

Regarding the pricing of the solution, Checkmarx SAST came to us as a package that covers Codebashing, SCA scanning, and the SAST product.

When comparing it with GitHub security and other solutions we tested, it was a really fair price for us.

On a scale of one to ten, I rate Checkmarx SAST a seven.

I manage the application security side of the products here, currently utilizing solutions such as Checkmarx, Akamai, Traceable, and Invicti, which are the security scanning tools that we use.

In the organization where I'm working, we are using Checkmarx SAST as well as SCA, and for the SCA solution, we have moved to Checkmarx One, which provides both options. I joined here two years ago, but even before I joined, I heard that from 2020 or something, this company has been using Checkmarx for the SAST solution.

Checkmarx SAST is deployed using a cloud-based model, and it is not on-premises.

Checkmarx SAST is primarily used for post-development activities in our organization, and we want to integrate it into the user interface itself. Checkmarx plug-ins are being worked on, and they still work on the IDE part of it. If that is also provided, to some extent, they have Checkmarx IDE plug-ins, but how useful it is to the development teams, we still do not know. For now, once the development activities are done and when they build their repositories, that is where Checkmarx SAST gets triggered.

The deployment for Checkmarx SAST requires no more than five minutes since we are working on all web services type of applications, and it will not take longer. Only for legacy applications where we have heard concerns from the development teams does it take about thirty minutes or more.

I am not totally aware of CI/CD pipeline integration with Checkmarx SAST because we have CI/CD, but I still do not know. That may be on the roadmap for twenty twenty-six.

I assess the accuracy and efficiency of Checkmarx SAST and notice that sometimes there are false positives, so we bring it up to the vendor and ask them to add ignore rules to prevent it from appearing again when they see a particular pattern. This is how we have been notifying Checkmarx SAST about false positives.

The detailed reports from Checkmarx SAST help with our security process by showing details about which line is actually vulnerable, which is beneficial for the developers, and I do not have any suggestions or inputs on that area.

The ability to generate actionable insights from Checkmarx SAST impacts our software development lifecycle by allowing developers to generate reports. We have explained the options for generating both detailed reports and executive reports, and once they generate it, they get JIRA tickets to work off, although I doubt they open Checkmarx SAST user interface frequently.

I believe that nothing in particular could be improved about Checkmarx SAST, only the turnaround time and the fact that technical account managers keep moving around, which leads to some lag in communication. Apart from that, there are regular touch-base calls with the vendor where we bring up our concerns, and feature requests take some time since they do not work only for our client.

I joined here two years ago, but even before I joined, I heard that from 2020 or something, this company has been using Checkmarx for the SAST solution.

We utilize AWS as our cloud provider.

I would rate the technical support of Checkmarx SAST as a seven, as concerns are related to zero-day attacks or any new features, and the turnaround time along with technical account managers moving around affects this. We had asked for one person from the IST time zone and that has been provided.

Positive

The ability to generate actionable insights from Checkmarx SAST impacts our software development lifecycle by allowing developers to generate reports. We have explained the options for generating both detailed reports and executive reports, and once they generate it, they get JIRA tickets to work off, although I doubt they open Checkmarx SAST user interface frequently.

Checkmarx SAST support is used for multiple programming languages.

I would rate this review a six overall.

I am currently working with Checkmarx SAST as technical partners. Our customers are from insurance and depository backgrounds. Checkmarx SAST is one of the branded solutions, and according to the Magic Quadrant, it's in the leader space. It has a reputation in the market, and many clients are aware of the solution.

Our customers are mainly using an on-premise deployment model with Checkmarx SAST. They are using only on-prem because there are some banks and organizations where it's very difficult to sell on cloud due to regulations and bank regulations.

The CX1 is a unified platform that covers all components such as SAST, SCA, DAST, container scanning, and infrastructure code. This is quite beneficial because some clients need one-stop solutions for all their needs.

Checkmarx SAST supports modern languages as needed. They are also flexible in terms of designing models that suit the CISO's needs. Recently, they have introduced CX1 where you have SAST, DAST, container scanning, infrastructure as code scanning, and code scanning, all in one platform, which is also AI-enabled. They conduct extensive research on industry and technological challenges that CISOs encounter. Based on these challenges, the R&D team provides feedback to the marketing team, leading to new innovative product features that suit compliance and security needs.

As a sales professional, I have never used the Checkmarx SAST integration with CI/CD pipelines as my role focuses on lead generation rather than technical aspects.

The main challenge with Checkmarx SAST is the price. The price is a challenge because Checkmarx SAST is a very big brand, and many mid-sized companies cannot afford it as they are very price-conscious. A 20 to 30% reduction in price would be beneficial.

Checkmarx SAST could invest more in digital marketing, particularly in ad sales on platforms such as LinkedIn, which could be a valuable tool.

I have been working with Checkmarx SAST for approximately two years as a partner.

Deployment is not easy and requires significant time for the initial setup. It could take one, two, or even three months to complete.

I have not heard any complaints regarding the stability of Checkmarx SAST.

Checkmarx SAST is scalable, even for enterprise companies.

I would rate the support of Checkmarx SAST as a seven out of ten. This rating is based on the fact that Metionic is the first point of contact for any technical support, and at times we need assistance from the Checkmarx SAST team.

Positive

For some organizations, it is very difficult to deploy Checkmarx SAST. Hence, they want technology partners to help them. Some organizations have developers who are not advanced in terms of deployment and require a technology partner. Metionic is a technology partner with expertise in deployment. We have supported the Checkmarx SAST team in successfully deploying the software on their premises.

I cannot comment on the ROI for Checkmarx SAST. When it comes to software security, it is very difficult to calculate the ROI, and it is also very confidential, so I have not received any indication in terms of the ROI. However, customers are happy and satisfied with the Checkmarx SAST tool.

Some customers are using Checkmarx SAST, but their information is confidential and cannot be shared. As a sales professional rather than an engineer, I can provide feedback about working with the Checkmarx SAST team regarding client collaboration, POC, POC support, and scheduling of meetings, but cannot provide technical feedback.

The reviewer gave Checkmarx SAST a rating of 9 out of 10.

We integrated Checkmarx with our pipelines in Jenkins. We had it fully automated for static security scanning to protect our company against attacks.

At the beginning of implementation, Checkmarx found many vulnerabilities, however, by the end, we had none in production.

The most important feature is that Checkmarx protects our company against attacks. Checkmarx detects a lot of the code leakages, which is important. It's a very good tool in those features.

We had some issues where Checkmarx did not recognize a vulnerability. We had to talk with the vendor, and they had to include an improvement in the tool to resolve this issue.

I have used the solution for six to seven years.

I think the tool is stable.

I do not remember that the tool has a problem.

In my case, being in a small country, we interacted with the central team, who then contacted Checkmarx. The tool is stable, and I don't recall having any major issues requiring extensive support.

It's easy. My understanding is that Checkmarx is easier to maintain compared to other solutions.

We went to the central team for technical support, however, not directly to Checkmarx.

I am not sure how to express this in English, however, we needed to put the code into production after the scanning. In the end, we had no vulnerabilities in production.

We were users in a small country, and we paid one consolidated bill for all the tools, so I don't know the specific amount for Checkmarx.

I am familiar with Sonar, TypeIQ, Net Packer, and Crypto Wire. Each scans different aspects of applications.

I really like Checkmarx. I would rate it eight or nine out of ten. We did find an issue, however, it was fixed quickly by the vendor, which is good.

The primary use case of Checkmarx SAST is application security, specifically static application security testing. It is essential and the root of this concept.

I did not find measurable information about the financial benefits or return on investment.

The most important competitive advantage and benefit is the ability to identify vulnerabilities in the source code immediately without needing to complete the coding.

There is a need for improvement in terms of technical support, pricing policy, and configuration. The on-premises version is more expensive compared to the cloud version.

I have been working with Checkmarx SAST for 12 years.

I rate the stability of the solution as a ten out of ten. It is very stable.

The scalability of the solution is rated ten out of ten.

Technical support is rated as an eight. There is room for improvement.

Positive

The initial setup is straightforward yet requires preparing infrastructure, especially for large user bases.

In normal circumstances, one senior engineer is enough. However, for large companies, you might need two or three engineers.

The ROI is not measurable for us. 

The on-premises version is expensive. It should not be as expensive as announced.

I'd rate the solution ten out of ten.