Checkmarx One Reviews

Checkmarx One is primarily used for SAST scans in my organization. A specific example of how I use Checkmarx One for SAST scans is in applications that require scanning both static and dynamic vulnerabilities. For the static vulnerabilities, Checkmarx One identifies SQL injections and other static vulnerabilities in the code.

Checkmarx One has been included in the CI/CD pipelines, so it runs automatically for all components and microservices across various applications. The tool indicates severity levels from one, two, three, and so on, and is integrated within the pipeline.

Checkmarx One offers several standout features. The tool summarizes CWE reports so I can identify what is exploitable and what is non-exploitable. It is well-integrated with other internal tools where I can disposition false positives and provides vulnerability resolutions and guidance on how to fix them, which are sometimes very helpful.

The CWE report summaries assist in my daily work by showing up in reports, allowing me to see all types of vulnerabilities at once. The tool indicates when there are multiple vulnerabilities in specific legacy code, for example, by showing that there are 12 findings for CVE X.X, and I can fix them all at once.

Checkmarx One has positively impacted the organization by providing resolution strategies and indicating which vulnerabilities need to be fixed. It is beneficial to catch vulnerabilities early in the pipeline so that any false positives can be addressed later, which is especially important for security in a banking environment.

Checkmarx One can be improved by reducing noise and improving false positive filtering. There are instances when false positives appear, such as when the word 'password' appears in a file, which actually refers to a code variable elsewhere. Checkmarx One could provide better reports, and the UI could be made more user-friendly.

Integration into the IDE being used would be beneficial so that code does not need to be uploaded to the website and an IDE-friendly report could be generated.

Checkmarx One has been used for approximately three years.

Checkmarx One has been stable with no observed issues with downtime or reliability.

Checkmarx One has handled increased workloads adequately.

There has been no interaction with the support team.

Checkmarx One saves significant time because it is directly integrated into the CI/CD pipeline, although specific metrics are not available. The overall rating for Checkmarx One is seven out of ten, primarily based on the previously mentioned features and capabilities. Checkmarx One is a solid program that has a secure-first mentality, and no specific advice comes to mind for others considering the product. There is no business relationship with the vendor other than being a customer.

My main use case for Checkmarx One is that we have a Git repository, and we are implementing and integrating Checkmarx One to our Git repository to manage vulnerabilities and scan for vulnerabilities inside the repository. We are scanning this repo on a monthly or quarterly basis to keep our repositories clean and secured.

A specific example of how I use Checkmarx One with my Git repository is that in the last two months, we first integrated Checkmarx One into our repository and discovered Spring Security vulnerabilities that were causing a lot of issues in our application. Because of Checkmarx One, we easily found which vulnerability was causing the issues in our application. After the scanning, we immediately got the vulnerability list detailing whatever vulnerabilities were present in the repository, and we started working on that. This was really helpful at that time.

The best features Checkmarx One offers include the SAST report, which really helps us during the scan. This report also aids us from a security point of view because there are some IMA controllers included. After getting the report, we have to submit it to the security team, and they scan it. This helps us for security purposes as well.

When I explore Checkmarx One, I find that the SAST capability, accurate findings, and clean UI are very notable. It is a very dependable performance and a highly effective platform for our organization and our company.

Checkmarx One has positively impacted my organization because in the past, when Checkmarx One scan was not implemented, we faced a lot of issues finding vulnerabilities inside the repository. But now, since we have integrated Checkmarx One into our repository, we can smoothly and very easily find vulnerabilities and manage those effectively.

One way Checkmarx One could be improved is if it could automatically run scans every month after implementation. If it is possible to set it in the SAST portal to scan the repositories automatically, that would help us because currently, we have to run Checkmarx One scan manually every time.

From the perspective of needed improvements, first-line support is also necessary for Checkmarx One because sometimes people encounter issues while implementing Checkmarx One. At that time, they need help from Checkmarx team, so that support is also needed.

I am using Checkmarx One for the last one year, and the experience has been very good.

Checkmarx One is stable.

Regarding Checkmarx One's scalability, I have implemented it in two projects, and we are using Checkmarx One in both of those projects.

I can share specific outcomes with Checkmarx One. Before we did not have Checkmarx One scan, so we tried to find vulnerabilities via the G-SOC report, but that was very difficult due to a lot of troubles. However, now, because of Checkmarx One, we easily find scans for particular repositories, which helps us and it consumes very little time, making it efficient for our team as well.

My advice for others looking into using Checkmarx One is that it is good to use. If they want to implement it, I recommend they do so as it saves time and is efficient as well. I would rate Checkmarx One highly based on my positive experience with the product.

My main use case for Checkmarx One is as a SAST product. In the Jenkins pipeline, we use it to build or confirm the Checkmarx result. Whenever we find any high or critical severity vulnerability, we break the pipeline and the product does not go to deployment. I use Checkmarx audit a lot. Whenever I find a zero-day vulnerability, we go to Checkmarx audit and write some custom query so that we can find the particular vulnerability in a particular library. Checkmarx One can give us the exact code where that library is deployed and we replace the server version and the library version.

The best features Checkmarx One offers are Checkmarx audit and the ability to write custom queries.

Checkmarx One has positively impacted our organization as we tend to find vulnerabilities very early in the development cycle. The initial scans allowed the teams to catch the vulnerabilities early. But after some time, they got used to it and started writing more secure code. In a way, it has saved a lot of time.

For Checkmarx One, I think that adding repositories and scanning impromptu code could improve it. Suppose an impromptu team comes and provides the code in a GitLab repo, there should be a quick scan button. You just link the repo and can get a result instantly.

I have been using it for five years.

Checkmarx One is stable.

Checkmarx One's scalability is good.

We had Checkmarx office hours for customer support, and that helps a lot.

We did not previously use a different solution. We were using the free version of Semgrep.

I'm not in a position to provide a return on investment because I'm at a lower level, such as Product Security Engineer. I don't deal with these details.

My advice to others looking into using Checkmarx One is to go for the demo version first and see. If it fits into your pipeline, then go for it.

Checkmarx One is a great tool. SAST-wise, I love it. It's integrating into the pipeline, Checkmarx audit, and manually marking the results as false positive. After the rescan, it does not appear. So that works great.

I found this interview to be good, but I think there should be a pause button. Anyone can take a break and doesn't have to continue for the whole length. You can hit pause and continue whenever you come back.

I would rate this review an 8.

On-premises

Amazon Web Services (AWS)

We have integrated Checkmarx into all the company's development pipelines. We use it to scan more than 4,000 repositories and around 25,000 pipelines. 

The integration is particularly useful as it works directly with several common SCM solutions in the market, such as GitHub and Bitbucket, and with CI/CD tools like Jenkins and GoCD. This allows us to register repositories quickly and scan code efficiently in our development process.

Checkmarx helps developers improve the maturity of their coding practices and brings a security mindset to development teams, product managers, and business areas. 

It aids in identifying and mitigating vulnerabilities early in the development cycle, enhancing the overall security posture of the organization.

The most valuable features of Checkmarx are its integration with multiple SCM solutions and CICD tools, its ability to scale according to user licenses, and the quick scanning process. Specifically, the Static Application Security Test (SAST) and Software Composition Analysis (SCA) are highly established and useful in identifying numerous vulnerabilities.

Checkmarx needs improvement in its Dynamic Application Security Testing (DAST) and API security features. The DAST solution uses the OWASP Zap engine, which is less powerful compared to other market solutions like Fortify's WebInspect. 

Additionally, the API security solution does not provide comprehensive results, and the secret scanning feature also needs enhancement. Furthermore, the container security and infrastructure as code scanning features are not mature enough and require significant improvements.

I have been working with Checkmarx for about two years.

Checkmarx scales very well according to the user licenses. The solution supports concurrent scans based on the number of committers, which is a significant improvement over the previous CXSAST solution that only supported a limited number of simultaneous scans. 

The scans are quick, but the time taken can vary based on the amount of code and the frequency of scans.

The technical support from the vendor is generally good, rated at about 8.5 out of ten. Checkmarx utilizes partners as integrators who offer enterprise support, including a dedicated technical account manager. The support from Checkmarx's team has improved, offering a four-hour SLA and 24/7 availability.

The initial setup is simple and quick due to its SaaS nature. It involves setting up the tenant, registering applications, and integrating with the company's SSO. The integration with CI/CD tools takes a bit more time and effort.

The implementation is typically done with the help of a partner who acts as an integrator and offers enterprise support. This includes the allocation of a dedicated professional as a technical account manager or customer success manager.

Checkmarx provides a good return on investment by preventing breaches and vulnerabilities that could be much more costly. It adds significant value by improving the security practices and mindset across the development lifecycle.

Checkmarx is not a cheap solution. For around 250 users or committers, the cost is approximately $500,000. However, the investment is justified considering the potential costs of security breaches and the benefits of improved security practices.

To achieve better results, consider performing both native integration in the SCM tool and integration using the CI/CD solution. This helps gain visibility into the deployment stages and ensures comprehensive code scanning. I'd rate the solution eight out of ten.

Public Cloud

Other

We use the solution to validate the source code and do SAST and security analysis. Checkmarx dynamics code analysis improved our software security posture by showcasing vulnerabilities within the code and identifying or providing recommendations on how to improve.

The solution's user interface could be improved because it seems outdated. The solution should integrate with AI and machine learning.

I have been using Checkmarx for three to four months.

I rate the solution a nine out of ten for stability.

Checkmarx is a scalable solution. Around 200 users are using the solution in our organization.

I rate the solution a nine out of ten for scalability.

The solution’s technical support is good and responsive.

Positive

The solution’s deployment might take 10 to 15 minutes.

Before choosing Checkmarx, we evaluated SonarQube. We chose Checkmarx because SonarQube does not show the security analysis.

We integrate Checkmarx into our software development cycle using GitLab's CI/CD pipeline. Checkmark has been the most helpful for us in the development stage. The solution's incremental scanning feature has impacted our development speed.

The solution's vulnerability detection is around 80% to 90% accurate. I would recommend Checkmarx to other users because it is one of the good tools for doing security analysis and security identification within the source code.

Overall, I rate Checkmarx a nine out of ten.

Public Cloud

Whenever a web application needs to be moved into production, a static code analysis or source code review must be done. The analyst runs several tools on the web application and collects details. Completing a source code review for a particular application will take around five working days.

Since we moved to Checkmarx, it has reduced the time significantly. Usually, we get the report within a day. It lists all the critical vulnerabilities and provides remediation. We provide suggestions to the customers and the project owners to fix the loopholes immediately so that we can move to production. Sometimes, the life cycle is reduced from five days to one day.

Static code reviews are small projects. Previously, with a team of four analysts, we did two project reviews every month. Since we started using the solution, we could do four projects every week with the same team.

It is very easy for the analyst to have everything in a consolidated single pane of glass. Previously, they ran multiple tools. They used one tool for source code analysis and another for static code review. Then, I manually verified each result. Since we moved to Checkmarx, it has been very easy for the analyst.

The tool gives us a shareable report that can be easily shared with management once the product is done. The solution’s performance and the consolidated information it provides are valuable. The platform is completely on the cloud. There are no scalability or connectivity issues. The platform is stable. It can be accessed from anywhere.

We used open-source tools before. We had to deploy the tools in the customers' environment to establish the connection between the tools and their product application. Since Checkmarx is a SaaS-based platform, we need only the forward connection from Checkmarx to the tool. The tool handles everything else. We just need a single firewall rule to be enabled on the platform to establish the connection.

The deployment is very simple. We need just one rule to forward the web application to Checkmarx. The scanning engine is very good. Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%. The tool has greatly reduced the time and effort our analysts need to do their tasks. It's very useful if we need to perform a short-term project. It is greatly helpful in fixing loopholes and vulnerabilities swiftly.

We can run only one project at a time. We haven't tested multiple projects at the same time. Currently, not all the projects are visible under one pane. We handle one-time projects. As a manager, I do not have the overall visibility of all projects simultaneously. I have already raised a support ticket requesting the ability to manage all projects from a single pane. There may be an option for it. However, I am not aware of it. The solution must provide more integration with different platforms.

I have been using the solution for three months.

I rate the tool's stability an eight out of ten.

The tool is scalable since it is a cloud-based solution. We have served over 100 customers.

The setup is straightforward. Our analysts had a training for half a day. They were able to use the product form the next day. We just need to purchase a license. Since it is a SaaS-based solution, no additional deployment is required. We only need to enable the firewall rule.

The solution helps us push the application into production much sooner than anticipated. If we have a web application that needs to go live, traditionally, it takes 15 days to a month to push it into production after all the security checks. If the other teams can patch the vulnerabilities as soon as we suggest them, Checkmarx can help us push the product into production within a week. It's very easy to rescan.

If someone has too many applications, they can directly integrate Checkmarx into the CI/CD pipeline. We got the license and are running the solution for our customers. We do not charge our customers for the solution. Overall, I rate the product an eight out of ten.

One use case is when a development team finishes, or even in the middle of, development. They run Checkmarx, which shows potential vulnerabilities. If they don't understand something, they consult with me. 

I explain what Checkmarx is highlighting, why it's "shouting" as we say, the specific vulnerability, and the problem it found in the code. Then, together, we explore the code and decide if it's a valid issue requiring a fix. 

We also discuss how to fix it, or if it's a false positive because, in their environment, the problem either cannot exist or doesn't exist in the way they use their software.

We also have another use case. When a software company, like an integration company, does a project for us, we request them to run their code through Checkmarx. If they don't have their own tool, we run it on our Checkmarx and provide them with the report. We request, or rather insist, that they fix most, if not all, of the problems Checkmarx finds. 

These might be issues they didn't consider, but we put it in the contract that they have to submit their software to a "code check," meaning they can use Checkmarx or another approved tool. If they don't have a tool or refuse, then it's okay. The key is to have it in the contract and signed. 

Otherwise, fixing the software later becomes difficult, especially when the project is nearing completion. That's why we do it when the integration begins, so there's still time to address the issues. If you wait until the very end, it's too late.

The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes. When the development teams fix them, or even some of them, it significantly enhances the security of the software. 

For example, we had a project, an outsourced one, that provided code written in PHP and included dozens of open-source utilities, libraries, and the like. Their server-side code was in PHP, and their client-side was in JavaScript. Both sides also used many libraries and utilities.

When we ran Checkmarx, it found numerous problems in both their code and the third-party software, including hundreds of high- and medium-severity issues in the PHP code. I didn't dig into the specifics; I just said, "Look, it found hundreds of high and medium problems. You need to reduce them. Before testing starts, you need to provide us the code again, and we'll run it again."

They started fixing it, and while I didn't follow up on the specific fixes, perhaps they removed some libraries. As long as the number of high and medium problems in the Checkmarx report decreased, it meant they were making progress. They hadn't finished yet, though.

After they fixed about half of the problems, we allowed them to start integration. However, they still need to fix the remaining issues, and hopefully, they will.

The most valuable feature is that Checkmarx specifies the exact line of code where it finds the problem. They show it in the report, the exact line or two lines. They also show where the problem starts and where it's used. 

Even if it's used later in routines or messages during the computation, they show both sides. For example, they show the user input and where it's being used, even if it's saved in a different file. 

They follow the code, the function code, the method code, and all the calls until it's used because they have all the code mapped. So, they show where it starts, where it's being used, and they say it hasn't been checked all the way. They prove it, not just say it, by showing exactly where the issue is. 

Even if you don't know the software, like third-party software you want to fix or modify, you know where to start looking in the code.

As for the UI, it's okay. You give it the code, it runs, and it's pretty good.

There's one thing Checkmarx can maybe fix, actually two things.

First, when we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. 

We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped.

So, even if the software reaches capacity on the computer, even though it writes it in the logs, it should also give an indication in the GUI to the person running it, saying "not enough memory" or "not enough disk space."

Another problem is that when it's scanning and it has an internal problem, for example, it cannot check something, or an internal bug or internal problem, it's being found in the logs, but there's no indication to the user. Now, this is good for them because the user runs it, gets a report, everything's fine.

But in a way, it's not good for them because the user doesn't know there's a problem since they don't check the logs. Because mostly, only the manager looks at the logs and only if there's a problem being reported. You run a process, get a report, but in the logs, there might be an indication that it couldn't check several files or understand something. There's a problem, an internal problem that can be fixed, but nobody knows about it because we don't look at the code. The user doesn't look at the logs; only the business manager does, but they don't know because the user doesn't report it, because the user doesn't know.

So, my suggestion for them is this: if they have problems, they should say, 'Here is the report,' but also indicate to the user somewhere, perhaps in the GUI, not necessarily in the report itself, 'We found 100 problems while looking at your code. Please provide us the logs so we can try to fix those.' Then they can ask if the user has any problems. This way, users would know to send them their logs, and they could improve their software, meaning fix the problems.

Now, they may not want to do this because they'll get flooded with millions of responses and millions of problems from all over the world. They would have to fix them, and people might get angry, asking why they provided a report when there were hidden problems. People might say, 'How come you gave me a report with seven or eight problems when analyzing it, there were internal problems with your code? So it's not a perfect report.'"

So, these internal issues are logged but not communicated to the user through the Checkmarx interface (GUI) or report.

The solution also has a few false positives. So, if they had an easier way for users to send an email directly, instead of just opening a ticket. Because when we open a ticket, they want all the logs and everything, and it becomes a hassle.

Perhaps they could implement an easier system where users can send a snippet of the code, along with an explanation of why they believe it's a false positive, referencing the specific report. 

This way, Checkmarx could analyze the information and the development team could potentially fix the product in those areas. It wouldn't require them to necessarily respond to the user, but I'm not sure if that's feasible for most companies. 

I have been using it for one year. 

If you have enough memory, it's scalable. You need a lot of memory for it to be scalable. 

Once you have enough memory, it is stable and scalable, and there are one or two parameters you can modify to make it even more scalable. Scalability is relatively fine.

For the scanning option, the default is to use only one main language, but you can request multiple languages. It's scalable.

Nowadays, nearly all the developers, when they finish development, either they or the team leader runs it, and they have to fix the problems.

The customer service and support are okay because the thing is, we spoke with the integrator, so we didn't reach Checkmarx tech support.

Positive

The setup was done by an integration company. 

I would definitely recommend it. It's an excellent solution.  

Overall, I would rate the solution a nine out of ten because there is always room for improvement. 

Checkmarx could perhaps give more examples of solutions in the reports. It's very good, but sometimes the solutions they give are not necessarily relevant to the code or how it's written. 

So, Checkmarx should give more examples of solutions. Although, it's not that bad because they give a few, one or two. And if you want more, you can look online. But it would help if they could refine it and give additional options for solutions.

Our company uses the solution to check the vulnerabilities in our products at the build level. We capture, identify potential issues and fixes, and publish reports on a weekly basis. 

We work in the banking industry and have a license for 100 users.

The report function is the solution's greatest asset. We can configure reports in our build pipeline. We set them to publish scores and consolidate all the pod answers. We go through reports to understand issues and next steps. We get availability of code by clicking on that particular section. 

We are able to speed up services because the semi-application is done in the report.

The solution is very easy to navigate. 

The solution sometimes reports a false auditable code or false positive. This is not a bug but something within the software's operation that should be addressed. 

I have been using the solution for four years. 

The stability is rated an eight out of ten. 

The solution is scalable and we can use the VCM feature for multiple projects or incidents. Scalability is rated an eight out of ten. 

Technical support is very helpful so is rated a seven out of ten. 

Neutral

We did not previously use a different solution. 

Our finance team handled the setup so I don't have details. 

Our finance team implemented the solution. 

I rate the solution a seven out of ten. 

On-premises