Technology Radar

Checkmarx

sastscanning
Assess

Checkmarx One is the most comprehensive enterprise AppSec platform — SAST, DAST, SCA, secrets detection, IaC scanning, and ASPM in a single product. Its March 2026 release deploys five AI agents across the DevSecOps workflow, including an autonomous triage agent and AI-powered SAST for AI-generated and emerging languages.

Why It Matters for AI-Assisted Development

Checkmarx is investing heavily in agentic security:

  • AI SAST (March 2026): Hybrid LLM + query-based analysis that extends detection to emerging and AI-generated languages beyond traditional rules.
  • DAST for AI: Dynamic analysis engine specifically designed to verify AI-generated code behaves securely at runtime — a capability most competitors lack entirely.
  • Triage Assist Agent: Autonomously prioritizes vulnerabilities based on real-world exploitability, not just static severity.
  • AI Query Builder: Uses GenAI to generate and customize SAST queries, lowering the barrier for custom detection.

Strengths

  • Most comprehensive single platform (SAST + DAST + SCA + IaC + ASPM + secrets)
  • 7-time Leader in Gartner Magic Quadrant for AST
  • DAST capabilities that competitors like Semgrep and Snyk lack
  • 35+ languages, 80+ frameworks
  • Claims 90% faster scans with 80% lower false positives

Limitations

  • High minimum cost (~$59K/year starting) — inaccessible for small teams
  • Enterprise-focused procurement with long sales cycles
  • No free tier or open-source edition
  • Heavy platform that can feel complex compared to developer-first tools

Supply Chain Incident Context (March + April 2026)

Checkmarx was hit twice by TeamPCP within a single month — a pattern that should inform how you evaluate trust in this tooling's distribution channels.

March 23, 2026 — GitHub Actions compromise: TeamPCP used credentials stolen from the prior Trivy breach to hijack all 35 tags of Checkmarx/kics-github-action and tags in Checkmarx/ast-github-action, injecting the "TeamPCP Cloud stealer" payload with a new C2 domain (checkmarx[.]zone). Two OpenVSX extensions were also poisoned. Checkmarx remediated within ~4 hours.

April 22, 2026 — Docker Hub + VS Code extension compromise: TeamPCP struck again, overwriting the v2.1.20 and alpine Docker Hub tags for checkmarx/kics and introducing a fake v2.1.21 tag. The modified KICS binary harvests and exfiltrates credentials when scans run — a particularly dangerous blast radius since KICS reads IaC files that often contain secrets. VS Code extension versions 1.17.0 and 1.19.0 contained mcpAddon.js, a ~10 MB obfuscated credential stealer executed via Bun runtime; version 1.18.0 was clean. Detection credit: Docker internal monitoring + Socket.

Neither incident reflects on the Checkmarx One product's AppSec capabilities, but both demonstrate that even enterprise security tooling distribution channels are high-value targets. See Security Headlines for the full campaign timeline. Mitigation: Pin Docker image refs to known-good SHA digests, not floating tags; verify GitHub Action commit SHAs; audit VS Code extension versions in your dev policy.
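The mitigation above (pin image references to digests, pin actions to commit SHAs) is easy to state and easy to drift from, so here is an added example, not code from the page or from Checkmarx, that audits a workflow, a Dockerfile and a compose file for floating references. The sample inputs are constructed for the demo: the action and image names follow the ones discussed above, but every tag, SHA and digest in them is a placeholder.

```python
"""Audit CI references for floating tags versus pinned commits/digests.

A re-pushed tag (the pattern in both incidents above) is invisible to a workflow
that references `@v2` or `:alpine`; a 40-hex commit SHA or an @sha256 digest
names exactly one artifact, so a moved tag cannot silently swap it.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

# Placeholder pin values for the constructed samples, not real commits or images.
PLACEHOLDER_SHA = "0123456789abcdef" * 2 + "01234567"   # 40 hex chars
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Constructed sample inputs (action/image names follow the page, pins are placeholders).
SAMPLE_WORKFLOW = f"""\
name: iac-scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Checkmarx/kics-github-action@v2
      - uses: actions/setup-go@{PLACEHOLDER_SHA}  # placeholder SHA
      - uses: ./.github/actions/local-step
"""

SAMPLE_DOCKERFILE = f"""\
FROM --platform=linux/amd64 checkmarx/kics:alpine AS scanner
FROM python:3.12-slim@{PLACEHOLDER_DIGEST}
FROM scratch
"""

SAMPLE_COMPOSE = f"""\
services:
  kics:
    image: checkmarx/kics:v2.1.20
  db:
    image: postgres:16@{PLACEHOLDER_DIGEST}
"""


def audit_actions(workflow_text):
    """Return (line_no, ref) for each `uses:` not pinned to a full 40-hex commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions have no remote tag; docker:// refs are image refs
        _, _, version = ref.partition("@")
        if not SHA40.match(version):
            findings.append((n, ref))
    return findings


def _image_ref(line):
    """Extract the image reference from a Dockerfile FROM or compose `image:` line."""
    tokens = line.split("#", 1)[0].split()
    if tokens and tokens[0] == "-":
        tokens = tokens[1:]
    if not tokens or tokens[0].lower() not in ("from", "image:"):
        return None
    for tok in tokens[1:]:
        if tok.startswith("--"):
            continue  # skip FROM flags such as --platform=...
        return tok
    return None


def audit_images(text):
    """Return (line_no, ref) for each image reference lacking an @sha256 digest."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        ref = _image_ref(line)
        if ref is None or ref == "scratch":
            continue  # scratch is the empty base image; there is nothing to pin
        if not DIGEST.search(ref):
            findings.append((n, ref))
    return findings


if __name__ == "__main__":
    for label, found in (("workflow", audit_actions(SAMPLE_WORKFLOW)),
                         ("dockerfile", audit_images(SAMPLE_DOCKERFILE)),
                         ("compose", audit_images(SAMPLE_COMPOSE))):
        for n, ref in found:
            print(f"{label}:{n}: unpinned reference {ref}")
```

Two caveats when adopting this: a pin only helps if the SHA or digest was taken from an artifact you reviewed (a digest copied from a freshly pushed tag such as the fake v2.1.21 inherits its trust problem), and pinned references need a bump process (Dependabot and Renovate both support updating SHA-pinned actions) so that the pin does not quietly become a way to never receive fixes.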

Why Assess (Not Trial)

Despite being a leader in enterprise AppSec, Checkmarx's pricing and complexity put it out of reach for most teams exploring AI-assisted development. Assess it if you're in a regulated enterprise that needs unified SAST + DAST + ASPM and can justify the investment. For most teams, Semgrep + CodeQL covers SAST needs at a fraction of the cost.
