AI Query Builder for SAST: Now Generally Available 

When we first introduced AI Query Builder in early 2023, AI-assisted development was just beginning to reshape how teams wrote code. Fast forward to 2026, and the landscape has completely transformed. 

Today, developers don’t just use AI to write code; they rely on AI coding assistants like GitHub Copilot, Cursor, and Windsurf to generate entire functions, suggest architecture patterns, and accelerate feature development.

To support this shift, the security industry must evolve – and Checkmarx is leading the way with new AI capabilities like Checkmarx One Assist and Checkmarx Developer Assist. These tools autonomously prevent and remediate vulnerabilities across the SDLC, catching issues pre-commit and enforcing security policies throughout pipelines. 

While agentic AI can automate much of application security, there’s still a critical piece of security that teams need: the ability to customize SAST detection to the unique patterns, frameworks, and business logic of their applications. 

That’s why AI Query Builder for SAST, now generally available, is more important than ever. 

Why SAST Customization Matters More in 2026 

When developers use AI assistants to build applications, they end up creating highly diverse implementations across custom frameworks, internal libraries, and organization-specific patterns that standard security rules often miss. 

Out-of-the-box SAST queries are built to detect common vulnerabilities in standard code patterns  – they’re excellent at finding SQL injections in typical database calls or XSS in well-known frameworks. But your organization doesn’t just use standard patterns anymore. You have: 

  • Custom security frameworks that sanitize inputs in ways traditional SAST doesn’t recognize, leading to false positives that waste developer time
  • Internal libraries that introduce organization-specific vulnerabilities that standard queries miss, creating coverage gaps
  • Business-critical logic with unique security requirements that needs tailored detection, such as industry-specific handling of PII patterns

When SAST tools aren’t tuned to reality, two things happen:

  • False positives erode trust. Developers get flagged for using an approved sanitizer because SAST doesn’t know it exists, and too many false positives teach developers to ignore security findings.
  • Coverage gaps leave vulnerabilities. Your team built a custom authentication system, but your SAST can’t detect flaws in it, so vulnerabilities slip through to production. 

The traditional solution to these problems was to hire SAST experts who understood query languages and security patterns and then wait for them to manually write custom detection rules. This solution doesn’t scale – especially when AI is accelerating development velocity and security teams are already stretched thin.

Something needed to change.

The Value: Making Security Expertise Scalable 

AI Query Builder removes the expertise barrier that has long limited SAST customization. 

For security teams, this means you can respond to threats at the speed your organization moves. When developers adopt a new internal framework, you don’t need to wait weeks for a query expert to write new detection rules. You describe what you want to detect and AI generates the CxQL query in minutes. Want to iterate on it or test against your codebase? No problem – and you’ll still be able to deploy it the same day. 

For developers, this means fewer false positives and more relevant security guidance. When your security team can quickly fine-tune SAST to understand your code patterns (sanitizers, frameworks, security controls), you stop getting flagged for false positives, and the findings you do get are more likely to be real issues that need your attention.

For AppSec managers, this means you can scale security coverage without scaling headcount. Your team doesn’t need deep CxQL expertise to create custom queries, enabling more people to contribute to security tuning and make your program more responsive and comprehensive. 

Checkmarx’s AI Journey Since 2023 

When we launched early access to AI Query Builder in 2023, we already saw how rapidly AI would transform security tooling – and since then, we’ve continued to push that AI innovation forward across our platform.  

We introduced AI-powered remediation that automatically suggests fixes for vulnerabilities across SAST, SCA, secrets, and IaC. Our agentic AI capabilities, Checkmarx One Assist and Checkmarx Developer Assist, autonomously prevent and remediate security issues, from real-time protection in the IDE to continuous policy enforcement across CI/CD pipelines. AI Query Builder was ahead of its time. Today, in a world where AI touches every part of the development and security lifecycle, it’s exactly the right capability at exactly the right time.

While AI agents automate prevention and remediation, AI Query Builder lets security teams customize the intelligence behind that detection itself. It ensures that your SAST scans –  whether triggered manually, in CI/CD, or as part of broader security workflows – understand your unique code patterns and security requirements. 

AI in security isn’t just about automation; it’s about democratizing expertise: making it possible for more people on your team to do work that previously required specialized knowledge, so that security scales with development velocity instead of perpetually lagging behind it.

How AI Query Builder Works 

AI Query Builder is built for SAST query creation. 

The Basic Workflow 

1. Describe the security concern in natural language 

Instead of writing CxQL syntax, you describe what you want to detect. For example: 

  • “Detect SQL injection vulnerabilities in our custom DatabaseWrapper class when user input flows into the executeQuery method” 
  • “Find authentication bypass risks when JWT tokens are validated using our internal TokenValidator library”
  • “Identify command injection when shell commands are constructed using string concatenation in our deployment scripts” 

2. AI generates the CxQL query 

The system translates your description into proper query syntax, understanding: 

  • Data flow analysis (how user input moves through your code)
  • Sanitization patterns (what makes input safe or unsafe)
  • Framework-specific APIs (your custom classes and methods)
  • Security patterns (what makes something a vulnerability) 

You can then adapt or customize as needed. 

3. Test against your codebase 

The generated query runs immediately against your actual code, so you see real results, not theoretical examples. This helps you ascertain that the query catches what you want and isn’t flagging false positives. 

4. Refine and iterate 

If the query isn’t quite right, you can: 

  • Adjust your natural language description and regenerate
  • Manually edit the CxQL for fine-grained control
  • Test different variations to find the best balance of coverage and precision 

5. Deploy to your scanning presets 

Once validated, the custom query becomes part of your SAST scanning configuration, and every subsequent scan can use this customized detection logic. 

What Makes This Different? 

Most “AI for code” tools are general-purpose language models trying to generate any kind of code. But AI Query Builder is specialized: 

Domain-specific intelligence: Trained specifically on security patterns and CxQL syntax, not general-purpose coding 

Context-aware: Understands the relationship between sources (user input), sanitizers (validation), and sinks (dangerous operations) 

Framework-flexible: Can adapt to your custom frameworks and libraries, not just public ones 

Integration-native: Works directly in Checkmarx One. No export/import workflows, no separate tools to learn

For example, when you say “SQL injection in our custom database wrapper,” the system knows that it needs to:

  1. Identify where user input enters your application 
  2. Trace data flow through your specific DatabaseWrapper class 
  3. Check if input passes through sanitization before reaching the database call 
  4. Generate a query that catches this specific pattern without flagging safe uses 

This level of specialization is what makes AI Query Builder reliable for production security work. 

Example: Tuning for False Positive Reduction 

Picture this scenario: Your organization uses an in-house sanitization library, called SecureValidator, that properly prevents XSS attacks. However, your SAST doesn’t know about this library, so it flags every use as a potential vulnerability. 

Without AI Query Builder, you’d need to: 

  1. Find a query expert who understands CxQL 
  2. Locate the existing XSS detection query 
  3. Manually add your SecureValidator methods to the sanitizer list 
  4. Test the modified query 
  5. Deploy it 

This would take hours, or even days, assuming you actually have someone with the expertise available.

With AI Query Builder, you: 

  1. Describe: “Update the XSS query to recognize SecureValidator.sanitizeHtml() as a valid sanitization method”
  2. Generate the modified query 
  3. Test it immediately 
  4. Deploy 

This takes minutes. Your developers see the impact immediately, and security findings become more trustworthy.

Example: Expanding Coverage for Custom Code 

And here’s another example: Your team built a custom authentication system with a method called AuthManager.validateSession(). You want to detect when session tokens are used without proper validation. 

Without AI Query Builder, you’d either: 

  1. Accept that SAST won’t catch this vulnerability pattern, or 
  2. Hire a consultant to write a custom query, or 
  3. Wait for your internal query expert to have bandwidth (probably weeks) 

With AI Query Builder, you: 

  1. Describe: “Create a query to detect when session tokens are used without calling AuthManager.validateSession() first”
  2. Generate and test the query
  3. Deploy it to production scanning

Your coverage expands to include organization-specific security patterns that no standard tool would catch. 
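To make the source/sanitizer/sink model behind both scenarios concrete, here is a small taint analyzer written for this post. It is an added illustration, not Checkmarx code and not CxQL, and every name in it is constructed for the example: the in-house SecureValidator.sanitizeHtml(), DatabaseWrapper.executeQuery() and AuthManager.validateSession() from the text, plus an assumed accounts.load_by_token() sink and Flask-style request.args.get() / request.cookies.get() sources. It scans three constructed snippets twice: once with a stock rule set that knows only public APIs, and once with rules tuned the way the two scenarios describe. The stock rules flag the sanitized XSS case (a false positive) and miss both the custom DB wrapper and the unvalidated session token (coverage gaps); the tuned rules reverse all three outcomes.

```python
# Toy source/sanitizer/sink taint analysis over Python ASTs. Added illustration,
# not Checkmarx code and not CxQL; the rule names and snippets are constructed.
import ast
from dataclasses import dataclass

@dataclass
class Rules:
    sources: set     # calls that return attacker-controlled data
    sinks: set       # calls that are dangerous when fed tainted data
    sanitizers: set  # calls that neutralise taint, or validate it and raise

    @staticmethod
    def matches(name, rule_set):
        # "executeQuery" also matches "db.executeQuery"; dotted rules match whole.
        return any(name == r or name.endswith("." + r) for r in rule_set)

def callee_name(call):
    """Dotted name of a call target ('SecureValidator.sanitizeHtml'); '' if dynamic."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

class TaintAnalyzer(ast.NodeVisitor):  # flow-sensitive, intra-procedural
    def __init__(self, rules):
        self.rules, self.tainted, self.findings = rules, set(), []

    def is_tainted(self, expr):
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            name = callee_name(expr)
            if Rules.matches(name, self.rules.sources):
                return True
            if Rules.matches(name, self.rules.sanitizers):
                return False  # the return value is clean whatever went in
        # Constants are clean; concatenation, f-strings and unknown calls inherit taint.
        return any(self.is_tainted(c) for c in ast.iter_child_nodes(expr)
                   if isinstance(c, ast.expr))

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for t in node.targets:
            if isinstance(t, ast.Name):
                (self.tainted.add if tainted else self.tainted.discard)(t.id)
        self.generic_visit(node)

    def visit_Expr(self, node):
        # A sanitizer called as a bare statement is a validator that raises on bad
        # input, so the variables handed to it count as clean from here on.
        call = node.value
        if isinstance(call, ast.Call) and Rules.matches(callee_name(call), self.rules.sanitizers):
            self.tainted -= {a.id for a in call.args if isinstance(a, ast.Name)}
        self.generic_visit(node)

    def visit_Call(self, node):
        name = callee_name(node)
        if Rules.matches(name, self.rules.sinks) and any(map(self.is_tainted, node.args)):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)

def scan(source, rules):
    """Return [(line, sink)] for each sink that tainted data reaches, per function."""
    findings = []
    for fn in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        analyzer = TaintAnalyzer(rules)
        analyzer.visit(fn)
        findings += analyzer.findings
    return findings

# Stock rules know only public APIs; the tuned rules add the in-house sanitizer,
# DB wrapper and session validator from the two scenarios above.
STOCK_RULES = Rules(sources={"request.args.get", "request.cookies.get"},
                    sinks={"cursor.execute", "render_template_string"},
                    sanitizers={"html.escape"})
TUNED_RULES = Rules(sources=STOCK_RULES.sources,
                    sinks=STOCK_RULES.sinks | {"executeQuery", "accounts.load_by_token"},
                    sanitizers=STOCK_RULES.sanitizers
                    | {"SecureValidator.sanitizeHtml", "AuthManager.validateSession"})
XSS_SNIPPET = '''def greet():
    name = request.args.get("name")
    safe = SecureValidator.sanitizeHtml(name)      # in-house sanitizer
    return render_template_string("<h1>" + safe + "</h1>")
'''
SQLI_SNIPPET = '''def lookup():
    db = DatabaseWrapper()
    user = request.args.get("user")
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    return db.executeQuery(query)                  # in-house DB wrapper
'''
SESSION_SNIPPET = '''def profile_checked():
    token = request.cookies.get("session")
    AuthManager.validateSession(token)             # raises on a forged token
    return accounts.load_by_token(token)
def profile_unchecked():
    token = request.cookies.get("session")
    return accounts.load_by_token(token)           # token trusted unvalidated
'''
```

Calling scan(XSS_SNIPPET, STOCK_RULES) reports the render call on line 4 even though the value was sanitized, which is exactly the false positive the first scenario describes; with TUNED_RULES it reports nothing. scan(SQLI_SNIPPET, STOCK_RULES) reports nothing because executeQuery is not a known sink, while TUNED_RULES flags line 5. The session case shows why sanitizer modelling needs care: AuthManager.validateSession() does not return a clean value, it raises on a bad one, so the analyzer treats a sanitizer invoked as a bare statement as clearing the variables passed to it; a rule set that only understands "sanitizer returns clean data" would keep flagging profile_checked() while TUNED_RULES correctly flags only profile_unchecked() on line 7. The analysis is deliberately intra-procedural and ignores branches; a production engine tracks taint across calls and control flow, and its rules carry the same three lists, which is what the tuning described above edits.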

The Bigger Picture: Security Adapting to AI-Accelerated Development 

When developers use AI to code faster, security also needs AI to adapt faster. AI Query Builder ensures your SAST detection evolves just as quickly as your applications do. 

The same way AI coding assistants have made developers more productive, AI security tools make security teams more responsive, comprehensive, and effective. 

AI-powered remediation helps fix vulnerabilities faster, and AI-powered prioritization helps teams focus on what matters. AI-powered query building is the final piece: detecting the right things in the first place. Together, these capabilities let security programs scale alongside modern development practices instead of being left behind.

Getting Started 

AI Query Builder is available now to all Checkmarx One customers with SAST. 

To start using it: 

  1. Navigate to your SAST workspace in Checkmarx One
  2. Access the Query Builder interface 
  3. Describe a security concern you want to detect 
  4. Generate, test, and refine your query 
  5. Deploy it to your scanning presets

Full documentation is available here.

For teams just getting started with SAST customization, we recommend beginning with false positive reduction. Identify the most common false positives your developers encounter and use AI Query Builder to tune queries to recognize your security controls. This immediate impact on developer experience builds trust and demonstrates value quickly. 

For teams already doing query customization, AI Query Builder accelerates your existing workflow. You can prototype queries faster, test more variations, and expand coverage to more frameworks and patterns than was previously feasible. 

The future of application security is AI-assisted at every level. With AI Query Builder, your SAST detection becomes as adaptive and intelligent as the development teams you’re protecting. 

Tags:

Agentic AI

AI

AI Agents

AI generated code

SAST