Version 3.2

Multi-tenant version released on: December 4, 2023

Single-tenant version released on: January 5, 2024

New features and enhancements

Incremental scan support in manual scans

The Manual Scan feature now supports incremental scans when initiated with a ZIP and Branch. This avoids the need to treat each manual upload as a new scan for users working on the same branch with changes to be scanned.

Changes to LOC scan limitations

LOC calculations now occur after filtering is applied during scans, including within the CLI. This workflow modification aims to prevent premature termination of scans in Checkmarx One due to exceeding the maximum allowed LOC limit.

API Security updates

Using rules for API Security

In addition to selecting your source for file scanning locally or through a repository URL, you can use rules to streamline your upload process, for example, with Swagger files, without navigating away or re-uploading projects, and scan with greater efficiency. Rules can be flexible and used in scanning multiple, similar named projects.

API Security integration with DAST

API Security, integrated with DAST security scanning, provides real-time scanning of the API documentation, code, and testing, and provides a deeper and more comprehensive analysis of the risks found in your project. It displays all of your APIs (documented and undocumented) and their vulnerabilities in one place.

KICS updates (version 1.7.10)

  • Engine error handling was improved for self-references in YAML/JSON files.

  • The panic handling process was improved to increase IaC Security scan resiliency.

  • IaC Security can now scan GitHub workflows.

  • New queries added to the engine:

    • Unpinned actions full length commit -> Github workflows

    • Ansible hosts ansible tower exposed to internet.

    • Ansible config allow unsafe lookups.

    • Ansible playbooks communication over http

    • Ansible config communication_over_http

    • Ansible config privilege_escalation_using_become_plugin

    • Ansible config logging_of_sensitive_data

    • Ansible playbooks privilege escalation using become plugin

    • Ansible playbooks Unpinned Package Version

    • Ansible playbooks Insecure Relative Path Resolution

    • Ansible playbooks Logging of Sensitive Data

    • Ansible playbooks risky file permissions

    • Experimental features queries scan in

    • Github workflows script injection query

    • Added cicd github query unsecured commands

    • Github workflows run injection query

Resolved issues

  • Endpoint /api/inventory returns meaningless HTML content and a 404 Not Found status.

  • Poor formatting in vulnerability descriptions and a missing query.

  • Users without tenant-level permissions cannot run a manual scan.

  • ETL: Context deadline exceeded on meta-results-processor and sast-results-events.

  • ADO custom field with the # character for an issue type doesn't appear in the Feedback App integration.

  • Case-sensitive email issue in the /api/contributors/csv endpoint.

  • Scan details from an old scan suddenly switch to displaying currently running scan data.

  • Getting a 403 error when trying to change the severity of results that already exist.

  • Empty SCA report when multiple reports are being generated.

  • 500 Internal Server Error when trying to open a project or a scan.

  • Git token is not saved.

  • Global SSH Key clears on any subsequent edit of Account Settings.

  • Scan toggle button for hiding Dev & Test Dependencies is not working in the Remediation tab.

  • Global Catalog features are not subject to IAM permission control.

  • Fixed an issue that incorrectly enabled the Copy Scan and Scan History buttons.

  • Fixed an issue that incorrectly checked user permissions when deleting a scan.

  • Fixed an issue that caused a long delay in scans when multiple scans for the same environment were canceled.

  • The Correlate button in BOM incorrectly appeared enabled without create-scan permission.