Skip to main content

Engine Pack Version 9.6.4

CxSAST Engine

Languages & Frameworks

All supported code Languages & Frameworks versions are on the dedicated page here.

New SAST Engine - Fast Scan

Execution Time Optimization

Fast Scan incorporates an enhanced configuration to optimize execution time for Kotlin, Go, Scala, Python, Dart, PHP, and Rust languages.

Scanned Languages

Fast Scan mode is designed to scan the primary languages.

For subsequent language groups, the primary language for scanning is determined based on the criteria:

  • JVM languages:(Java, Scala, Kotlin, and Groovy) -only the language with the higher number of files is selected. In case of a tie, the order of choice is Java, Groovy, Scala, Kotlin;

  • IOS composed projects: (Swift and ObjC) - only the language with more files is selected. In case of a tie, the order of choice is Swift, ObjC;

  • Flutter projects: only the language with more files is selected. In case of a tie, the order of choice is Java, Swift, ObjC, CPP, Kotlin, and Dart;

  • Scripting Languages only projects: only the language with the higher number of files is selected. In case of a tie, the order of choice is JavaScript, VbScript, and Plsql.


This version includes significant enhancements for C++ language support:

  • Update to the most recent version of ANTLR (version 4.13.1).

  • Improvements have been made to support various expressions, particularly reference declarations and pointers.

  • Parsing issues associated with more recent C++ syntax have been addressed.

  • Added support for .pc extension (pro*C files) to enhance C++ parsing (Note: SQL queries are ignored).

  • Added code to distinguish ObjC files that were previously misidentified as C files.


To fully leverage C++ support, ensuring accurate code parsing by defining any custom macros is important.

The C++ parser cannot adequately support macros throughout the program unless properly defined.


This engine pack introduces enhancements in JavaScript language parsing resulting from the update to the ANTLR version 4.13.1.


The Rust support has been improved by adding additional queries.

The following queries are available as part of this version:

  • Rust_Medium_Threat

    • Empty_Password_In_Connection_String

    • Hardcoded_Password_in_Connection_String

    • Password_In_Comment

    • SSRF

    • Unrestricted_Delete_S3

    • Unrestricted_Read_S3

    • Unrestricted_Write_S3

    • Use_Of_Hardcoded_Password

  • Rust_Low_Visibility

    • Missing_Password_Field_Masking


Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during development. However, these features are not fully supported, might not be functionally complete, and are not intended for production use.

As Checkmarx considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues customers experience when using these features.


This version introduces the support of fully free format.


OWASP API Top 10 2023

A new preset and category for the OWASP API Top 10 2023 is available out-of-the-box with this Engine Pack.

New return codes


In the upcoming version 9.6.5, the following use cases which have the return code denoted as “-1“ will be replaced by a new return code:

  • No code changes - new return code will be 58

  • Empty files - new return code will be 59

  • Error on the setup of the logs - new return code will be 61

  • Project not found - new return code will be 62

  • Error on file extension initialization (includes files having no extension defined) - new return code will be 63

  • Error on queries deserialization (a step that occurs before queries compilation) - new return code will be 64

  • Error on queries compilation - new return code will be 65

  • Error on queries execution - new return code will be 66

  • Error on the license validation - new return code will be 67

  • Error while scanning (such as parsing, Resolver) - new return code will be 68

To ensure a seamless transition and prevent potential errors, we strongly recommend the following:

  • Carefully review your existing pipelines and workflows.

  • Identify whether there are any configurations or dependencies currently relying on the current error code.

Making the necessary configuration adjustments before upgrading to version 9.6.3 is essential. By making these changes, you'll be able to avoid any disruptions caused by the change in error code and ensure the continued smooth operation of your processes.

Base Preset


Based on thorough tests and comparisons to internal benchmarks, we've decided to improve the base preset and fine-tune it for enhancement. Because of this, in the upcoming version 9.6.5, support for the following languages will be removed from the preset: Cobol, Go, Groovy, Perl, PLSQL, RPG, Ruby, and VB.Net.

We will focus on enhancing coverage for Java, JavaScript, C#, CPP, and Python languages. Additionally, we'll gradually include support for other languages with improved coverage and accuracy.

Removal of deprecated queries from Presets

Actions to be executed in the upcoming version 9.6.5:

  • Deprecated queries are going to be removed from the presets according to the following list:

    (Language, Query ID, Query Name)