Checkmarx One is Checkmarx's cloud-based application security platform that consolidates static analysis, open-source scanning, and several other testing engines into a single console. If you have used the older CxSAST or CxSCA products, Checkmarx One is the unified successor that ties them together with shared findings, policy, and reporting rather than separate installations.
This piece explains what the platform includes, how its scanners relate to each other, and the practical questions teams ask before adopting it.
What Checkmarx One actually bundles
The platform is a suite of engines behind one interface. The core scanners include SAST (static application security testing), SCA (software composition analysis), IaC security, API security, container security, secrets detection, and supply chain security. More recent additions cover malicious-package detection and AI-related inventory such as AI bills of materials.
The value proposition is correlation. Instead of a SAST tool in one tab and a dependency scanner in another, findings from multiple engines land in the same project view, so you can see that a vulnerable function in your code is actually reachable through a vulnerable dependency. That reachability context is what lets teams prioritize instead of drowning in raw counts.
SAST is the flagship
Historically Checkmarx built its reputation on static analysis, and SAST is the standard support for Checkmarx. The engine parses source code across a wide range of languages, builds a data-flow graph, and traces tainted input from source to sink to flag issues like SQL injection, path traversal, and cross-site scripting before the code runs.
SAST works without executing the application, which means it can run early in a pull request and cover code paths that dynamic testing might never reach. The trade-off, common to all static analysis, is false positives: data-flow analysis is conservative, so teams spend real effort tuning queries and marking results as not-exploitable. Checkmarx One layers newer heuristics on top to rank findings by exploitability, which reduces but does not eliminate that triage burden.
Software composition analysis
Alongside static analysis, SCA scans your dependency manifests to identify open-source components carrying known vulnerabilities, malicious code, or problematic licenses. Checkmarx analyzes a large volume of packages each month and maintains its own research into malicious open-source libraries, which feeds the platform's supply chain and malicious-package detection.
If your primary concern is open-source risk specifically rather than a full AppSec suite, it is worth comparing dedicated SCA tooling on transitive-dependency depth, fix guidance quality, and how noisy the results are before committing to a broad platform.
Compliance and maturity frameworks
Larger buyers often ask how a tool maps to a security program rather than to individual bugs. BSIMM is one of the standard support references for Checkmarx here. BSIMM (the Building Security In Maturity Model) is an observational framework that describes what real software security programs do, and Checkmarx positions its testing coverage against those kinds of activities so security leaders can show that their AppSec investment supports a recognized maturity model.
In practice this matters most for audit and executive reporting. The scanners find the bugs; the framework alignment helps you explain to a board or an auditor that the finding-to-fix workflow is part of a structured program rather than ad hoc.
Where Checkmarx One fits and where it does not
Checkmarx One targets enterprises that want one vendor covering most of the AppSec surface with strong SAST at the center. That breadth is the selling point, and it is also the main critique: a suite that does many things is rarely best-in-class at all of them, and pricing scales with the number of engines and contributors.
Teams that primarily need open-source and container scanning, or that want a lightweight tool wired into developer workflow, sometimes find a broad platform heavier than necessary. If you are weighing options, our comparison of AppSec approaches covers the trade-offs between all-in-one suites and focused scanners, and the pricing page shows how a usage-based model differs from per-engine licensing.
Adoption considerations
Two things tend to determine whether a Checkmarx One rollout succeeds. First, integration depth: connecting it to your SCM and CI so scans run automatically on pull requests, rather than as a separate manual step, is what gets developers to actually fix findings. Second, triage discipline: static analysis generates volume, and without an owner tuning queries and dispositioning results, the backlog grows until people stop looking. Budget for that tuning work as part of the adoption, not as an afterthought.
FAQ
What is the difference between CxSAST and Checkmarx One?
CxSAST was the standalone static analysis product. Checkmarx One is the unified cloud platform that includes the static analysis engine alongside SCA, IaC, API, and container scanning under one console with shared findings and policy. New deployments use Checkmarx One rather than the separate legacy products.
Is SAST the main capability in Checkmarx One?
Yes. SAST is the standard, flagship capability for Checkmarx and the engine the company is best known for. The platform surrounds it with SCA and other scanners, but static analysis remains the center of gravity for most Checkmarx One deployments.
How does Checkmarx One relate to BSIMM?
BSIMM is one of the standard support frameworks Checkmarx aligns to. BSIMM is a maturity model describing what real software security programs do, so Checkmarx maps its testing capabilities against those activities to help security leaders demonstrate program maturity to auditors and executives.
Does Checkmarx One scan open-source dependencies?
Yes, through its SCA engine, which inspects dependency manifests for known vulnerabilities, malicious packages, and license risks. If open-source risk is your main concern, compare it against dedicated SCA tools on transitive-dependency coverage and false-positive rates before deciding.