Safeguard
Security

Checkmarx Supported Languages: What CxSAST Can Actually Scan

Checkmarx supports 35+ programming languages and 80+ frameworks for static analysis. Here is how its language coverage works and what to check before buying.

Marcus Chen
DevSecOps Engineer
5 min read

Checkmarx supported languages number more than 35 programming languages and over 80 development frameworks, scanned by its SAST engine without requiring you to compile the code first. That "no compilation" property is the detail that matters most in practice: Checkmarx analyzes source directly, so you can scan a partial checkout or a branch that would not build, which is exactly what CI needs.

If you are evaluating Checkmarx (now Checkmarx One / CxSAST), the headline count is less useful than understanding how the coverage is structured and how to confirm your specific stack is supported.

The breadth of language coverage

Checkmarx's static analysis supports the mainstream enterprise and web languages you would expect, plus a long tail of older and niche ones. Per Checkmarx's own documentation, the SAST scanner covers 35+ languages and 80+ frameworks out of the box.

The commonly supported languages include Java, C#, C and C++, JavaScript and TypeScript, Python, Go, Ruby, PHP, Swift, Kotlin, Objective-C, Scala, and Apex (Salesforce), along with markup and query languages relevant to security such as SQL variants. The framework coverage — Spring, .NET, Angular, React, and many more — is what lets the engine understand data flow through the constructs those frameworks introduce, not just raw language syntax.

Because the exact list shifts with each engine pack release, treat any static list (including this one) as approximate and confirm against the current documentation for the version you will run.

Why "no compilation required" matters

Many SAST engines need a build. That creates friction: the scanner needs a working toolchain, all dependencies resolvable, and a clean compile. In a real pipeline, branches break, dependencies go missing, and forcing a build just to scan slows everything down.

Checkmarx's source-based approach sidesteps that. It parses the code and builds its own representation for taint analysis without invoking your compiler. The upside is you can scan almost anything, including code that does not currently build. The trade-off is that source-only analysis can miss context that a full build would provide, so results still need tuning.

Frameworks are the real coverage question

Raw language support is table stakes. The harder question is whether the engine understands your frameworks well enough to trace tainted data through them. A SAST tool that knows Java but not Spring will misread where user input enters a Spring controller, producing both false negatives and false positives.

When you evaluate coverage, check framework support specifically for:

  • Your web framework (Spring, ASP.NET, Express, Django, Rails, and so on).
  • Your ORM and database access layer, since injection sinks live there.
  • Your templating engine, which is where cross-site scripting sinks appear.

Language on the list plus framework on the list is the combination that produces accurate results.

How to verify coverage for your stack

Do not take the marketing number at face value. Before committing:

  1. Find the engine pack version you will be running. Checkmarx publishes a supported-languages page per engine pack (for example the 9.7.x series), and the list evolves between them.
  2. Match your exact languages and frameworks against that specific page, not a generic overview.
  3. Run a proof-of-concept scan on a representative repository. The only reliable coverage test is scanning your real code and reviewing whether the findings make sense.
  4. Check the query/rule set for your language. Coverage is not binary; a language can be "supported" with a deep rule set or a shallow one.

That PoC step is where evaluations are won or lost. A tool can list your language and still produce weak results if the rules for it are thin.

Where SAST fits alongside other scanning

SAST like Checkmarx analyzes the code you wrote. It does not, by itself, tell you about vulnerable open-source dependencies — that is the job of software composition analysis. A complete program pairs static analysis of first-party code with an SCA tool for third-party components, because a large share of real, exploitable risk comes from libraries rather than your own logic.

If you are comparing commercial options on both breadth and price, our Snyk comparison walks through how language coverage, developer workflow, and licensing differ across tools — the same evaluation lens applies whether you land on Checkmarx, Snyk, or something else.

FAQ

How many languages does Checkmarx support?

Per Checkmarx documentation, the SAST engine supports more than 35 programming languages and over 80 frameworks out of the box. The precise list depends on the engine pack version you run.

Does Checkmarx require compiling my code to scan it?

No. Checkmarx SAST analyzes source directly without compilation, which lets it scan partial checkouts and branches that do not currently build — a practical advantage in CI pipelines.

Is my framework supported, or just my language?

Check both. Framework support determines whether the engine can trace data flow through your web, ORM, and templating layers. A supported language with an unsupported framework produces weaker results.

How do I confirm coverage before buying?

Locate the supported-languages page for the specific engine pack version, match your stack against it, and run a proof-of-concept scan on a representative repository to judge real-world result quality.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.