Sold by: Checkmarx
Deployed on AWS
Checkmarx One helps you deliver secure software faster with an integrated Application Security Testing platform deployed as a service. A single event, like a code commit or build stage, can trigger scans of your source code, dependencies, and IaC templates, with results aggregated in one place.
4.1
Overview
Checkmarx One is an integrated Application Security Testing (AST) platform delivered by Checkmarx, an AWS Advanced Tier partner with Security and DevOps Competencies. We're a global leader in software security solutions, trusted by 1,700+ organizations and consistently recognized by Gartner as a Leader in AST. Checkmarx One delivers three essential AST services on a platform that's easy to integrate into your existing dev tools: Static application security testing: Checkmarx One is a flexible, accurate solution able to identify hundreds of vulnerabilities and weaknesses in custom code, with support for 25+ languages and frameworks. Software composition analysis: CxSCA enables you to mitigate risks in open source software and third-party libraries. Users can identify and prioritize open source vulnerabilities, take inventory of open source components and dependencies in use, and evaluate the risk of open source licenses. Infrastructure as code analysis: KICS detects security misconfigurations in IaC templates, helping prevent errors such as open storage buckets, insecure databases, and excessive privileges. Checkmarx One is easy to integrate: one event can trigger all scan types for your project, and scan results are aggregated, giving you fast triage of your project's security posture. Checkmarx One Developer Assist is an advanced security agent that delivers real-time context-aware prevention, remediation, and guidance to developers from the IDE. It empowers developers to identify risks in their code in realtime and harness the power of AI to remediate the risks on the spot. This feature is initially being released as part of the Checkmarx One plugin for VS Code, Cursor and Windsurf IDEs.
CXONE ASSIST comprises two main elements: Realtime Scanning - Identify vulnerabilities in realtime during IDE development of both human-generated and AI-generated code. Our super-fast scanners run in the background whenever you edit a relevant file. Our scanners identify vulnerabilities and unmasked secrets in your code. We also identify vulnerable or malicious container images and open source packages used in your project. Results are marked as Problems which are highlighted in the code and annotated with identifying icons. Agentic-AI Remediation-Initiate an Agentic-AI session to receive remediation suggestions. Checkmarx feeds all relevant info to the AI agent which accesses our MCP server to gather data from our proprietary databases and customized AI models. The AI assistant then uses this data to generate remediated code for your project. You can accept the suggested changes or you can chat with the AI agent to learn more about the vulnerability and fine-tune the remediation suggestion.
If you're an AWS customer interested in Checkmarx One and wish to purchase over AWS Marketplace in a different quantity or configuration, visit http://www.checkmarx.com/contact-us-aws IMPORTANT INFORMATION ABOUT PRODUCTS AND SERVICES.
- Please note that add-ons be purchased only when the base product is purchased.
- Description of Base product: Checkmarx One Start with SAST. Description of available Add-ons: CxOne Start with SAST NG-API Security Addon, CxOne Start with SAST NG-IaC (KICS) Add on, Checkmarx One Start with SAST NG- AI Add on
- Description of Base product: Checkmarx One Essential Description of available Add-ons: CxOne Essential-Containers Add on, Cx One Essential-Malicious Packages Add on, Cx One Essential-IaC (KICS) Add on, CxOne Essential-AI Protection Add on
- Description of Base product: Checkmarx One Professional Description of available Add-ons: Checkmarx One Professional - IaC (KICS) Add on, Checkmarx One Professional - Enterprise Secrets Add on, Checkmarx One Professional - AI Protection Add on
- Checkmarx One Codebashing is available both as standalone and add-on with Base products mentioned above.
- CxOne Premium Service Package is available @ 20% of SaaS subscription fee. Checkmarx One Premium Service package fee shall be calculated as higher of: a) 20% of SaaS subscription fee OR b) USD 10,000 in case of 1 year term / USD 30,000 for 3 year term.
- Cx-SCS Threat API Malicious (per package) : Minimum quantity is 2 (two) and listed price is for 2 (two) units. SCS Threat API for Malicious OSS Packages Threat Information only (limited to 10,000 packages lookup per month). Each version/sub-version of the same package is considered a unique package.
- Minimum deal size shall be USD 30,000 for a one year term and USD 90,000 for three year term. Minimum deal size excludes Checkmarx One Premium Service Package and Checkmarx One PS days.
- Checkmarx reserves the right to revise prices periodically.
- Prices exclude applicable VAT/GST and WHT, if any.
- Refund Policy: no Refunds. Please reach out to aws-marketplace@checkmarx.com for further information about the add-ons available under various base products.
Highlights
- FIND THREATS AND SAVE TIME : Identify open source risks. Get severity metrics and remediation guidance. Identify potential license and compliance issues. See which libraries are adding to maintenance burdens. Get risk reports or extract data via API.
- SPOT INSECURE CODE EARLIER: Our industry-leading source code analysis covers a wide range of languages. Checkmarx One finds vulnerabilities faster by scanning uncompiled code and only re-scanning new or modified code.
- Prevent misconfigurations from reaching production: Scan your IaC templates for valid but insecure configurations before deployment to prevent catastrophic security misconfigurations.
Details
Sold by
Categories
Delivery method
Deployed on AWS
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Buyer guide
Gain valuable insights from real users who purchased this product, powered by PeerSpot.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/12 months |
|---|---|---|
CxOne Start with SAST NG | Checkmarx One Start with SAST-price per license per year | $1,035.00 |
CxOne API Security | CxOne Start with SAST NG-API Security Addon-price per license per year | $276.00 |
CxOne IaC (KICS) | CxOne Start with SAST NG-IaC (KICS) Add on-price per license per year | $240.00 |
CxOne DevAssist | Checkmarx One Start with SAST NG- DevAssist Add on-price per license per year | $300.00 |
Checkmarx One Codebashing | Checkmarx One Codebashing | $345.00 |
CxOne Essential | Checkmarx One Essential - price per license per year | $1,564.00 |
CxAST-CONTAINERS | CxOne Essential-Containers Add on-price per license per year | $240.00 |
CxOne Malicious Packages | Cx One Essential-Malicious Packages Add on-price per license per year | $276.00 |
CxAST-IAC-KICS | Cx One Essential-IaC (KICS) Add on-price per license per year | $240.00 |
CxOne DevAssist | CxOne Essential-DevAssist Add on-price per license per year | $120.00 |
Vendor refund policy
- Minimum Deal size shall be USD 30,000 for 1 year term & USD 90,000 for 3 year term, excluding Checkmarx One Premium Service Package and Checkmarx one PS days.
- Checkmarx One Premium Service package fee shall be calculated as higher of: a) 20% of SaaS subscription fee OR b) USD 10,000 in case of 1 year term / USD 30,000 for 3 year term.
- Checkmarx reserves the right to revise prices, without advance notice.
- Prices quoted are exclusive of VAT/GST and WHT, if applicable.
- No refunds.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Vendor resources
Support
Vendor support
Checkmarx technical support, online support https://support.checkmarx.com Checkmarx One Standard Support is Included within the price of software subscription and Checkmarx One Premium Service Package available by paying 20% SaaS subscription fee.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By Checkmarx
By Fortinet Inc.
Top
10
In Testing
Top
25
In Continuous Integration and Continuous Delivery
Top
25
In Cloud Governance
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Static Application Security Testing
Comprehensive vulnerability scanning for custom code across 25+ programming languages and frameworks
Software Composition Analysis
Automated identification and prioritization of vulnerabilities in open source software and third-party library dependencies
Infrastructure as Code Analysis
Detection of security misconfigurations in infrastructure template deployments to prevent potential security risks
Real-time IDE Security Scanning
Background vulnerability scanning during code development with immediate identification of risks in human and AI-generated code
AI-Powered Remediation
Context-aware AI agent that generates code remediation suggestions using proprietary databases and customized AI models
Application Security Scanning
Continuous end-to-end security scanning across source control, CI/CD, registry, and cloud environments with real-time monitoring
Vulnerability Prioritization
Advanced threat assessment using contextual analysis of vulnerability exploitability, reachability, and business impact
Pipeline Security Tracking
Proprietary Pipeline Bill of Materials (PBOM) framework for tracking complete software lineage and ensuring build integrity
Automated Remediation
No-code workflow capabilities for automatically blocking vulnerabilities, risky code, and configuration changes
Software Supply Chain Protection
Comprehensive security coverage across software development lifecycle with integrated risk prevention mechanisms
Code Security
Integrated code security with Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Infrastructure as Code (IaC) security with continuous runtime application behavior monitoring
Cloud Security Posture Management
Robust Cloud Service Posture Management (CSPM) and Kubernetes Security Posture Management (KSPM) with attack path analysis and visualization of interconnected infrastructure risks
Cloud Infrastructure Entitlement Management
Comprehensive visibility and assessment of AWS IAM users, groups, roles, policies, and entitlements with automatic discovery and excessive permission identification
Behavioral Analytics
Continuous monitoring of AWS workloads for unusual behaviors using advanced anomaly detection techniques with over 100 patents for faster threat detection
Threat Correlation
Automated correlation of multiple security alerts into high-confidence composite alerts using behavioral analytics, anomaly detection, and threat intelligence from AWS CloudTrail and GuardDuty
Standard contract
No
No
No
Customer reviews
Ján J.
Great Automation and UI, But Needs Better Kotlin Support
Reviewed on Dec 10, 2025
Review provided by G2
What do you like best about the product?
Helps to automate a security review of a codebase. Easy to implement into existing repositories. Nice intuitive user interface and good vulnerability descriptions with a hints where in code and how to fix.
What do you dislike about the product?
Unfortunately Checkmarx reported a huge number of false positives for Kotlin based projects. Probably this language is poorly supported because there were no such issues in more popular languages like Java or Javascript.
What problems is the product solving and how is that benefiting you?
Helps to catch a new security vulnerabilities at each code commit and forces developers to fix them before pushing to production code.
Kapileanuj Vinayak
Regular code scans have improved vulnerability detection and keep our repositories secure
Reviewed on Dec 05, 2025
Review provided by PeerSpot
What is our primary use case?
My main use case for Checkmarx One is that we have a Git repository, and we are implementing and integrating Checkmarx One to our Git repository to manage vulnerabilities and scan for vulnerabilities inside the repository. We are scanning this repo on a monthly or quarterly basis to keep our repositories clean and secured.
A specific example of how I use Checkmarx One with my Git repository is that in the last two months, we first integrated Checkmarx One into our repository and discovered Spring Security vulnerabilities that were causing a lot of issues in our application. Because of Checkmarx One, we easily found which vulnerability was causing the issues in our application. After the scanning, we immediately got the vulnerability list detailing whatever vulnerabilities were present in the repository, and we started working on that. This was really helpful at that time.
What is most valuable?
The best features Checkmarx One offers include the SAST report, which really helps us during the scan. This report also aids us from a security point of view because there are some IMA controllers included. After getting the report, we have to submit it to the security team, and they scan it. This helps us for security purposes as well.
When I explore Checkmarx One, I find that the SAST capability, accurate findings, and clean UI are very notable. It is a very dependable performance and a highly effective platform for our organization and our company.
Checkmarx One has positively impacted my organization because in the past, when Checkmarx One scan was not implemented, we faced a lot of issues finding vulnerabilities inside the repository. But now, since we have integrated Checkmarx One into our repository, we can smoothly and very easily find vulnerabilities and manage those effectively.
What needs improvement?
One way Checkmarx One could be improved is if it could automatically run scans every month after implementation. If it is possible to set it in the SAST portal to scan the repositories automatically, that would help us because currently, we have to run Checkmarx One scan manually every time.
From the perspective of needed improvements, first-line support is also necessary for Checkmarx One because sometimes people encounter issues while implementing Checkmarx One. At that time, they need help from Checkmarx team, so that support is also needed.
For how long have I used the solution?
I am using Checkmarx One for the last one year, and the experience has been very good.
What do I think about the stability of the solution?
Checkmarx One is stable.
What do I think about the scalability of the solution?
Regarding Checkmarx One's scalability, I have implemented it in two projects, and we are using Checkmarx One in both of those projects.
Which solution did I use previously and why did I switch?
I can share specific outcomes with Checkmarx One. Before we did not have Checkmarx One scan, so we tried to find vulnerabilities via the G-SOC report, but that was very difficult due to a lot of troubles. However, now, because of Checkmarx One, we easily find scans for particular repositories, which helps us and it consumes very little time, making it efficient for our team as well.
What other advice do I have?
My advice for others looking into using Checkmarx One is that it is good to use. If they want to implement it, I recommend they do so as it saves time and is efficient as well. I would rate Checkmarx One highly based on my positive experience with the product.
reviewer2783283
Automated security scans have strengthened pipeline checks and now need better noise reduction and IDE integration
Reviewed on Nov 29, 2025
Review provided by PeerSpot
What is our primary use case?
Checkmarx One is primarily used for SAST scans in my organization. A specific example of how I use Checkmarx One for SAST scans is in applications that require scanning both static and dynamic vulnerabilities. For the static vulnerabilities, Checkmarx One identifies SQL injections and other static vulnerabilities in the code.
Checkmarx One has been included in the CI/CD pipelines, so it runs automatically for all components and microservices across various applications. The tool indicates severity levels from one, two, three, and so on, and is integrated within the pipeline.
What is most valuable?
Checkmarx One offers several standout features. The tool summarizes CWE reports so I can identify what is exploitable and what is non-exploitable. It is well-integrated with other internal tools where I can disposition false positives and provides vulnerability resolutions and guidance on how to fix them, which are sometimes very helpful.
The CWE report summaries assist in my daily work by showing up in reports, allowing me to see all types of vulnerabilities at once. The tool indicates when there are multiple vulnerabilities in specific legacy code, for example, by showing that there are 12 findings for CVE X.X, and I can fix them all at once.
Checkmarx One has positively impacted the organization by providing resolution strategies and indicating which vulnerabilities need to be fixed. It is beneficial to catch vulnerabilities early in the pipeline so that any false positives can be addressed later, which is especially important for security in a banking environment.
What needs improvement?
Checkmarx One can be improved by reducing noise and improving false positive filtering. There are instances when false positives appear, such as when the word 'password' appears in a file, which actually refers to a code variable elsewhere. Checkmarx One could provide better reports, and the UI could be made more user-friendly.
Integration into the IDE being used would be beneficial so that code does not need to be uploaded to the website and an IDE-friendly report could be generated.
For how long have I used the solution?
Checkmarx One has been used for approximately three years.
What do I think about the stability of the solution?
Checkmarx One has been stable with no observed issues with downtime or reliability.
What do I think about the scalability of the solution?
Checkmarx One has handled increased workloads adequately.
How are customer service and support?
There has been no interaction with the support team.
How would you rate customer service and support?
What other advice do I have?
Checkmarx One saves significant time because it is directly integrated into the CI/CD pipeline, although specific metrics are not available. The overall rating for Checkmarx One is seven out of ten, primarily based on the previously mentioned features and capabilities. Checkmarx One is a solid program that has a secure-first mentality, and no specific advice comes to mind for others considering the product. There is no business relationship with the vendor other than being a customer.
Adarkum Kumar
Early detection with custom queries has improved secure coding practices and continuously prevents critical vulnerabilities from reaching deployment
Reviewed on Nov 29, 2025
Review from a verified AWS customer
What is our primary use case?
My main use case for Checkmarx One is as a SAST product. In the Jenkins pipeline, we use it to build or confirm the Checkmarx result. Whenever we find any high or critical severity vulnerability, we break the pipeline and the product does not go to deployment. I use Checkmarx audit a lot. Whenever I find a zero-day vulnerability, we go to Checkmarx audit and write some custom query so that we can find the particular vulnerability in a particular library. Checkmarx One can give us the exact code where that library is deployed and we replace the server version and the library version.
What is most valuable?
The best features Checkmarx One offers are Checkmarx audit and the ability to write custom queries.
Checkmarx One has positively impacted our organization as we tend to find vulnerabilities very early in the development cycle. The initial scans allowed the teams to catch the vulnerabilities early. But after some time, they got used to it and started writing more secure code. In a way, it has saved a lot of time.
What needs improvement?
For Checkmarx One, I think that adding repositories and scanning impromptu code could improve it. Suppose an impromptu team comes and provides the code in a GitLab repo, there should be a quick scan button. You just link the repo and can get a result instantly.
For how long have I used the solution?
I have been using it for five years.
What do I think about the stability of the solution?
Checkmarx One is stable.
What do I think about the scalability of the solution?
Checkmarx One's scalability is good.
How are customer service and support?
We had Checkmarx office hours for customer support, and that helps a lot.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We did not previously use a different solution. We were using the free version of Semgrep .
What was our ROI?
I'm not in a position to provide a return on investment because I'm at a lower level, such as Product Security Engineer. I don't deal with these details.
What other advice do I have?
My advice to others looking into using Checkmarx One is to go for the demo version first and see. If it fits into your pipeline, then go for it.
Checkmarx One is a great tool. SAST-wise, I love it. It's integrating into the pipeline, Checkmarx audit, and manually marking the results as false positive. After the rescan, it does not appear. So that works great.
I found this interview to be good, but I think there should be a pause button. Anyone can take a break and doesn't have to continue for the whole length. You can hit pause and continue whenever you come back.
I would rate this review an 8.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Gideon Anichi
Reselling has delivered fast secure-code training and streamlined code review for development teams
Reviewed on Nov 28, 2025
Review from a verified AWS customer
What is our primary use case?
My main use case for Checkmarx One is that I am a reseller, and the company I work for is a reseller. What I typically do with Checkmarx One is implementation, helping our clients or customers to meet their use cases, support, and setting up, and also using it to show the customer how to use the product.
A very recent implementation I can think of is that we had a client that wanted to do SAST , and we sold Checkmarx One to them for their SAST implementation. I was able to walk the clients through how to use the platform, how to review the source code with Checkmarx One, and most especially how to use the one-fix remediation features of Checkmarx whereby you can use the recommendation from Checkmarx One to fix the issues found in the source code.
What is most valuable?
The best features that Checkmarx One offers in my experience include its reliability in managing false positives, the integration to the CI/CD pipeline, and most importantly, the Codebashing feature that Checkmarx One has where developers can learn how to code better and securely.
In terms of usability, Checkmarx One is one of those solutions where implementation is very straightforward and within the next few minutes after implementing Checkmarx One, you can actually start getting results almost instantly. The ease of use is there, and the usability shows that the time to generate returns on your investment is very quick.
From my point of view as a professional service or support engineer, Checkmarx One has positively impacted my organization and clients. The fact that clients come back to renew their Checkmarx One subscription means that it is valuable to them, and winning new deals means that the solution is actually meeting the need in the market. I have deployed Checkmarx One for different clients and resold Checkmarx One to different clients, and that can only be because the solution does exactly what it says it does.
After implementing Checkmarx One, the time it takes for clients to come up with secure code has been a lot faster. Once you implement Checkmarx One, you can be sure that you're getting value from the solution almost immediately because Checkmarx One also handles false positives very effectively, saving you time and saving your developers time. This has really improved the client's experience.
Additionally, Checkmarx One also has the Codebashing feature that helps to provide further knowledge to the customer on how to write secure codes, and that's a very outstanding feature of Checkmarx One.
What needs improvement?
Checkmarx One is doing a lot already, and what I would just ask is for Checkmarx One, as a company, to look into investing in RASP because being a very good SAST to DAST solution, RASP is becoming increasingly needed, especially from the reseller vendor side. If Checkmarx One could start development of a RASP platform, that would do us a lot of good.
RASP is the key one for me.
For how long have I used the solution?
I have been working in my current field for about over eight years.
What do I think about the stability of the solution?
Checkmarx One is very stable in my experience.
What do I think about the scalability of the solution?
Checkmarx One's scalability is good; it can handle growing needs or larger environments easily.
How are customer service and support?
I have relied on Checkmarx One customer support hundreds of times for several things, and Checkmarx One support is very proactive and very responsive. You can rely on them.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have not previously used a different solution for my clients; it has most times always been Checkmarx One.
How was the initial setup?
The ease of use is there, and the usability shows that the time to generate returns on your investment is very quick. That is something that is outstanding about Checkmarx One.
What about the implementation team?
Due to the number of years I've implemented Checkmarx One, there are rebates and discounts from the OEM which makes it a lot more profitable, and in terms of setup costs, it's already factored into the cost of the solution. The clients we are deploying for usually manage that cost. We have a good relationship with generating a license and all of that, so the experience is seamless and really good.
What was our ROI?
I have to mention again that I am not a direct user of Checkmarx One, as I implement Checkmarx One for clients and use it in clients' environments. The person who has the most accurate answer around return on investment would be the client. However, based on my interactions with the clients, I can tell that there is a return on investment because if something is not profitable and it's not helping to save costs or vulnerabilities, clients wouldn't come back to renew their license year after year. I would say that while I may not have direct metrics, I can affirm that there is a good return on investment for our clients' environments.
What's my experience with pricing, setup cost, and licensing?
Due to the number of years I've implemented Checkmarx One, there are rebates and discounts from the OEM which makes it a lot more profitable, and in terms of setup costs, it's already factored into the cost of the solution. The clients we are deploying for usually manage that cost.
Which other solutions did I evaluate?
Before choosing Checkmarx One, we did not evaluate other options for clients; in most cases, clients really wanted Checkmarx One themselves, so we just implement Checkmarx One for them.
What other advice do I have?
I would rate Checkmarx One an eight out of ten.
I choose eight out of ten because Checkmarx One is outstanding; truthfully, Checkmarx One is really, really good.
My advice for others looking into using Checkmarx One is to come to me; let me sell Checkmarx One to you. I have good experience using Checkmarx One, and I can help you set up your Checkmarx One to ensure that you're getting your return on value quickly. If you're looking for a SAST solution that would provide a return on investment and assist with source code scanning to improve your entire SDLC cycle, Checkmarx One is a tool that you can rely on. My overall rating for Checkmarx One is eight out of ten.
Which deployment model are you using for this solution?
Private Cloud