Sold by: Checkmarx
Deployed on AWS
Checkmarx One helps you deliver secure software faster with an integrated Application Security Testing platform deployed as a service. A single event, like a code commit or build stage, can trigger scans of your source code, dependencies, and IaC templates, with results aggregated in one place.
4.1
Overview
Checkmarx One is an integrated Application Security Testing (AST) platform delivered by Checkmarx, an AWS Advanced Tier partner with Security and DevOps Competencies. We're a global leader in software security solutions, trusted by 1,700+ organizations and consistently recognized by Gartner as a Leader in AST. Checkmarx One delivers three essential AST services on a platform that's easy to integrate into your existing dev tools: Static application security testing: Checkmarx One is a flexible, accurate solution able to identify hundreds of vulnerabilities and weaknesses in custom code, with support for 25+ languages and frameworks. Software composition analysis: CxSCA enables you to mitigate risks in open source software and third-party libraries. Users can identify and prioritize open source vulnerabilities, take inventory of open source components and dependencies in use, and evaluate the risk of open source licenses. Infrastructure as code analysis: KICS detects security misconfigurations in IaC templates, helping prevent errors such as open storage buckets, insecure databases, and excessive privileges. Checkmarx One is easy to integrate: one event can trigger all scan types for your project, and scan results are aggregated, giving you fast triage of your project's security posture. Checkmarx One Developer Assist is an advanced security agent that delivers real-time context-aware prevention, remediation, and guidance to developers from the IDE. It empowers developers to identify risks in their code in realtime and harness the power of AI to remediate the risks on the spot. This feature is initially being released as part of the Checkmarx One plugin for VS Code, Cursor and Windsurf IDEs.
CXONE ASSIST comprises two main elements: Realtime Scanning - Identify vulnerabilities in realtime during IDE development of both human-generated and AI-generated code. Our super-fast scanners run in the background whenever you edit a relevant file. Our scanners identify vulnerabilities and unmasked secrets in your code. We also identify vulnerable or malicious container images and open source packages used in your project. Results are marked as Problems which are highlighted in the code and annotated with identifying icons. Agentic-AI Remediation-Initiate an Agentic-AI session to receive remediation suggestions. Checkmarx feeds all relevant info to the AI agent which accesses our MCP server to gather data from our proprietary databases and customized AI models. The AI assistant then uses this data to generate remediated code for your project. You can accept the suggested changes or you can chat with the AI agent to learn more about the vulnerability and fine-tune the remediation suggestion.
If you're an AWS customer interested in Checkmarx One and wish to purchase over AWS Marketplace in a different quantity or configuration, visit http://www.checkmarx.com/contact-us-aws IMPORTANT INFORMATION ABOUT PRODUCTS AND SERVICES.
- Please note that add-ons be purchased only when the base product is purchased.
- Description of Base product: Checkmarx One Start with SAST. Description of available Add-ons: CxOne Start with SAST NG-API Security Addon, CxOne Start with SAST NG-IaC (KICS) Add on, Checkmarx One Start with SAST NG- AI Add on
- Description of Base product: Checkmarx One Essential Description of available Add-ons: CxOne Essential-Containers Add on, Cx One Essential-Malicious Packages Add on, Cx One Essential-IaC (KICS) Add on, CxOne Essential-AI Protection Add on
- Description of Base product: Checkmarx One Professional Description of available Add-ons: Checkmarx One Professional - IaC (KICS) Add on, Checkmarx One Professional - Enterprise Secrets Add on, Checkmarx One Professional - AI Protection Add on
- Checkmarx One Codebashing is available both as standalone and add-on with Base products mentioned above.
- CxOne Premium Service Package is available @ 20% of SaaS subscription fee. Checkmarx One Premium Service package fee shall be calculated as higher of: a) 20% of SaaS subscription fee OR b) USD 10,000 in case of 1 year term / USD 30,000 for 3 year term.
- Cx-SCS Threat API Malicious (per package) : Minimum quantity is 2 (two) and listed price is for 2 (two) units. SCS Threat API for Malicious OSS Packages Threat Information only (limited to 10,000 packages lookup per month). Each version/sub-version of the same package is considered a unique package.
- Minimum deal size shall be USD 30,000 for a one year term and USD 90,000 for three year term. Minimum deal size excludes Checkmarx One Premium Service Package and Checkmarx One PS days.
- Checkmarx reserves the right to revise prices periodically.
- Prices exclude applicable VAT/GST and WHT, if any.
- Refund Policy: no Refunds. Please reach out to aws-marketplace@checkmarx.com for further information about the add-ons available under various base products.
Highlights
- FIND THREATS AND SAVE TIME : Identify open source risks. Get severity metrics and remediation guidance. Identify potential license and compliance issues. See which libraries are adding to maintenance burdens. Get risk reports or extract data via API.
- SPOT INSECURE CODE EARLIER: Our industry-leading source code analysis covers a wide range of languages. Checkmarx One finds vulnerabilities faster by scanning uncompiled code and only re-scanning new or modified code.
- Prevent misconfigurations from reaching production: Scan your IaC templates for valid but insecure configurations before deployment to prevent catastrophic security misconfigurations.
Details
Sold by
Categories
Delivery method
Deployed on AWS
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Buyer guide
Gain valuable insights from real users who purchased this product, powered by PeerSpot.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/12 months |
|---|---|---|
CxOne Start with SAST NG | Checkmarx One Start with SAST-price per license per year | $1,035.00 |
CxOne API Security | CxOne Start with SAST NG-API Security Addon-price per license per year | $276.00 |
CxOne IaC (KICS) | CxOne Start with SAST NG-IaC (KICS) Add on-price per license per year | $240.00 |
CxOne DevAssist | Checkmarx One Start with SAST NG- DevAssist Add on-price per license per year | $300.00 |
Checkmarx One Codebashing | Checkmarx One Codebashing | $345.00 |
CxOne Essential | Checkmarx One Essential - price per license per year | $1,564.00 |
CxAST-CONTAINERS | CxOne Essential-Containers Add on-price per license per year | $240.00 |
CxOne Malicious Packages | Cx One Essential-Malicious Packages Add on-price per license per year | $276.00 |
CxAST-IAC-KICS | Cx One Essential-IaC (KICS) Add on-price per license per year | $240.00 |
CxOne DevAssist | CxOne Essential-DevAssist Add on-price per license per year | $120.00 |
Vendor refund policy
- Minimum Deal size shall be USD 30,000 for 1 year term & USD 90,000 for 3 year term, excluding Checkmarx One Premium Service Package and Checkmarx one PS days.
- Checkmarx One Premium Service package fee shall be calculated as higher of: a) 20% of SaaS subscription fee OR b) USD 10,000 in case of 1 year term / USD 30,000 for 3 year term.
- Checkmarx reserves the right to revise prices, without advance notice.
- Prices quoted are exclusive of VAT/GST and WHT, if applicable.
- No refunds.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Vendor resources
Support
Vendor support
Checkmarx technical support, online support https://support.checkmarx.com Checkmarx One Standard Support is Included within the price of software subscription and Checkmarx One Premium Service Package available by paying 20% SaaS subscription fee.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By Checkmarx
By Fortinet Inc.
Top
10
In Testing
Top
25
In Continuous Integration and Continuous Delivery
Top
25
In Cloud Governance
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Static Application Security Testing
Identifies vulnerabilities and weaknesses in custom code with support for 25+ languages and frameworks, scanning uncompiled code and re-scanning only new or modified code.
Software Composition Analysis
Identifies and prioritizes open source vulnerabilities, takes inventory of open source components and dependencies, and evaluates risks of open source licenses.
Infrastructure as Code Analysis
Detects security misconfigurations in IaC templates using KICS to prevent errors such as open storage buckets, insecure databases, and excessive privileges.
Real-time IDE Security Scanning
Provides real-time vulnerability detection during IDE development for both human-generated and AI-generated code, identifying vulnerabilities, unmasked secrets, vulnerable container images, and malicious open source packages.
Agentic-AI Remediation
Generates remediation suggestions using AI agents that access proprietary databases and customized AI models to provide context-aware code fixes with interactive refinement capabilities.
Software Supply Chain Visibility
Continuous end-to-end visibility and traceability across source control, CI/CD, registry, and cloud environments through API integrations and proprietary Pipeline Bill of Materials (PBOM) tracking
Vulnerability Prioritization Engine
Context-based threat prioritization that assesses vulnerability exploitability, reachability, business impact, and risk normalization to identify critical issues requiring immediate attention
Automated Remediation Workflows
No-code workflow automation that automatically blocks vulnerabilities, risky code, and configuration changes while enabling pull request and ticket creation from a unified console
Real-time Security Scanning
Real-time monitoring and scanning across the software development lifecycle from code to cloud with build integrity verification and production application security from inception to release
Unified Application Security Platform
Consolidated platform integrating application security posture management, application security testing, and supply chain security across the complete software development lifecycle
Code Security Analysis
Integrated code security with Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Infrastructure as Code (IaC) security with runtime application behavior monitoring to identify active, exploitable vulnerable packages.
Cloud Security Posture Management
Cloud Security Posture Management (CSPM) and Kubernetes Security Posture Management (KSPM) with attack path analysis visualization and compliance validation against CIS Benchmarks for AWS and AWS Foundational Security Best Practices.
Cloud Infrastructure Entitlement Management
Cloud Infrastructure Entitlement Management (CIEM) providing visibility into AWS IAM users, groups, roles, policies, entitlements, and EC2 instances with automatic identity discovery and net-effective permissions assessment.
Behavioral Analytics and Anomaly Detection
Continuous monitoring of AWS workloads for unusual behaviors through comparison of past and present states using patented analytics with over 100 patents to detect anomalies and compromises.
Composite Alert Correlation
Automatic correlation of multiple alerts into single, high-confidence composite alerts using behavioral analytics, anomaly detection, in-house threat intelligence, AWS CloudTrail and GuardDuty data to identify active attacks including compromised credentials, ransomware, and cryptojacking.
Standard contract
No
No
No
Customer reviews
Navdeep_Singh
Security scans have transformed how I detect vulnerabilities and collaborate on rapid remediation
Reviewed on Jan 24, 2026
Review provided by PeerSpot
What is our primary use case?
My main use case for Checkmarx One is mostly for scanning and vulnerability detection, and in that, I mostly use the SAST scans and access management for users and the remediation part for scans.
A recent scenario is that Checkmarx One is integrated with the pipeline, so mostly our DevOps engineer can scan it from the pipeline, the security scan is initiated, and I get reports in Checkmarx, and I share that, and accordingly, I help developers to remediate vulnerabilities in the code. That's how I use it.
I also manage policies that are for security scan features like implementation of security gates, according to which, the application will be blocked from pipeline production. And to reduce vulnerability, mostly, I use it.
What is most valuable?
The best features Checkmarx One offers, in my opinion, are that it is easy to use, and there is not much deep diving into this. Anyone can use it for scanning purposes and for security gate purposes. It is really helpful, to be honest. For me, I personally believe it is a great tool.
The entire process in Checkmarx One is easy to understand, and although not a particular part stands out, there are no multiple features which I need to enable, or I have to deep dive into another tab or options for scanning and doing work. I can directly do this from the home page, and I can use it even for basic tasks.
Checkmarx One has helped with efficiency and security for sure, as I am able to detect vulnerabilities on the earliest basis and help developers to remediate them. It really helps a lot at the enterprise level.
Most probably, the most common thing that Checkmarx One does is reduce the vulnerabilities and the criticality of the vulnerabilities also. I am able to detect, and in the same way, I can collaborate with developers to remediate them on the earliest basis. That is a useful part.
What needs improvement?
I wish there could be some features to improve Checkmarx One, but I don't think so. It is an easy-to-use application, so I'm happy with the current features. I don't think there is anything required.
The latest version or upgraded version of Checkmarx One is too good, and I'm satisfied.
There are some downtimes when Checkmarx One is being upgraded to the latest version or some improvement is there. Sometimes I face issues, and I get a notification from Checkmarx. That's okay.
For how long have I used the solution?
I have been using Checkmarx One for the last three years for my daily work in the office, in my daily routine work.
What do I think about the scalability of the solution?
Checkmarx One's scalability is that I have a limited license number, and accordingly, it is able to manage most of my scans and the number of scans at the same time.
How are customer service and support?
Customer support for Checkmarx One is good because I had some doubts or issues, so I asked them, and I got a reply within 24 working hours. That's good, I would say.
How would you rate customer service and support?
Neutral
What other advice do I have?
I would advise others to use Checkmarx One, as it is a good application, and for most of the work I do, I would suggest SAST scans are really helpful, and it is easy to use. I need not do much work, and it will be helpful for any organization that is using it. I'm not sure about the pricing metrics, but it is helpful. I gave this review a rating of 9.5 out of 10.
Ján J.
Great Automation and UI, But Needs Better Kotlin Support
Reviewed on Dec 10, 2025
Review provided by G2
What do you like best about the product?
Helps to automate a security review of a codebase. Easy to implement into existing repositories. Nice intuitive user interface and good vulnerability descriptions with a hints where in code and how to fix.
What do you dislike about the product?
Unfortunately Checkmarx reported a huge number of false positives for Kotlin based projects. Probably this language is poorly supported because there were no such issues in more popular languages like Java or Javascript.
What problems is the product solving and how is that benefiting you?
Helps to catch a new security vulnerabilities at each code commit and forces developers to fix them before pushing to production code.
Kapileanuj Vinayak
Regular code scans have improved vulnerability detection and keep our repositories secure
Reviewed on Dec 05, 2025
Review provided by PeerSpot
What is our primary use case?
My main use case for Checkmarx One is that we have a Git repository, and we are implementing and integrating Checkmarx One to our Git repository to manage vulnerabilities and scan for vulnerabilities inside the repository. We are scanning this repo on a monthly or quarterly basis to keep our repositories clean and secured.
A specific example of how I use Checkmarx One with my Git repository is that in the last two months, we first integrated Checkmarx One into our repository and discovered Spring Security vulnerabilities that were causing a lot of issues in our application. Because of Checkmarx One, we easily found which vulnerability was causing the issues in our application. After the scanning, we immediately got the vulnerability list detailing whatever vulnerabilities were present in the repository, and we started working on that. This was really helpful at that time.
What is most valuable?
The best features Checkmarx One offers include the SAST report, which really helps us during the scan. This report also aids us from a security point of view because there are some IMA controllers included. After getting the report, we have to submit it to the security team, and they scan it. This helps us for security purposes as well.
When I explore Checkmarx One, I find that the SAST capability, accurate findings, and clean UI are very notable. It is a very dependable performance and a highly effective platform for our organization and our company.
Checkmarx One has positively impacted my organization because in the past, when Checkmarx One scan was not implemented, we faced a lot of issues finding vulnerabilities inside the repository. But now, since we have integrated Checkmarx One into our repository, we can smoothly and very easily find vulnerabilities and manage those effectively.
What needs improvement?
One way Checkmarx One could be improved is if it could automatically run scans every month after implementation. If it is possible to set it in the SAST portal to scan the repositories automatically, that would help us because currently, we have to run Checkmarx One scan manually every time.
From the perspective of needed improvements, first-line support is also necessary for Checkmarx One because sometimes people encounter issues while implementing Checkmarx One. At that time, they need help from Checkmarx team, so that support is also needed.
For how long have I used the solution?
I am using Checkmarx One for the last one year, and the experience has been very good.
What do I think about the stability of the solution?
Checkmarx One is stable.
What do I think about the scalability of the solution?
Regarding Checkmarx One's scalability, I have implemented it in two projects, and we are using Checkmarx One in both of those projects.
Which solution did I use previously and why did I switch?
I can share specific outcomes with Checkmarx One. Before we did not have Checkmarx One scan, so we tried to find vulnerabilities via the G-SOC report, but that was very difficult due to a lot of troubles. However, now, because of Checkmarx One, we easily find scans for particular repositories, which helps us and it consumes very little time, making it efficient for our team as well.
What other advice do I have?
My advice for others looking into using Checkmarx One is that it is good to use. If they want to implement it, I recommend they do so as it saves time and is efficient as well. I would rate Checkmarx One highly based on my positive experience with the product.
reviewer2783283
Automated security scans have strengthened pipeline checks and now need better noise reduction and IDE integration
Reviewed on Nov 29, 2025
Review provided by PeerSpot
What is our primary use case?
Checkmarx One is primarily used for SAST scans in my organization. A specific example of how I use Checkmarx One for SAST scans is in applications that require scanning both static and dynamic vulnerabilities. For the static vulnerabilities, Checkmarx One identifies SQL injections and other static vulnerabilities in the code.
Checkmarx One has been included in the CI/CD pipelines, so it runs automatically for all components and microservices across various applications. The tool indicates severity levels from one, two, three, and so on, and is integrated within the pipeline.
What is most valuable?
Checkmarx One offers several standout features. The tool summarizes CWE reports so I can identify what is exploitable and what is non-exploitable. It is well-integrated with other internal tools where I can disposition false positives and provides vulnerability resolutions and guidance on how to fix them, which are sometimes very helpful.
The CWE report summaries assist in my daily work by showing up in reports, allowing me to see all types of vulnerabilities at once. The tool indicates when there are multiple vulnerabilities in specific legacy code, for example, by showing that there are 12 findings for CVE X.X, and I can fix them all at once.
Checkmarx One has positively impacted the organization by providing resolution strategies and indicating which vulnerabilities need to be fixed. It is beneficial to catch vulnerabilities early in the pipeline so that any false positives can be addressed later, which is especially important for security in a banking environment.
What needs improvement?
Checkmarx One can be improved by reducing noise and improving false positive filtering. There are instances when false positives appear, such as when the word 'password' appears in a file, which actually refers to a code variable elsewhere. Checkmarx One could provide better reports, and the UI could be made more user-friendly.
Integration into the IDE being used would be beneficial so that code does not need to be uploaded to the website and an IDE-friendly report could be generated.
For how long have I used the solution?
Checkmarx One has been used for approximately three years.
What do I think about the stability of the solution?
Checkmarx One has been stable with no observed issues with downtime or reliability.
What do I think about the scalability of the solution?
Checkmarx One has handled increased workloads adequately.
How are customer service and support?
There has been no interaction with the support team.
How would you rate customer service and support?
What other advice do I have?
Checkmarx One saves significant time because it is directly integrated into the CI/CD pipeline, although specific metrics are not available. The overall rating for Checkmarx One is seven out of ten, primarily based on the previously mentioned features and capabilities. Checkmarx One is a solid program that has a secure-first mentality, and no specific advice comes to mind for others considering the product. There is no business relationship with the vendor other than being a customer.
Adarkum Kumar
Early detection with custom queries has improved secure coding practices and continuously prevents critical vulnerabilities from reaching deployment
Reviewed on Nov 29, 2025
Review from a verified AWS customer
What is our primary use case?
My main use case for Checkmarx One is as a SAST product. In the Jenkins pipeline, we use it to build or confirm the Checkmarx result. Whenever we find any high or critical severity vulnerability, we break the pipeline and the product does not go to deployment. I use Checkmarx audit a lot. Whenever I find a zero-day vulnerability, we go to Checkmarx audit and write some custom query so that we can find the particular vulnerability in a particular library. Checkmarx One can give us the exact code where that library is deployed and we replace the server version and the library version.
What is most valuable?
The best features Checkmarx One offers are Checkmarx audit and the ability to write custom queries.
Checkmarx One has positively impacted our organization as we tend to find vulnerabilities very early in the development cycle. The initial scans allowed the teams to catch the vulnerabilities early. But after some time, they got used to it and started writing more secure code. In a way, it has saved a lot of time.
What needs improvement?
For Checkmarx One, I think that adding repositories and scanning impromptu code could improve it. Suppose an impromptu team comes and provides the code in a GitLab repo, there should be a quick scan button. You just link the repo and can get a result instantly.
For how long have I used the solution?
I have been using it for five years.
What do I think about the stability of the solution?
Checkmarx One is stable.
What do I think about the scalability of the solution?
Checkmarx One's scalability is good.
How are customer service and support?
We had Checkmarx office hours for customer support, and that helps a lot.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We did not previously use a different solution. We were using the free version of Semgrep .
What was our ROI?
I'm not in a position to provide a return on investment because I'm at a lower level, such as Product Security Engineer. I don't deal with these details.
What other advice do I have?
My advice to others looking into using Checkmarx One is to go for the demo version first and see. If it fits into your pipeline, then go for it.
Checkmarx One is a great tool. SAST-wise, I love it. It's integrating into the pipeline, Checkmarx audit, and manually marking the results as false positive. After the rescan, it does not appear. So that works great.
I found this interview to be good, but I think there should be a pause button. Anyone can take a break and doesn't have to continue for the whole length. You can hit pause and continue whenever you come back.
I would rate this review an 8.
Which deployment model are you using for this solution?
On-premises