My main use case for Checkmarx One is that we have a Git repository, and we are implementing and integrating Checkmarx One to our Git repository to manage vulnerabilities and scan for vulnerabilities inside the repository. We are scanning this repo on a monthly or quarterly basis to keep our repositories clean and secured.

A specific example of how I use Checkmarx One with my Git repository is that in the last two months, we first integrated Checkmarx One into our repository and discovered Spring Security vulnerabilities that were causing a lot of issues in our application. Because of Checkmarx One, we easily found which vulnerability was causing the issues in our application. After the scanning, we immediately got the vulnerability list detailing whatever vulnerabilities were present in the repository, and we started working on that. This was really helpful at that time.

The best features Checkmarx One offers include the SAST report, which really helps us during the scan. This report also aids us from a security point of view because there are some IMA controllers included. After getting the report, we have to submit it to the security team, and they scan it. This helps us for security purposes as well.

When I explore Checkmarx One, I find that the SAST capability, accurate findings, and clean UI are very notable. It is a very dependable performance and a highly effective platform for our organization and our company.

Checkmarx One has positively impacted my organization because in the past, when Checkmarx One scan was not implemented, we faced a lot of issues finding vulnerabilities inside the repository. But now, since we have integrated Checkmarx One into our repository, we can smoothly and very easily find vulnerabilities and manage those effectively.

One way Checkmarx One could be improved is if it could automatically run scans every month after implementation. If it is possible to set it in the SAST portal to scan the repositories automatically, that would help us because currently, we have to run Checkmarx One scan manually every time.

From the perspective of needed improvements, first-line support is also necessary for Checkmarx One because sometimes people encounter issues while implementing Checkmarx One. At that time, they need help from Checkmarx team, so that support is also needed.

I am using Checkmarx One for the last one year, and the experience has been very good.

Checkmarx One is stable.

Regarding Checkmarx One's scalability, I have implemented it in two projects, and we are using Checkmarx One in both of those projects.

I can share specific outcomes with Checkmarx One. Before we did not have Checkmarx One scan, so we tried to find vulnerabilities via the G-SOC report, but that was very difficult due to a lot of troubles. However, now, because of Checkmarx One, we easily find scans for particular repositories, which helps us and it consumes very little time, making it efficient for our team as well.

My advice for others looking into using Checkmarx One is that it is good to use. If they want to implement it, I recommend they do so as it saves time and is efficient as well. I would rate Checkmarx One highly based on my positive experience with the product.

Checkmarx One is primarily used for SAST scans in my organization. A specific example of how I use Checkmarx One for SAST scans is in applications that require scanning both static and dynamic vulnerabilities. For the static vulnerabilities, Checkmarx One identifies SQL injections and other static vulnerabilities in the code.

Checkmarx One has been included in the CI/CD pipelines, so it runs automatically for all components and microservices across various applications. The tool indicates severity levels from one, two, three, and so on, and is integrated within the pipeline.

Checkmarx One offers several standout features. The tool summarizes CWE reports so I can identify what is exploitable and what is non-exploitable. It is well-integrated with other internal tools where I can disposition false positives and provides vulnerability resolutions and guidance on how to fix them, which are sometimes very helpful.

The CWE report summaries assist in my daily work by showing up in reports, allowing me to see all types of vulnerabilities at once. The tool indicates when there are multiple vulnerabilities in specific legacy code, for example, by showing that there are 12 findings for CVE X.X, and I can fix them all at once.

Checkmarx One has positively impacted the organization by providing resolution strategies and indicating which vulnerabilities need to be fixed. It is beneficial to catch vulnerabilities early in the pipeline so that any false positives can be addressed later, which is especially important for security in a banking environment.

Checkmarx One can be improved by reducing noise and improving false positive filtering. There are instances when false positives appear, such as when the word 'password' appears in a file, which actually refers to a code variable elsewhere. Checkmarx One could provide better reports, and the UI could be made more user-friendly.

Integration into the IDE being used would be beneficial so that code does not need to be uploaded to the website and an IDE-friendly report could be generated.

Checkmarx One has been used for approximately three years.

Checkmarx One has been stable with no observed issues with downtime or reliability.

Checkmarx One has handled increased workloads adequately.

There has been no interaction with the support team.

Checkmarx One saves significant time because it is directly integrated into the CI/CD pipeline, although specific metrics are not available. The overall rating for Checkmarx One is seven out of ten, primarily based on the previously mentioned features and capabilities. Checkmarx One is a solid program that has a secure-first mentality, and no specific advice comes to mind for others considering the product. There is no business relationship with the vendor other than being a customer.

Checkmarx One is my main tool for vulnerability detection and smooth integration over the things to be scanned. It helps me to perform smooth vulnerability detection. The primary use case that fits into my workflow is to see the vulnerabilities in Checkmarx One dashboard, and then we can fix them. It depends on the vulnerability that we have in our code, and then we do the same until we achieve the desired latency.Checkmarx One dashboard is helpful for scanning, integration, and vulnerability detection.

I have been using Checkmarx One for three years.Checkmarx One positively impacts my organization by detecting vulnerabilities. This is a significant impact when we are going into the coding part. It helps us to do proper coding and deploy with improved performance.The features that help me in my work include CI/CD pipeline integration and code repository integration that are automated with triggering. I can also get scanning results as feedback and testing integration. It supports board security coverage. Checkmarx One is basically embedding security into the developer workflow, which means IDE, plus source code management, plus CI/CD.Checkmarx One has significantly reduced the time we spend identifying vulnerabilities because the scan runs automatically in our CI/CD pipeline. The results are centralized in a single dashboard. This eliminates manual checking and gives us faster visibility into high-risk problems and issues. In terms of collaboration, it helps us improve coordination between development and security teams. We use a shared dashboard. The clear remediation guidelines and automated ticket creation make communication smoother and ensure both teams are aligned on priorities and timelines. Overall, the tool has helped streamline our DevSecOps workflow.

Scanning speed optimization is an area where improvements can be made, and we can reduce false positives. The tool still requires manual verification in some cases, which could be improved. I recommend stronger integration with modern development tools. Other tools might include GitHub Actions, GitLab Runner, and Azure DevOps pipelines.The improvements needed are in scan speed, reducing false positives, and more detailed remediation guidelines. These are the areas where improvements can be made.

I have been using Checkmarx One for three years.

Checkmarx One is very stable, so we switched to it.

Checkmarx One's scalability has changed my organization because the strong collaboration between the development and security team helps us to do things much faster.

I have reached out to customer support for Checkmarx One, and they are very helpful when needed.

We were using a combination of open scanners before Checkmarx One. We might have used SonarQube for code quality and basic security checks, and a tool for dependency checking for vulnerability scanning. While they were very useful, they were not fully integrated. There was a significant gap between them. Overall, when moving to Checkmarx One, it helped us to unify all security checks under one tool, improve visibility, reduce manual effort, and have strong collaboration between the development and security teams.

The setup eliminates a lot of manual coding reviews and reduces the dependency on a dedicated security analyst for the initial stage.

I have seen a return on investment with Checkmarx One as fewer employees are needed and time is also saved.Checkmarx One has definitely helped us to save time and reduce the need for additional security resources, meaning employees. One of the biggest advantages is that the scan runs automatically in our CI/CD pipeline. The results go right to the dashboard or the ticketing system. This eliminates a lot of manual coding reviews and reduces the dependency on a dedicated security analyst for the initial stage. In terms of saving time, I estimate that we have roughly saved twenty to thirty percent of the effort we spent in manual code reviews. For example, in our recent project, I reviewed around two thousand-plus lines of changes, which would naturally take a senior person three to four hours to review. Checkmarx One identified two major vulnerabilities within a second, and the developer fixed them before the migration. This automation protects us from needing additional code reviewers for peak release cycles. Overall, between the fast scanning, automation, automatic reporting, and easy detection, it has reduced manual effort enough that we did not need an extra reviewer, even as our codebase or team size grew.

I am experiencing pricing, setup cost, and licensing for Checkmarx One. I did not see any challenges; the pricing should be reasonable, matching what we are paying for. It is actually reasonable.

Before choosing Checkmarx One, I evaluated other options such as SonarQube.

My advice to others looking into using Checkmarx One would be to look at it. Overall, the tool delivery gives the best result. If your plan is rolled out well, integrate it deeply into the workflow and fine-tune it in your environment so that you can see a better result in Checkmarx One. I would rate this review an eight out of ten.

I would like to refer Checkmarx One as I have been working with it for a long time. I led the implementation of Checkmarx One as the centralized AppSec platform during a large cloud modernization project. We onboarded 200 plus repositories, standardized security policies across teams, and introduced branch-level gating so that no code could reach production unless it passed SAST and SCA quality thresholds. This reduced critical findings by over 70% within the first quarter and aligned engineering with a major, repeatable, secure SDLC process. Overall, I use Checkmarx One as a strategic control point to improve developer velocity while strengthening application security across the full software lifecycle.

I can talk about SAST, which is static application security testing with correlation and prioritization. It automates and identifies insecure coding patterns early in development. The correlation engine links SAST and SCA and API vulnerability, reducing noise. It helps developers fix what is actually exploitable instead of drowning in false positives, improving the developer productivity and accelerating secure SDLC.

The second case I can give is SCA, software composition analysis for open source risk. It monitors CVE, licensing issues, and vulnerable libraries. It helps quickly identify supply chain risk, which is very important in 2025, and automatic PRs to upgrade vulnerable dependencies, saving engineering time and strengthening SBOM and supply chain security postures.

I can talk about IAC security. Terraform, ARM, CloudFormation, Kubernetes manifest detection finds misconfiguration before cloud resources go live, providing fast fixes directly to developers, which eliminates potential cloud exposure at the design stage. It is important for DevSecOps and preventing cloud drift.

I do use the IDE plugin for VS Code and IntelliJ, where a developer gets immediate feedback inside their editor. Issues are fixed at their cheapest point before committing code, which reduces friction between AppSec and engineering, shifting security left in a practical, low-resistance way.

Another example is the CI/CD continuous integration and continuous delivery integration and branch-level gating, which enforces and automates policies. No merge to main unless scans pass removes the manual review bottleneck and ensures consistent governance across teams and environments, creating a repeatable, scalable, secure SDLC.

Checkmarx One's API automation workflows enable automated reporting, custom dashboards, and Slack and Jira alerts, powering enterprise-level orchestration and compliance reporting. It allows integration with SIEM and SOAR for unified visibility and turns Checkmarx One into a security automation powerhouse.

The unified dashboard and risk overview provide a centralized view of SAST, SCA, IAC, and API findings that help AppSec teams prioritize across multiple codebases, allowing managers to get instant insight for audit or executive reporting that provides clarity and data-driven decision making. The day-to-day Checkmarx One features I rely on most are SAST and SCA with the correlation engines because they drastically reduce false positives and help me focus on real exploitable risk. I also use IAC scanning to catch cloud misconfiguration early and IDE plugins to shift security left for developers.

CI/CD gating and the Checkmarx One API are essential because they automate governance and create a consistent, scalable, secure SDLC across teams. The unified dashboard brings everything together, making risk visibility very clear at both engineering and leadership levels.

Checkmarx One is a very strong platform, but there are several areas where it can improve to support modern DevSecOps workflows even better. For example, better real-time developer guidance is needed. The IDE plugin should offer richer AI-powered auto-fixes similar to SNYK Code or GitHub Copilot Security, as current guidance is good but not deeply contextual for large-scale enterprise codebases. This matters because it reduces developer friction and accelerates shift-left adoption.

More transparency control over the correlation engines is another need. The correlation engine is powerful but not fully transparent. Users want to understand why vulnerabilities were correlated or de-prioritized, which helps AppSec teams trust the prioritization logic.

Faster SAST scan and more language coverage is needed since SAST scan can still be slow for very large mono-repos and there is limited deep support for new language frameworks like Rust and Go, along with advanced coverage for serverless-specific frameworks. This matters because large organizations want sub-minute scans in CI/CD as cloud-native ecosystems evolve fast.

A strong API security module is another area for enhancement. API security scanning could be improved with active testing, API discovery, full Swagger, OpenAPI, drift detection, and schema-based fuzzing. This is important as API attacks are one of the biggest AppSec risks in 2025.

Checkmarx One is strong, but I see a few areas for improvement including faster SAST scanning for large mono-repos, deeper language framework support, more transparent correlation logic, and stronger API security that includes discovery and runtime context. The IDE plugin could offer more AI-assisted fixes, and the SBOM lifecycle tracking can evolve further. Enhancing integration with SIEM and SOAR would also make enterprise adoption smoother, and these improvements would help developers and AppSec teams move faster with more accuracy.

I have been working in this field for 15 years and I am a subject matter expert.

Checkmarx One is a scalable product and handles the workload. It depends on the licensing being used, which scales accordingly. Since it is cloud-based, the infrastructure and PaaS, IaaS, and SaaS are taken care of by the cloud marketplace. In our case, we have Azure and everything we are running is managed through Azure.

The customer support team is amazing and they provide on-phone call, email support, and on-website support. It has been a really great experience.

I have used other helpful solutions including SNYK, Veracode, GitHub Advanced Security, and SonarQube before Checkmarx One. These competitors have helped improve my experience with Checkmarx One due to the balance between depth versus speed, policy versus developer experience, and unified AppSec strategy with tuning prioritization.

The deployment was smooth and aligned well with our Azure ecosystem. The Marketplace offering gave us a pre-configured SaaS environment, simplified licensing, and allowed direct integration with Azure AD, Azure DevOps, and Git repos. I initiated the deployment from Azure Marketplace, selected the subscription, resource group, and tenant, and linked it to our enterprise Azure AD. The main feature was fast provisioning through SaaS with no infrastructure to maintain, automatically identifying integration using Azure AD and SSO, with native billing through Azure subscription and pre-configured API endpoint optimized for the Microsoft cloud. The Marketplace deployment eliminated a lot of manual setup compared to traditional AppSec setups.

We deployed Checkmarx One using phases including scale, rollout, monitoring, covering, planning, integration, onboarding, governance, and organization. First, we used discovery and planning, then platform setup and access based on Azure. We integrated CI/CD, developer workflow integration, SAST, SCA, IAC configuration tuning, and dashboard reporting. A full optimization rollout was done.

First, we set up SSO, RBAC, and CI/CD integration. Then, we onboarded repos, tuned SAST, SCA, IAC rules, and rolled out IDE plugins to developers. We automated Jira tickets, enabled branch gating for critical apps, and built risk dashboards using the API. Within a few months, we achieved over 90% repo coverage, reduced false positives significantly, and embedded secure coding directly into developer workflows.

I would like to talk about setup, pricing, and licensing with Checkmarx One. The licensing module is modular consumption-based, and organizations typically license the platform in three ways: module-based licensing, repo-based or LOC-based licensing, and Enterprise Agreement-based licensing. When it goes to Azure Marketplace, billing is directly through Azure subscription, allowing the ability to pay using Microsoft credits and easier contract approval, which procurement loves. Marketplace deals offer pre-configured SaaS tenant in Azure, faster onboarding with native integrations including AAD, Entra, ADO, ARM, or AKS. The Marketplace also offers monthly or annual SKU, add-on modules as needed, and custom quotes for enterprise workloads.

For a small team under 50 developers, normal expenses come under 30 to 60K. For a mid-size team with 50 to 250 developers, the range is 80 to 250K depending on the number of modules. For enterprises with 250 to 2,000 developers, costs range from 250K to 1 million and include SAST, SCA, IAC, and API. Azure Marketplace gives organizations a savings of 10 to 20% by consolidating billing through their Microsoft Enterprise Agreement.

My best advice, a top practical advice to share is to start with governance first, which reduces noise early, integrate everywhere developers work, automate pull request gates, provide developer training, use the analytics dashboard, and align it with your secure SDLC. Checkmarx One works best when implemented as a part of your systematic, automated, developer-first AppSec program. Tune early, automate everything, integrate everywhere, and pair it with proper developer education. The tool's power is in consistency and governance, not just scanning. I would rate this solution a 7 out of 10.

My main use case for Checkmarx One is to perform SAST and SCA scans to web applications.

When a development team needs to scan the code before going to production, I use Checkmarx One to perform the SAST and SCA to evaluate the code security.

After evaluation, if findings are discovered, the team works to fix them.

Checkmarx One is now fully integrated in the CI/CD pipeline. We perform SAST and SCA for more than 2,000 applications globally.

The best features Checkmarx One offers include good integration with SCM tools such as GitHub, Azure DevOps, and Bitbucket.

Whenever a code modification is performed, it scans automatically. The results are retrieved and a dashboard is created for the product owners and application owners to evaluate their security posture.

The dashboard feature helps product and application owners evaluate whether they are achieving the KPI that was implemented. No code with critical or high issues can be accepted in production.

The reporting in Checkmarx One is not comprehensive, so the reports are retrieved and integrated with scan reports to provide an overall overview of each application.

Checkmarx One has positively impacted the organization. Since replacing the previous tool, SAST and SCA scans are conducted in a couple of minutes instead of hours or days. Overall, time has been saved and the speed to market has increased, reducing the timeline from three or four days to one day only.

Checkmarx One can be improved by having editable reporting, so a report creator could be developed to decide what information to provide instead of using only the available templates.

A more efficient dashboard would be beneficial so that views in Checkmarx One can be customized.

The integration part is working easily, and integration with all SCM providers has been completed. Code is now being scanned in Bitbucket, Azure DevOps, and GitHub. The integration is fantastic.

Checkmarx One has been used for the past three years.

Checkmarx One is often down when the cloud provider experiences issues. A more fail-tolerant solution needs to be created.

Checkmarx One's scalability is good for the organization as it handles global needs well. Approximately four billion lines of code are being scanned monthly.

Customer support for Checkmarx One would be rated a seven due to a lack of proactivity.

Before Checkmarx One, a different solution called FOD was previously used. The decision was made to switch because FOD caused significant delays in the CI/CD pipeline.

Before choosing Checkmarx One, other options were evaluated, including FOD and Snyk.

The advice for others looking into using Checkmarx One is to use more automation scripts instead of the web interface, as it makes it easier to handle all features and integrate them in CI/CD pipelines such as onboarding applications, creating project applications, onboarding users, and using the available API. This approach works best for large organizations. The onboarding of almost 2,000 applications has been completed and is working well. The overall review rating for Checkmarx One is nine.

My main case to use Checkmarx One was to streamline validation and quality check across our code, and we are quickly verifying our PCI compliances, identifying inconsistencies, and ensuring that our output meets the required standard before we move on to the next stage.
The platform is integrated into our CI/CD pipelines (Bitbucket/Jenkins), allowing scans to run automatically on every commit or pull request. This ensures vulnerabilities are detected early and fixes are incorporated before code reaches production.

Checkmarx One has significantly improved our organization’s security posture. We now catch vulnerabilities much earlier in the development cycle, which has reduced remediation time and lowered the number of issues reaching production. This has also improved developer efficiency and given us greater confidence in our releases.
Checkmarx One has improved visibility across our codebases. We now have centralized dashboards and consistent scanning across projects, which makes governance and compliance much easier to manage.

Checkmarx One has become an essential part of our current project because in every process of code it checks what type of errors are there, what type of code quality is there, these types of checks and visibility to developers really help and make our project easy to work.

I appreciate most features of Checkmarx One including automated checks, code quality checks, checking the rule-based validation, what type of code coverage is there, whether it's covering or not, whether it's applied or not, these types of issues and triage, what type of triage we will get before merging the code in our production. Logging functionality is also very good, as it will tell if this code is flexible for your current scenario or not. Alert and notification to each customer and each developer is also a big task here. These are the good features, audit and traceability we can say.

Checkmarx One has had a positive impact on our organization, especially in terms of productivity. When we went with manual checks, we spent a lot of time, but automated checks by using Checkmarx One make fixing our issues easier, faster and save our team's time. We save a lot of time here.

By using the automated testing in Checkmarx One, we have saved around one or two days in a full week of our team because we have a lot of code to do with seven markets. In this market, we have to daily push around 20 to 30 tickets per day. This saves us a lot of time, mostly around 16 hours a week.

Checkmarx One is doing great, but there is a need for UI improvement so we can get the exact error over there on our Bitbucket itself. Additionally, if you can improve the speed optimization, it takes around 30 to 40 minutes for checking a build. If you can make it within five minutes or 10 minutes, that would be great. This feature is something I want from your side.

Integration with Checkmarx One is easy, so it is not complicated. However, reporting is complicated because it takes a lot of time to report the errors and it makes around 40 to 50 minutes for a build. After we push the code, it will give around 40 to 50 minutes. Therefore, you need to work on the reporting part and apart from that, it is doing a great job here.

You are doing a great job in checking the code quality, bug fixing, vulnerabilities, and security aspects. However, one thing you have to improve is your reporting time should be less. It takes around 40 to 50 minutes, so you need to reduce it to within 10 to 20 minutes.

In my current project, I am using Checkmarx One and from the last four years, we have been working with Checkmarx.

The solution has been very stable. Scans run reliably, the platform is consistently available, and we haven’t experienced unexpected downtime. It’s dependable enough to integrate directly into our CI/CD workflow.

Overall, scalability has been solid. The platform supports our growing workloads and additional applications without requiring major configuration changes. A bit of tuning was needed in the beginning, but after that it has been smooth.

Customer support has been excellent. The team is responsive, knowledgeable, and quick to assist when issues arise. Whether it’s configuration questions or troubleshooting, they consistently provide clear and actionable guidance.

Before Checkmarx One, we relied on a mix of manual code reviews and basic scanning tools. As our codebase grew, this approach wasn’t scalable or consistent. We switched to Checkmarx One because it offered deeper coverage, automation, and a unified platform for SAST, SCA, and other security scans

Setup was generally easy, but it required coordination between development and security teams to ensure SAST, SCA, and pipeline integrations were properly configured. Once aligned, the rollout was smooth.

We implemented Checkmarx One using our in-house team. The setup was manageable with the documentation provided, and we were able to configure the platform without needing external assistance.

Our ROI has been strong. We’ve reduced manual code review time by around 25–30%, allowing developers to focus more on feature delivery. The automation and early detection of vulnerabilities have noticeably lowered rework costs.

Checkmarx One is a premium solution, so budget accordingly. Make sure you understand how licensing scales with additional applications and users. I advise negotiating multi-year contracts or bundles, as these can reduce costs and simplify licensing.

Yes, we evaluated a few other application security platforms, but Checkmarx One provided the best combination of accuracy, ease of integration, and centralized scanning capabilities

I find this interview great, and there is nothing that I think should change for the future. You are doing a great job here.

If someone is looking for code quality, then my advice is to use Checkmarx One. This is the best solution to provide efficiency in your work, code compliance, security, and scalability in your code. You can also save a lot of time by using Checkmarx One to scan your code. I would recommend you, if you are looking to save time checking the code, then Checkmarx One is the best solution for you. I would rate this product a 9 out of 10.