Sold by
Checkmarx One
Checkmarx One helps you deliver secure software faster with an integrated Application Security Testing platform deployed as a service. A single event, like a code commit or build stage, can trigger scans of your source code, dependencies, and IaC templates, with results aggregated in one place.
Reviews (62)
Program Development
Seamless Developer Workflow Integration for Real-Time Vulnerability Fixes
Reviewed on May 31, 2026
Review provided by G2
What do you like best about the product?
Checkmarx integrates directly into the developer workflow. By providing plugins for popular IDEs, CI/CD pipelines, and source code management (SCM) platforms, it allows developers to catch and fix vulnerabilities in real time without context-switching
What do you dislike about the product?
Running the application can strain local servers, and I note that the system requires substantial RAM and processing power to perform efficiently.
What problems is the product solving and how is that benefiting you?
Checkmarx solves the critical problem of vulnerabilities slipping into production code, which directly benefits me by reducing security risks and saving development time.
Information Technology and Services
Proactive Security and Smooth Cross-Team Collaboration
Reviewed on May 30, 2026
Review provided by G2
What do you like best about the product?
Its proactive approach to security.. I like how it enables you to collaborate with other teams.
What do you dislike about the product?
the only concern I had initially was the complexity the platform has a steep learning curve. and the Cost
What problems is the product solving and how is that benefiting you?
Protects customers data, and lowered remediation cost.
Amshu P.
Powerful for Security, But Needs UI Improvements
Reviewed on May 27, 2026
Review provided by G2
What do you like best about the product?
I like Checkmarx for its security testing at the application level. It's practical even though it wasn't really easy to use at first. I appreciate its security capabilities, easy navigation, and the reporting which works pretty well.
What do you dislike about the product?
It was really tough for me to use initially, felt kinda confusing but got used to it as I started working with it. UI could be better. Scans take a lot of time and I used to get false positives, which required so much energy ugh. I stopped using it because the cost was too high for my boss and he stopped paying for it. Tough, it took like, days for the team to properly set it up.
What problems is the product solving and how is that benefiting you?
Checkmarx helps with scanning code and addressing security issues, offering good security testing capabilities with easy navigation and solid reporting for our team.
Tadele L.
Essential for Secure Development, Accurate and Efficient
Reviewed on May 26, 2026
Review provided by G2
What do you like best about the product?
I like Checkmarx for its accurate vulnerability detection, easy CI/CD integration, and detailed remediation guidance that helps developers fix security issues quickly.
What do you dislike about the product?
Checkmarx could improve scan performance for large projects, reduce false positives, and provide a more user-friendly interface for easier navigation and reporting.
What problems is the product solving and how is that benefiting you?
Checkmarx helps us identify and fix application security vulnerabilities early in the development lifecycle, improve secure coding practices, and automate security testing within CI/CD pipelines.
Navdeep_Singh
Security scans have transformed how I detect vulnerabilities and collaborate on rapid remediation
Reviewed on Jan 24, 2026
Review provided by PeerSpot
What is our primary use case?
My main use case for Checkmarx One is mostly for scanning and vulnerability detection, and in that, I mostly use the SAST scans and access management for users and the remediation part for scans.
A recent scenario is that Checkmarx One is integrated with the pipeline, so mostly our DevOps engineer can scan it from the pipeline, the security scan is initiated, and I get reports in Checkmarx, and I share that, and accordingly, I help developers to remediate vulnerabilities in the code. That's how I use it.
I also manage policies that are for security scan features like implementation of security gates, according to which, the application will be blocked from pipeline production. And to reduce vulnerability, mostly, I use it.
What is most valuable?
The best features Checkmarx One offers, in my opinion, are that it is easy to use, and there is not much deep diving into this. Anyone can use it for scanning purposes and for security gate purposes. It is really helpful, to be honest. For me, I personally believe it is a great tool.
The entire process in Checkmarx One is easy to understand, and although not a particular part stands out, there are no multiple features which I need to enable, or I have to deep dive into another tab or options for scanning and doing work. I can directly do this from the home page, and I can use it even for basic tasks.
Checkmarx One has helped with efficiency and security for sure, as I am able to detect vulnerabilities on the earliest basis and help developers to remediate them. It really helps a lot at the enterprise level.
Most probably, the most common thing that Checkmarx One does is reduce the vulnerabilities and the criticality of the vulnerabilities also. I am able to detect, and in the same way, I can collaborate with developers to remediate them on the earliest basis. That is a useful part.
What needs improvement?
I wish there could be some features to improve Checkmarx One, but I don't think so. It is an easy-to-use application, so I'm happy with the current features. I don't think there is anything required.
The latest version or upgraded version of Checkmarx One is too good, and I'm satisfied.
There are some downtimes when Checkmarx One is being upgraded to the latest version or some improvement is there. Sometimes I face issues, and I get a notification from Checkmarx. That's okay.
For how long have I used the solution?
I have been using Checkmarx One for the last three years for my daily work in the office, in my daily routine work.
What do I think about the scalability of the solution?
Checkmarx One's scalability is that I have a limited license number, and accordingly, it is able to manage most of my scans and the number of scans at the same time.
How are customer service and support?
Customer support for Checkmarx One is good because I had some doubts or issues, so I asked them, and I got a reply within 24 working hours. That's good, I would say.
What other advice do I have?
I would advise others to use Checkmarx One, as it is a good application, and for most of the work I do, I would suggest SAST scans are really helpful, and it is easy to use. I need not do much work, and it will be helpful for any organization that is using it. I'm not sure about the pricing metrics, but it is helpful. I gave this review a rating of 9.5 out of 10.
Ján J.
Great Automation and UI, But Needs Better Kotlin Support
Reviewed on Dec 10, 2025
Review provided by G2
What do you like best about the product?
Helps to automate a security review of a codebase. Easy to implement into existing repositories. Nice intuitive user interface and good vulnerability descriptions with a hints where in code and how to fix.
What do you dislike about the product?
Unfortunately Checkmarx reported a huge number of false positives for Kotlin based projects. Probably this language is poorly supported because there were no such issues in more popular languages like Java or Javascript.
What problems is the product solving and how is that benefiting you?
Helps to catch a new security vulnerabilities at each code commit and forces developers to fix them before pushing to production code.
Kapileanuj Vinayak
Regular code scans have improved vulnerability detection and keep our repositories secure
Reviewed on Dec 05, 2025
Review provided by PeerSpot
What is our primary use case?
My main use case for Checkmarx One is that we have a Git repository, and we are implementing and integrating Checkmarx One to our Git repository to manage vulnerabilities and scan for vulnerabilities inside the repository. We are scanning this repo on a monthly or quarterly basis to keep our repositories clean and secured.
A specific example of how I use Checkmarx One with my Git repository is that in the last two months, we first integrated Checkmarx One into our repository and discovered Spring Security vulnerabilities that were causing a lot of issues in our application. Because of Checkmarx One, we easily found which vulnerability was causing the issues in our application. After the scanning, we immediately got the vulnerability list detailing whatever vulnerabilities were present in the repository, and we started working on that. This was really helpful at that time.
What is most valuable?
The best features Checkmarx One offers include the SAST report, which really helps us during the scan. This report also aids us from a security point of view because there are some IMA controllers included. After getting the report, we have to submit it to the security team, and they scan it. This helps us for security purposes as well.
When I explore Checkmarx One, I find that the SAST capability, accurate findings, and clean UI are very notable. It is a very dependable performance and a highly effective platform for our organization and our company.
Checkmarx One has positively impacted my organization because in the past, when Checkmarx One scan was not implemented, we faced a lot of issues finding vulnerabilities inside the repository. But now, since we have integrated Checkmarx One into our repository, we can smoothly and very easily find vulnerabilities and manage those effectively.
What needs improvement?
One way Checkmarx One could be improved is if it could automatically run scans every month after implementation. If it is possible to set it in the SAST portal to scan the repositories automatically, that would help us because currently, we have to run Checkmarx One scan manually every time.
From the perspective of needed improvements, first-line support is also necessary for Checkmarx One because sometimes people encounter issues while implementing Checkmarx One. At that time, they need help from Checkmarx team, so that support is also needed.
For how long have I used the solution?
I am using Checkmarx One for the last one year, and the experience has been very good.
What do I think about the stability of the solution?
Checkmarx One is stable.
What do I think about the scalability of the solution?
Regarding Checkmarx One's scalability, I have implemented it in two projects, and we are using Checkmarx One in both of those projects.
Which solution did I use previously and why did I switch?
I can share specific outcomes with Checkmarx One. Before we did not have Checkmarx One scan, so we tried to find vulnerabilities via the G-SOC report, but that was very difficult due to a lot of troubles. However, now, because of Checkmarx One, we easily find scans for particular repositories, which helps us and it consumes very little time, making it efficient for our team as well.
What other advice do I have?
My advice for others looking into using Checkmarx One is that it is good to use. If they want to implement it, I recommend they do so as it saves time and is efficient as well. I would rate Checkmarx One highly based on my positive experience with the product.
reviewer2783283
Automated security scans have strengthened pipeline checks and now need better noise reduction and IDE integration
Reviewed on Nov 29, 2025
Review provided by PeerSpot
What is our primary use case?
Checkmarx One is primarily used for SAST scans in my organization. A specific example of how I use Checkmarx One for SAST scans is in applications that require scanning both static and dynamic vulnerabilities. For the static vulnerabilities, Checkmarx One identifies SQL injections and other static vulnerabilities in the code.
Checkmarx One has been included in the CI/CD pipelines, so it runs automatically for all components and microservices across various applications. The tool indicates severity levels from one, two, three, and so on, and is integrated within the pipeline.
What is most valuable?
Checkmarx One offers several standout features. The tool summarizes CWE reports so I can identify what is exploitable and what is non-exploitable. It is well-integrated with other internal tools where I can disposition false positives and provides vulnerability resolutions and guidance on how to fix them, which are sometimes very helpful.
The CWE report summaries assist in my daily work by showing up in reports, allowing me to see all types of vulnerabilities at once. The tool indicates when there are multiple vulnerabilities in specific legacy code, for example, by showing that there are 12 findings for CVE X.X, and I can fix them all at once.
Checkmarx One has positively impacted the organization by providing resolution strategies and indicating which vulnerabilities need to be fixed. It is beneficial to catch vulnerabilities early in the pipeline so that any false positives can be addressed later, which is especially important for security in a banking environment.
What needs improvement?
Checkmarx One can be improved by reducing noise and improving false positive filtering. There are instances when false positives appear, such as when the word 'password' appears in a file, which actually refers to a code variable elsewhere. Checkmarx One could provide better reports, and the UI could be made more user-friendly.
Integration into the IDE being used would be beneficial so that code does not need to be uploaded to the website and an IDE-friendly report could be generated.
For how long have I used the solution?
Checkmarx One has been used for approximately three years.
What do I think about the stability of the solution?
Checkmarx One has been stable with no observed issues with downtime or reliability.
What do I think about the scalability of the solution?
Checkmarx One has handled increased workloads adequately.
How are customer service and support?
There has been no interaction with the support team.
What other advice do I have?
Checkmarx One saves significant time because it is directly integrated into the CI/CD pipeline, although specific metrics are not available. The overall rating for Checkmarx One is seven out of ten, primarily based on the previously mentioned features and capabilities. Checkmarx One is a solid program that has a secure-first mentality, and no specific advice comes to mind for others considering the product. There is no business relationship with the vendor other than being a customer.
Adarkum Kumar
Early detection with custom queries has improved secure coding practices and continuously prevents critical vulnerabilities from reaching deployment
Reviewed on Nov 29, 2025
Review from a verified AWS customer
What is our primary use case?
My main use case for Checkmarx One is as a SAST product. In the Jenkins pipeline, we use it to build or confirm the Checkmarx result. Whenever we find any high or critical severity vulnerability, we break the pipeline and the product does not go to deployment. I use Checkmarx audit a lot. Whenever I find a zero-day vulnerability, we go to Checkmarx audit and write some custom query so that we can find the particular vulnerability in a particular library. Checkmarx One can give us the exact code where that library is deployed and we replace the server version and the library version.
What is most valuable?
The best features Checkmarx One offers are Checkmarx audit and the ability to write custom queries.
Checkmarx One has positively impacted our organization as we tend to find vulnerabilities very early in the development cycle. The initial scans allowed the teams to catch the vulnerabilities early. But after some time, they got used to it and started writing more secure code. In a way, it has saved a lot of time.
What needs improvement?
For Checkmarx One, I think that adding repositories and scanning impromptu code could improve it. Suppose an impromptu team comes and provides the code in a GitLab repo, there should be a quick scan button. You just link the repo and can get a result instantly.
For how long have I used the solution?
I have been using it for five years.
What do I think about the stability of the solution?
Checkmarx One is stable.
What do I think about the scalability of the solution?
Checkmarx One's scalability is good.
How are customer service and support?
We had Checkmarx office hours for customer support, and that helps a lot.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We did not previously use a different solution. We were using the free version of Semgrep.
What was our ROI?
I'm not in a position to provide a return on investment because I'm at a lower level, such as Product Security Engineer. I don't deal with these details.
What other advice do I have?
My advice to others looking into using Checkmarx One is to go for the demo version first and see. If it fits into your pipeline, then go for it.
Checkmarx One is a great tool. SAST-wise, I love it. It's integrating into the pipeline, Checkmarx audit, and manually marking the results as false positive. After the rescan, it does not appear. So that works great.
I found this interview to be good, but I think there should be a pause button. Anyone can take a break and doesn't have to continue for the whole length. You can hit pause and continue whenever you come back.
I would rate this review an 8.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Gideon Anichi
Reselling has delivered fast secure-code training and streamlined code review for development teams
Reviewed on Nov 28, 2025
Review from a verified AWS customer
What is our primary use case?
My main use case for Checkmarx One is that I am a reseller, and the company I work for is a reseller. What I typically do with Checkmarx One is implementation, helping our clients or customers to meet their use cases, support, and setting up, and also using it to show the customer how to use the product.
A very recent implementation I can think of is that we had a client that wanted to do SAST, and we sold Checkmarx One to them for their SAST implementation. I was able to walk the clients through how to use the platform, how to review the source code with Checkmarx One, and most especially how to use the one-fix remediation features of Checkmarx whereby you can use the recommendation from Checkmarx One to fix the issues found in the source code.
What is most valuable?
The best features that Checkmarx One offers in my experience include its reliability in managing false positives, the integration to the CI/CD pipeline, and most importantly, the Codebashing feature that Checkmarx One has where developers can learn how to code better and securely.
In terms of usability, Checkmarx One is one of those solutions where implementation is very straightforward and within the next few minutes after implementing Checkmarx One, you can actually start getting results almost instantly. The ease of use is there, and the usability shows that the time to generate returns on your investment is very quick.
From my point of view as a professional service or support engineer, Checkmarx One has positively impacted my organization and clients. The fact that clients come back to renew their Checkmarx One subscription means that it is valuable to them, and winning new deals means that the solution is actually meeting the need in the market. I have deployed Checkmarx One for different clients and resold Checkmarx One to different clients, and that can only be because the solution does exactly what it says it does.
After implementing Checkmarx One, the time it takes for clients to come up with secure code has been a lot faster. Once you implement Checkmarx One, you can be sure that you're getting value from the solution almost immediately because Checkmarx One also handles false positives very effectively, saving you time and saving your developers time. This has really improved the client's experience.
Additionally, Checkmarx One also has the Codebashing feature that helps to provide further knowledge to the customer on how to write secure codes, and that's a very outstanding feature of Checkmarx One.
What needs improvement?
Checkmarx One is doing a lot already, and what I would just ask is for Checkmarx One, as a company, to look into investing in RASP because being a very good SAST to DAST solution, RASP is becoming increasingly needed, especially from the reseller vendor side. If Checkmarx One could start development of a RASP platform, that would do us a lot of good.
RASP is the key one for me.
For how long have I used the solution?
I have been working in my current field for about over eight years.
What do I think about the stability of the solution?
Checkmarx One is very stable in my experience.
What do I think about the scalability of the solution?
Checkmarx One's scalability is good; it can handle growing needs or larger environments easily.
How are customer service and support?
I have relied on Checkmarx One customer support hundreds of times for several things, and Checkmarx One support is very proactive and very responsive. You can rely on them.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have not previously used a different solution for my clients; it has most times always been Checkmarx One.
How was the initial setup?
The ease of use is there, and the usability shows that the time to generate returns on your investment is very quick. That is something that is outstanding about Checkmarx One.
What about the implementation team?
Due to the number of years I've implemented Checkmarx One, there are rebates and discounts from the OEM which makes it a lot more profitable, and in terms of setup costs, it's already factored into the cost of the solution. The clients we are deploying for usually manage that cost. We have a good relationship with generating a license and all of that, so the experience is seamless and really good.
What was our ROI?
I have to mention again that I am not a direct user of Checkmarx One, as I implement Checkmarx One for clients and use it in clients' environments. The person who has the most accurate answer around return on investment would be the client. However, based on my interactions with the clients, I can tell that there is a return on investment because if something is not profitable and it's not helping to save costs or vulnerabilities, clients wouldn't come back to renew their license year after year. I would say that while I may not have direct metrics, I can affirm that there is a good return on investment for our clients' environments.
What's my experience with pricing, setup cost, and licensing?
Due to the number of years I've implemented Checkmarx One, there are rebates and discounts from the OEM which makes it a lot more profitable, and in terms of setup costs, it's already factored into the cost of the solution. The clients we are deploying for usually manage that cost.
Which other solutions did I evaluate?
Before choosing Checkmarx One, we did not evaluate other options for clients; in most cases, clients really wanted Checkmarx One themselves, so we just implement Checkmarx One for them.
What other advice do I have?
I would rate Checkmarx One an eight out of ten.
I choose eight out of ten because Checkmarx One is outstanding; truthfully, Checkmarx One is really, really good.
My advice for others looking into using Checkmarx One is to come to me; let me sell Checkmarx One to you. I have good experience using Checkmarx One, and I can help you set up your Checkmarx One to ensure that you're getting your return on value quickly. If you're looking for a SAST solution that would provide a return on investment and assist with source code scanning to improve your entire SDLC cycle, Checkmarx One is a tool that you can rely on. My overall rating for Checkmarx One is eight out of ten.
Which deployment model are you using for this solution?
Private Cloud