Application Security Testing (AST)

There are risks all along the software development and delivery pipeline. Think of weaknesses in the application code, the libraries of third parties or the implementation templates of Infrastructure as Code (IaC). You limit these risks to a minimum with extensive AST. The Checkmarx One Software Security Platform platform reduces the number of security vulnerabilities in the applications you develop and deploy yourself. It also provides education for developers. The platform integrates seamlessly with DevOps methodologies and fits perfectly into the CI/CD pipeline. The Checkmarx One AST platform sets the new standard in cyber security– from source code level scanning to runtime testing.

Easily integrate one-click AppSec testing with a platform built from Checkmarx' industry-leading technology. Designed for the cloud development generation and delivered from the cloud, it seamlessly secures your entire codebase so can you deliver and deploy more-secure code.

With software at the heart of digital transformation, ensuring it’s secure from a developer’s first code commit through the push to production is essential. Securing the modern application landscape of custom code, open source libraries, open source supply chain, infrastructure as code (IaC), containers, and more requires an all-in-one platform your teams can trust to fully address your risks without slowing you down. 


more requires an all-in-one platform your teams can trust to fully address your risks without slowing you down. 

Organizations that develop their own software use an abundance of AST tools to test their code for security issues at various stages of the SDLC. But none of their tools can actually correlate the many results from the various scan engines.

Without correlation, your view of the overall security of your code is distorted at best. This gap is filled by Checkmarx Fusion providing unprecedented, advanced correlation for AppSec testing in modern application development environments.


Checkmarx One offers:

  1. Integrated and automated security scans performed early and frequently during the software development lifecycle (SDLC). A true shift left with scanning uncompiled code. These scans help detect and fix vulnerabilities before they go into production.
  2. Intelligent recovery guidance and best fix location so developers can fix risks quickly and easily.
  3. Diverse AST solutions to mitigate risk in native code, open source code, Infrastructure as Code (IaC), containers, APIs, and in the open source supply chain.
  4. Comes as Software as a Service (SaaS) or can be self-managed, easily integrates into today’s dev pipelines, and comes with standard and optional AppSec services.
  1. Includes a real-time, integrated, and gamified developer secure code training platform called Codebashing so you and your developers can learn while coding.
  2. Provides a unified dashboard, reporting, and delivers a vastly needed correlation capability called Checkmarx Fusion, with topology and table views so you can truly measure your risk.
  3. Fits well into AppSec programs with SDLC integrations and plugins for IDEs, SCMs, CI/CD pipelines, and the tools you use daily.

No organization is helped by a collection of poorly connected point solutions or a complex test infrastructure. With the assurance of excellent AST services, developers can code boldly and deliver great applications.

The Checkmarx One AST solutions


Integrates simple one-click Application Security testing, designed for the cloud development generation and delivered from the cloud, it seamlessly secures your entire codebase so can you deliver and deploy more-secure code.

Purposely designed for today’s technology stack, processes, vulnerabilities, and risks, the Checkmarx One AST Platform™ is a solution you can rely on. It enables you to simplify security—in application source code, open source dependencies, supply chains, IaC, APIs, containers, and more—all from a single scan.

Static Application Security Testing (SAST)

Provides fast and accurate scans – incremental or full. Flexible and accurate application security without having to build the code first. You just need to check in the code, scan it to get results quickly. Developers can launch scans and view the results within their development environment.

Supports dozens of programming languages and frameworks. Checkmarx SAST is compatible with virtually every mainstream IDE, source code management (SCM) platform, CI server, and so on. Add security scanning seamlessly to existing development pipelines with Checkmarx plugins and out-of-the-box integrations.

Remediation guidance and best fix location ensure you know where and how to resolve a security issue. Our SAST tool helps you fix security flaws quickly and deploy software releases rapidly and continuously.

Source Composition Analysis (SCA)

Gives development, security, and operations teams the tools and insights to address risks associated with the open source code components in their applications. It automatically reveals compromised dependencies, provides a recovery guide as well as license compliance. You can identify the third-party code as well as where it resides within your development landscape. Automated software lists (SBOMs; software bill of materials) are used to check whether the code is vulnerable or safe.

Supply Chain Security (SCS)

Supply Chain Security in combination with SCA delivers automated, policy-based, open source security for DevSecOps. Checkmarx is the solution for managing supply chain risks. Traditional SCA identifies packages with known vulnerabilities (CVEs) or packages that have yet to be updated to a latest version. SCS focuses more on tactics, techniques, and procedures that attackers use to infiltrate an open source supply chain. SCS is part of the SCA module of the platform.

Container Security

The platform can analyze the basic container images used to build an application's container. It also evaluates these images against a continuously updated list of container images with known issues. This prevents applications from being built on insecure foundations. Container security is also included in the SCA part of the platform.

API Security

Using SAST (Static Application Security Testing), this tool discovers every API in modern applications at the source code level. With a full understanding of your API inventory, you can eliminate the problem of shadow and zombie APIs. After automatically discovering and building the API inventory, the solution compares it to the inventory that developers have created themselves. This allows you to quickly isolate security problems. Checkmarx API Security complements runtime security checks such as WAFs and API gateways. These controls create the API context that allows you to keep pace with the rapidly changing application footprint.

IaC Security

Scalable scanning of Infrastructure as Code (IaC) via the platform. This solution simplifies code analysis of IaC files and correlates findings with the Checkmarx One AppSec Platform. It automatically detects unsafe configurations that could expose applications, data or services to attacks. It also offers a better visual insight into the scan results via the platform.

It uses Checkmarx Fusion (see below) to correlate IaC scan results with findings from other scan engines. This gives direction to prioritizing the problems. That puts an end to juggling the overload of warnings to find out which ones really matter.

With more than 2000 customizable queries, it finds vulnerabilities, compliance issues and misconfigurations in IaC solutions such as Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, Helm, Google Deployment Manager, AWS SAM, Microsoft ARM and OpenAPI 3.0 specifications.

Includes native integrations with popular repositories such as GitHub and GitLab, and feedback solutions such as Jira. For example, you can create a ticket to manage scan results in GitHub.


Provides unprecedented, advanced result correlation between the various Checkmarx application security testing solutions. In this 'merger' you see the actual risks so that you can prioritize the right fixes. It visualizes the security risk of an application in the form of a topological view of all threats. This is an easy-to-read chart that shows all software elements, cloud resources consumed, and their interrelationships. Fusion combines and correlates the results of static code scans and runtime scans to eliminate false positives. This reduces warning fatigue and provides a reliable picture of the overall risk position.


Unlike traditional classroom or video-based training, Codebashing is a fun, hands-on, interactive solution that developers can follow as they work. Developers don't learn about security vulnerabilities for a day or more. No, they get bite-sized, on-demand sessions relevant to the specific challenges they face in their code. This form of AppSec Awareness and Secure Code training is much more effective.

Checkmarx offers a unique integration between their SAST solution and their hands-on training in secure coding. The vulnerabilities identified by SAST are linked to relevant, practical training lessons for rapid and targeted remediation guidance. The developer learns why the problem occurred, how to fix it and - more importantly - how to avoid making the same mistake again. All this in less than 5 minutes per lesson.

Checkmarx solutions can run on-premise, in the cloud or in hybrid environments.


Download Portal
Focus Application Security

A Guide to Modern API Security - 2023.04.05

APIs are like highways: They’re everywhere, and although they provide the foundation for interaction between all manner of resources, they also pose challenges.

Focus Application Security

Dropping the SBOM

Why the Industry Must Unite Against Software Supply Chain Cybercrime
SCS is rapidly gaining unwelcome notoriety as high-impact breaches hit the headlines.

Focus Application Security

Checkmarx - SAST - Static Application Security Testing

Today’s software-driven organizations thrive on developing, delivering, and deploying their own innovative applications to enhance their business offerings and better serve their customers.

Focus Application Security

Checkmarx - SCS - Supply Chain Security

Automated Policy-Driven Open Source Security for DevSecOps
A significant challenge of modern application development stems from potential supply chain threats due to the ever-increasing use of OSS.

Focus Application Security

Checkmarx - KICS - IAC- Security Scanning Solution

KICS enables DevOps and Developers who provision their cloud resources using IaC frameworks to shift left by scanning & fixing their IaC misconfigurations, security vulnerabilities before deployment.

Focus Application Security

Checkmarx - API-Security

You Can’t Secure What You Can’t See

Challenges of API Security in a Modern, Cloud-Native World

Focus Application Security

Checkmarx One - Application Security Platform

Without comprehensive AST in your software development pipelines, you’re introducing unnecessary risk to your organization and your
customer base.

Focus Application Security

Datasheet Why Checkmarx

Why Checkmarx
With software everywhere, everything becomes an attack surface. And while “everything” certainly sounds daunting, don’t panic, we’ve got your back.