Checkmarx One Platform Update 3.54 | SAST, DAST, and Secrets Detection
Checkmarx | March 10, 2026 | By Chris Carpenter
Checkmarx One 3.54 Update: Stronger Application Security Governance And CI/CD Integration
Checkmarx One 3.54 improves enterprise application security with AI-driven SAST query tuning, expanded secrets detection, DAST automation, and unified reporting across DevSecOps security scanners.
Enterprise application security programs operate across hundreds of repositories, distributed engineering teams, and complex release pipelines. Security tooling must support automation, governance, and measurable risk reduction across the SDLC.
The Checkmarx One 3.54 release focuses on operational maturity for DevSecOps programs. Updates across SAST, SCA, DAST, secrets detection, and analytics introduce stronger identity controls, improved vulnerability management workflows, and better reporting across scanners.
For enterprise leaders responsible for secure software delivery, these updates improve risk prioritization, reduce operational friction for development teams, and provide clearer metrics for security posture.
AI QUERY BUILDER FOR FASTER CxQL CUSTOMIZATION
Checkmarx One introduces an AI-assisted Query Builder within the Queries Editor. The feature helps AppSec teams generate and refine CxQL queries using guided prompts.
Key capabilities include
automated query generation based on security patterns
quick regeneration and editing for improved accuracy
copy-ready queries for integration into scanning rules
Enterprise impact
Large organizations often maintain custom SAST rules aligned with internal security policies. Writing and maintaining these queries requires specialized expertise.
The AI Query Builder supports
faster query creation for secure coding rules
improved consistency in vulnerability detection
reduced false positives from poorly written queries
Operational example
A security engineer refining a query for a legacy application can quickly test variations and deploy updates across multiple repositories without long review cycles.
CUSTOM STATES FOR SCA AND IaC FINDINGS
Checkmarx One now supports custom states for risks detected by SCA and Infrastructure as Code scanners. These states can be managed directly in the web application.
Organizations can define custom dispositions such as
vendor fix pending
compensating control approved
accepted business risk
Enterprise value
Security programs often require consistent vulnerability disposition across different scanners. Custom states allow teams to align triage outcomes with compliance frameworks and internal governance policies.
This improves
audit traceability for vulnerability decisions
standardized remediation workflows
clearer reporting across security teams
APPLICATION CLASSIFICATION FOR BUSINESS RISK PRIORITIZATION
Applications within Checkmarx One can now be classified as Business or Internal.
Business applications represent systems that directly impact customers or revenue. Internal applications represent supporting systems used inside the organization.
Enterprise impact
Security dashboards in large portfolios can become overloaded with findings from internal utilities and experimental projects. Classification allows leadership to focus risk reviews on applications that carry real business impact.
This supports
clearer executive reporting
improved prioritization of remediation efforts
alignment between security activity and business value
GITHUB APP AUTHENTICATION FOR REPOSITORY INTEGRATIONS
Checkmarx One now supports GitHub App authentication for repository integrations. This replaces long-lived credentials with short-lived tokens that rotate automatically.
Capabilities include
granular permission scopes for repository access
automatic token rotation
compatibility with GitHub Enterprise Managed Users
Enterprise value
Identity management plays a central role in secure DevSecOps pipelines. GitHub App authentication reduces credential exposure and aligns repository scanning with enterprise identity governance practices.
DevOps teams benefit from simpler integration management and reduced credential maintenance.
LEAST PRIVILEGED IAM ROLES FOR DEVSECOPS OPERATIONS
New IAM roles provide more precise access control for different user groups.
Examples include
plugin scanner role for CI/CD pipelines and IDE scanning
analytics developer assist view role for read-only analytics access
standalone plugin role for generating API keys without tenant-wide permissions
Enterprise impact
Access governance often determines how well security programs scale. These roles allow organizations to extend scanning capabilities across teams while maintaining strict access control policies.
Security leaders gain
improved compliance with access review requirements
clearer separation of duties
reduced administrative overhead
SECRETS DETECTION ACROSS GIT HISTORY AND COLLABORATION PLATFORMS
Checkmarx One expands secrets detection coverage beyond active code.
New capabilities include
scanning Git commit history through UI, CLI, and API
scanning Confluence content using API-triggered scans
centralized results within the secrets detection viewer
Enterprise value
Credentials and tokens often appear in commit history or collaboration systems used by engineering teams. Expanding coverage across these locations reduces the risk of credential exposure.
Security teams can respond faster to incidents by identifying exposed secrets across repositories and documentation systems.
DAST AUTOMATION FOR ENTERPRISE APPLICATION TESTING
Checkmarx One adds new automation capabilities for Dynamic Application Security Testing.
Proxy support allows DAST scans to reach internal applications behind corporate firewalls.
Additional CLI functionality enables
automated environment configuration
scripted authentication and session handling
programmatic scan execution and results retrieval
Enterprise impact
Dynamic testing often remains outside automated pipelines due to network restrictions and manual configuration. These updates allow organizations to integrate DAST into CI/CD workflows and maintain consistent testing coverage across environments.
UNIFIED SECURITY REPORTING ACROSS MULTIPLE SCANNERS
Reporting and analytics capabilities now include data from container security, secret detection, and repository health scanners.
Enhancements include
consolidated security reports across scanners
analytics dashboards with container security metrics
custom date range filters for release reporting
Enterprise value
Security leaders require consolidated metrics across multiple scanning tools. Unified reporting simplifies governance and supports executive-level visibility into application security trends.
Development leaders gain clearer insights into vulnerability trends during specific release cycles.
DEVELOPER ASSIST DASHBOARD FOR AI REMEDIATION INSIGHTS
Checkmarx One introduces a Developer Assist Usage Dashboard that tracks adoption of AI-driven remediation recommendations.
Metrics include
number of AI suggestions generated
developer fix interactions
usage trends across scanners
Enterprise impact
Organizations investing in AI-assisted security tooling require measurable adoption data. This dashboard helps leadership evaluate how effectively development teams are using AI guidance during remediation.
WHAT CHECKMARX ONE 3.54 MEANS FOR ENTERPRISE APPSEC PROGRAMS
The Checkmarx One 3.54 release strengthens the operational structure of enterprise DevSecOps programs.
Organizations gain
improved identity and access governance for security integrations
better vulnerability prioritization through application classification
stronger secrets detection coverage across repositories and collaboration tools
unified reporting across multiple security scanners
These capabilities support security programs that must protect large software portfolios while maintaining fast delivery cycles.
HOW MERITO HELPS ENTERPRISES IMPLEMENT CHECKMARX ONE
Successful AppSec adoption requires more than enabling scanners. Enterprises need standardized workflows, governance models, and integration patterns across CI/CD pipelines.
Merito helps organizations operationalize Checkmarx One through
enterprise DevSecOps architecture design
CI/CD integration for SAST, SCA, DAST, and container scanning
identity and access governance configuration
vulnerability triage workflows aligned with compliance frameworks
enterprise security reporting and metrics frameworks
As a Value Added Partner for DevSecOps and application security platforms, Merito helps enterprises deploy Checkmarx One in a way that aligns security controls with real delivery workflows.
FREQUENTLY ASKED QUESTIONS
WHAT ARE THE KEY FEATURES IN CHECKMARX ONE 3.54?
Major updates include AI Query Builder for SAST queries, GitHub App authentication for repository integrations, custom states for SCA and IaC findings, expanded secrets detection, and unified reporting across security scanners.
HOW DOES CHECKMARX ONE SUPPORT ENTERPRISE DEVSECOPS PROGRAMS?
Checkmarx One integrates security testing across the SDLC through SAST, SCA, DAST, container security, and secrets detection while providing centralized reporting and governance controls.
WHAT IS THE PURPOSE OF AI QUERY BUILDER IN CHECKMARX ONE?
AI Query Builder helps security teams create and refine CxQL queries used in SAST scanning. This improves vulnerability detection accuracy and reduces false positive findings.
HOW DOES GITHUB APP AUTHENTICATION IMPROVE SECURITY INTEGRATIONS?
GitHub App authentication uses short-lived tokens with automatic rotation and scoped permissions. This improves credential management and aligns integrations with enterprise identity governance.
WHAT IS THE ROLE OF SECRETS DETECTION IN APPLICATION SECURITY?
Secrets detection identifies exposed credentials such as API keys and tokens within source code, commit history, and documentation systems. This reduces the risk of unauthorized system access.
HOW CAN DAST BE AUTOMATED IN CI/CD PIPELINES USING CHECKMARX ONE?
Checkmarx One provides CLI-based DAST automation and proxy support, allowing dynamic security testing to run inside CI/CD pipelines for internal and external applications.
HOW CAN MERITO HELP IMPLEMENT CHECKMARX ONE IN ENTERPRISE ENVIRONMENTS?
Merito provides DevSecOps architecture planning, CI/CD pipeline integration, security governance frameworks, and enterprise rollout strategies for Checkmarx One deployments.
WHY SHOULD ENTERPRISES WORK WITH A CHECKMARX VALUE ADDED PARTNER?
A partner like Merito provides expertise in SDLC tooling, DevSecOps integration, and enterprise application security governance, ensuring faster adoption and sustainable security practices.