Checkmarx • Application security
Checkmarx SAST scans 30+ languages including Java, JavaScript, TypeScript, Python, C#, Go, Rust, Apex, and COBOL with reachability-aware findings, Best Fix Location guidance, and a custom query language (CxQL) that lets AppSec teams encode their own coding standards.
Merito sells Checkmarx SAST and tunes static analysis to the customer's actual codebase, integrating findings into PR review and build-gate policy across the SDLC so the AppSec backlog stays signal over noise.
What it is
Checkmarx SAST is the static analysis engine inside Checkmarx One. Its language breadth covers JavaScript and TypeScript, Java, C# and .NET, Python, Go, Rust, Ruby, PHP, Kotlin, Scala, Swift, C/C++, Apex, and COBOL. The same engine handles modern microservices and the legacy stacks regulated enterprises still maintain, which is the reason large AppSec programs pick Checkmarx over single-language specialists.
Two engine features carry most of the program-level value. Best Fix Location returns one fix point per logical vulnerability instead of dumping every flow path as a separate ticket and tells the developer where one edit closes the most paths. Custom rules through the CxQL query language let AppSec teams encode internal standards (must use this internal crypto wrapper, must validate input through this gateway, must not log this PII field) so policy enforcement runs inside the scanner instead of being managed in a separate document nobody reads.
The Exploitable Path Analysis (EPA) signal extends from SCA into SAST findings: vulnerabilities in code paths that are not actually called from production entry points get demoted, so the backlog reflects what an attacker can reach instead of every theoretically vulnerable line. On portfolios with deep dependency trees and large legacy footprints, that distinction is the difference between a 50,000-finding backlog nobody touches and a several-thousand-finding queue that AppSec actually works.
What kills SAST adoption is policy drift. Programs that take vendor-default policies and never tune them generate huge false-positive volumes, lose developer trust by month two, and eventually become a checkbox scan that nobody reads. Merito's engagement starts with policy tuning to the customer's risk tolerance, suppression discipline that is auditable rather than a graveyard of ignored findings, and PR-time integration so developers see results in the workflow they already use.
Ideal use cases
What it is best at
30+ languages including JavaScript, TypeScript, Java, C#, .NET, Python, Go, Rust, Ruby, PHP, Kotlin, Scala, Swift, C/C++, Salesforce Apex, and COBOL. Single-language SAST tools force enterprises to bolt together specialist scanners; Checkmarx covers the modern and the legacy stacks in one engine.
One fix point per logical vulnerability instead of one ticket per flow path. On large codebases this is the difference between a 50,000-finding backlog and a tractable queue. Developers stop seeing duplicates of the same issue under different stack traces.
Larger AppSec programs need to enforce their own coding standards (internal crypto wrapper required, input must traverse named gateway, certain logging patterns are forbidden). CxQL lets AppSec architects write those rules into the scanner directly. Few competing SAST tools expose a real query language at this depth.
Exploitable Path Analysis demotes findings in unreachable code paths so the backlog reflects what attackers can actually exploit. Combined with SCA reachability on dependencies, the program ships fewer tickets that developers correctly recognize as noise.
Incremental scan mode analyzes only the diff and reaches deltas in seconds rather than re-scanning the full codebase every PR. Build-gate latency stops being the reason developers ask to bypass SAST.
Core capabilities
The static analysis core that does the heavy lifting across modern and legacy code.
30+ language support
JavaScript, TypeScript, Java, C#, .NET, Python, Go, Rust, Ruby, PHP, Kotlin, Scala, Swift, C/C++, Salesforce Apex, COBOL, and more in a single engine. Supports microservices and mainframe-adjacent code in the same program.
Best Fix Location
Identifies the single edit point that resolves the largest number of flow paths and emits one finding instead of dozens. Reduces ticket volume on enterprise codebases by a meaningful margin.
Incremental scanning
Diff-based analysis returns PR-time results in seconds instead of full-scan minutes. Keeps build gates fast enough that developers stop asking to skip SAST.
Exploitable Path Analysis (EPA)
Reachability-aware scoring that demotes unreachable findings. The backlog reflects what an attacker can exploit from real entry points.
Encoding the customer's internal coding standards inside the scanner instead of in a wiki.
CxQL query language
First-class custom-rule authoring. AppSec architects write organization-specific rules (internal crypto wrappers, mandatory input gateways, banned logging patterns) and ship them as scanner policy.
Policy tuning per application
Severity and rule sets tunable per repository or business unit, so internal-tooling code does not get audited like a public-facing payment service.
Suppression discipline
Auditable suppression workflows with expiry, reviewer assignment, and rationale capture. Suppressions stop being permanent ignore lists.
SAST in the developer workflow, not a separate dashboard.
PR-time scanning
Runs against the diff in the pull request and posts findings as PR comments. Developers see issues in the review they were already doing.
Build-gate policy
Configurable thresholds (severity, count, age) that pass or fail builds. Block-on-introduce policy stops new vulnerabilities while triage works the legacy backlog.
Findings forwarding
Direct integration with Jira, Azure Boards, ServiceNow, and other ticket systems. Findings become trackable work items rather than dashboard rows.
IDE integration
VS Code, IntelliJ, and Eclipse plugins surface findings during authoring. Pairs naturally with Checkmarx Developer Assist for AI-suggested fixes.
Where it fits in the stack
Deployment and implementation
Licensing and packaging
Checkmarx One Essentials
SAST plus baseline SCA and Container Security in a single bundle.
Best for: Programs starting consolidation onto Checkmarx One.
Checkmarx One Advanced
Adds DAST, API Security, IaC Security, Malicious Package Protection, and Repository Health.
Best for: Mature AppSec programs running multiple scan types.
Checkmarx One Enterprise
Adds AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs with AI-augmented triage and supply-chain governance in scope.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Tenant setup, policy tuning, language configuration, and CI/CD integration.
Explore service02AppSec program scoping for Checkmarx SAST adoption alongside or against Snyk Code, Veracode, OpenText SAST, and Semgrep.
Explore service03PR-time SAST gates and build-gate policy in Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket.
Explore service04Developer-facing SAST adoption and AppSec champion programs.
Explore service05Named engineer, priority SLAs, and release-time coverage for Checkmarx SAST in production.
Explore service06Long-term run support including policy tuning, CxQL rule maintenance, and triage operating-model evolution.
Explore service07Role-based training for AppSec architects, security engineers, and developers using Checkmarx SAST output.
Explore service08Merito-placed AppSec engineers and Checkmarx specialists embedded on long-running programs.
Explore serviceCheckmarx SAST licensing
Merito sells Checkmarx SAST and delivers the policy tuning, CxQL custom-rule authoring, suppression discipline, and PR-time CI/CD integration that turn the scanner into a working AppSec program.
Merito point of view
Merito has rolled out Checkmarx SAST on programs where the engine works fine, language coverage is solid, and the backlog still grows uncontrollably. The cause is almost always that vendor-default policies were never tuned to the customer's actual risk tolerance, suppressions accumulated as a permanent ignore list instead of an auditable workflow, and findings flowed to a queue that nobody owned. Those are policy and operating-model problems, and no SAST replacement fixes them.
Merito recommends Checkmarx SAST specifically when the program needs language breadth across modern and legacy stacks, when CxQL custom rules let internal coding standards become enforceable, or when consolidation onto a single Checkmarx One platform pays back the migration cost. For programs that are already running mature Snyk Code or Veracode pipelines, replacing them with Checkmarx is a 12-month project that often does not deliver enough delta to justify the disruption. Merito runs that decision honestly.
Best Fix Location and Exploitable Path Analysis are the two engine features that materially change backlog math. Programs adopting Checkmarx SAST without using either are leaving the productized advantages on the table. Merito's engagements turn both on early so the program ships fewer false positives and lower-priority findings.
What buyers usually underestimate
Related from Merito
Related solutions
Related services
Related products
Frequently Asked Questions
Consultation request
Share your codebase profile, current SAST tool (if any), and AppSec program shape. A Merito Checkmarx specialist follows up within one business day.
Language breadth
30+ languages including COBOL and Apex alongside JavaScript and Go. One scanner across the portfolio instead of stitched specialist tools.
Policy first
Vendor defaults generate noise. Merito's first thirty days are policy tuning, CxQL rule authoring, and suppression-workflow design.
Next step
A Merito Checkmarx SAST engagement starts with policy tuning, CxQL rule authoring, and PR-time integration. Day-one defaults are how programs lose developer trust by month two.