# Checkmarx

> Checkmarx is an enterprise application security testing platform that helps organizations find and fix vulnerabilities across their software development lifecycle.

Checkmarx is an enterprise-grade application security testing (AST) platform designed to help development and security teams identify, prioritize, and remediate vulnerabilities throughout the software development lifecycle (SDLC). The platform consolidates multiple security testing disciplines—including static analysis (SAST), software composition analysis (SCA), API security, and infrastructure-as-code scanning—into a unified solution. Checkmarx serves organizations looking to embed security earlier in the development process, commonly referred to as "shifting left."

## What It Is

Checkmarx provides a cloud-native application security platform that integrates directly into developer workflows, CI/CD pipelines, and IDEs. Rather than treating security as a gate at the end of development, Checkmarx positions its tooling as a continuous layer that surfaces issues as code is written and committed. The platform supports a broad range of programming languages and frameworks, making it applicable across polyglot enterprise environments.

## Core Security Capabilities

Checkmarx bundles several distinct security testing engines under one platform:

- **SAST (Static Application Security Testing):** Analyzes source code for security vulnerabilities without executing the application.
- **SCA (Software Composition Analysis):** Identifies open-source dependencies with known vulnerabilities, license risks, and outdated packages.
- **API Security:** Discovers and tests APIs for common vulnerabilities and misconfigurations.
- **IaC Security:** Scans infrastructure-as-code templates (Terraform, CloudFormation, Kubernetes manifests) for misconfigurations.
- **DAST (Dynamic Application Security Testing):** Tests running applications for exploitable vulnerabilities.
- **Container Security:** Scans container images for vulnerabilities in base images and dependencies.

## Developer and CI/CD Integration

Checkmarx is built to integrate into existing developer toolchains. It offers plugins for popular IDEs such as VS Code and JetBrains, as well as integrations with CI/CD platforms including Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket Pipelines. This allows security scans to run automatically on pull requests and commits, surfacing results directly in the developer's environment rather than requiring a separate security portal visit.

## Enterprise Focus and Deployment

Checkmarx targets mid-to-large enterprise customers with complex security and compliance requirements. The platform supports both cloud-hosted (SaaS) and on-premises deployment models, which is a differentiator for organizations in regulated industries that cannot send source code to external services. Checkmarx also provides role-based access controls, audit logging, and reporting features oriented toward security operations and compliance teams.

## AI-Assisted Security

Checkmarx has incorporated AI capabilities into its platform, including AI-powered triage to help reduce false positives and AI-generated remediation guidance that suggests code fixes alongside vulnerability findings. The company has also introduced Checkmarx AI Security, which addresses risks specific to AI-generated code and LLM-integrated applications, reflecting the growing concern around securing AI-assisted development workflows.

## Recognition and Market Position

Checkmarx's own blog posts state that the company was recognized as a "2024 Customers' Choice for Application Security Testing" by Gartner Peer Insights. This is a vendor-attributed claim based on customer review aggregation on the Gartner platform, not an independent analyst ranking. Checkmarx positions itself as one of the established players in the enterprise AST market alongside other dedicated security vendors.

## Features
- Static Application Security Testing (SAST)
- Software Composition Analysis (SCA)
- API Security Testing
- Infrastructure-as-Code (IaC) Security Scanning
- Dynamic Application Security Testing (DAST)
- Container Security Scanning
- AI-powered vulnerability triage
- AI-generated remediation guidance
- IDE plugins for VS Code and JetBrains
- CI/CD pipeline integrations
- Cloud-native SaaS and on-premises deployment
- Role-based access control
- Compliance reporting
- AI code security for LLM-integrated applications

## Integrations
GitHub Actions, GitLab CI, Jenkins, Azure DevOps, Bitbucket Pipelines, VS Code, JetBrains IDEs, Terraform, CloudFormation, Kubernetes, Jira, ServiceNow

## Platforms
WEB, API, VSC_EXTENSION, JETBRAINS_PLUGIN, CLI

## Pricing
Paid

## Links
- Website: https://checkmarx.com
- Documentation: https://checkmarx.com/resource/documents/
- EveryDev.ai: https://www.everydev.ai/tools/checkmarx
