
Checkmarx One pros and cons

Vendor: Checkmarx
3.9 out of 5
Badge Ranked 1

Pros & Cons summary


Prominent pros & cons

PROS

Checkmarx One allows for SAST scanning of uncompiled code, making pre-compile scanning seamless and increasing code analysis efficiency.
It integrates with multiple SCM solutions and CI/CD tools, facilitating enhanced code security reviews and speeding up the development lifecycle.
Checkmarx One's ability to track vulnerabilities inside the code and pinpoint their origin and destination ensures early detection and resolution strategies.
The automation and information provided in the reports deliver valuable insights, aiding in finding vulnerabilities early in the development cycle.
Integration of the solution has led to significant reductions in workload and saved time by handling false positives effectively, positively impacting the speed to market.

CONS

Checkmarx One could improve by expanding application language and framework support, including comprehensive mobile application and open-source tool coverage.
Checkmarx One needs to report fewer false positives, since issues currently have to be segregated manually and marked as "Not exploitable".
Checkmarx One should enhance support for different licensing models and language capabilities, such as the Swift programming language.
Checkmarx One's integration into continuous delivery pipelines and its compatibility with DevSecOps need attention.
Checkmarx One's pricing model is deemed expensive and complex, suggesting room for improvement.
 

Checkmarx One Pros review quotes

RJ
Founder at a tech company with 51-200 employees
Feb 2, 2017
The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled.
it_user318207 - PeerSpot reviewer
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
Sep 26, 2016
It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repo formats (Git, TFS, SVN, Perforce, etc.).
it_user531780 - PeerSpot reviewer
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
Oct 13, 2016
We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code.
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
880,745 professionals have used our research since 2012.
it_user538254 - PeerSpot reviewer
Assistant Manager Business Development at a tech services company with 501-1,000 employees
Oct 23, 2016
Fewer false-positive errors compared to any other solution.
it_user547335 - PeerSpot reviewer
Innovation Consultant (Security Analyst) at a tech services company with 1,001-5,000 employees
Nov 6, 2016
Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application.
GG
Technical Program Manager at an engineering company with 10,001+ employees
Jan 16, 2017
The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions).
it_user592359 - PeerSpot reviewer
SRE Vice Group Manager at a tech services company with 10,001+ employees
Jan 23, 2017
The solution allows us to create custom rules for code checks.
it_user598917 - PeerSpot reviewer
Senior Manager at a financial services firm
Jan 31, 2017
Scan reviews can occur during the development lifecycle.
YD
Sr. Security Engineer at SugarCRM
Jul 4, 2017
Vulnerability details are valuable.
it_user607392 - PeerSpot reviewer
Security test engineer at a tech vendor with 10,001+ employees
Feb 12, 2017
The solution communicates where to fix the issue for the purpose of fewer iterations.
 

Checkmarx One Cons review quotes

RJ
Founder at a tech company with 51-200 employees
Feb 2, 2017
The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools.
it_user318207 - PeerSpot reviewer
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
Sep 26, 2016
Metadata is always needed.
it_user531780 - PeerSpot reviewer
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
Oct 13, 2016
Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”.
it_user538254 - PeerSpot reviewer
Assistant Manager Business Development at a tech services company with 501-1,000 employees
Oct 23, 2016
Licensing models and Swift language support are the aspects in which this product needs to improve. Swift is a new language, in which major customers require support for lower prices.
it_user547335 - PeerSpot reviewer
Innovation Consultant (Security Analyst) at a tech services company with 1,001-5,000 employees
Nov 6, 2016
Some of the descriptions were found to be missing or were not as elaborate as other descriptions. Although they could be found across various standard sources, it would save a lot of time for developers if this was fixed.
GG
Technical Program Manager at an engineering company with 10,001+ employees
Jan 16, 2017
The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode.
it_user592359 - PeerSpot reviewer
SRE Vice Group Manager at a tech services company with 10,001+ employees
Jan 23, 2017
This product requires you to create your own rulesets. You have to do a lot of customization.
it_user598917 - PeerSpot reviewer
Senior Manager at a financial services firm
Jan 31, 2017
C, C++, VB and T-SQL are not supported by this product, although C and C++ were advertised as being supported.
YD
Sr. Security Engineer at SugarCRM
Jul 4, 2017
Implementing a blackout time for any user or teams: Needs improvement.
it_user607392 - PeerSpot reviewer
Security test engineer at a tech vendor with 10,001+ employees
Feb 12, 2017
The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered.