Checkmarx One Reviews

Name: Checkmarx One
Brand: Checkmarx
Rating: 3.8 (70 reviews)

Vendor: Checkmarx

3.8 out of 5

70 reviews
87% willing to recommend

4,046 followers

Start review

What is Checkmarx One?

Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.

Get the Checkmarx One Buyer's Guide and find out what your peers are saying about Checkmarx One, SonarQube Server (formerly SonarQube), GitLab and more!

Checkmarx One is the #2 ranked solution in top Static Code Analysis solutions, #2 ranked solution in top DevSecOps solutions, #3 ranked solution in application security solutions, #3 ranked solution in AST tools, #4 ranked solution in API Security Solutions, #10 ranked solution in top Risk-Based Vulnerability Management solutions, and #24 ranked solution in top Vulnerability Management solutions. PeerSpot users give Checkmarx One an average rating of 7.6 out of 10. Checkmarx One is most commonly compared to SonarQube Server (formerly SonarQube): Checkmarx One vs SonarQube Server (formerly SonarQube). Checkmarx One is popular among the large enterprise segment, accounting for 70% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 21% of all views.

Helped 849,686 peers since 2012

Featured Checkmarx One reviews

Rohit Kesharwani

Manager, Engineering at 7-Eleven.

We integrate Checkmarx into our software development cycle using GitLab's CI/CD pipeline. Checkmark has been the most helpful for us in the development stage. The solution's incremental scanning feature has impacted our development speed. The solution's vulnerability detection is around 80% to 90% accurate. I would recommend Checkmarx to other users because it is one of the good tools for doing security analysis and security identification within the source code. Overall, I rate Checkmarx a nine out of ten.

Read full review

ScottDenton

Senior regional manager at AppDome

The interactive application security testing, or IAST, where code scans are being ran on an application that lives in a runtime environment on a server or virtual machine, needs improvement. There was limited support from different languages. It didn't support everything under the sun, so you would lose revenue since you didn't have support for Scala or some other language that your developer was fluent in. They needed to improve on language support. That is about it, really. The dev team did everything that they said they were going to do. If they said they were going to hit a mark, they'd hit a mark. That release would come out. Typically, they would do four major releases a year, quarterly, with two-point releases in between, or based on any additional hotfixes that may be needed. In most cases, however, IAST was the part of the product that needed to be improved the most. Codebashing is a really cool product from the aspect of teaching developers how to write secure code. However, it would be even cooler if you could not only point out and teach someone how to do it while also making the appropriate recommendation on how to rewrite the code itself, using machine learning or AI. Instead of you, the developer learning how to do it and then writing the code yourself, it'd be cooler if you could push a button, have it analyzed, scans the code, find the code, find the issue within the line of code, and then go ahead and automatically rewrite that code for you. Then, by repetition, it just teaches you through muscle memory how to do that as opposed to, "Hey, you've found this problem. This is where the problem's located, within this particular line of code." Right now, do you know how to rewrite Java? Well, if you're not familiar with how to do that, then go push on this button. Now, take this test and go through this exercise.” It doesn't make a recommendation. It's not like providing a script that fixes the problem. It's just teaching you on how to write the code in that form in that manner.

Read full review

San K

Senior Group Leader at Infosys

I rate Checkmarx eight out of 10. It's secure, easy to use, and Checkmarx regularly updates their rule sets. I'm happy with the main features of the product, but some of the additional features didn't work for us in the beginning, like scanning at the source code repository level, reporting, etc. There was a lot of back and forth before it started working, so that's why I deducted two points. My advice for future Checkmarx users is to plan the initial deployment well. You will have to choose the right system configuration: CPUs, RAM, disk space, and backup policy. If you plan ahead, you won't have any issues trying to debug or when the size increases.

Read full review

Checkmarx One mindshare

Product category:

As of May 2025, the mindshare of Checkmarx One in the Application Security Tools category stands at 10.3%, down from 14.8% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Application Security Tools

PeerResearch reports based on Checkmarx One reviews

Type	Title	Date
Category	Application Security Tools	May 1, 2025	Download
Product	Reviews, tips, and advice from real users	May 1, 2025	Download
Comparison	Checkmarx One vs SonarQube Server (formerly SonarQube)	May 1, 2025	Download
Comparison	Checkmarx One vs Veracode	May 1, 2025	Download
Comparison	Checkmarx One vs Snyk	May 1, 2025	Download

Title	Rating	Mindshare	Recommending
SonarQube Server (formerly SonarQube)	4.0	24.5%	81%	114 interviews Add to research
GitLab	4.3	2.9%	97%	82 interviews Add to research

Valuable Features

Checkmarx One excels with its intuitive UI, ease of use, and comprehensive scanning capabilities. It highlights exact lines of vulnerabilities, supports incremental scanning without needing code compilation, and integrates seamlessly with key repositories. Users appreciate its ability to improve secure coding skills by providing coding syntax guidance. Checkmarx One supports numerous programming languages and reduces false positives. Its integration with tools like BitBucket and Jira, and flexible API make it highly effective.

"Checkmarx offers many valuable features, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IAC), Supply Chain Security, and API Security."
"The most valuable features of Checkmarx are its integration with multiple SCM solutions and CICD tools, its ability to scale according to user licenses, and the quick scanning process."
"The tool's valuable features include integrating GPT and Copilot. Additionally, the UI web representation is very user-friendly, making navigation easy. GPT has made several improvements to my security code."

Room for Improvement

Checkmarx One users suggest improvements in supporting more programming languages, reducing false positives, and offering better role management. They find pricing and licensing inflexible and costly. Integration with other tools and customization options should be enhanced. Reports need more detail and customization, and automatic handling of installation and configuration issues is requested. Users seek better API functionality, dynamic testing features, and clearer guidance on resolving vulnerabilities and managing large projects.

"The Dynamic Application Security Testing (DAST) feature should be better."
"Checkmarx needs improvement in its Dynamic Application Security Testing (DAST) and API security features."
"I can't create a business case with multiple-factor authentication."

ROI

Many users note that quantifying ROI from Checkmarx One can be challenging, but it enables faster secure development by identifying issues early, reducing rework. They acknowledge savings in troubleshooting costs and quicker production launches. While some have seen immediate returns, others appreciate its potential and commit long-term. Common benefits include improved security practices, cost-effectiveness, and significant time reduction in deploying applications, with potential ROI visible within six months.

Pricing

Enterprise users generally find Checkmarx One pricing competitive but expensive, especially per line of code and number of users. Some appreciate its investment value and flexibility for various environments, while others mention unclear licensing models with additional costs for components and services. Pricing can range from $75k to $500k annually, influenced by user count and project needs. Discounts and negotiation opportunities exist, with some users paying extra for professional services and additional features.

"For around 250 users or committers, the cost is approximately $500,000."
"The tool's pricing is fine."
"The solution's price is high and you pay based on the number of users."

Popular Use Cases

Businesses primarily utilize Checkmarx One for static code scanning to uncover security vulnerabilities in source code. They integrate it into software development lifecycle processes to detect application flaws early, ensuring vulnerability-free code before production. It's used for external application assessments, mobile security checks, compliance with best practices, fixed vulnerabilities at the build level, and training developers in secure coding. Users often connect via self-hosted Git, with deployments on-premises or cloud-based, depending on requirements.

Service and Support

Checkmarx One's customer service and support receive positive feedback, with ratings generally around 8/10. The technical support team is considered knowledgeable, responsive, and skilled. Some users appreciate being able to communicate with Russian-speaking engineers. However, there are reports of slow response times, especially concerning more technical issues. Users appreciate the availability of public resources and quick responses, contrasting with some reports of prolonged ticket resolution. Overall, Checkmarx One's support remains a key strength, despite areas for improvement.

Deployment

Checkmarx One's initial setup is often described as straightforward, with users finding it easy to follow due to clear documentation and installer wizards. While the process typically involves a basic computing environment and single-user maintenance, some find configuration complex, requiring technical knowledge for settings like SSL or LDAP. Challenges arise with cloud environments, impacting time and resources. For most, deployment takes a few minutes to days, though some report longer durations depending on integration needs.

Scalability

Checkmarx One scales efficiently across various environments. Users report minimal issues, noting its ability to handle large codebases with ease. The licensing model affects scalability, and additional resources may be needed for larger deployments. Many rate its scalability highly, appreciating its cloud-based nature and capability for concurrent scans. Teams find it adaptable to different enterprise sizes, with ease in adding more engines and users, though some occasionally encounter scaling challenges.

Stability

Many users find Checkmarx One stable, with no significant issues encountered. Some experience occasional memory consumption problems and service freezes during large scans. Performance can slow with many incremental scans. Some configuration-related issues arise with larger codebases, requiring fine-tuning. Most rate stability between eight to ten out of ten, while some consider it a four. Regular updates and fixes help maintain stability, but some suggest improvements. Checkmarx is generally reliable and recommended.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Checkmarx One Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

21%

Computer Software Company

14%

Manufacturing Company

10%

Government

Insurance Company

Healthcare Company

Energy/Utilities Company

Retailer

Educational Organization

University

Media Company

Comms Service Provider

Construction Company

Non Profit

Real Estate/Law Firm

Legal Firm

Outsourcing Company

Transportation Company

Logistics Company

Hospitality Company

Engineering Company

Performing Arts

Wholesaler/Distributor

Consumer Goods Company

Pharma/Biotech Company

Recreational Facilities/Services Company

Aerospace/Defense Firm

Compare Checkmarx One with alternative products

Learn more about Checkmarx One

Checkmarx One offers comprehensive application scanning across the SDLC:

Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
API security
Dynamic Application Security Testing (DAST)
Container security
IaC security
Correlation, prioritization, and risk management
Codebashing secure code training
AI security
Tech partnerships extending AppSec into runtime analysis
Developer tool integrations including: CI/CD tools, development frameworks, feedback tools, IDEs, programming languages and SCMs

Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.