Checkmarx Overview

Checkmarx is the #2 ranked solution in our list of AST tools. It is most often compared to SonarQube.

What is Checkmarx?

Checkmarx CxSAST is a highly accurate and flexible Static Code Analysis product that allows organizations to automatically scan un-compiled / un-built code and identify hundreds of security vulnerabilities in all major coding languages. CxSAST is available as a standalone product and can be effectively integrated into the Software Development Lifecycle (SDLC) to streamline detection and remediation. CxSAST can be deployed on-premise in a private data center or hosted via a public cloud.

Checkmarx Buyer's Guide

Download the Checkmarx Buyer's Guide including reviews and more. Updated: May 2021

Checkmarx Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech

Case Study: Liveperson Implements Innovative Secure SDLC

Director and Co-Founder at Ushiro-tec
Real User
The Best Fix Location & Payments Features Can Save Time Mitigating Network Configurations

What is our primary use case?

We use Checkmarx to review the source code for the external applications that we expose to the cloud or other servers on the internet.

Pros and Cons

  • "The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time."
  • "With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too."

What other advice do I have?

We have a small team. It is about four people in total. We do not require that many staff for the deployment and maintenance of Checkmarx. We are testing the solution in a small local company. Our idea is to expand the use of it to our clients in the West. In this space, you can have different points of view, and if you are only looking for a solution to do a check in your audit report, then you can choose any one. If you are really worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution. I would rate Checkmarx a nine out of…
Principal Software Engineer at SingTel Internet Exchange
Vendor
I like the code consistency feature, but it should have a dynamic testing feature to avoid false duplicates

What is our primary use case?

Code scan. We performed periodic static code scans on copies of our Git repository to identify possible vulnerabilities.

How has it helped my organization?

Code consistency. It prompted our developers to fix code or document code they otherwise would not have done.

What is most valuable?

The consistency of code. Showed our team where they are inconsistent or where they have made simple omissions.

What needs improvement?

Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives.

For how long have I used the solution?

One to three years.
Business Analyst at a tech services company with 201-500 employees
Real User
It made our organization more efficient with our whole code scan/deployment process for our software applications.

What is our primary use case?

Our primary use case solution is for code scanning.

How has it helped my organization?

It has made our organization more efficient with our whole code scan/deployment process for our software applications.

What is most valuable?

The most valuable features are:

  • Ease of use
  • Dashboard
  • Interface
  • Report

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

I have not had an issue with stability of the product.

What do I think about the scalability of the solution?

There have been no issues with scalability that I am aware of.

How are customer service and technical support?

I have not needed the use of technical support.

Which solution did I use previously and why did I switch?

Technical Architect at Photon Interactive
MSP
It gives the proper code flow of vulnerabilities and the number of occurrences

What is our primary use case?

I have used it for source code scanning of security vulnerabilities. It seems to be a good tool. It gives the proper code flow of vulnerabilities and the number of occurrences.

How has it helped my organization?

We have scanned various applications with it. It works fine, although we need to check manually for false positive issues. 

What is most valuable?

After scanning, it shows in-depth code of where actual vulnerabilities are, which helps us to analyze them.

What needs improvement?

It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use.

For how long have I used the solution?

One to three years.
Security Source Code Analyst at a tech services company with 10,001+ employees
Consultant
Easy to insert in the SDLC, but the CxAudit tool has room for improvement

Pros and Cons

  • "The most valuable feature for me is the Jenkins Plugin."
  • "I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
  • "Updating and debugging of queries is not very convenient."

What other advice do I have?

Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications).
Sr. Security Engineer at SugarCRM
Real User
Security testing solution with vulnerability details and planned blackout times.

Pros and Cons

  • "Vulnerability details is valuable."
  • "Implementing a blackout time for any user or teams: Needs improvement."

What other advice do I have?

I don't like the latest license update. I can't set a limit for the reviewer account.
Head of the Application Security Unit at a financial services firm with 5,001-10,000 employees
Vendor
Both automatic and manual code review are possible. We can set up proper reports of code vulnerability.

Pros and Cons

  • "Both automatic and manual code review (CxQL) are valuable."
  • "Integration into the SDLC (i.e. support for the latest version of SonarQube) could be added."

What other advice do I have?

Ask to meet another customer with the same needs or the same kind of organization, to learn from their experience.
Security test engineer at a tech vendor with 10,001+ employees
Vendor
Communicates where to fix the issue for fewer iterations. Resolutions should be provided for installation issues due to internal security policies.

Pros and Cons

  • "The solution communicates where to fix the issue for the purpose of fewer iterations."
  • "The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered."

What other advice do I have?

Go for it, if you want testing on the code level.
SAP FIORI / HCP Consultant at Silveo
Consultant
Helps us check vulnerabilities in our applications. I would like to integrate it as a service along with the cloud platform.

Pros and Cons

  • "Helps us check vulnerabilities in our SAP Fiori application."
  • "I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."

What other advice do I have?

It is a good tool. I recommend it in order to ensure software quality.
Technical Program Manager at an engineering company with 10,001+ employees
Real User
Acts as the first check point during our consulting for apps that are looking for a security assessment or Penetration Testing.

Pros and Cons

  • "The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions)."
  • "The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."

What other advice do I have?

I recommend to have a live session with the marketing team, to have a demo and to track all your doubts before purchasing. Checkmarx is a powerful tool but you need to be sure what you are using, and what it is for. You could use just 20% of what the tool can do, and therefore waste your money. So either fully learn how to use it and evaluate if it’s the right scanning tool to have, or go for a better and cheaper option.
Innovation Consultant (Security Analyst) at a tech services company with 1,001-5,000 employees
Consultant
It makes it easier to identify code vulnerabilities by presenting the flow of malicious input and fixing it.

Pros and Cons

  • "Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."
  • "Some of the descriptions were found to be missing or were not as elaborate as compared to other descriptions. Although they can be found across various standard sources, it would save a lot of time for developers if this were fixed."

What other advice do I have?

Better to look out for other products available in the market as well.
Senior Manager at a financial services firm
Vendor
We felt like we were the extended quality organization as they frequently released poor quality patches that broke the existing functionality.

Pros and Cons

  • "Scan reviews can occur during the development lifecycle."
  • "C, C++, VB and T-SQL are not supported by this product, although C and C++ were advertised as being supported."

What other advice do I have?

The product is not mature and ready for enterprise usage yet. It is okay to use it when the support expectations are low and the code is in languages that require support only in Java and .NET.
Founder at a tech company with 51-200 employees
Real User
It can scan precompiled (source) code, as well as compiled (binary) code.

Pros and Cons

  • "The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled."
  • "The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."

What other advice do I have?

The Checkmarx CxSuite product works well, delivers efficiency to the SDLC, and most important of all, it effectively improves application security. It works!
SRE Vice Group Manager at a tech services company with 10,001+ employees
Consultant
We can create custom rules for code checks. You have to do a lot of customization.

Pros and Cons

  • "The solution allows us to create custom rules for code checks."
  • "This product requires you to create your own rulesets. You have to do a lot of customization."
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
It scans code for security vulnerabilities without needing to compile first. It reports many false positives.

Pros and Cons

  • "We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
  • "Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”."

What other advice do I have?

Personally, I recommend Checkmarx for static analysis.
Assistant Manager Business Development at a tech services company with 501-1,000 employees
Consultant
It offers comprehensive and incremental scanning, and supports all major languages.

Pros and Cons

  • "Fewer false positive errors as compared to any other solution."
  • "Licensing models and Swift language support are the aspects in which this product needs to improve. Swift is a new language, in which major customers require support for lower prices."

What other advice do I have?

Go for it.
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
It allows for SAST scanning of uncompiled code. More API functionality should be added.

Pros and Cons

  • "It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repo formats (Git, TFS, SVN, Perforce, etc.)."
  • "Metadata is always needed."
Full Stack Developer at a tech services company with 51-200 employees
Consultant
It helps with vulnerability scanning of code to prevent vulnerabilities in our applications.

What is most valuable?

It provides us with code analysis.

How has it helped my organization?

It helps with vulnerability scanning of code to prevent vulnerabilities in our applications.

For how long have I used the solution?

I've used it for one year.

What was my experience with deployment of the solution?

No issues encountered.

How was the initial setup?

It was straightforward, as it has easy-to-follow steps. I worked for an IT security firm and it was quite easy to set up the product for demo purposes…
Co-Founder, CTO at a tech services company with 51-200 employees
Consultant
It allows us to verify the dev department's code in order to minimize security holes, but it needs better role management.

What is most valuable?

They're all as valuable as each other.

How has it helped my organization?

We have used this product to verify the dev department's code in order to minimize security holes.

What needs improvement?

It needs better role management.

For how long have I used the solution?

I've used it for three years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service: It's very good. Technical Support: It's very good.

Which solution did I use previously and why did I switch?

This is the only solution I have…
Cyber-Ark Consultant at a tech services company with 51-200 employees
Consultant
It is a very good product, but it needs a better understanding of file references.

What is most valuable?

It provides a graphical view of any vulnerabilities.

How has it helped my organization?

I have used it as a consultant.

What needs improvement?

It could be improved with more reporting of false positives and the understanding of file references.

For how long have I used the solution?

I've used it for one year.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

One needs to be sure of the number of LOC that will be run and also the size of the code.

How are customer service and technical support?

Customer Service: 8/10. Technical Support: 8/10.

Which solution did I use previously