fitgap

Checkmarx

Pricing from
$25 per user per month
Free Trial
Free version unavailable
User corporate size
Small
Medium
Large
User industry
  1. Healthcare and life sciences
  2. Banking and insurance
  3. Information technology and software

What is Checkmarx

Checkmarx is an application security testing platform used to identify and manage security issues in source code and application components across the software development lifecycle. It supports developer and security teams with static analysis, software composition analysis, and additional testing capabilities that can be integrated into CI/CD pipelines. The platform emphasizes policy-based risk prioritization, workflow integration (issue trackers and pipelines), and centralized reporting for AppSec programs.

Pros

Broad AppSec testing coverage

Checkmarx provides SAST as a core capability and also offers complementary testing modules (such as DAST and API-focused testing in some editions) to cover multiple stages of the SDLC. This helps teams consolidate findings and governance across different testing approaches. Compared with tools focused mainly on code quality or a single language/runtime, it is designed for security-specific workflows and remediation.

CI/CD and workflow integrations

The product integrates with common source control systems and CI/CD tools to run scans automatically on pull requests and builds. It supports exporting findings to issue trackers so developers can remediate within existing workflows. These integrations help operationalize DevSecOps practices by making scans repeatable and auditable.

Centralized governance and reporting

Checkmarx includes centralized dashboards, policy controls, and reporting that support security program oversight across multiple applications and teams. It enables triage workflows to manage false positives and prioritize remediation based on risk. This is useful for organizations that need consistent controls and evidence for internal governance or compliance.

Cons

Tuning and triage effort

Like many SAST-centric platforms, initial rollout often requires rule tuning, baseline creation, and process changes to manage noise and false positives. Teams typically need time to calibrate policies and severity thresholds to match their risk appetite. Without this effort, scan results can overwhelm developer backlogs.

Resource and runtime considerations

Static and dynamic scans can be compute-intensive, especially for large repositories or frequent pipeline execution. Organizations may need to plan for scan scheduling, incremental scanning strategies, or additional build resources to avoid slowing delivery. This can be more noticeable than lightweight linters or code-quality-only tools.

Licensing and module complexity

Capabilities are commonly packaged as separate modules/editions, which can complicate procurement and long-term cost management. Organizations may need to evaluate which components (SAST, SCA, DAST, API testing, etc.) are required to meet their security objectives. This can add administrative overhead compared with single-purpose tools.

Plan & Pricing

| Plan | Price | Key features & notes |
| --- | --- | --- |
| Checkmarx Developer Assist (IDE agent) | $25/month/user (purchase); 1-month free trial (Explore) | Real-time inline vulnerability detection and explainable fixes in the IDE; pre-commit remediation; supports Cursor, Windsurf, VS Code, and AWS Kiro. (Pricing & trial explicitly listed on the official product page.) |
| Checkmarx One (platform) | Custom pricing — Contact sales | Enterprise AppSec platform (unified SAST, SCA, API Security, ASPM, etc.). Packaging page directs customers to request a custom quote; no public list prices. |
| Checkmarx DAST (CxDAST) | Custom pricing — Contact sales | DAST is available as an add-on to Checkmarx One or as a standalone product; official DAST product page instructs visitors to contact Checkmarx for a price quote. |
| Checkmarx SAST (CxSAST) | Custom pricing — Contact sales | Market-leading static application security testing; Checkmarx packaging/pricing pages direct customers to contact sales for pricing. |
| Checkmarx SCA (CxSCA) | Custom pricing — Contact sales / Request a demo | Software Composition Analysis (SCA) product page offers demos and contact pathways but does not show public pricing; no explicit permanent free tier found. |

Seller details

Checkmarx Ltd.
Ramat Gan, Israel
2006
Private
https://checkmarx.com/
https://x.com/checkmarx
https://www.linkedin.com/company/checkmarx/

Tools by Checkmarx Ltd.

Checkmarx
Checkmarx Codebashing
Codebashing

Best Checkmarx alternatives

GitLab
Codacy
Semgrep
Qwiet AI