Checkmarx Reviews & Insights

Score: 9.2 out of 10

21 Reviews and Ratings

Community insights

TrustRadius Insights for Checkmarx are summaries of user sentiment data from TrustRadius reviews and, when necessary, third party data sources.

Pros

Valuable Code Scanning and Accurate Results: Many users have found Checkmarx to be a valuable tool for scanning code and providing accurate results. It allows for in-depth analysis by providing the flow of code from source to execution.

User-Friendly Interface and Intuitive Nature: The easy-to-understand interface and user-friendly nature of Checkmarx have been appreciated by reviewers. They find it very intuitive, making reviewing code and scanning for vulnerabilities simple.

Effective Security Threat Identification: Checkmarx has received praise for its ability to scan any application and identify security threats effectively. Users appreciate its reliability in identifying all security vulnerabilities, making their code more secure.

Checkmarx Reviews

3 Reviews (reviewer industries: Computer Software 1, Internet 1, Telecommunications 1)

Checkmarx for improving overall SAST security posture

Rating: 8 out of 10
Incentivized

Use Cases and Deployment Scope

Checkmarx was used as a reactive SAST security control in my org for code security scans, secret detection and license scanning. We also used it to assess our overall SAST structure through dashboards and metrics such as MTTR. There were a lot of grey areas where devs needed assistance with the vulnerable piece of code, and Checkmarx used to provide great insights on that.

Pros

  • Code security scans where issues need to be tagged as Critical or High and need to be merged into the PR
  • Secrets that are hard-coded in the code or in the comments of the PR
  • License scanning, where devs will have an idea whether they are using the right set of open source packages

Cons

  • DAST capability is one area where it does not support the native use case of an OTP-based architecture
  • API scanning is something that lacks a bit due to not many customizations
  • Branch-wise reports for SAST are not available

Likelihood to Recommend

If you are going with a SAST process or want to improve your overall security posture, then go for it, e.g. by integrating it with post-deployment steps.
If you are more concerned about proactive controls, better choose other options such as pre-commit hooks and CI security. Also choose other tools for DAST and API scans.
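The review above treats secret detection as a reactive, post-merge control and points to pre-commit hooks as the proactive alternative. Below is an added example of such a hook, written for this page and not code from the reviewer or from Checkmarx: a Python script that scans the files staged for commit for hard-coded credentials (a few regex rules plus a Shannon-entropy check on long quoted literals) and exits non-zero when any are found. The rule patterns, the entropy threshold, the `--demo` flag and the sample configuration text are assumptions constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Pre-commit secret check.

Added example, not Checkmarx code or part of the review above. It scans
the files staged for commit for hard-coded credentials and returns a
non-zero exit status when any are found. The rule set, entropy threshold
and install location are assumptions chosen for the demonstration.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Pattern rules (assumed for the demo). Keys are the finding names.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # a credential-looking name assigned a quoted literal of 8+ characters
    "password-assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{8,})['"]"""),
}

# Quoted literals of at least MIN_TOKEN_LEN base64/url-safe characters are
# checked for Shannon entropy; the threshold is a tuning assumption.
MIN_TOKEN_LEN = 24
MIN_ENTROPY = 4.0
TOKEN_RE = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{%d,})['"]""" % MIN_TOKEN_LEN)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(text, path="<stdin>"):
    """Return (path, line_number, rule_name) for every suspicious line.

    Comment lines are scanned too: a credential pasted into a TODO comment
    is still a leaked credential.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
        for match in TOKEN_RE.finditer(line):
            if shannon_entropy(match.group(1)) >= MIN_ENTROPY:
                findings.append((path, lineno, "high-entropy-string"))
    return findings


def staged_files():
    """Paths added/copied/modified in the index, i.e. what the commit will contain."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def scan_staged():
    findings = []
    for path in staged_files():
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(find_secrets(fh.read(), path))
        except OSError:  # file vanished between 'git diff' and open()
            continue
    return findings


# Constructed sample input (not real credentials) used to exercise the scanner.
SAMPLE = """\
# config loader (constructed sample)
db_host = "db.internal"
db_password = "hunter2-but-longer!"
aws_key = "AKIAIOSFODNN7EXAMPLE"
# TODO remove: token = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
key_material = "-----BEGIN RSA PRIVATE KEY-----"
session_timeout = 300
"""
CLEAN_SAMPLE = 'timeout = 30\nname = "service-a"\n'


def main(argv):
    # "--demo" scans the constructed sample instead of the git index.
    findings = find_secrets(SAMPLE, "settings.py") if "--demo" in argv else scan_staged()
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: {rule}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with `--demo` to see it fire on the embedded sample (five findings across four lines), or copy it to `.git/hooks/pre-commit` (a hypothetical install location; any hook runner works) so it checks the index before every commit. A hook like this catches the obvious leak early but does not replace the server-side scan the review describes: it only sees the files staged in the current commit, a developer can skip it with `git commit --no-verify`, and the entropy rule will also flag hashes and base64 blobs, so expect to maintain an allowlist and keep a scanner in CI as the enforcing control.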

SAST tool review

Rating: 7 out of 10
Incentivized

Use Cases and Deployment Scope

Checkmarx is used in our organization to scan the code base or applications and perform security analysis. The Checkmarx SAST tool is used for scanning the code and finding security defects. It addresses security concerns and eliminates manual security review. The scope includes 75% of the organization's code base.

Pros

  • Recommendations to fix the security findings
  • Reports
  • Finds a wide range of security risks

Cons

  • Time taken for scan
  • False positives
  • Integrations with other systems

Likelihood to Recommend

Checkmarx is really suited for finding a wide range of security risks. It does, however, identify false positives, which can be confusing at times. It could do better in terms of scan duration. There are competitors in the market who can do equally well or even better. It all depends on the scope of the problem you want to address.
Vetted Review
Checkmarx
1 year of experience

A catchy review of Checkmarx not full of wordplay

Rating: 4 out of 10
Incentivized

Use Cases and Deployment Scope

As part of R&D projects for military contracts, we used Checkmarx to help our engineering team improve information assurance and reduce potential security risks in our software. We specifically used it to scan applications written in PHP. Through the many months of use, we found it often had a very large number of false positives, but the things it did catch were helpful. We refactored several components, libraries and classes and upgraded some of our dependencies to reduce the number of results Checkmarx returned. It never found a truly significant security risk, but we were a team of security experts, so I'm rather glad about that. The downside I did see was that it was completely impossible to get set up locally or through a continuous integration system. This was partially because of the way Checkmarx was designed, and partially because the security requirements we held in configuring our development and staging environments made it so. We had to interact with Checkmarx by exporting a zip of our codebase and uploading it, and it was a rather large codebase, so it took a while to scan. Overall, it was a helpful tool, but cumbersome to use.

Pros

  • Supports a large number of languages
  • Finds a large variety of potential risks

Cons

  • Lots of false positives
  • Hard to integrate with CI

Likelihood to Recommend

Checkmarx works really well when you actively work with it, rerunning it after each change. It gets confused easily when lots of files get changed, and that results in a lot of additional false positives.
Vetted Review
Checkmarx
1 year of experience