TrustRadius Insights for Checkmarx are summaries of user sentiment data from TrustRadius reviews and, when necessary, third party data sources.
Pros
Valuable Code Scanning and Accurate Results: Many users have found Checkmarx to be a valuable tool for scanning code and providing accurate results. It allows for in-depth analysis by providing the flow of code from source to execution.
User-Friendly Interface and Intuitive Nature: The easy-to-understand interface and user-friendly nature of Checkmarx have been appreciated by reviewers. They find it very intuitive, making reducing code and scanning for vulnerabilities simple.
Effective Security Threat Identification: Checkmarx has received praise for its ability to scan any application and identify security threats effectively. Users appreciate its reliability in identifying all security vulnerabilities, making their code more secure.
We use Checkmarx to scan our code for security vulnerabilities during development. It helps us find and fix issues early, reducing the risk of security breaches. Our developers and security team mainly use the tool to ensure our applications are safe before release. It addresses the challenge of maintaining secure code in a fast-paced development cycle.
Pros
Detects security vulnerabilities in source code with accuracy and detail.
Integrates seamlessly with CI/CD pipelines, IDEs, and repositories.
Provides clear reports and actionable fix recommendations for developers.
Cons
Scans can be slow for large codebases, which may disrupt development workflows.
The interface can overwhelm new users, making navigation and setup challenging.
Reports occasionally flag non-issues, requiring extra time for manual validation.
Likelihood to Recommend
Checkmarx works best in organizations with secure development practices where code is regularly scanned during development. It's ideal for CI/CD pipelines, ensuring vulnerabilities are caught early. Checkmarx might not be the best for old systems that aren’t updated often, as setting it up can take time. It’s also less useful for teams that mostly use third-party libraries instead of writing their own code.
VU
Verified User
Engineer in Information Technology (1001-5000 employees)
Checkmarx is used in our organization to scan code bases or applications and perform security analysis. The SAST tool of Checkmarx is used for scanning the code and finding the security defects. It addresses the security concerns and eliminates manual security review. The scope includes 75% of the organization's code base.
Pros
Recommendations to fix the security findings
Reports
Finds wide range of security risks
Cons
Time taken for scan
False positives
Integrations with other systems
Likelihood to Recommend
Checkmarx is really suited for finding a wide range of security risks. It does, however, identify false positives, which can be confusing at times. It can do better in terms of scan duration. There are better alternative competitors in the market who can do equally well or even better. It all depends on the scope of the problem you want to address.
VU
Verified User
Engineer in Information Technology (10,001+ employees)
It is used by the information security team in our company. We run various static code analysis tools on our source code and Checkmarx is one of them. What it helps us with is to generate reports that we can share with our Developers as it is comprehensive and easy to understand.
Pros
Reporting
Language support
Fix recommendations
Cons
Scan duration
False positives
Integration with other tools like Jenkins comes with some inconveniences.
Likelihood to Recommend
It is well suited in cases where you want to share reports with people that do not have a lot of knowledge of security concepts. It would help, as the report has elaborate content explaining the issues and fix recommendations. If you want a SAST tool that gives fewer false positives, there are better options compared to Checkmarx. In cases where you want to do SAST scans regularly and quickly, Checkmarx may hold you back with its high count of false positives and lengthy reports.
VU
Verified User
Engineer in Research & Development (1001-5000 employees)
As part of R&D projects for military contracts, we used Checkmarx to help our engineering team improve information assurance and reduce potential security risks in our software. We specifically used it to scan applications written in PHP. Through the many months of use, we found it often had a very large amount of false positives, but the things it did catch were helpful. We refactored several components, libraries and classes and upgraded some of our dependencies to reduce the number of results Checkmarx returned. It never found a truly significant security risk, but we were a team of security experts, so I'm rather glad about that. Downsides I did see were that it was completely impossible to get set up locally or through a continuous integration system. This was partially because of the way Checkmarx was designed, and partially because the security requirements we held in configuring our development and staging environments made it so. We had to interact with Checkmarx by exporting a zip of our codebase and uploading it, and it was a rather large codebase, so it took a while to scan. Overall, it was a helpful tool, but cumbersome to use.
Pros
Supports a large number of languages
Finds a large variety of potential risks
Cons
Lots of false positives
Hard to integrate with CI
Likelihood to Recommend
Checkmarx works really well when you actively work with it, rerunning it after changes. It gets confused easily when lots of files get changed, and results in a lot of additional false positives.
VU
Verified User
Team Lead in Research & Development (11-50 employees)
Checkmarx was used as a reactive security SAST control in my org, to detect code security issues, secrets and license problems. We also used it to assess our overall SAST structure via dashboards and metrics such as MTTR etc. There were a lot of grey areas where devs needed assistance with the vulnerable piece of code, and Checkmarx used to provide great insights on that.
Pros
Code security scans where issues need to be tagged as Critical or High and need to be merged into the PR
Secrets that are hardcoded in the code or in the comments of the PR
License scanning, where devs will have an idea of whether they are using the right set of open source packages
Cons
DAST capability can be the one where it does not support the native use case of using an OTP-based architecture
API scanning is something that lacks a bit due to not many customizations
Branch-wise reports for SAST are not available
Likelihood to Recommend
If you are going with a SAST process or want to improve your overall security posture, then go for it, for example by integrating it with post-deployment steps. If you are more concerned about proactive controls, better choose other options such as pre-commit hooks and CI security. Also choose other tools for DAST and API scans.