Dev Work Got Simpler with April 2025 Checkmarx Update

Developers’ Work Just Got Much Simpler with Latest Checkmarx Update  

April 24, 2025

Let’s shoot straight: Security isn’t what developers want to be doing. It’s something they have to be doing. Until there is a systemic change in how development work is perceived, the most effective way to drive developer buy-in (some would argue the only one) is to make security work as easy and seamless for them as possible, while weaving security across the SDLC.

Add to this the growing trend of development teams gaining a central role in AppSec purchasing decisions, as shown in our recent ‘DevSecOps Evolution’ report, and the conclusion becomes clear: An AppSec platform must not only provide the most advanced risk management tools but make them work for both security teams and developers.

That’s why today, here at the RSA Security Conference 2025, we’re announcing a platform update with new features that continue to improve the developer experience with Checkmarx One:

  • ASPM in the IDE: Bringing prioritized security insights directly to developers’ workspaces
  • Artifact Registry Security: Protecting private component libraries from vulnerabilities
  • Secrets Detection with Pre-Commit Blocking: Preventing sensitive credentials from reaching code repositories
  • Head of Engineering Dashboard: Enabling data-driven security decisions for development leadership

Let’s explore how this update strengthens your security posture, minimizes friction in the development process and provides better security coverage and visibility across the entire software development lifecycle.

ASPM Delivered Directly Into the IDE

Application Security Posture Management (ASPM) is quickly becoming a staple in the AppSec arsenal, correlating and prioritizing results from different tools like SAST, SCA, IaC scanning, and more, across the software development lifecycle (SDLC).

However, until now ASPM was used by and designed for AppSec teams and focused on risk management.
But what about the developers?

By embedding Checkmarx’ award-winning ASPM into the development workflow, your organization will reduce friction, ensuring developers can address security concerns effectively and immediately – and know that the time they invest in security tasks is high impact.

Extending SCA Protection to Your Private Registry

Traditional software composition analysis (SCA) scans open-source libraries for known vulnerabilities and license risks. Checkmarx already took SCA one important step further with malicious package protection that automatically detects open-source libraries containing malicious code – leveraging the industry’s largest proprietary database of 400,000+ malicious packages.

Building on our protection of open-source libraries in public repositories, we’re now expanding SCA coverage to include Artifact Registry Security. Starting with the first of many integrations, JFrog Artifactory, you can now:

  • Scan OSS libraries stored in your private registry for vulnerabilities or malicious code.
  • Customize risk level and policies preventing the upload of non-compliant libraries.
  • Block the download of non-compliant libraries into dev environments or build processes.

Pre-Commit Blocking: Prevent Hardcoded Credentials from Reaching Code Repos

The issue of leaving hardcoded secrets in application code is more common than most organizations would care to admit: A recent Wired investigation revealed over 15,000 exposed secrets across thousands of organizations, including credentials from courts, universities, and major tech companies.

Even the most vigilant teams aren’t immune to this risk: hardcoded secrets find their way into code repositories and leave their organizations vulnerable to threat actors.

The best way to combat credential leaks is by preventing secrets from ever reaching code repositories. That is why Checkmarx has added pre-commit blocking to its Secrets Detection capabilities.

By automatically detecting sensitive information like API keys, passwords, and access tokens before they reach code repositories, Secrets Detection prevents data breaches and compliance violations.

By implementing these protective measures, organizations create a crucial safety net that catches human errors and enforces security policies, significantly reducing the risk of exposed secrets.

More Data and Less Clutter, with New Head of Engineering Dashboard

Checkmarx One’s Analytics dashboard, introduced in June 2024, provided better actionable insights to empower AppSec teams with a crystal-clear understanding of their security posture.

Today, we are announcing another key tool for improved visibility, with an updated Head of Engineering Dashboard. This dashboard helps development teams put security data into their own context and better manage DevSecOps team metrics at scale.

This view allows engineering leadership to filter security data by development team, keep track of their performance, and identify teams and applications that need more support.

Combined with our code coverage indicator, which shows how much of your repositories is covered by scans, development teams can get an accurate picture of their live security coverage and translate the results into actionable steps.

Learn What Checkmarx One Can Do for You

We’re excited to introduce these new capabilities as part of our April 2025 Platform Update, as we continue to enhance our platform to make your jobs easier.

To learn more about Checkmarx One’s enterprise AppSec solution helping security teams and developers secure applications from code to cloud, book a live demo.
