Checkmarx Scanning Guide for AI Development 2026

Ultimate Guide to Checkmarx Scanning for AI-Driven DevOps

Written by: Mark Hull, Co-Founder and CEO, Exceeds AI | Last updated: April 22, 2026

Key Takeaways

  • Checkmarx One combines SAST for custom code, SCA for third-party dependencies, and IaC for infrastructure security scanning.
  • Use the 7-step GitHub integration process to run automated scans on PRs and pushes with incremental scanning for faster CI/CD.
  • SAST finds deep vulnerabilities in proprietary code, while SCA focuses on known CVEs in open-source libraries. Use both for full coverage.
  • AI-generated code often passes traditional scans but can hide context-blind vulnerabilities. Checkmarx alone cannot provide AI code observability.
  • Pair Checkmarx with Exceeds AI to secure AI-era development and measure AI code quality and ROI with a free pilot.

Core Checkmarx Scanning Types: SAST, SCA, and IaC

Checkmarx One uses several scanning engines that each cover a different security angle.

  • SAST (Static Application Security Testing): Analyzes source code for vulnerabilities using data-flow analysis that follows taint flows across function boundaries. Checkmarx’s AI SAST engine applies hybrid LLM-powered analysis to detect vulnerabilities in AI-generated code and emerging programming languages.
  • SCA (Software Composition Analysis): Identifies vulnerabilities in open-source dependencies and third-party libraries, while also tracking license compliance and known CVEs.
  • IaC Security: Scans infrastructure-as-code templates such as Terraform and CloudFormation for misconfigurations before deployment.

The platform’s AI features include Triage Assist for automated vulnerability prioritization and Remediation Assist for generating review-ready fixes.

GitHub Integration: 7-Step Checkmarx Scan Setup

This workflow connects Checkmarx to GitHub so your team can scan every PR and push with minimal friction.

  1. Create a Project in the Checkmarx One Portal: Go to New > New Project – Code Repository Integration. Select Cloud-hosted > GitHub for GitHub Cloud or Enterprise Cloud.
  2. Complete OAuth GitHub Integration: Authorize Checkmarx-AST with your GitHub credentials and grant read access to the repositories you plan to scan.
  3. Select Repositories and Protected Branches: Choose the target repositories and define the protected branches on which scans run for push and PR events, using wildcards such as “release*” or “*main” to match several branches at once.
  4. Enable Scanner Modules: Turn on SAST, SCA, IaC Security, Container Security, API Security, and Secret Detection based on your languages, frameworks, and deployment model.
  5. Configure Incremental Scanning: Enable Pull Request Decoration and scan triggers for push and PR events. This setup analyzes only changed code instead of rescanning the full repository.
  6. Trigger the Initial Scan: Run a scan with the CLI using cx scan create --project-name "MyProject" --source . or trigger it through a webhook on the next commit.
  7. Review the Results Dashboard: Inspect findings by severity bands (Critical: 9.0–10.0, High: 7.0–8.9, Medium: 4.0–6.9, Low: 0.1–3.9) and follow the remediation guidance.

Scan duration depends on codebase size and complexity. Incremental scans keep CI/CD pipelines responsive by limiting work to changed files.

SCA vs SAST: Key Differences and When to Use Each

Security teams often need to decide whether to invest first in SAST or SCA and how to balance both across services. The right mix depends on how much custom code you maintain versus open-source dependencies, and on your risk tolerance.

Scan Type | Primary Focus                          | Best Use Case                                                | Detection Method
SAST      | Custom application code vulnerabilities | SQL injection, XSS, buffer overflows in proprietary code     | Inter-procedural data-flow analysis
SCA       | Third-party dependency risks            | Known CVEs in open-source libraries, license compliance      | CVE database matching, license scanning

SAST performs deep analysis by following taint flows across function boundaries. This capability makes it critical for securing custom business logic.
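To make concrete what "following taint flows across function boundaries" means, here is a deliberately small inter-procedural taint checker written for this guide as an added example; it is not Checkmarx code and does not reflect how the Checkmarx engine is implemented. Its policy is an assumption chosen for the demo: `input()` is the attacker-controlled source, any `.execute(...)` call whose first argument (the SQL text) is tainted is the sink, `int()` and `float()` are sanitizers, and tainted arguments are followed into callees defined in the same module. The sample program it scans is constructed for the example and contains one injectable path (the SQL text is concatenated two calls away from the source) beside a parameterized query and a sanitized lookup.

```python
import ast

# Constructed policy for this example (not Checkmarx's rule set).
SOURCES = {"input"}            # calls whose result is attacker-controlled
SINK_METHODS = {"execute"}     # cursor.execute(sql, params): the SQL text is the sink
SANITIZERS = {"int", "float"}  # calls whose result is treated as safe


def _call_name(call):
    """Simple name of the called function or method, or None."""
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return None


class TaintAnalyzer:
    """Minimal flow-insensitive, inter-procedural taint tracker over one Python module."""

    def __init__(self, source_code):
        tree = ast.parse(source_code)
        # index top-level functions so calls can be followed into their bodies
        self.functions = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
        self.findings = set()   # (function name, line number) of tainted sink calls
        self.visited = set()    # (function name, tainted parameter set) already analyzed

    def is_tainted(self, node, tainted):
        """Does this expression's value depend on a source, given the tainted variable names?"""
        if isinstance(node, ast.Name):
            return node.id in tainted
        if isinstance(node, ast.BinOp):          # "... '" + name + "'"
            return self.is_tainted(node.left, tainted) or self.is_tainted(node.right, tainted)
        if isinstance(node, ast.JoinedStr):      # f"... {name}"
            return any(self.is_tainted(v.value, tainted)
                       for v in node.values if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False
            # "...".format(name), obj.method(name), helper(name): taint passes through
            receiver = node.func.value if isinstance(node.func, ast.Attribute) else None
            if receiver is not None and self.is_tainted(receiver, tainted):
                return True
            return any(self.is_tainted(a, tainted) for a in node.args)
        return False   # constants, tuples, etc.

    def _check_call(self, func_name, call, tainted):
        name = _call_name(call)
        if name in SINK_METHODS and call.args and self.is_tainted(call.args[0], tainted):
            # the SQL text itself is attacker-influenced; bound parameters in args[1:] are fine
            self.findings.add((func_name, call.lineno))
        elif name in self.functions:
            # cross the function boundary: taint the callee parameters that receive tainted args
            callee = self.functions[name]
            params = [p.arg for p in callee.args.args]
            tainted_params = {p for p, a in zip(params, call.args) if self.is_tainted(a, tainted)}
            if tainted_params:
                self.analyze_function(callee, tainted_params)

    def _visit_body(self, func_name, body, tainted):
        for stmt in body:
            if isinstance(stmt, (ast.If, ast.For, ast.While, ast.With, ast.Try)):
                # simplification: recurse into nested blocks, sharing one taint set
                for inner in (getattr(stmt, "body", []), getattr(stmt, "orelse", [])):
                    self._visit_body(func_name, inner, tainted)
                continue
            for node in ast.walk(stmt):
                if isinstance(node, ast.Call):
                    self._check_call(func_name, node, tainted)
            if isinstance(stmt, ast.Assign) and self.is_tainted(stmt.value, tainted):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))

    def analyze_function(self, func, tainted_params):
        key = (func.name, frozenset(tainted_params))
        if key in self.visited:          # guards against recursion between functions
            return
        self.visited.add(key)
        self._visit_body(func.name, func.body, set(tainted_params))


def find_tainted_sinks(source_code, entry_points):
    """Return sorted (function, line) pairs where tainted SQL text reaches execute()."""
    analyzer = TaintAnalyzer(source_code)
    for name in entry_points:
        analyzer.analyze_function(analyzer.functions[name], set())
    return sorted(analyzer.findings)


# Constructed sample program: one injectable path, two safe ones.
SAMPLE = '''
def build_query(name):
    return "SELECT * FROM users WHERE name = '" + name + "'"

def lookup(cursor, name):
    cursor.execute(build_query(name))          # tainted text built two calls away

def lookup_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))   # bound parameter

def lookup_by_id(cursor, raw_id):
    cursor.execute("SELECT * FROM users WHERE id = " + str(int(raw_id)))   # sanitized

def handler(cursor):
    name = input()
    lookup(cursor, name)
    lookup_safe(cursor, name)
    lookup_by_id(cursor, name)
'''

if __name__ == "__main__":
    print(find_tainted_sinks(SAMPLE, ["handler"]))   # [('lookup', 6)]
```

The finding lands on `lookup`, not on `handler` where the source is read, which is exactly the cross-function reporting a real SAST engine has to get right; the parameterized `lookup_safe` is silent because its SQL text is a constant, and `lookup_by_id` is silent because `int()` breaks the flow. The same structure is what a framework-aware profile or custom query encodes when you teach the scanner about your own sanitization library.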

SCA focuses on known vulnerabilities in external dependencies and usually runs faster but does not inspect proprietary logic. Use SAST for application code and SCA for dependency risk. Most teams rely on both engines to cover their full stack.

SonarQube vs Checkmarx: How They Compare for Security

Many teams evaluating Checkmarx also look at SonarQube, especially when weighing security depth against developer experience and scan speed. Understanding the tradeoffs helps you align tool choice with your risk profile and delivery timelines.

Tool      | False Positive Rate | Scan Speed    | AI Code Support       | Language Coverage
Checkmarx | Requires tuning     | Varies        | AI SAST engine (2026) | 35+ languages
SonarQube | Below 5% (typical)  | 5–15 minutes  | Limited               | 25+ languages

Checkmarx offers deeper vulnerability detection but often needs tuning to control false positives. G2 reviewers report high false positive rates that require manual triage, although Best Buy achieved an 80% false positive reduction after targeted optimization.

Effective tuning usually involves disabling low-severity rules, using framework-aware profiles, and writing custom CxQL queries that match your sanitization patterns.

Scanning AI-Generated Code from Copilot and Cursor

AI coding tools introduce security risks that traditional scanning engines only partially address. Checkmarx research shows LLMs can generate working CVE exploits in 10–15 minutes at about $1 per exploit, with projections dropping to under 1 minute by 2028.

Key AI code scanning challenges form a connected set of risks.

  • Context-Blind Generation: AI tools often produce code that looks safe but skips input validation or relies on deprecated patterns, which increases hidden risk.
  • False Negative Risks: Subtle vulnerabilities in AI-generated code may bypass SAST rules and quietly add long-term technical debt.
  • Volume Inflation: LLM-assisted scanning can inflate false-positive counts in production-grade codebases, which strains triage capacity.

Checkmarx Developer Assist adds real-time prevention inside IDEs such as VS Code, Cursor, and Windsurf. It flags issues as AI-generated code appears in the editor.

Traditional scanning still cannot see which lines came from AI versus humans, so teams cannot measure AI impact or tune adoption. Gain code-level visibility into AI impact with a free Exceeds AI pilot alongside your Checkmarx rollout.

Exceeds AI Impact Report with Exceeds Assistant providing custom insights
Exceeds AI Impact Report with PR and commit-level insights

Closing AI Security Gaps with Exceeds AI and Checkmarx

Checkmarx delivers strong vulnerability detection but does not identify AI-generated code or track long-term AI quality trends. This limitation creates several gaps in modern security programs.

Capability              | Checkmarx              | Exceeds AI                | Combined Value
Vulnerability Detection | Comprehensive SAST/SCA | Limited                   | Complete security coverage
AI Code Identification  | No                     | Tool-agnostic detection   | AI-aware vulnerability analysis
ROI Measurement         | No                     | Commit and PR-level proof | Justified security investments
Setup Time              | Days to weeks          | Hours                     | Rapid deployment

Exceeds AI adds an observability layer that tracks which lines are AI-generated across Cursor, Claude Code, GitHub Copilot, and similar tools. Teams can then correlate AI usage with security outcomes and see whether AI improves or harms code quality.

Customers using both platforms have found that GitHub Copilot contributed to 58% of commits and delivered an 18% productivity lift. They also discovered that specific AI-heavy modules showed higher rework rates, which highlighted where targeted coaching was needed.

Exceeds AI Impact Report shows AI code contributions, productivity lift, and AI code quality

The Exceeds AI founding team includes former engineering leaders from Meta, LinkedIn, and GoodRx who built systems for more than 1 billion users. Their code-level analytics extend traditional scanning with AI-specific insights that Checkmarx alone cannot provide.

Checkmarx Best Practices and Integration Guidelines

These practices help teams roll out Checkmarx without overwhelming developers or pipelines.

Start by enabling incremental scanning so Checkmarx analyzes only changed files and keeps CI/CD impact low. After scans run efficiently, configure PR gate policies that block Critical and High findings while tracking Medium and Low issues.

Finally, tune false positives by targeting rates below 20% with custom CxQL rules and framework-aware settings. This sequence builds trust in scan results and keeps feedback actionable.

Key integrations include GitHub, GitLab, Bitbucket, Jenkins, and Azure DevOps for automated scanning workflows. These connections embed security checks directly into existing delivery pipelines.

Measure effectiveness with coverage across repositories, MTTR by severity, fix rates within SLA, and noise ratio, which is false positives divided by total findings. These metrics guide continuous improvement of your security posture.
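The pieces of pipeline policy described in the setup steps and in these guidelines (protected-branch wildcards, the severity bands, the Critical/High PR gate, and the noise ratio, MTTR and fix-within-SLA metrics) are simple enough to express in a few functions. The block below is an added example written for this guide, not Checkmarx's own code or output format: the findings list is constructed, its field names are assumptions, the SLA hours per band are placeholders, and treating a 0.0 score as "Info" is the example's own choice since the guide's bands start at 0.1.

```python
from datetime import datetime
from fnmatch import fnmatch

# Severity bands as listed in step 7 of the setup guide (CVSS score ranges).
SEVERITY_BANDS = [
    ("Critical", 9.0, 10.0),
    ("High", 7.0, 8.9),
    ("Medium", 4.0, 6.9),
    ("Low", 0.1, 3.9),
]
BLOCKING_BANDS = {"Critical", "High"}   # PR gate policy from the best-practices section

# Assumed SLA hours per band (placeholders for this example, not a Checkmarx default).
SLA_HOURS = {"Critical": 24, "High": 72, "Medium": 168, "Low": 720}


def severity_band(score):
    """Map a CVSS score to the guide's band; scores carry one decimal, so round first."""
    score = round(score, 1)
    for name, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    return "Info"   # assumption: a 0.0 score is informational, outside every band


def branch_is_protected(branch, patterns):
    """Step 3 wildcards such as "release*" or "*main": should this branch trigger a scan?"""
    return any(fnmatch(branch, pattern) for pattern in patterns)


def true_positives(findings):
    return [f for f in findings if not f["false_positive"]]


def pr_gate(findings):
    """Block the PR on Critical/High true positives; everything else is only tracked."""
    blocking = [f for f in true_positives(findings) if severity_band(f["score"]) in BLOCKING_BANDS]
    tracked = [f for f in true_positives(findings) if severity_band(f["score"]) not in BLOCKING_BANDS]
    return bool(blocking), blocking, tracked


def noise_ratio(findings):
    """False positives divided by total findings (the metric from the guidelines)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f["false_positive"]) / len(findings)


def _hours_to_fix(finding):
    if finding["fixed_at"] is None:
        return None
    delta = datetime.fromisoformat(finding["fixed_at"]) - datetime.fromisoformat(finding["found_at"])
    return delta.total_seconds() / 3600


def mttr_by_severity(findings):
    """Mean hours from detection to fix, per band, over fixed true positives."""
    buckets = {}
    for f in true_positives(findings):
        hours = _hours_to_fix(f)
        if hours is not None:
            buckets.setdefault(severity_band(f["score"]), []).append(hours)
    return {band: sum(h) / len(h) for band, h in buckets.items()}


def fix_rate_within_sla(findings, sla_hours):
    """Share of true positives per band fixed within that band's SLA; open ones count as missed."""
    totals, on_time = {}, {}
    for f in true_positives(findings):
        band = severity_band(f["score"])
        totals[band] = totals.get(band, 0) + 1
        hours = _hours_to_fix(f)
        if hours is not None and hours <= sla_hours[band]:
            on_time[band] = on_time.get(band, 0) + 1
    return {band: on_time.get(band, 0) / n for band, n in totals.items()}


# Constructed findings, shaped like a minimal export of one scan's results.
FINDINGS = [
    {"id": "F1", "score": 9.8, "false_positive": False,
     "found_at": "2026-04-01T09:00", "fixed_at": "2026-04-01T15:00"},   # Critical, fixed in 6h
    {"id": "F2", "score": 7.5, "false_positive": False,
     "found_at": "2026-04-01T09:00", "fixed_at": "2026-04-05T09:00"},   # High, fixed in 96h (misses SLA)
    {"id": "F3", "score": 7.2, "false_positive": True,
     "found_at": "2026-04-01T09:00", "fixed_at": None},                 # triaged as false positive
    {"id": "F4", "score": 5.3, "false_positive": False,
     "found_at": "2026-04-01T09:00", "fixed_at": None},                 # Medium, still open
    {"id": "F5", "score": 2.0, "false_positive": False,
     "found_at": "2026-04-01T09:00", "fixed_at": "2026-04-02T09:00"},   # Low, fixed in 24h
]

if __name__ == "__main__":
    blocked, blocking, tracked = pr_gate(FINDINGS)
    print("PR blocked:", blocked, "by", [f["id"] for f in blocking], "tracking", [f["id"] for f in tracked])
    print("noise ratio:", noise_ratio(FINDINGS))
    print("MTTR (h):", mttr_by_severity(FINDINGS))
    print("fix rate within SLA:", fix_rate_within_sla(FINDINGS, SLA_HOURS))
```

Two details matter in practice: the gate ignores findings already triaged as false positives, otherwise an untuned scanner with a high false-positive rate blocks every PR and developers stop trusting it, and the SLA metric counts open findings as missed so that a backlog cannot make the fix rate look better than it is.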

For AI-heavy teams, pair Checkmarx with code-level observability so you can prove that AI investments reduce risk instead of increasing it. Start measuring AI code quality and ROI with a free Exceeds AI pilot.

Exceeds AI Repo Leaderboard shows top contributing engineers with trends for AI lift and quality

Frequently Asked Questions

How is SCA different from SAST?

SCA focuses on third-party dependencies and open-source libraries, identifying known CVEs and license issues through database matching. SAST analyzes custom application code for vulnerabilities such as SQL injection and XSS using data-flow analysis. SCA usually runs faster and targets external components, while SAST provides deeper coverage of proprietary logic. Most organizations combine both approaches for complete security coverage.

What is the difference between SonarQube and Checkmarx for security scanning?

Checkmarx specializes in security-focused SAST with deep vulnerability detection and support for more than 35 languages and complex inter-procedural analysis. SonarQube emphasizes code quality and maintainability, offering faster scans but less exhaustive security coverage. Checkmarx often reports more complex vulnerabilities and more false positives, while SonarQube delivers a smoother developer experience with quicker feedback. Choose Checkmarx for security-critical systems and SonarQube when code quality and velocity take priority.

How can I reduce false positives in Checkmarx scans?

Use framework-aware configurations that recognize built-in security features such as Django’s auto-escaping or Spring’s parameterized queries. Add custom CxQL rules for your internal sanitization libraries and disable rule categories that do not apply to your application type.

Adopt incremental scanning so Checkmarx focuses on changed code and create baseline projects that track known findings across runs. Configure confidence thresholds and severity filters at the project level. Combine SAST with runtime testing such as IAST or DAST to validate findings with exploitability evidence.

Can Checkmarx detect vulnerabilities in AI-generated code?

Checkmarx’s AI SAST engine can detect vulnerabilities in AI-generated code using pattern analysis and data-flow tracking. The platform still cannot distinguish AI-generated code from human-written code or measure how AI tools affect long-term quality.

Checkmarx scans all code regardless of origin, so teams need extra observability to understand whether AI improves or weakens their security posture. That visibility requires analytics that track AI contributions and correlate them with vulnerability trends over time.

Actionable insights to improve AI impact in a team.

Should I use Exceeds AI instead of Checkmarx for AI code security?

Use Exceeds AI and Checkmarx together for complete AI-era security. Checkmarx delivers SAST, SCA, and IaC scanning that every development team needs for vulnerability detection.

Exceeds AI adds observability that shows which code is AI-generated, measures AI tool ROI, and tracks long-term quality outcomes. Many teams start with Exceeds AI to prove AI value and find optimization opportunities, then layer Checkmarx for shift-left scanning. This combination provides AI intelligence plus broad vulnerability coverage.

Conclusion

Modern Checkmarx programs require both traditional security scanning and AI-aware observability to stay effective. Checkmarx covers core vulnerabilities, while code-level analytics reveal how AI tools change risk and quality.

Bridge the gap between traditional scanning and AI intelligence with a free Exceeds AI pilot and measure AI code quality alongside your Checkmarx implementation.
