Checkmarx One Introduces Hybrid SAST Engine With Finding Analysis Engine
Checkmarx said it added a new hybrid static application security testing (SAST) scanning engine to the Checkmarx One platform to improve scanning fidelity while reducing false positives. The company linked the change to challenges teams face when scanning at volume and when code includes AI-generated or emerging languages.
The update describes a scenario where rules-based analysis and AI models each leave gaps on their own. Checkmarx said deterministic scanning provides precision for languages it covers, while AI extends coverage to languages outside fixed rules. It added that scanning at volume can surface findings faster than teams can act, creating noise that affects how vulnerabilities get addressed.
Checkmarx said the hybrid engine combines three layers: a deterministic rules-based foundation refined over two decades of AppSec, a purpose-tuned LLM engine that extends detection to any language including AI-generated code and emerging languages, and a Finding Analysis Engine (FAE) that confirms true positives and suppresses false ones before a finding reaches a developer.
In head-to-head testing across seven real production codebases, Checkmarx said the hybrid engine achieved an F1 score of 0.64 and reduced false positives by 60%. “No single approach – rules-based or AI – tells the whole story on its own,” said Sandeep Johri, CEO of Checkmarx. “At today's volumes, that noise is what slows teams down and drives up cost.” “AI has handed developers an unprecedented productivity boost,” said Jonathan Rende, Chief Product Officer at Checkmarx. “What teams need isn't just more findings, it’s confidence and predictability.” The new hybrid scanning engines and Finding Analysis Engine entered early access as part of Checkmarx One.
Provided by Globe Newswire on behalf of Checkmarx.com. Click to read original content.