Activate and scale your Checkmarx application security capabilities, including SAST, SCA, IaC scanning, and pipeline integrations, so your teams can find and fix code risk faster across all SDLC workflows.
Quick Benefits
- Secure Workflows: Enable secure coding for developers, DevOps, and AppSec teams.
- Flexible Coverage: Choose the exact edition you need for SAST, open-source risk, and cloud/IaC coverage.
- Tailored Usage: Align your licensing to your specific environment (apps, repositories, developers, pipelines).
- Expert Guidance: Get help with sizing, activation, and renewal planning.

Checkmarx At a Glance
- What it does: Unlocks the Checkmarx AppSec platform capabilities across custom code, open-source dependencies, and infrastructure-as-code (IaC), plus deep integrations into CI/CD tools.
- Who needs it: Organizations building software that require consistent application security coverage across repositories, teams, and pipelines.
- License Type: Enterprise subscription entitlement.
- Typical Terms: 1, 3, or 5 years.
- Activation: Entitlement/tenant-based activation (cloud) or administrative console license activation (on-prem).
License Overview
A Checkmarx license activates your application security capabilities and defines how your organization uses the platform across projects, teams, and development workflows.
Modules & Metrics
Your entitlement determines which modules are enabled. This might include Static Application Security Testing (SAST) for custom code analysis, Software Composition Analysis (SCA) for open-source dependency risk, or coverage for infrastructure-as-code and containers. The license also governs how we measure your usage, typically based on the number of applications, projects, repositories, developers, scan volume, or CI/CD integration scope.
Terms & Activation
Licensing is delivered via a 1-, 3-, or 5-year subscription. Maintaining an active term ensures you receive continuous updates for new vulnerabilities, rules, and secure coding patterns. Cloud deployments generally provision a tenant with your assigned entitlements, while on-prem deployments use an administrative activation workflow to enable modules.
Sizing Strategy
Because AppSec programs vary drastically, from monorepos to multi-repo setups, and from centralized AppSec to developer-led security, you must align your entitlements to your actual SDLC requirements. Accurate sizing upfront prevents coverage gaps, avoids overspending, and keeps renewals predictable as your engineering teams scale.
Options & Tiers
Most buyers get stuck deciding which modules they actually need and what drives the pricing metric. Here is how it breaks down:

| Plan / Edition | Best For | Key Inclusions | What Affects Price |
|---|---|---|---|
| SAST-Focused | Code-first AppSec | Code scanning, rules, remediation guidance | Apps/projects, dev teams, term |
| SCA / Open-Source | Dependency risk | OSS inventory, vulnerability & license risk | Repos, scan volume, term |
| Full AppSec Bundle | Broad coverage | SAST + SCA + IaC + CI/CD integrations | Scope/modules, users, term |
| Add-ons & Services | Faster rollout | Implementation, policy design, training | Scope & complexity |

Features & Benefits
- Static Code Scanning (SAST): Find vulnerabilities early in development before they hit production, driving true shift-left workflows.
- Open-Source Risk Visibility (SCA): Identify vulnerable dependencies to manage third-party risk at scale and reduce supply-chain exposure.
- CI/CD Integrations: Automate security checks directly inside your pipelines to enforce policies consistently and reduce manual review overhead.
- Policy & Reporting: Standardize AppSec governance with dashboards and audit-ready outputs for compliance and security leadership.

Compatibility & Requirements
- Git-based repositories and modern SDLC workflows.
- CI/CD pipelines (Jenkins, GitLab CI, Azure DevOps, etc.).
- Enterprise identity and access management (SSO/RBAC).
Quote Checklist
To get an accurate quote, please provide:
- Number of applications, projects, or repositories to cover.
- Required modules (SAST, SCA, IaC, etc.).
- Number of teams/developers and expected scan frequency.
- Deployment preference (cloud vs. on-prem).
- Term preference (1, 3, or 5 years).
Activation Guide For Checkmarx
- Confirm: Finalize your edition, modules, and scope.
- Provision: Spin up your tenant (cloud) or enable your modules (on-prem).
- Connect: Link your repositories and CI/CD integrations.
- Configure: Set your policies, roles, and scan baselines.
- Validate: Confirm reporting and policy enforcement are active.
Pricing Factors & Quoting
Checkmarx pricing depends directly on your coverage scope and required modules.
Cost Drivers
The biggest drivers are the specific capabilities you enable (code scanning, open-source risk, IaC, integrations) and the size of your environment (apps, projects, or repositories). The number of teams running pipeline or scheduled scans will also influence the cost.
Longer subscription terms (3 or 5 years) typically improve your annualized pricing. Finally, your deployment approach (cloud vs. on-prem) and any required implementation support, such as onboarding, policy tuning, or governance reporting, will shape the final quote. The most accurate pricing comes from quoting against your actual SDLC scope, ensuring your entitlement perfectly matches your rollout plan.