Try our new research platform with insights from 80,000+ expert users
Checkmarx Software Composition Analysis Logo

Checkmarx Software Composition Analysis Reviews

Vendor: Checkmarx
4.5 out of 5
Start review

What is Checkmarx Software Composition Analysis?

Checkmarx Software Composition Analysis (SCA) helps organizations manage the risks associated with open source and third-party components in their software applications. While leveraging open source libraries and third-party dependencies is common practice, it can also introduce security vulnerabilities and license risks.

Get the Checkmarx Software Composition Analysis Buyer's Guide and find out what your peers are saying about Checkmarx Software Composition Analysis, GitLab, Snyk and more!
Checkmarx Software Composition Analysis is the #8 ranked solution in top Software Composition Analysis (SCA) solutions. PeerSpot users give Checkmarx Software Composition Analysis an average rating of 9.0 out of 10. Checkmarx Software Composition Analysis is most commonly compared to GitLab: Checkmarx Software Composition Analysis vs GitLab. Checkmarx Software Composition Analysis is popular among the large enterprise segment, accounting for 81% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 37% of all views.
Buyer's Guide
Checkmarx Software Composition Analysis
March 2025
Get the report
Helped 842,388 peers since 2012

Featured Checkmarx Software Composition Analysis reviews

Read more reviews

Checkmarx Software Composition Analysis mindshare

As of March 2025, the mindshare of Checkmarx Software Composition Analysis in the Software Composition Analysis (SCA) category stands at 2.6%, down from 3.2% compared to the previous year, according to calculations based on PeerSpot user engagement data.
Software Composition Analysis (SCA)

PeerAnalyst reports based on Checkmarx Software Composition Analysis reviews

TypeTitleDate
CategorySoftware Composition Analysis (SCA)Mar 27, 2025Download
ProductReviews, tips, and advice from real usersMar 27, 2025Download
ComparisonCheckmarx Software Composition Analysis vs Black DuckMar 27, 2025Download
ComparisonCheckmarx Software Composition Analysis vs VeracodeMar 27, 2025Download
ComparisonCheckmarx Software Composition Analysis vs SnykMar 27, 2025Download
Suggested products
TitleRatingMindshareRecommending
GitLab4.34.5%97%82 interviewsAdd to research
Snyk4.015.8%100%45 interviewsAdd to research
 
 
Key learnings from peers

Valuable Features

Checkmarx Software Composition Analysis offers ease of use and seamless CICB pipeline integration, enabling fast incremental scans. Users value its ability to identify component vulnerabilities, provide security from development start, and offer comprehensive visibility into software security. It supports integration with developer tools, offers configurability, and provides actionable remediation advice. The tool highlights potential license issues, offers comprehensive security scans, shows library vulnerabilities, and suggests version upgrades. The user-friendly interface and AI integration improve identification and scalability.
  • "We were able to reduce the number of vulnerable libraries by 50%, leading to significant operational improvement."
  • "It has improved identification capabilities, scalability, and integration with AI, such as the AI-powered suggestions."
  • "The tool's visual scan analysis shows me all the libraries' vulnerabilities and license types. It helps identify the most complex issues with licenses. It provides good visibility. SCA shows me all libraries that are vulnerable and the extent of their vulnerability."

Room for Improvement

Checkmarx Software Composition Analysis requires enhancements in pricing and licensing models, user interface, scanning speed, integration with systems like MuleSoft, and handling of false positives. Users desire faster updates to address vulnerabilities and improvements in dynamic analysis and API functionality. Support quality, performance during scans, and user-friendly implementation also need attention. Customer feedback highlights the need for more accurate vulnerability assessments and a "what if" feature to simulate changes without full reruns.
  • "The solution could improve by determining the success factor of an upgrade, which is currently lacking."
  • "The solution could improve by determining the success factor of an upgrade, which is currently lacking."
  • "Checkmarx Software Composition Analysis should improve dynamic analysis."

Pricing

Enterprise users find Checkmarx Software Composition Analysis pricing to be on the higher side, with a complex licensing model based on user numbers, project scans, and additional factors. The high cost can be challenging for small organizations, though larger companies benefit significantly. Compared to competitors, pricing appears less competitive, necessitating careful evaluation of value versus expense. Enterprises typically opt for annual subscriptions, although usage can be limited to specific team sizes.
  • "We don't have a license. The usage is limited to one, two, three, five, or ten people. It is currently used for all projects, and there are plans to increase its usage."
  • "My customers need to pay for the licensing part, and they need to opt for an annual subscription."
  • "The license model is somewhat perplexing as it comprises multiple aspects that can be confusing for customers. The model is determined by the number of registered users and the number of projects being scanned, along with a third component that adds to the complexity."

Popular Use Cases

Checkmarx Software Composition Analysis is mainly used by IT security and development teams for detecting vulnerabilities in open-source components of applications. Commonly integrated into CI/CD pipelines, it performs static code analysis and checks the integrity of libraries, focusing on .NET and Java applications. It facilitates security scanning and vulnerability identification in various domains, including banking and insurance, and helps manage legal and licensing risks associated with open-source software.

Service and Support

Checkmarx Software Composition Analysis has responsive and dedicated customer service. Their team often resolves issues quickly, with same-day responses. Support is available 24/7 and rates high in effectiveness. Users appreciate helpful assistance during installation and for queries, highlighting good documentation. Some feedback suggests a decline in support quality compared to previous years. Integrators are recognized for being knowledgeable and customer-friendly, providing excellent assistance through various communication channels.

Deployment

Users found Checkmarx Software Composition Analysis's initial setup straightforward and user-friendly, often describing it as easy and uncomplicated. While some highlighted effortless plug-and-play installation, others mentioned minimal deployment times, ranging from a couple of hours to a few days. Technical support was noted as helpful in some cases. Organizations appreciated the seamless integration with platforms like GitHub and Jenkins, guided effectively by available documentation, allowing for management by individuals with limited technical expertise.

Scalability

Checkmarx Software Composition Analysis exhibits strong scalability. Multiple users commend its capacity to support unlimited projects and its efficient data consumption. Ratings for scalability generally fall between seven to ten, reflecting positive experiences with adaptability across various projects. Despite some limited usage, several users highlight its ability to perform well with diverse applications, including SaaS and code batching solutions. The number of users often fluctuates, contributing to its flexibility and resource optimization.

Stability

Checkmarx Software Composition Analysis is highly stable according to users who report it performing as expected without major issues even during upgrades. They indicate it supports numerous projects and scans efficiently. Stability ratings average between eight and nine out of ten. Some note occasional performance bottlenecks, especially when using a European-based cloud, which can slow scans significantly. However, most agree it is a stable platform as the company progresses.
These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.
Download our Checkmarx Software Composition Analysis Buyer's Guide for additional reliable information.

Review data by company size

By reviewers
By visitors reading reviews

Top industries

By visitors reading reviews
Financial Services Firm
37%
Manufacturing Company
14%
Computer Software Company
9%
Healthcare Company
4%
Educational Organization
3%
Transportation Company
3%
Logistics Company
3%
Comms Service Provider
3%
Government
3%
Energy/Utilities Company
3%
Insurance Company
2%
University
1%
Media Company
1%
Wholesaler/Distributor
1%
Construction Company
1%
Legal Firm
1%
Non Profit
1%
Pharma/Biotech Company
1%
Real Estate/Law Firm
1%
Retailer
1%
Outsourcing Company
1%
Recruiting/Hr Firm
1%
Performing Arts
1%
Leisure / Travel Company
1%
Consumer Goods Company
1%

Compare Checkmarx Software Composition Analysis with alternative products

Go!

Learn more about Checkmarx Software Composition Analysis


Checkmarx SCA offers a multifaceted approach to managing these risks by:


  • Automatically scanning project repositories, build configurations, and manifests to create a comprehensive inventory of all components, including version information and associated licenses.

  • Performing vulnerability assessments on each component, including identifying and prioritizing actual exploitable or reachable vulnerabilities.

  • Protecting organizations from software supply chain attacks involving malicious packages, such as the XZ Utils backdoor.

  • Identifying licenses associated and providing insights into license obligations, restrictions, and potential conflicts.

  • Integrating seamlessly into existing development workflows and CI/CD pipelines.

  • Providing actionable remediation guidance to help organizations address identified vulnerabilities and compliance issues effectively.

Checkmarx Software Composition Analysis was previously known as CxSCA.

Checkmarx Software Composition Analysis customers

AXA, Liveperson, Aaron's, Playtech, Morningstar

Related questions

  • 78
What tools do you rely on for building a DevSecOps pipeline?
  • 65
What alternatives are there for Fortify WebInspect and Fortify SCA?
  • 62
What is the best way to track open-source license compatibility?
  • 62
How long does SCA scanning take?
  • 99
Why is Software Composition Analysis (SCA) important for companies?
  • 140
Differences between Black Duck & Veracode
  • 19
What SCA solution do you recommend?
  • 12
Is there an SCA solution that finds and fixes vulnerabilities?
  • 16
Can I get SCA in my IDE?
  • 1
When evaluating Software Composition Analysis, what aspect do you think is the most important to look for?

Product Categories

Product Categories
Software Composition Analysis (SCA)

Popular Comparisons

Popular Comparisons
GitLab vs Checkmarx Software Composition Analysis Logo
GitLab vs Checkmarx Software Composition Analysis
Snyk vs Checkmarx Software Composition Analysis Logo
Snyk vs Checkmarx Software Composition Analysis
Black Duck vs Checkmarx Software Composition Analysis Logo
Black Duck vs Checkmarx Software Composition Analysis
Mend.io vs Checkmarx Software Composition Analysis Logo
Mend.io vs Checkmarx Software Composition Analysis
Sonatype Lifecycle vs Checkmarx Software Composition Analysis Logo
Sonatype Lifecycle vs Checkmarx Software Composition Analysis
JFrog Xray vs Checkmarx Software Composition Analysis Logo
JFrog Xray vs Checkmarx Software Composition Analysis
Semgrep vs Checkmarx Software Composition Analysis Logo
Semgrep vs Checkmarx Software Composition Analysis
FOSSA vs Checkmarx Software Composition Analysis Logo
FOSSA vs Checkmarx Software Composition Analysis
CAST Highlight vs Checkmarx Software Composition Analysis Logo
CAST Highlight vs Checkmarx Software Composition Analysis
Polaris Software Integrity Platform vs Checkmarx Software Composition Analysis Logo
Polaris Software Integrity Platform vs Checkmarx Software Composition Analysis
See all alternatives
 

Checkmarx Software Composition Analysis reviews

Sort by:
Tharindu Malwenna - PeerSpot user
Senior Application Security Engineer at Wiley
Verified user of Checkmarx Software Composition Analysis
Dec 12, 2024
Efficient library identification and upgrade suggestions improve application security

Pros

"It has improved identification capabilities, scalability, and integration with AI, such as the AI-powered suggestions."

Cons

"The solution could improve by determining the success factor of an upgrade, which is currently lacking."

What is our primary use case?

We have many third-party libraries in our organization. I used Checkmarx Software Composition Analysis to identify all the libraries we use and determine whether they are used or unused within the application.

What is most valuable?

Checkmarx Software Composition Analysis provides identification of libraries and suggestions for version upgrades. It has improved identification capabilities, scalability, and integration with AI, such as the AI-powered suggestions.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (356 words)
Sujata Sujata Ghadage - PeerSpot user
Sr Manager consultant - Digital assurance Services at ADROSONIC
Verified user of Checkmarx Software Composition Analysis
Mar 14, 2024
Offers great security in the area of vulnerability detection

Pros

"It is a stable solution...It is a scalable solution."

Cons

"Some of the recommendations provided by the product are generic. Even if the recommendations provided by the product are of low level, the appropriate ones can help users deal with vulnerabilities."

What is our primary use case?

Checkmarx Software Composition Analysis is a good tool I have used in multiple projects, especially in banking and insurance domains. It is a good tool for static code review and SAST analysis. I want to understand the cost of the other tools in the market compared to Checkmarx Software Composition Analysis because our company needs to make recommendations to our customers. Considering the budget of our company's customers, we need to make recommendations to them.

My company uses the tool to support banking applications by indulging in static code analysis.

What is most valuable?

The most valuable feature of the solution stems from the rules it offers. I also like the coverage it provides while having to deal with fewer false positives.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (808 words)
Buyer's Guide
Checkmarx Software Composition Analysis
Download free report
Find out what your peers are saying about Checkmarx Software Composition Analysis. Updated March 2025
842,388 professionals have used our research since 2012.
DS
VP Software Developer/Architect at a financial services firm with 5,001-10,000 employees
Verified user of Checkmarx Software Composition Analysis
Sep 10, 2023
Identified and fixed security vulnerabilities in our code, such as a SQL injection vulnerability.

Pros

"The customer service and support were good."

Cons

"I would rate the scalability a seven out of ten."

What is our primary use case?

We use SCA for security scanning and routing. The replica is really good. It's supposed to measure vulnerabilities.

We use SCA to scan our code for vulnerabilities on a regular basis. Every new release is assessed for vulnerabilities using Checkmarx's SCA tool.

How has it helped my organization?

It has helped us identify and fix security vulnerabilities in our code. For example, we were able to fix a SQL injection vulnerability that could have been exploited by attackers.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (396 words)
PeerSpot user
Sr. Director Global Solutions Development at a energy/utilities company with 10,001+ employees
Verified user of Checkmarx Software Composition Analysis
Apr 17, 2023
Comprehensive security scan, helpful support, and high availability

Pros

"The most valuable feature of Checkmarx Software Composition Analysis is the comprehensive security scan."

Cons

"Parts of the implementation process could improve by making it more user-friendly."

What is our primary use case?

We use Checkmarx Software Composition Analysis for scanning software for security vulnerabilities.

What is most valuable?

The most valuable feature of Checkmarx Software Composition Analysis is the comprehensive security scan.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (373 words)
Harsh Soni - PeerSpot user
Cyber Security Engineer at Rah Infotech Pvt Ltd
Verified user of Checkmarx Software Composition Analysis
Jun 5, 2023
Along with a straightforward initial setup phase in place, good technical support is also provided

Pros

"The integration part is easy...It's a stable solution right now. "

Cons

"API security is an area with shortcomings that needs improvement."

What is our primary use case?

Basically, I review the code of the developer and find the vulnerability in that, and then I get back to the developer to resolve and remediate the vulnerability on the dashboard. We also review the source code of the developer just as if some developer cracked the code for the kind of product development or production phase, or initial phase. We then review Checkmarx with the support of the developer and get it corrected right away at that time.

What is most valuable?

The integration part is easy. It will also be compatible with a developer because a lot of tools are needed to write code, just like in Java. And then, users have the Eclipse software tool that writes code in Java, while Checkmarx also supports integration with Eclipse. So it becomes much easier for developers to find the vulnerabilities and see if they are correct or if they need to be correct. Checkmarx will highlight those lines and words which will be vulnerable on that code. They will highlight, and they will prompt, but we have to correct it.

*Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Read full review (509 words)
PeerSpot user
Sr. Director Global Solutions Development at a energy/utilities company with 10,001+ employees
Verified user of Checkmarx Software Composition Analysis
Feb 8, 2021
A solid, stable, and easy-to-deploy solution that allows you to incorporate it into a CICB pipeline and has the ability to do incremental scans

Pros

"One of the strong points of this solution is that it allows you to incorporate it into a CICB pipeline. It has the ability to do incremental scans. If you scan a very large application, it might take two hours to do the initial scan. The subsequent scans, as people are making changes to the app, scan the Delta and are very fast. That's a really nice implementation. The way they have incorporated the functionality of the incremental scans is something to be aware of. It is quite good. It has been very solid. We haven't really had any issues, and it does what it advertises to do very nicely."

Cons

"Its pricing can be improved. It is a little bit high priced. It would be better if it was a little less expensive. It is a good tool, and we're still figuring out how to fully leverage it. There are some questions regarding whether it can scan the MuleSoft code. We don't know if this is a gap in the tool or something else. This is one thing that we're just working through right now, and I am not ready to conclude that there is a weakness there. MuleSoft is kind of its own beast, and we're trying to see how we get it to work with Checkmarx."

What is our primary use case?

We use it for scanning .NET and Java applications. We are using its latest version.

What is most valuable?

One of the strong points of this solution is that it allows you to incorporate it into a CICB pipeline. It has the ability to do incremental scans. If you scan a very large application, it might take two hours to do the initial scan. The subsequent scans, as people are making changes to the app, scan the Delta and are very fast. That's a really nice implementation. The way they have incorporated the functionality of the incremental scans is something to be aware of. It is quite good.

It has been very solid. We haven't really had any issues, and it does what it advertises to do very nicely.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (457 words)
Abner Silva - PeerSpot user
Cloud Security Analyst at a agriculture with 1-10 employees
Verified user of Checkmarx Software Composition Analysis
Apr 3, 2024
Has visual scan analysis feature that shows all libraries' vulnerabilities and license types

Pros

"The tool's visual scan analysis shows me all the libraries' vulnerabilities and license types. It helps identify the most complex issues with licenses. It provides good visibility. SCA shows me all libraries that are vulnerable and the extent of their vulnerability. "

Cons

"Checkmarx Software Composition Analysis should improve dynamic analysis. "

What is our primary use case?

We have the tool integrated into our CI/CD pipeline. 

What is most valuable?

The tool's visual scan analysis shows me all the libraries' vulnerabilities and license types. It helps identify the most complex issues with licenses. It provides good visibility. SCA shows me all libraries that are vulnerable and the extent of their vulnerability.

The tool's most valuable feature is visibility. Not only does it identify vulnerabilities and their severity, but it also provides solutions for fixing them.

The solution's remediation recommendations have been very beneficial in our development process. They provide better visibility into the types of vulnerabilities that can be fixed and offer guidance on addressing them.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (294 words)
PeerSpot user
Penetration Tester & Information Security Expert at a comms service provider with 11-50 employees
Verified user of Checkmarx Software Composition Analysis
Jan 22, 2024
The GUI is excellent, providing detailed information on outdated versions

Pros

"I appreciate the user-friendly interface. The GUI is excellent, providing detailed information on outdated versions, including version numbers and the flow of library calls. This allows me to plan and prioritize library changes based on potential vulnerabilities, even if the affected library is indirectly used in my project. The tool offers specific guidance on addressing these issues. "

Cons

"Personally, I currently use it as a standalone tool without integrating it with other systems, and it meets my needs adequately. As a suggestion, I request on considering to add a "what if" feature to the application. Currently, when the tool identifies issues and suggests updates, if I want to explore different scenarios, I need to prepare another file, turn it into a ZIP, and run the analysis again. It would be more convenient if there was a "what if" option in the GUI. This feature could simulate a run, allowing me to quickly check the impact of changing one or more files or versions without the need for a full rerun."

What is our primary use case?

I use it to check software library versions for potential vulnerabilities.

What is most valuable?

I appreciate the user-friendly interface. The GUI is excellent, providing detailed information on outdated versions, including version numbers and the flow of library calls. This allows me to plan and prioritize library changes based on potential vulnerabilities, even if the affected library is indirectly used in my project. The tool offers specific guidance on addressing these issues.       

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (440 words)