Checkmarx is a long-standing company with its roots in SAST. It is recognized as a Leader in the Gartner Application Security Testing Magic Quadrant.
Comparison to GitLab
Although Checkmarx has a more mature SAST offering, GitLab offers a much broader range of security testing capabilities, including DAST and fuzz testing. GitLab’s capabilities come integrated with the rest of GitLab out of the box and do not require any special integration to shift the workflow left to the development team. GitLab customers report that GitLab generally has a better false positive rate than Checkmarx, which saves time when trying to find the true vulnerabilities that really matter. Checkmarx’s established position in the security market and deep SAST capabilities are offset by GitLab’s lower price point and tighter integration with the rest of the software development lifecycle.
The Checkmarx vision is closest to GitLab among the AppSec vendors, but because they must integrate into the rest of the SDLC via APIs, their path toward execution is more limited. Also, like the other AppSec vendors, Checkmarx is expensive. It is priced per developer with a rough estimate of 12 Developers for $59k USD per year or 50 Developers for $99k USD per year. Checkmarx uses Whitesource for dependency scanning and charges an extra $12k USD per year for this open source scanning.
Checkmarx excels in that it is context-aware, meaning it can mark a finding as not exploitable based on the code path. GitLab lacks this capability. On the other hand, GitLab automatically includes broad security scanning with every code commit, including Static and Dynamic Application Security Testing, along with dependency scanning, container scanning, and license compliance. All of this is part of the single GitLab Ultimate application.