IT Brief Ireland - Technology news for CIOs & IT decision-makers

Archipelo, Checkmarx tie dev context to app security

Fri, 6th Mar 2026

Archipelo and Checkmarx have agreed a technical partnership to link application security vulnerability findings with information captured during software development, including developer identity and workflow signals.

The integration connects Checkmarx's application security testing and application security posture management with Archipelo's Developer Security Posture Management. It provides a combined view of detected vulnerabilities alongside records showing how code changes entered a repository or pipeline.

Application security tools typically flag where vulnerabilities exist and rank them by severity. Many teams still need additional evidence during investigations, often reconstructing which change introduced a weakness and how it moved through the delivery process.

Software development workflows now mix human coding with AI-assisted tools. As a result, security teams and engineering managers increasingly need to identify who initiated a change, whether AI tools were involved, and what conditions applied when the code was produced.

The partnership correlates Checkmarx findings with what Archipelo calls development-origin signals. These include developer identity association, workflow metadata, and code provenance information observed during development. The information can be incorporated into existing application security processes as evidence to review alongside scan results.

Origin evidence

Archipelo positions DevSPM as a discipline that examines observable developer actions during software creation across source control and CI/CD systems. Its platform associates code changes with the developers and AI-assisted workflows that produced them.

Checkmarx provides application security testing and application security posture management to identify and manage risk across development pipelines. Its tools scan code and track vulnerabilities across repositories and build systems.

Together, the companies say the approach is designed to show both the presence of risk and the circumstances that led to its introduction, including the identity connected to a change and the workflow conditions recorded at the time of creation.

Matthew Wise, CEO of Archipelo, said the pairing reduces reliance on retrospective analysis during investigations.

"Vulnerability detection establishes that risk exists," said Matthew Wise, CEO of Archipelo. "Development context shows how the change entered the system - including the identity, actions, and AI-assisted conditions present during creation. The partnership connects these capabilities so remediation decisions are based on originating evidence rather than post-hoc reconstruction."

Operational context

Ori Bendet, VP of Product Management at Checkmarx, said context influences how security teams triage issues and decide what to fix first.

"Organisations need more than vulnerability detection - they need the context required to act quickly and confidently. By combining Checkmarx's application risk insights with Archipelo's development-origin context, security teams gain a clearer understanding of how risk enters the software lifecycle and can prioritize remediation based on operational evidence," said Ori Bendet, VP of Product Management at Checkmarx.

The partnership comes as organisations expand their use of automated code generation and AI coding assistants, increasing focus on provenance, accountability, and workflow governance in software delivery. Security leaders have also sought tighter links between engineering activity and security controls as application risk management moves earlier in the development process.

In practical terms, the combined approach connects scan results with metadata from the development process, including signals indicating which identity initiated a change and what workflow states existed when the code was created. It is intended to give investigators recorded evidence rather than requiring manual reconstruction from commit histories and build logs.

Archipelo and Checkmarx plan to present the approach in a joint webinar.