A catchy review of Checkmarx not full of wordplay

As part of R&D projects for military contracts, we used Checkmarx to help our engineering team improve information assurance and reduce potential security risks in our software. We specifically used it to scan applications written in PHP. Through the many months of use, we found it often had a very large amount of false-positives but the things it did catch was helpful. We refactored several components, libraries and classes and upgraded some of dependencies to reduce the number of results Checkmarx returned. It never found a truly significant security risk, but we were a team of security experts so I'm rather glad about that. Downsides I did see was that it was completely impossible to get set up locally or through a continuous integration system. This was partially because the way Checkmarx was designed, and partially because the security requirements we held in configuring our development and staging environments made it so. We had to interact with Checkmarx by exporting a zip of our codebase and uploading it, and it was a rather large codebase, so it took awhile to scan. Overall, it was a helpful took, but cumbersome to use.