
Installing and Setting up the Checkmarx VS Code Extension

Installing the Extension

The Visual Studio Code Extension is available on the Visual Studio Code marketplace. You can initiate the installation directly from the Visual Studio Code console.

To install the extension:

  1. Open Visual Studio Code.

  2. In the main menu, click on the Extensions icon.

  3. Search for the Checkmarx One extension, then click Install for that extension.

    Notice

    By default, only release versions are installed. You can click on the down arrow next to Install and select Install Pre-Release Version to get the latest pre-release version. See Automatic Updates - Releases Versions and Pre-Release Versions.

    The Checkmarx One extension is installed and the Checkmarx icon appears in the left-side navigation panel.

Automatic Updates - Releases Versions and Pre-Release Versions

Once you have installed the Checkmarx extension, it is automatically updated to the latest version whenever we create a new release.

Whenever new code is merged in between full releases, we create nightly pre-release versions. You can choose to install a pre-release version. Once you have installed a pre-release version, you will continue to get automatic updates whenever a new pre-release (or release) is created.

To start getting pre-release versions:

  1. In the main menu, click on the Extensions icon.

  2. Search for the Checkmarx extension, then click Switch to Pre-Release Version.

  3. A restart is required to activate the changes.

    Notice

    You can revert at any time to only getting release versions by clicking on Switch to Release Version.

Setting up the Extension

After installing the plugin, in order to use the Checkmarx One Results tool you need to configure access to your Checkmarx One account, as described below.

Notice

If you are only using the free KICS Auto Scanning tool and/or the SCA Realtime Scanning tool, then this setup procedure is not relevant. However, for the SCA Realtime Scanning tool, if your environment doesn't have access to the internet, then you will need to configure a proxy server in the Settings, under Checkmarx One: Additional Params.

  1. In the VS Code console, click on the Checkmarx extension icon and then click on the Open settings button.

    The Checkmarx Settings form opens.

  2. Click on Authentication.

    A new tab opens showing the Checkmarx One Authentication dialog.

  3. Connect to Checkmarx One either using an API Key or your login credentials.

    • Login Credentials

      1. Select the OAuth radio button (default).

      2. Enter the Base URL of your Checkmarx One environment and the name of your tenant account, then click Sign in to Checkmarx.

        Notice

        Once you have submitted a base URL and tenant name, it is saved in cache and can be selected for future use (saves up to 10 accounts).

        A confirmation dialog asks for permission to open an external website.

      3. Click on Open to proceed.

        Notice

        If you would like to prevent this dialog from opening in the future, click on Configure Trusted Domains and then in the Command Palette click on Trust....

      4. If you are logged in to your account, the system connects automatically. If you are not logged in, your account's login page opens in your browser. Enter your Username and Password and then your One-Time Password (2FA) to log in.

    • API Key

      1. Under Checkmarx One settings, in the API Key field, enter your Checkmarx One API Key.

        Notice

        To create an API key, see Generating an API Key.

        The roles (permissions) assigned to the API Key are inherited from the user account that generates the key. Therefore, make sure that you are logged in to an account with the appropriate roles.

        The following are the minimum required roles for accessing the full functionality of the IDE plugins:

        • CxOne composite role ast-scanner

        • IAM role default-roles

  4. Go back to the Settings tab. In the Additional Params field, you can submit additional CLI params. This can be used to manually submit the base URL and tenant name if there is a problem extracting them from the API Key. It can also be used to add global params such as --debug or --proxy. To learn more about CLI global params, see Global Flags.

Activating Checkmarx AI Secure Coding Assistant (ASCA)

If you would like to activate the ASCA scanner, select the Activate ASCA checkbox.

For more information about ASCA, see AI Secure Coding Assistant (ASCA) for VS Code.

Configuring AI Security Champion

AI Security Champion can be used with the Checkmarx One results tool as well as with the KICS Realtime Scanning tool. In order to use AI Security Champion you need to integrate the VS Code extension with your OpenAI account.

Notice

If the Global Settings for your account have been configured to use Azure AI instead of OpenAI, then the credentials are submitted on the account level and it is not possible to submit credentials in your IDE for an alternative AI model.

To set up the integration with your OpenAI account:

  1. Go to the Checkmarx extension Settings and select Checkmarx AI Security Champion.

  2. In the Model field, select from the drop-down list the model of the GPT account that you are using.

  3. In the Key field, enter the API key for your OpenAI account.

    Notice

    Follow this link to generate an API key.

The configuration is saved automatically.

Setting up a Proxy (Optional)

There are three ways to set up a proxy for Checkmarx One in VS Code: using Checkmarx One additional parameters, using VS Code proxy settings (http.proxy), or using your system’s environment variables.

If multiple methods are used, the following order of precedence is applied (from highest precedence to lowest).

  1. Checkmarx One Additional Parameters

  2. VS Code proxy (http.proxy)

  3. HTTPS_PROXY environment variable

  4. HTTP_PROXY environment variable

Setting up a Proxy using Additional Parameters

  1. In the main navigation, click Customize > All settings.

    The Settings window is shown.

  2. In the Settings window, click Tools > Checkmarx One (or search for Checkmarx One in the search box).

    The Checkmarx One VS Code extension configuration settings are shown.

  3. In the Additional parameters section, enter --proxy <proxy_url>, with the proxy_url using the following format http://<proxy_ip>:<port_number>. If authentication is required, then the format should be http://<username>:<password>@<proxy_ip>:<port_number>.

    Notice

    Make sure to include the http:// prefix.

    It is not recommended to pass the username and password in clear text.

  4. Click OK at the bottom of the screen.

Setting up a Proxy Using VS Code Proxy Settings (http.proxy)

  1. In the VS Code console go to File > Preferences > Settings.

  2. In the Settings window search for Proxy.

  3. In the http.proxy field enter your proxy URL using the following format: http://<proxy_ip>:<port_number>. If authentication is required, then the format should be http://<username>:<password>@<proxy_ip>:<port_number>.

    Notice

    Make sure to include the http:// prefix.

    It is not recommended to pass the username and password in clear text.

  4. Optionally, set http.proxySupport to override to ensure all VS Code traffic goes through the proxy.

  5. Restart VS Code.

Setting up a Proxy Variable Using your OS System Environment Variables

In your operating system (e.g., Windows, iOS, Linux, etc.), set up system environment variables for HTTP and/or HTTPS.

  • Create an environment variable for HTTP with the following configuration:

    • In the Name field, enter HTTP_PROXY.

    • In the Value field, enter the value of your proxy address using the following format: http://<proxy_ip>:<port_number>. If authentication is required, then the format should be: http://<username>:<password>@<proxy_ip>:<port_number>.

      Notice

      Make sure to include the http:// prefix.

      It is not recommended to pass the username and password in clear text.

  • Create an environment variable for HTTPS with the following configuration:

    • In the Name field, enter HTTPS_PROXY.

    • In the Value field, enter the value of your proxy address using the following format: https://<proxy_ip>:<port_number>. If authentication is required, then the format should be: https://<username>:<password>@<proxy_ip>:<port_number>.

      Notice

      Make sure to include the https:// prefix.

      It is not recommended to pass the username and password in clear text.
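The precedence order and URL rules from the proxy sections above can be checked before a setting is rolled out. The following is an added example, not code from Checkmarx or the extension: it picks the winning source, flags a missing prefix or embedded credentials, and returns a redacted URL that is safe to log. The function names, the input object shape and the sample addresses are assumptions made for illustration.

```javascript
// Added example, not Checkmarx code. All sample values below are constructed.
// Assumption: the flag appears in Additional Params as "--proxy <url>" or "--proxy=<url>".
function proxyFromAdditionalParams(params) {
  const m = /(?:^|\s)--proxy(?:=|\s+)(\S+)/.exec(params || "");
  return m ? m[1] : null;
}

// Flag the two problems the page warns about and redact any credentials.
function auditProxyUrl(raw) {
  const warnings = [];
  const hasScheme = /^https?:\/\//i.test(raw);
  if (!hasScheme) warnings.push("missing http:// or https:// prefix");
  let parsed;
  try {
    // Parse with a temporary scheme so credentials are still detected.
    parsed = new URL(hasScheme ? raw : "http://" + raw);
  } catch {
    return { redactedUrl: "<unparseable>", warnings: [...warnings, "not a valid URL"] };
  }
  if (parsed.username || parsed.password) {
    warnings.push("credentials embedded in clear text");
    parsed.username = "REDACTED";
    if (parsed.password) parsed.password = "REDACTED";
  }
  const href = hasScheme ? parsed.href : parsed.href.replace(/^http:\/\//, "");
  return { redactedUrl: href, warnings };
}

// Apply the documented precedence, highest first, and audit the winner.
function resolveProxy({ additionalParams, httpProxySetting, env = {} }) {
  const candidates = [
    ["Checkmarx One Additional Parameters", proxyFromAdditionalParams(additionalParams)],
    ["VS Code http.proxy", httpProxySetting],
    ["HTTPS_PROXY", env.HTTPS_PROXY],
    ["HTTP_PROXY", env.HTTP_PROXY],
  ];
  const hit = candidates.find(([, value]) => value && value.trim() !== "");
  if (!hit) return { source: null, redactedUrl: null, warnings: [] };
  return { source: hit[0], ...auditProxyUrl(hit[1].trim()) };
}

// Constructed sample: http.proxy is empty, so HTTPS_PROXY wins over HTTP_PROXY.
console.log(resolveProxy({
  additionalParams: "--debug",
  httpProxySetting: "",
  env: { HTTPS_PROXY: "https://alice:s3cret@10.0.0.7:8443", HTTP_PROXY: "http://10.0.0.8:8080" },
}));
```
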

Configuring the KICS Realtime Scanning Tool (Optional)

This tool is activated automatically upon installation and no configuration is required.

Notice

It is not necessary to configure the Checkmarx One Authentication settings in order to use the KICS Realtime Scanning feature.

If you would like to customize the scan settings, you can use the following procedure:

  1. In the VS Code console, go to Settings > Extensions > Checkmarx > Checkmarx KICS Auto Scanning.

  2. By default the extension is configured to run a KICS scan whenever an infrastructure file of a supported type is opened or saved. If you would like to disable automatic scanning, deselect the Activate KICS Auto Scanning checkbox.

    Notice

    In this case, you will still be able to trigger scans manually from the command palette.

  3. If you would like to customize the scan parameters, enter the desired flags in the Additional Parameters field. For a list of available options, see Scan Command Options.