Skip to main content

Installing and Setting up the Checkmarx Windsurf Extension

Installing the Extension

The Windsurf Extension is available on the Open VSX Registry. You can initiate the installation directly from within Windsurf.

Notice

Although there is no dedicated Checkmarx plugin for Windsurf, the plugin for VS Code has been tested and is effective for use in Windsurf.

Warning

The Checkmarx VS Code extension includes the Checkmarx One Assist feature as part of the Checkmarx One platform experience and should be used by Checkmarx One customers with a Checkmarx One Assist license. The Checkmarx and Checkmarx Developer Assist VS Code extensions are mutually exclusive. To use the Checkmarx extension, ensure that the Checkmarx Developer Assist extension is uninstalled before installation. If you are not a Checkmarx One customer and are trying to install the Checkmarx Developer Assist VS Code extension, see Initial Setup and Configuration.

To install the extension:

  1. Open Windsurf.

  2. In the main menu, click on the Extensions icon.

  3. Search for the Checkmarx extension, then click Install for that extension.

    windsurf.png

    The Checkmarx extension is installed, and the Checkmarx icon appears on the left-side navigation panel.

    windsurficon.png

Setting up the Extension

After installing the plugin, in order to use Checkmarx One Platform tool you need to configure access to your Checkmarx One account, as described below.

Notice

If you are only using the free KICS Auto Scanning tool and/or the SCA Realtime Scanning tool, then this setup procedure is not relevant. However, for SCA Realtime Scanning tool, if your environment doesn't have access to the internet, then you will need to configure a proxy server in the Settings, under Checkmarx One: Additional Params.

  1. In the Windsurf console, click on the Checkmarx extension icon.

    The Checkmarx One Authentication sidebar opens:

    windsurfsidebar.png

  2. In the Checkmarx One Authentication sidebar, connect to Checkmarx One either using an API Key or login credentials.

    Important

    In order to use this integration for running an end-to-end flow of scanning a project and viewing results with the minimum required permissions, the API Key or user account should have the role plugin-scanner. Alternatively, they can have at a minimum the out-of-the-box composite role ast-scanner as well as the IAM role default-roles.

    • Login Credentials

      1. Select the OAuth login button.

        The OAuth Log in window opens.

        OauthLogin.png

      2. Enter the Base URL of your Checkmarx One environment and the name of your tenant account, then click Log in.

        Notice

        Once you have submitted a base URL and tenant name, it is saved in cache and can be selected for future use (saves up to 10 accounts).

        A confirmation dialog asks for permission to open an external website.

      3. Click on Open to proceed.

        Notice

        If you would like to prevent this dialog from opening in the future, click on Configure Trusted Domains and then in the Command Pallete click on Trust....

      4. If you are logged in to your account, the system connects automatically. If you are not logged in, your account's login page opens in your browser. Enter your Username and Password and then your One-Time Password (2FA) to log in.

    • API Key (see Generating an API Key)

      1. Select the API Key login button.

        The API Key Log in window opens.

        ApiKeyLogin.png

      2. Enter your Checkmarx One API Key and click Log in.

  3. The Checkmarx One Authentication sidebar will now show that you are logged in.

    windsurflogin.png

  4. At the top right of the Checkmarx One Authentication sidebar, select the more options icon and click Settings.

    windsurfsettings.png

  5. Navigate to the Checkmarx One settings tab, and in the Additional Params field, you can submit additional CLI params. This can be used to manually submit the base url and tenant name if there is a problem extracting them from the API Key. It can also be used to add global params such as --debug or --proxy. To learn more about CLI globalparams, see Global Flags.

Configuring Checkmarx Developer Assist

  1. Verify that your MCP server is running:

    1. Go to Settings > Windsurf Settings.

    2. Under Cascade, click Open MCP Marketplace, and make sure that the Checkmarx MCP is installed and enabled.

      Image_799.png

  2. You can optionally adjust the Settings for Checkmarx One Assist, as follows:

    1. Add Additional Params to set up custom configuraitions, such as proxy servers or to run in debug mode.

    2. Enable/disable specific realtime scanners. By default, all scanners are enabled.

      Image_1948.png

    3. For IaC realtime scanner you can change the container platform used, Docker (default) or Podman.

Troubleshooting MCP Installation

In case the automatic installation procedure fails. You can manually configure access to the Checkmarx MCP server using the following procedure.

  1. If it does not already exist, create an mcp_config.json file at the following location: ${homeDir}\.codeium\windsurf\mcp_config.json

    Notice

    If you are using windsurf-next, then the file location should be ${homeDir}\.codeium\windsurf-next\mcp_config.json

  2. Add the "checkmarx" mcp using the following snippet, replacing the placeholders as follows:

    • Checkmarx_one_base_url - The base URL of your Checkmarx One environment.

    • Checkmarx_one_API_key - An API Key for your Checkmarx One account.

      {
   "mcpServers":{
      "checkmarx":{
         "url":"<Checkmarx_one_base_url>/api/security-mcp/mcp",
         "headers":{
            "cx-origin":"Windsurf",
            "Authorization":"<Checkmarx_one_API_key>"
         }
      }
   }
}

  3. Go to Settings > Windsurf Settings., and under Cascade, click Open MCP Marketplace. Make sure that the Checkmarx MCP is installed and enabled.

    Image_799.png

Configuring AI Security Champion

AI Security Champion can be used with the Checkmarx One tool as well as with the KICS Realtime Scanning tool. In order to use AI Security Champion you need to integrate the Kiro extension with your OpenAI account.

Notice

If the Global Settings for your account have been configured to use Azure AI instead of OpenAI, then the credentials are submitted on the account level and it is not possible to submit credentials in your IDE for an alternative AI model.

To set up the integration with your OpenAI account:

  1. Go to the Checkmarx extension Settings and select Checkmarx AI Security Champion.

    kiro8.png

  2. In the Model field, select from the drop-down list the model of the GPT account that you are using.

  3. In the Key field, enter the API key for your OpenAI account.

    Notice

    Follow this link to generate an API key.

The configuration is saved automatically.

Configuring the KICS Realtime Scanning Tool (Optional)

This tool is activated automatically upon installation and no configuration is required.

Notice

It is not necessary to configure the Checkmarx One Authentication settings in order to use the KICS Realtime Scanning feature.

If you would like to customize the scan settings, you can use the following procedure:

  1. In the VS Code console, go to Settings > Extensions > Checkmarx > Checkmarx KICS Auto Scanning.

    6466142452.png

  2. By default the extension is configured to run a KICS scan whenever an infrastructure file of a supported type is opened or saved. If you would like to disable automatic scanning, deselect the Activate KICS Auto Scanning checkbox.

    Notice

    In this case, you will still be able to trigger scans manually from the command palette, as described below.

  3. If you would like to customize the scan parameters, enter the desired flags in the Additional Parameters field. For a list of available options, see Scan Command Options.

In this section: