Checkmarx One Developer Assist

Overview

Checkmarx One Developer Assist empowers developers to identify risks in their code in realtime and harness the power of AI to remediate the risks on the spot. This feature is initially being released as part of the Checkmarx One plugin for the VS Code and Cursor IDEs.

CxOne Assist comprises two main elements:

Realtime Scanning - Identify vulnerabilities in realtime during IDE development of both human-generated and AI-generated code. Our super-fast scanners run in the background whenever you open or edit a relevant file. Our scanners identify vulnerabilities and unmasked secrets in your code. We also identify vulnerable or malicious container images and open source packages used in your project. Results are marked as Problems which are highlighted in the code and annotated with identifying icons.
Agentic-AI Remediation – Initiate an Agentic-AI session to receive remediation suggestions. Checkmarx feeds all relevant info to the AI agent which accesses our MCP server to gather data from our proprietary databases and customized AI models. The AI assistant then uses this data to generate remediated code for your project. You can accept the suggested changes or you can chat with the AI agent to learn more about the vulnerability and fine-tune the remediation suggestion.
Notice
For risks identified by the OSS, Containers and Secret Detection realtime scanners, remediation info is drawn from the Checkmarx MCP server. However, for ASCA and IaC, we currently rely on the the IDEs built-in AI models (Copilot or Cursor).

Realtime Scanning

The following sections describe the various realtime scanners that are included in CxOne Assist.

Warning

Realtime scans provide important feedback to developers in realtime. However, realtime results aren't as comprehensive as those provided by actual Checkmarx One scans. Therefore, it is important to also run complete Checkmarx One scans periodically.

Checkmarx AI Secure Coding Assistant (ASCA) Realtime Scanner

The ASCA scanner enables developers to identify secure coding best practice violations in the file that they are working on as they code. The ASCA scanner is a lightweight scan engine that runs in the background as you work in VS Code. Whenever you edit a file in VS Code the ASCA scanner automatically scans that file. The ASCA scan runs on your local machine as a running process and returns results within milliseconds.

Notice

Editing a file triggers new detection after 1 second of inactivity.

Supported Languages

ASCA currently supports Java, JavaScript (Node.js), C#, and Python.

IaC Realtime Scanner

The IaC Realtime scanner (based on the KICS opens source project powered by Checkmarx) examines configuration definitions and scripts used to instantiate infrastructure to ensure the resulting resources are secure.

A scan runs automatically whenever you edit an infrastructure file of a supported type.

Notice

Editing a file triggers new detection after 1 second of inactivity.

Prerequisites

You must have a supported container engine (e.g., Docker, Podman etc.) installed and running in your environment.

Open Source Realtime Scanner (OSS-Realtime)

Checkmarx’s OSS-Realtime scanner is a lightweight version of our SCA scanner that analyzes your manifest files and quickly identifies risks associated with your open source dependencies. This includes vulnerable packages as well as packages that we have identified as malicious.

Scans are triggered when the developer opens a project in the IDE that includes a manifest file (e.g., package.json, requirements.txt). In addition, whenever the developer adds, moves or edits a manifest file within the IDE the project is re-scanned.

Notice

Editing a file triggers new detection after 1 second of inactivity.

Supported Manifest Files

In the initial phase, the plugin supports the following popular manifest files:

Dotnet: csproj, directory.packages.props, packages.config
Maven: pom.xml
npm: package.json
PyPi: requirements.txt
Go: go.mod

Containers Realtime Scanner

Checkmarx’s Containers Realtime scanner is a lightweight version of our Container Security scanner that analyzes your container images and quickly identifies risks associated with your images and associated packages. This includes images that use vulnerable packages or packages that we have identified as malicious.

Scans are triggered when the developer opens a project in the IDE that includes a container image file (e.g., Dockerfile). In addition, whenever the developer adds, moves or edits an image file within the IDE the project is re-scanned.

Notice

Editing a file triggers new detection after 1 second of inactivity.

Supported File Types

In the initial phase, the plugin supports the following popular image files:

Dockerfile
DockerCompose
Helm chart (limited support)

Checkmarx Secret Detection Realtime Scanner

Checkmarx Secret Detection reduces risk by quickly identifying sensitive credentials that are exposed in your code, enabling your development and security teams to remove and change the discovered secrets. Checkmarx identifies more than 170 different types of login credentials, access tokens, encryption keys, API keys, SSH keys, webhook URLs, and other unsecured sensitive information.

Whenever you edit a file in the IDE, Secret Detection is run on that file.

Notice

Editing a file triggers new detection after 1 second of inactivity.

Secret Detection Rules

The following table shows the list of rules that are used to detect various types of secrets.

Name	Description	Type	Validity Check
adafruit-api-key	Identified a potential Adafruit API Key, which could lead to unauthorized access to Adafruit services and sensitive data exposure.	api-key
adobe-client-id	Detected a pattern that resembles an Adobe OAuth Web Client ID, posing a risk of compromised Adobe integrations and data breaches.	client-id
adobe-client-secret	Discovered a potential Adobe Client Secret, which, if exposed, could allow unauthorized Adobe service access and data manipulation.	client-secret
age secret key	Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information.	secret-key
airtable-api-key	Uncovered a possible Airtable API Key, potentially compromising database access and leading to data leakage or alteration.	api-key
algolia-api-key	Identified an Algolia API Key, which could result in unauthorized search operations and data exposure on Algolia-managed platforms.	api-key
alibaba-access-key-id	Detected an Alibaba Cloud AccessKey ID, posing a risk of unauthorized cloud resource access and potential data compromise.	access-key,access-id	V
alibaba-secret-key	Discovered a potential Alibaba Cloud Secret Key, potentially allowing unauthorized operations and data access within Alibaba Cloud.	secret-key	V
asana-client-id	Discovered a potential Asana Client ID, risking unauthorized access to Asana projects and sensitive task information.	client-id
asana-client-secret	Identified an Asana Client Secret, which could lead to compromised project management integrity and unauthorized access.	client-secret
atlassian-api-token	Detected an Atlassian API token, posing a threat to project management and collaboration tool security and data confidentiality.	api-token
authress-service-client-access-key	Uncovered a possible Authress Service Client Access Key, which may compromise access control services and sensitive data.	access-token
aws-access-token	Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.	access-token
bitbucket-client-id	Discovered a potential Bitbucket Client ID, risking unauthorized repository access and potential codebase exposure.	client-id
bitbucket-client-secret	Discovered a potential Bitbucket Client Secret, posing a risk of compromised code repositories and unauthorized access.	client-secret
bittrex-access-key	Identified a Bittrex Access Key, which could lead to unauthorized access to cryptocurrency trading accounts and financial loss.	access-key
bittrex-secret-key	Detected a Bittrex Secret Key, potentially compromising cryptocurrency transactions and financial security.	secret-key
beamer-api-token	Detected a Beamer API token, potentially compromising content management and exposing sensitive notifications and updates.	api-token
codecov-access-token	Found a pattern resembling a Codecov Access Token, posing a risk of unauthorized access to code coverage reports and sensitive data.	access-token
coinbase-access-token	Detected a Coinbase Access Token, posing a risk of unauthorized access to cryptocurrency accounts and financial transactions.	access-token
clojars-api-token	Uncovered a possible Clojars API token, risking unauthorized access to Clojure libraries and potential code manipulation.	api-token
confluent-access-token	Identified a Confluent Access Token, which could compromise access to streaming data platforms and sensitive data flow.	access-token
confluent-secret-key	Found a Confluent Secret Key, potentially risking unauthorized operations and data access within Confluent services.	secret-key
contentful-delivery-api-token	Discovered a Contentful delivery API token, posing a risk to content management systems and data integrity.	api-token
databricks-api-token	Uncovered a Databricks API token, which may compromise big data analytics platforms and sensitive data processing.	api-token
datadog-access-token	Detected a Datadog Access Token, potentially risking monitoring and analytics data exposure and manipulation.	access-token,client-id
defined-networking-api-token	Identified a Defined Networking API token, which could lead to unauthorized network operations and data breaches.	api-token
digitalocean-pat	Discovered a DigitalOcean Personal Access Token, posing a threat to cloud infrastructure security and data privacy.	access-token
digitalocean-access-token	Found a DigitalOcean OAuth Access Token, risking unauthorized cloud resource access and data compromise.	access-token
digitalocean-refresh-token	Uncovered a DigitalOcean OAuth Refresh Token, which could allow prolonged unauthorized access and resource manipulation.	refresh-token
discord-api-token	Detected a Discord API key, potentially compromising communication channels and user data privacy on Discord.	api-key,api-token
discord-client-id	Identified a Discord client ID, which may lead to unauthorized integrations and data exposure in Discord applications.	client-id
discord-client-secret	Discovered a potential Discord client secret, risking compromised Discord bot integrations and data leaks.	client-secret
doppler-api-token	Discovered a Doppler API token, posing a risk to environment and secrets management security.	api-token
dropbox-api-token	Identified a Dropbox API secret, which could lead to unauthorized file access and data breaches in Dropbox storage.	api-token
dropbox-short-lived-api-token	Discovered a Dropbox short-lived API token, posing a risk of temporary but potentially harmful data access and manipulation.	api-token
dropbox-long-lived-api-token	Found a Dropbox long-lived API token, risking prolonged unauthorized access to cloud storage and sensitive data.	api-token
droneci-access-token	Detected a Droneci Access Token, potentially compromising continuous integration and deployment workflows.	access-token
duffel-api-token	Uncovered a Duffel API token, which may compromise travel platform integrations and sensitive customer data.	api-token
dynatrace-api-token	Detected a Dynatrace API token, potentially risking application performance monitoring and data exposure.	api-token
easypost-api-token	Identified an EasyPost API token, which could lead to unauthorized postal and shipment service access and data exposure.	api-token
easypost-test-api-token	Detected an EasyPost test API token, risking exposure of test environments and potentially sensitive shipment data.	api-token
etsy-access-token	Found an Etsy Access Token, potentially compromising Etsy shop management and customer data.	access-token
facebook	Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.	api-token
fastly-api-token	Uncovered a Fastly API key, which may compromise CDN and edge cloud services, leading to content delivery and security issues.	api-token,api-key
finicity-client-secret	Identified a Finicity Client Secret, which could lead to compromised financial service integrations and data breaches.	client-secret
finicity-api-token	Detected a Finicity API token, potentially risking financial data access and unauthorized financial operations.	api-token
flickr-access-token	Discovered a Flickr Access Token, posing a risk of unauthorized photo management and potential data leakage.	access-token
finnhub-access-token	Found a Finnhub Access Token, risking unauthorized access to financial market data and analytics.	access-token
flutterwave-public-key	Detected a Finicity Public Key, potentially exposing public cryptographic operations and integrations.	public-key
flutterwave-secret-key	Identified a Flutterwave Secret Key, risking unauthorized financial transactions and data breaches.	secret-key
flutterwave-encryption-key	Uncovered a Flutterwave Encryption Key, which may compromise payment processing and sensitive financial information.	encryption-key
frameio-api-token	Found a Frame.io API token, potentially compromising video collaboration and project management.	api-token
freshbooks-access-token	Discovered a Freshbooks Access Token, posing a risk to accounting software access and sensitive financial data exposure.	access-token
gcp-api-key	Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.	api-key	V
generic-api-key	Detected a Generic API Key, potentially exposing access to various services and sensitive operations.	api-key
github-pat	Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.	access-token	V
github-fine-grained-pat	Found a GitHub Fine-Grained Personal Access Token, risking unauthorized repository access and code manipulation.	access-token	V
github-oauth	Discovered a GitHub OAuth Access Token, posing a risk of compromised GitHub account integrations and data leaks.	access-token
github-app-token	Identified a GitHub App Token, which may compromise GitHub application integrations and source code security.	access-token
github-refresh-token	Detected a GitHub Refresh Token, which could allow prolonged unauthorized access to GitHub services.	refresh-token
gitlab-pat	Identified a GitLab Personal Access Token, risking unauthorized access to GitLab repositories and codebase exposure.	access-token	V
gitlab-ptt	Found a GitLab Pipeline Trigger Token, potentially compromising continuous integration workflows and project security.	trigger-token
gitlab-rrt	Discovered a GitLab Runner Registration Token, posing a risk to CI/CD pipeline integrity and unauthorized access.	registration-token
gitter-access-token	Uncovered a Gitter Access Token, which may lead to unauthorized access to chat and communication services.	access-token
gocardless-api-token	Detected a GoCardless API token, potentially risking unauthorized direct debit payment operations and financial data exposure.	api-token
grafana-api-key	Identified a Grafana API key, which could compromise monitoring dashboards and sensitive data analytics.	api-key
grafana-cloud-api-token	Found a Grafana cloud API token, risking unauthorized access to cloud-based monitoring services and data exposure.	api-token
grafana-service-account-token	Discovered a Grafana service account token, posing a risk of compromised monitoring services and data integrity.	access-token
hashicorp-tf-api-token	Uncovered a HashiCorp Terraform user/org API token, which may lead to unauthorized infrastructure management and security breaches.	api-token
hashicorp-tf-password	Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches.	password
heroku-api-key	Detected a Heroku API Key, potentially compromising cloud application deployments and operational security.	api-key
hubspot-api-key	Found a HubSpot API Token, posing a risk to CRM data integrity and unauthorized marketing operations.	api-token,api-key
huggingface-access-token	Discovered a Hugging Face Access token, which could lead to unauthorized access to AI models and sensitive data.	access-token
huggingface-organization-api-token	Uncovered a Hugging Face Organization API token, potentially compromising AI organization accounts and associated data.	api-token
infracost-api-token	Detected an Infracost API Token, risking unauthorized access to cloud cost estimation tools and financial data.	api-token
intercom-api-key	Identified an Intercom API Token, which could compromise customer communication channels and data privacy.	api-token,api-key
jfrog-api-key	Found a JFrog API Key, posing a risk of unauthorized access to software artifact repositories and build pipelines.	api-key
jfrog-identity-token	Discovered a JFrog Identity Token, potentially compromising access to JFrog services and sensitive software artifacts.	access-token
jwt	Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.	access-token
jwt-base64	Detected a Base64-encoded JSON Web Token, posing a risk of exposing encoded authentication and data exchange information.	access-token
kraken-access-token	Identified a Kraken Access Token, potentially compromising cryptocurrency trading accounts and financial security.	access-token
kucoin-access-token	Found a Kucoin Access Token, risking unauthorized access to cryptocurrency exchange services and transactions.	access-token
kucoin-secret-key	Discovered a Kucoin Secret Key, which could lead to compromised cryptocurrency operations and financial data breaches.	secret-key
launchdarkly-access-token	Uncovered a Launchdarkly Access Token, potentially compromising feature flag management and application functionality.	access-token
linear-api-key	Detected a Linear API Token, posing a risk to project management tools and sensitive task data.	api-token,api-key
linear-client-secret	Identified a Linear Client Secret, which may compromise secure integrations and sensitive project management data.	client-secret
linkedin-client-id	Found a LinkedIn Client ID, risking unauthorized access to LinkedIn integrations and professional data exposure.	client-id
linkedin-client-secret	Discovered a LinkedIn Client secret, potentially compromising LinkedIn application integrations and user data.	client-secret
lob-api-key	Uncovered a Lob API Key, which could lead to unauthorized access to mailing and address verification services.	api-key
lob-pub-api-key	Detected a Lob Publishable API Key, posing a risk of exposing mail and print service integrations.	api-key
mailchimp-api-key	Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data.	api-key
mailgun-pub-key	Discovered a Mailgun public validation key, which could expose email verification processes and associated data.	public-key
mailgun-private-api-token	Found a Mailgun private API token, risking unauthorized email service operations and data breaches.	private-key
mailgun-signing-key	Uncovered a Mailgun webhook signing key, potentially compromising email automation and data integrity.	api-key
mapbox-api-token	Detected a MapBox API token, posing a risk to geospatial services and sensitive location data exposure.	api-token
mattermost-access-token	Identified a Mattermost Access Token, which may compromise team communication channels and data privacy.	access-token
messagebird-api-token	Found a MessageBird API token, risking unauthorized access to communication platforms and message data.	api-token
messagebird-client-id	Discovered a MessageBird client ID, potentially compromising API integrations and sensitive communication data.	client-id
netlify-access-token	Detected a Netlify Access Token, potentially compromising web hosting services and site management.	access-token
new-relic-user-api-key	Discovered a New Relic user API Key, which could lead to compromised application insights and performance monitoring.	api-key
new-relic-user-api-id	Found a New Relic user API ID, posing a risk to application monitoring services and data integrity.	access-id
new-relic-browser-api-token	Identified a New Relic ingest browser API token, risking unauthorized access to application performance data and analytics.	api-token
npm-access-token	Uncovered an npm access token, potentially compromising package management and code repository access.	access-token
nytimes-access-token	Detected a Nytimes Access Token, risking unauthorized access to New York Times APIs and content services.	access-token
okta-access-token	Identified an Okta Access Token, which may compromise identity management services and user authentication data.	access-token
openai-api-key	Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.	api-key
plaid-client-id	Uncovered a Plaid Client ID, which could lead to unauthorized financial service integrations and data breaches.	client-id
planetscale-password	Discovered a PlanetScale password, which could lead to unauthorized database operations and data breaches.	password
planetscale-api-token	Identified a PlanetScale API token, potentially compromising database management and operations.	api-token
planetscale-oauth-token	Found a PlanetScale OAuth token, posing a risk to database access control and sensitive data integrity.	access-token
postman-api-token	Uncovered a Postman API token, potentially compromising API testing and development workflows.	api-token
prefect-api-token	Detected a Prefect API token, risking unauthorized access to workflow management and automation services.	api-token
private-key	Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.	private-key
pulumi-api-token	Found a Pulumi API token, posing a risk to infrastructure as code services and cloud resource management.	api-token
pypi-upload-token	Discovered a PyPI upload token, potentially compromising Python package distribution and repository integrity.	upload-token
rapidapi-access-token	Uncovered a RapidAPI Access Token, which could lead to unauthorized access to various APIs and data services.	access-token
readme-api-token	Detected a Readme API token, risking unauthorized documentation management and content exposure.	api-token
rubygems-api-token	Identified a Rubygem API token, potentially compromising Ruby library distribution and package management.	api-token
sendbird-access-id	Discovered a Sendbird Access ID, which could compromise chat and messaging platform integrations.	access-id
sendbird-access-token	Uncovered a Sendbird Access Token, potentially risking unauthorized access to communication services and user data.	access-token
sendgrid-api-token	Detected a SendGrid API token, posing a risk of unauthorized email service operations and data exposure.	api-token
sendinblue-api-token	Identified a Sendinblue API token, which may compromise email marketing services and subscriber data privacy.	api-token
sentry-access-token	Found a Sentry Access Token, risking unauthorized access to error tracking services and sensitive application data.	access-token
shippo-api-token	Discovered a Shippo API token, potentially compromising shipping services and customer order data.	api-token
shopify-access-token	Uncovered a Shopify access token, which could lead to unauthorized e-commerce platform access and data breaches.	access-token
shopify-custom-access-token	Detected a Shopify custom access token, potentially compromising custom app integrations and e-commerce data security.	access-token
shopify-private-app-access-token	Identified a Shopify private app access token, risking unauthorized access to private app data and store operations.	access-token
shopify-shared-secret	Found a Shopify shared secret, posing a risk to application authentication and e-commerce platform security.	public-secret
sidekiq-secret	Discovered a Sidekiq Secret, which could lead to compromised background job processing and application data breaches.	secret-key
sidekiq-sensitive-url	Uncovered a Sidekiq Sensitive URL, potentially exposing internal job queues and sensitive operation details.	sensitive-url
slack-bot-token	Identified a Slack Bot token, which may compromise bot integrations and communication channel security.	access-token
slack-app-token	Detected a Slack App-level token, risking unauthorized access to Slack applications and workspace data.	access-token
slack-legacy-token	Detected a Slack Legacy token, risking unauthorized access to older Slack integrations and user data.	access-token
slack-user-token	Found a Slack User token, posing a risk of unauthorized user impersonation and data access within Slack workspaces.	access-token
slack-config-access-token	Found a Slack Configuration access token, posing a risk to workspace configuration and sensitive data access.	access-token
slack-config-refresh-token	Discovered a Slack Configuration refresh token, potentially allowing prolonged unauthorized access to configuration settings.	refresh-token
slack-legacy-bot-token	Uncovered a Slack Legacy bot token, which could lead to compromised legacy bot operations and data exposure.	access-token
slack-legacy-workspace-token	Identified a Slack Legacy Workspace token, potentially compromising access to workspace data and legacy features.	access-token
slack-webhook-url	Discovered a Slack Webhook, which could lead to unauthorized message posting and data leakage in Slack channels.	webhook
stripe-access-token	Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.	access-token
square-access-token	Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.	access-token
squarespace-access-token	Identified a Squarespace Access Token, which may compromise website management and content control on Squarespace.	access-token
sumologic-access-token	Uncovered a SumoLogic Access Token, which could lead to unauthorized access to log data and analytics insights.	access-token
snyk-api-token	Uncovered a Snyk API token, potentially compromising software vulnerability scanning and code security.	api-key
microsoft-teams-webhook	Uncovered a Microsoft Teams Webhook, which could lead to unauthorized access to team collaboration tools and data leaks.	webhook
telegram-bot-api-token	Detected a Telegram Bot API Token, risking unauthorized bot operations and message interception on Telegram.	api-token
travisci-access-token	Identified a Travis CI Access Token, potentially compromising continuous integration services and codebase security.	access-token
twilio-api-key	Found a Twilio API Key, posing a risk to communication services and sensitive customer interaction data.	api-key
twitch-api-token	Discovered a Twitch API token, which could compromise streaming services and account integrations.	api-token
twitter-api-key	Identified a Twitter API Key, which may compromise Twitter application integrations and user data security.	api-key
twitter-api-secret	Found a Twitter API Secret, risking the security of Twitter app integrations and sensitive data access.	api-key
twitter-access-token	Detected a Twitter Access Token, posing a risk of unauthorized account operations and social media data exposure.	access-token
twitter-access-secret	Uncovered a Twitter Access Secret, potentially risking unauthorized Twitter integrations and data breaches.	public-secret
twitter-bearer-token	Discovered a Twitter Bearer Token, potentially compromising API access and data retrieval from Twitter.	api-token
typeform-api-token	Uncovered a Typeform API token, which could lead to unauthorized survey management and data collection.	api-token
vault-batch-token	Detected a Vault Batch Token, risking unauthorized access to secret management services and sensitive data.	api-token
vault-service-token	Identified a Vault Service Token, potentially compromising infrastructure security and access to sensitive credentials.	api-token
yandex-api-key	Discovered a Yandex API Key, which could lead to unauthorized access to Yandex services and data manipulation.	api-key
yandex-aws-access-token	Uncovered a Yandex AWS Access Token, potentially compromising cloud resource access and data security on Yandex Cloud.	access-token
yandex-access-token	Found a Yandex Access Token, posing a risk to Yandex service integrations and user data privacy.	access-token
zendesk-secret-key	Detected a Zendesk Secret Key, risking unauthorized access to customer support services and sensitive ticketing data.	secret-key
authenticated-url	Identify username:password inside URLS	sensitive-url

Cx Assist Agentic-AI Remediation

When the user initiates a remediation action for a risk, a session is opened with the IDE’s AI assistant (GitHub Copilot for VS Code or the local AI in Cursor). Checkmarx gathers all relevant data about the risk and submits it to the AI assistant. For supported risk types, the AI assistant sends a request to our MCP which applies the relevant tools and returns a response with suggested remediation steps. The AI assistant implements the changes and offers the user the option to accept the changes or continue a chat session to refine the remediation.

Remediating Vulnerable or Malicious Images and Packages

Remediation for OSS and Container risks is done by identifying the best non-vulnerable package that provides the same functionality as the vulnerable package. When our proprietary databases indicate that a remediated version of the current package is available, the remediated version that is closest to the current version is used. When no remediated version is available, our MCP server uses a dedicated AI tool to identify alternative packages that provide equivalent functionality.

Notice

Our MCP tool for identifying non-vulnerable versions is supported both for OSS and Containers. However, the MCP tool for finding alternative packages is not supported for containers.

When the change in version or package requires refactoring of your code, the AI assistant helps you to make those changes.

Remediation Logic

The following tables describe the logic of the remediation response for various cases.

Case	Response
Package has non-vulnerable version	Secure version of the same package. Suggest that the user apply changes and help with fixing code if there were breaking changes.
Package has no completely non-vulnerable version, but has a more secure one	Suggest the most secure version of the same package List alternative packages
Package has no non-vulnerable version, and no more secure version	List alternative packages
Package has no completely non-vulnerable version, but has a more secure one	Suggest the most secure version of the same package Offer user if they want to run a web search, with a warning that it’s his own responsibility to check the security and relevance of the results.
Package has no non-vulnerable version, and not more secured version	Offer user if they want to run a web search, with a warning that it’s his own responsibility to check the security and relevance of the results.

Case	Response
Package has non-vulnerable and non-malicious version	Secure version of the same package. Suggest that the user apply changes and help with fixing code if there were breaking changes.
Package has non-malicious but vulnerable version	Suggest the most secure version of the same package List alternative packages
Package has no non-malicious version	List alternative packages
Package has no non-malicious version	Offer user if they want to run a web search, with a warning that it’s his own responsibility to check the security and relevance of the results.

Remediating Exposed Secrets

Remediation is done by removing the hard coded secret from the code and replacing it with an Environment Variable that can be used to store the secret in a secure manner.

Remediating ASCA and IaC Vulnerabilities

For vulnerabilities in your code that were identified by the ASCA or IaC Realtime scanners, remediation is done by sending a customized prompt including all relevant data about the vulnerability instance to your IDEs AI assistant (Copilot or Cursor). The AI assistant then provides a remediated snippet that can be used in your code.

Notice

These realtime scanners do not currently make use of the Checkmarx MCP server.

Initial Setup and Configuration

Prerequisites

A Checkmarx One account with AI Protection license
You have access to Checkmarx One via:
- an API Key (see Generating an API Key), OR
- login credentials (Base URL, Tenant name, Username and Password)
The Checkmarx MCP must be activated for your tenant account. This is done in the Checkmarx One web application (UI) on the Settings > Plugins page. This must be done by an account admin.
VS Code users must have GitHub Copilot installed

Installing and Configuring the Plugin

Notice

If there is a problem with the automatic installation, check the troubleshooting section below.

Install the Checkmarx extension in your VS Code or Cursor IDE, as described in the following articles:
- Installing the VS Code Extension
- Installing Cursor
Log in to the Checkmarx plugin and set it up for use, as described in the following articles:
- Setting up the VS Code Extension
- Setting up Cursor
Go to the Checkmarx One settings and select CxOne Assist settings.
Make sure that the desired CxOne Assist checkboxes are selected.
If MCP is activated on the tenant level, then these should be selected by default. You can deselect any scanners that you don't want to run.
For the IaC Realtime scanner, select the Containers Management Tool used in your environment. Options are docker or podman.
Click on Install MCP.
The Checkmarx MCP is added to your mcp.json file.
If the process doesn't start automatically, you may need to open the file and click Start.

AI Remediation

How to Remediate Risks Using AI

When Checkmarx realtime scanners identify a risk, it is flagged as a Problem, which is marked in the code with a squiggly underline and annotated in the margin with an icon that indicates the type of risk.
Hover over the vulnerable line of code.
The Checkmarx dialog opens.
Click on Fix with CxOne Assist.
A Copilot session opens in the side panel and all relevant info is sent for analysis.
Notice
Depending on your IDE configuration, you may need to click Continue several times in order to complete the process.
Copilot automatically makes the necessary changes in the code in order to remediate the risk.
- If you approve the change, click Accept.
  The change is made and the code is rescanned to verify that the risk is no longer present.
- If you want to improve on the suggestion, click Undo. You can then chat with Copilot to determine the best way of remediating the code.

Ignoring packages

You can mark a risk as Ignore, so that that risks will not be shown in your IDE. This can be applied to a specific instance of a risk or it can be applied to all instances of that risk in your project. You can revive the risk at any time to resume showing risks for that package.

Notice

For risks identified in open source packages, a risk instance refers to the entire package that the vulnerability is associated with.

To Ignore a risk

When Checkmarx realtime scanners identify a risk, it is flagged as a Problem, which is marked in the code with a squiggly underline and annotated in the margin with an icon that indicates the type of risk.
Hover over the vulnerable line of code.
The Checkmarx dialog opens.
To ignore the risk in this particular instance, click on Ignore this vulnerability.
To ignore all instances of the risk, click on Ignore all of this type.

To revive a package:

Click on the Ignore icon in the bottom bar.
The Ignor Vulnerabilities tab opens.
For the desired vulnerabilitiy click on the Revive button.
Notice
This can also be done as a bulk action for all selected items.

Troubleshooting - Manually Configuring the MCP Server

In case the automatic procedure fails. You can manually configure access to the Checkmarx MCP server using the appropriate procedure below, according to your IDE.

Configuring VS Code

Open VS Code Settings.
Search for MCP settings.
In the MCP section, click on the link to open the settings.json file.
Add the following snippet for the Checkmarx MCP server to the file, replacing the placeholders as follows:
- Checkmarx_one_base_url - The base url of your Checkmarx One environment.
- Checkmarx_one_API_key - An API for your Checkmarx One account.

"mcp": {  
    "servers": {
       "checkmarx": {
          "url": "<Checkmarx_one_base_url>/api/security-mcp/mcp",
          "headers": {
              "cx-origin": "VS Code",
              "Authorization": "<Checkmarx_one_API_key>"
          }
      },
}
}

Configuring Cursor

Open Cursor Settings.
Select Tools & Integrations.
Under MCP Tools, click on New MCP Server.
The mcp.json file opens.
Add the following snippet for the Checkmarx MCP server to the file, replacing the placeholders as follows:
- Checkmarx_one_base_url - The base url of your Checkmarx One environment.
- Checkmarx_one_API_key - An API for your Checkmarx One account.

{
"mcpServers": {  
       "checkmarx": {
          "url": "<Checkmarx_one_base_url>/api/security-mcp/mcp",
          "headers": {
              "cx-origin": "Cursor",
              "Authorization": "<Checkmarx_one_API_key>"
          }
      },
}
}

In this section:

Checkmarx One Developer Assist

Overview

Notice

Realtime Scanning

Warning

Checkmarx AI Secure Coding Assistant (ASCA) Realtime Scanner

Notice

Supported Languages

IaC Realtime Scanner

Notice

Prerequisites

Open Source Realtime Scanner (OSS-Realtime)

Notice

Supported Manifest Files

Containers Realtime Scanner

Notice

Supported File Types

Checkmarx Secret Detection Realtime Scanner

Notice

Secret Detection Rules

Cx Assist Agentic-AI Remediation

Remediating Vulnerable or Malicious Images and Packages

Notice

Remediation Logic

Remediating Exposed Secrets

Remediating ASCA and IaC Vulnerabilities

Notice

Initial Setup and Configuration

Prerequisites

Installing and Configuring the Plugin

Notice

AI Remediation

How to Remediate Risks Using AI

Notice

Ignoring packages

Notice

Notice

Troubleshooting - Manually Configuring the MCP Server

Configuring VS Code

Configuring Cursor

Search results