
Installing and Setting up the Checkmarx Kiro Extension

Installing the Extension

The Kiro extension is available on the Open VSX Registry. You can initiate the installation directly from within Kiro.

Notice

Although there is no dedicated Checkmarx plugin for Kiro, the plugin for VS Code version 2.44.0 and above has been tested and is effective for use in Kiro.

Warning

The Checkmarx VS Code extension includes the Checkmarx One Assist feature as part of the Checkmarx One platform experience and should be used by Checkmarx One customers with a Checkmarx One Assist license. The Checkmarx and Checkmarx Developer Assist VS Code extensions are mutually exclusive. To use the Checkmarx extension, ensure that the Checkmarx Developer Assist extension is uninstalled before installation. If you are not a Checkmarx One customer and are trying to install the Checkmarx Developer Assist VS Code extension, see Initial Setup and Configuration.

To install the extension:

  1. Open Kiro.

  2. In the main menu, click on the Extensions icon.

  3. Search for the Checkmarx extension, then click Install for that extension.

    Notice

    Make sure to install version 2.44.0 or above, since older versions don't support Kiro.


    The Checkmarx extension is installed, and the Checkmarx icon appears on the left-side navigation panel.


Setting up the Extension

After installing the plugin, in order to use the Checkmarx One tool you need to configure access to your Checkmarx One account, as described below.

Notice

If you are only using the free KICS Auto Scanning tool and/or the SCA Realtime Scanning tool, then this setup procedure is not relevant. However, for the SCA Realtime Scanning tool, if your environment doesn't have access to the internet, you will need to configure a proxy server in the Settings, under Checkmarx One: Additional Params.

  1. In the Kiro console, in the left-side panel, click the Checkmarx icon.

    The Checkmarx One Authentication sidebar opens.

  2. In the Checkmarx One Authentication sidebar, connect to Checkmarx One either using an API Key or login credentials.

    Important

    In order to use this integration for running an end-to-end flow of scanning a project and viewing results with the minimum required permissions, the API Key or user account should have the role plugin-scanner. Alternatively, they can have at a minimum the out-of-the-box composite role ast-scanner as well as the IAM role default-roles.

    • Login Credentials

      1. Select the OAuth login button.

        The OAuth Log in window opens.

      2. Enter the Base URL of your Checkmarx One environment and the name of your tenant account, then click Log in.

        Notice

        Once you have submitted a base URL and tenant name, it is saved in cache and can be selected for future use (saves up to 10 accounts).

        A confirmation dialog asks for permission to open an external website.

      3. Click on Open to proceed.

        Notice

If you would like to prevent this dialog from opening in the future, click on Configure Trusted Domains and then in the Command Palette click on Trust....

      4. If you are logged in to your account, the system connects automatically. If you are not logged in, your account's login page opens in your browser. Enter your Username and Password, and then your One-Time Password (2FA) to log in.

    • API Key (see Generating an API Key)

      1. Select the API Key login button.

        The API Key Log in window opens.

      2. Enter your Checkmarx One API Key and click Log in.

  3. A Checkmarx welcome page is displayed immediately after a successful login. This page provides a selection box to enable Checkmarx One Assist realtime scanners. If you would like to enable this feature, mark the selection box. Either way, close the window and proceed to the next step.

  4. The Checkmarx One Authentication sidebar will now show that you are logged in.

  5. In the Checkmarx One Results sidebar, click on the more options icon in the top right and select Settings.

  6. In the Additional Params field, you can submit additional CLI params. This can be used to manually submit the base URL and tenant name if there is a problem extracting them from the API Key. It can also be used to add global params such as --debug or --proxy. To learn more about CLI global params, see Global Flags.


Configuring Checkmarx Developer Assist

  1. Verify that your MCP server is connected, as follows:

    1. Select the Kiro icon in the left-side navigation panel.

    2. Under MCP servers, confirm that Checkmarx is connected.

  2. You can optionally adjust the Checkmarx Developer Assist Settings as follows:

    1. Add Additional Params to set up custom configurations, such as proxy servers or to run in debug mode.

    2. Enable/disable specific realtime scanners. By default, all scanners are enabled.

    3. For IaC realtime scanner you can change the container platform used, Docker (default) or Podman.

Troubleshooting MCP Installation

If the automatic installation procedure fails, you can manually configure access to the Checkmarx MCP server using the following procedure.

  1. If it does not already exist, create an mcp.json file at the following location: ${homeDir}\.kiro\settings\mcp.json

  2. Add the "checkmarx" mcp using the following snippet, replacing the placeholders as follows:

    • Checkmarx_one_base_url - The base URL of your Checkmarx One environment.

    • Checkmarx_one_API_key - An API Key for your Checkmarx One account.

      {
        "mcpServers": {
          "checkmarx": {
            "url": "<Checkmarx_one_base_url>/api/security-mcp/mcp",
            "headers": {
              "cx-origin": "Kiro",
              "Authorization": "<Checkmarx_one_API_key>"
            }
          }
        }
      }
  3. Click on the Kiro icon in the left-side navigation, and under MCP servers, confirm that Checkmarx is connected.
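The manual procedure above has two pitfalls in practice: an existing mcp.json that already lists other MCP servers must not be clobbered, and the file ends up holding a Checkmarx One API key in plaintext. The following script is an added example, not Checkmarx or Kiro tooling; it merges the "checkmarx" entry from the snippet above into any existing configuration, rejects the unreplaced placeholder key, and writes the file with owner-only permissions. The https check and the 0600 mode are defensive assumptions of this example, not requirements stated by the page.

```python
"""Merge the Checkmarx MCP server entry into Kiro's mcp.json (added example)."""
import json
import os
from pathlib import Path
from typing import Optional

# Location named in the procedure: ${homeDir}/.kiro/settings/mcp.json
MCP_PATH = Path.home() / ".kiro" / "settings" / "mcp.json"
MCP_ROUTE = "/api/security-mcp/mcp"


def build_checkmarx_server(base_url: str, api_key: str) -> dict:
    """Return the "checkmarx" entry shaped exactly like the page's snippet."""
    if not base_url.startswith("https://"):
        # Assumption of this example: the key travels in a header, so insist on TLS.
        raise ValueError("base URL must use https")
    if not api_key or api_key.startswith("<"):
        raise ValueError("replace the <Checkmarx_one_API_key> placeholder with a real key")
    return {
        "url": base_url.rstrip("/") + MCP_ROUTE,
        "headers": {"cx-origin": "Kiro", "Authorization": api_key},
    }


def merge_mcp_config(existing: Optional[dict], base_url: str, api_key: str) -> dict:
    """Add or replace the checkmarx server while keeping every other server."""
    config = dict(existing or {})
    servers = dict(config.get("mcpServers", {}))
    servers["checkmarx"] = build_checkmarx_server(base_url, api_key)
    config["mcpServers"] = servers
    return config


def write_mcp_config(path: Path, base_url: str, api_key: str) -> dict:
    """Read the file if present, merge, and write it back readable only by the owner."""
    existing = json.loads(path.read_text()) if path.exists() else None
    merged = merge_mcp_config(existing, base_url, api_key)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(merged, indent=2) + "\n")
    os.chmod(path, 0o600)  # the file now contains a Checkmarx One API key
    return merged


if __name__ == "__main__":
    # Constructed sample: an mcp.json that already has an unrelated server.
    current = {"mcpServers": {"other-tool": {"command": "other-tool-mcp"}}}
    merged = merge_mcp_config(current, "https://ast.example.invalid", "cx_example_key")
    print(json.dumps(merged, indent=2))  # both "other-tool" and "checkmarx" are present
```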

Configuring AI Security Champion

AI Security Champion can be used with the Checkmarx One tool as well as with the KICS Realtime Scanning tool. In order to use AI Security Champion you need to integrate the Kiro extension with your OpenAI account.

Notice

If the Global Settings for your account have been configured to use Azure AI instead of OpenAI, then the credentials are submitted on the account level and it is not possible to submit credentials in your IDE for an alternative AI model.

To set up the integration with your OpenAI account:

  1. Go to the Checkmarx extension Settings and select Checkmarx AI Security Champion.

  2. In the Model field, select the GPT model that you are using from the drop-down list.

  3. In the Key field, enter the API key for your OpenAI account.

    Notice

    Follow this link to generate an API key.

The configuration is saved automatically.

Configuring the KICS Realtime Scanning Tool (Optional)

This tool is activated automatically upon installation and no configuration is required.

Notice

It is not necessary to configure the Checkmarx One Authentication settings in order to use the KICS Realtime Scanning feature.

If you would like to customize the scan settings, you can use the following procedure:

  1. In the VS Code console, go to Settings > Extensions > Checkmarx > Checkmarx KICS Auto Scanning.

  2. By default the extension is configured to run a KICS scan whenever an infrastructure file of a supported type is opened or saved. If you would like to disable automatic scanning, deselect the Activate KICS Auto Scanning checkbox.

    Notice

    In this case, you will still be able to trigger scans manually from the command palette.

  3. If you would like to customize the scan parameters, enter the desired flags in the Additional Parameters field. For a list of available options, see Scan Command Options.