
Checkmarx Developer Assist - JetBrains Plugin

Caution

Currently this tool is bundled with the Checkmarx One JetBrains plugin. Soon it will be released as a standalone plugin, similar to the Checkmarx Developer Assist extension for VS Code.

Overview

Checkmarx Developer Assist delivers context-aware security guidance directly within your IDE, helping prevent vulnerabilities before they reach the pipeline. As developers write or refine AI-generated and existing code, it provides real-time detection, remediation, and actionable insights—ensuring security is built in from the start.

Checkmarx Developer Assist comprises two main elements:

  • Realtime Scanning - Identify vulnerabilities in realtime during IDE development of both human-generated and AI-generated code. Our super-fast scanners run in the background whenever you edit a relevant file. Our scanners identify vulnerabilities and unmasked secrets in your code. We also identify vulnerable or malicious container images and open source packages used in your project. Results are marked as Problems which are highlighted in the code and annotated with identifying icons.

  • Agentic-AI Remediation – Initiate an Agentic-AI session to receive remediation suggestions. Checkmarx feeds all relevant info to the AI agent which accesses our Model Context Protocol (MCP) server to gather data from our proprietary databases and customized AI models. The AI assistant then uses this data to generate remediated code for your project. You can accept the suggested changes or you can chat with the AI agent to learn more about the vulnerability and fine-tune the remediation suggestion.

In order to help you focus on actionable risks, Checkmarx Developer Assist enables marking risks as Ignore, so that the risks will no longer be shown in your IDE. You can Revive a risk at any time to resume showing that risk.

About Model Context Protocol (MCP) Server

The Checkmarx MCP Server is a secure gateway that bridges AI-powered development assistants with the Checkmarx security platform. It defines the tools and APIs that allow AI agents — such as GitHub Copilot, Cursor AI, or Windsurf AI — to interact safely with Checkmarx’s cloud services directly from within the IDE.

Once the developer successfully authenticates in the IDE, the MCP Service is automatically installed. It can also be installed manually if required. For installation and configuration instructions, see below.

What is MCP?

Model Context Protocol (MCP) is an emerging open standard that enables communication between AI agents and external systems in a structured, secure, and context-aware way. By adopting MCP, Checkmarx ensures that any IDE-integrated AI assistant can securely access Checkmarx engines and services — including SAST, SCA, IaC, and API Security — through a unified interface.

Why Checkmarx Chose MCP

Checkmarx selected the MCP standard as the foundation for our agentic architecture because it provides:

  • Interoperability: MCP is vendor-neutral and supported by a growing ecosystem of AI tools. It allows Checkmarx to connect seamlessly with multiple AI assistants and IDEs using a consistent communication layer.

  • Security and Governance: MCP enforces strict access control and contextual awareness, ensuring that only the right data is exposed to the AI agent under the right conditions. This aligns with enterprise-grade compliance and governance models.

  • Scalability: The protocol supports multi-agent environments where different AI assistants operate across complex enterprise setups, making it ideal for large-scale deployments.

  • Future-readiness: As new IDEs and AI tools adopt MCP, Checkmarx can easily integrate without changing the underlying architecture — ensuring long-term compatibility and innovation flexibility.

How it Works

Once enabled, the Checkmarx MCP Server:

  1. Authenticates the developer’s IDE session with Checkmarx.

  2. Exposes the available Checkmarx tools and capabilities (e.g., code scanning, remediation, policy enforcement) as AI-accessible functions.

  3. Allows the AI assistant to invoke these tools securely, analyze code, and propose context-aware fixes directly in the IDE.

This creates a secure, AI-augmented development experience — where Checkmarx intelligence powers real-time risk identification and remediation during coding.

See below for additional details as well as instructions for installing and using the MCP server as part of Checkmarx Dev Assist.

Developer Assist Data Security FAQ

Realtime Scanning

Realtime scans run automatically as you work in your IDE. The following is a list of scan triggers:

  • As soon as you open the workspace, the SCA scanner scans the manifest files.

  • When you open any artifact that is supported for real-time scanners it is scanned by the relevant scanner.

  • When you edit any supported artifact.

  • When you save a supported file to an external location.

  • When you use an AI assistant (e.g. Copilot), to make changes to a supported file.

The following sections describe the various realtime scanners that are included in Checkmarx Dev Assist.

Checkmarx AI Secure Coding Assistant (ASCA) Realtime Scanner

The ASCA is a lightweight source code scanner that enables developers to identify secure coding best practice violations in the file that they are working on as they code. The ASCA scanner runs in the background as you work in your IDE. Unlike SAST engines that scan entire projects and analyze complex source code flows, ASCA focuses on individual files and short code snippets, including AI-generated code.

Whenever you edit a file in your IDE the ASCA scanner automatically scans that file. The ASCA scan runs on your local machine as a running process and returns results within milliseconds.

Notice

Editing a file triggers new detection after 1 second of inactivity.

Supported Languages

ASCA currently supports Java, JavaScript (Node.js), C#, Go and Python.

IaC Realtime Scanner

The IaC Realtime scanner (based on the KICS open source project powered by Checkmarx) examines configuration definitions and scripts used to instantiate infrastructure to ensure the resulting resources are secure.

A scan runs automatically whenever you edit an infrastructure file of a supported type.

Notice

Editing a file triggers new detection after 1 second of inactivity.

Prerequisites

  • You must have a supported container engine (e.g., Docker, Podman etc.) installed and running in your environment.

Open Source Realtime Scanner (OSS-Realtime)

Checkmarx’s OSS-Realtime scanner is a lightweight version of our SCA scanner that analyzes your manifest files and quickly identifies risks associated with your open source dependencies. This includes vulnerable packages as well as packages that we have identified as malicious.

Scans are triggered when the developer opens a project in the IDE that includes a manifest file (e.g., package.json, requirements.txt). In addition, whenever the developer adds, moves or edits a manifest file within the IDE the project is re-scanned.

Notice

Editing a file triggers new detection after 1 second of inactivity.

Supported Manifest Files

In the initial phase, the plugin supports the following popular manifest files:

  • Dotnet: csproj, directory.packages.props, packages.config

  • Maven: pom.xml

  • npm: package.json

  • PyPI: requirements.txt

  • Go: go.mod

Known Limitations

  • Identifies vulnerabilities only in direct packages, not in transitive dependencies.

  • Many package managers use custom version specifiers (e.g., ^, ~, *, etc.) to indicate which version to use. The OSS scanner does not support these characters. Aside from the cases listed below, when it encounters these characters the scanner defaults to analyzing the "latest" version of the package. Similarly, when no version is provided, the scanner defaults to "latest".

    Exceptions:

    • NPM - If a package-lock.json file is provided, we get the actual version from that file. If package-lock.json does not exist, run npm install to generate it.

    • Python - If the version includes a comment after it, the comment will be removed and only the specific version will be used. For example: requests==2.25.1  # my comment

    • Maven -

      • If the version is defined via a property, it will be retrieved from the properties.

      • If the version is empty, the resolved version from <dependencyManagement> will be used.
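The version-resolution rules above (exact pins are used, trailing comments are stripped for Python, npm range specifiers fall back to "latest" unless a package-lock.json supplies the installed version) modelled as a small resolver. This is an added illustration of the documented behaviour, not the Checkmarx scanner's own code; the manifest contents are constructed samples, and the lock-file layout assumed is the lockfileVersion 2/3 "packages" map.

```python
import json
import re

# Constructed sample manifests (not from the Checkmarx docs).
REQUIREMENTS_TXT = """\
requests==2.25.1  # my comment
flask>=2.0
django
"""
PACKAGE_JSON = json.dumps({"dependencies": {
    "lodash": "^4.17.20", "express": "4.18.2", "left-pad": "*"}})
# Assumed lockfileVersion 2/3 layout: "packages" keyed by node_modules path.
PACKAGE_LOCK_JSON = json.dumps({"packages": {
    "node_modules/lodash": {"version": "4.17.21"}}})

NPM_RANGE_CHARS = set("^~*<>=x|")   # characters the scanner does not resolve


def resolve_pypi(requirements_text):
    """Map package name -> version per the documented rules for requirements.txt."""
    resolved = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment first
        if not line:
            continue
        pinned = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)$", line)
        if pinned:
            resolved[pinned.group(1).lower()] = pinned.group(2)
        else:                                  # range or no version -> latest
            name = re.split(r"[<>=!~\[;\s]", line, maxsplit=1)[0]
            resolved[name.lower()] = "latest"
    return resolved


def resolve_npm(package_json_text, package_lock_text=None):
    """Map package name -> version; package-lock.json wins when present."""
    deps = json.loads(package_json_text).get("dependencies", {})
    locked = {}
    if package_lock_text:
        for path, info in json.loads(package_lock_text).get("packages", {}).items():
            if path.startswith("node_modules/") and "version" in info:
                locked[path[len("node_modules/"):]] = info["version"]
    resolved = {}
    for name, spec in deps.items():
        if name in locked:
            resolved[name] = locked[name]                       # actual installed version
        elif spec and not (set(spec) & NPM_RANGE_CHARS):
            resolved[name] = spec                               # exact pin
        else:
            resolved[name] = "latest"                           # specifier or empty
    return resolved
```

Running `resolve_npm(PACKAGE_JSON)` without the lock file reports lodash as "latest"; passing `PACKAGE_LOCK_JSON` as well resolves it to the locked 4.17.21, which is why the docs recommend generating the lock file.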

Containers Realtime Scanner

Checkmarx’s Containers Realtime scanner is a lightweight version of our Container Security scanner that analyzes your container images and quickly identifies risks associated with your images and associated packages. This includes images that use vulnerable packages or packages that we have identified as malicious.

Scans are triggered when the developer edits a project in the IDE that includes a container image file (e.g., Dockerfile). In addition, whenever the developer adds, moves or edits an image file within the IDE the project is re-scanned.

Notice

Editing a file triggers new detection after 1 second of inactivity.

Supported File Types

In the initial phase, the plugin supports the following popular image files:

  • Dockerfile

  • DockerCompose

  • Helm chart (limited support)

Checkmarx Secret Detection Realtime Scanner

Checkmarx Secret Detection reduces risk by quickly identifying sensitive credentials that are exposed in your code, enabling your development and security teams to remove and change the discovered secrets. Checkmarx identifies more than 210 different types of login credentials, access tokens, encryption keys, API keys, SSH keys, webhook URLs, and other unsecured sensitive information.

Whenever you edit a file in the IDE, Secret Detection is run on that file.

Notice

Editing a file triggers new detection after 1 second of inactivity.

Secret Detection Rules

The following table shows the list of rules that are used to detect various types of secrets.

Checkmarx Dev Assist Agentic-AI Remediation

When the user initiates a remediation action for a risk, a session is opened with the IDE’s AI assistant, GitHub Copilot Chat. Checkmarx gathers all relevant data about the risk and submits it to the AI assistant. For supported risk types, the AI assistant sends a request to our MCP server, which applies the relevant tools and returns a response with suggested remediation steps. The AI assistant implements the changes and offers the user the option to accept the changes or continue a chat session to refine the remediation.

In addition, this tool enables use of AI to better understand the precise nature of a risk in the context of your code.

Remediating Vulnerable or Malicious Images and Packages

Remediation for OSS and Container risks is done by identifying the best non-vulnerable package that provides the same functionality as the vulnerable package. When our proprietary databases indicate that a remediated version of the current package is available, the remediated version that is closest to the current version is used. When no remediated version is available, our MCP server uses a dedicated AI tool to identify alternative packages that provide equivalent functionality.

Notice

Our MCP tool for identifying non-vulnerable versions is supported both for OSS and Containers. However, the MCP tool for finding alternative packages is not supported for containers.

When Checkmarx Dev Assist recommends updating a package version, our Safe Refactor feature searches your entire project for additional usage of that package and determines where and how the code needs to be refactored to accommodate the package update.

Remediation Logic

The following tables describe the logic of the remediation response for various cases.

Remediating Exposed Secrets

Remediation is done by removing the hard-coded secret from the code and replacing it with an environment variable that can be used to store the secret in a secure manner.
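The shape of that rewrite, as an added example (not the Checkmarx remediation code): a constructed Python module with two hard-coded secret literals is transformed so each assignment reads from an environment variable instead. The secret-name heuristic and the placeholder values are assumptions for the illustration.

```python
import re

# Constructed sample module with hard-coded secrets (placeholder values, not real keys).
VULNERABLE_SOURCE = '''\
import requests

API_KEY = "sk_live_EXAMPLE_PLACEHOLDER_0000"
db_password = 'hunter2-placeholder'
TIMEOUT = 30
'''

# Assumed heuristic: an assignment whose name contains a secret-like word and whose
# value is a plain string literal.
SECRET_ASSIGNMENT = re.compile(
    r'^(?P<indent>\s*)(?P<name>\w*(?:key|secret|token|password|passwd)\w*)\s*=\s*'
    r'(?P<quote>["\'])(?P<value>.*?)(?P=quote)\s*$',
    re.IGNORECASE,
)


def remediate_secrets(source):
    """Return (remediated_source, env_var_names).

    Each matched literal is replaced by os.environ["NAME"]; the subscript form
    raises KeyError when the variable is unset, so a missing secret fails closed
    rather than silently running with an empty value.
    """
    out, env_names = [], []
    for line in source.splitlines():
        m = SECRET_ASSIGNMENT.match(line)
        if not m:
            out.append(line)
            continue
        env_name = m.group("name").upper()
        env_names.append(env_name)
        out.append(f'{m.group("indent")}{m.group("name")} = os.environ["{env_name}"]')
    text = "\n".join(out) + "\n"
    if env_names and not re.search(r"^import os$", text, re.MULTILINE):
        text = "import os\n" + text          # make sure os is imported
    return text, env_names
```

The rewritten module expects API_KEY and DB_PASSWORD to be provided by the runtime environment; as the Secret Detection section notes, the exposed value itself should also be changed, since removing it from the source does not revoke it.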

Remediating ASCA and IaC Vulnerabilities

For vulnerabilities in your code that were identified by the ASCA or IaC Realtime scanners, remediation is done by sending a customized prompt including all relevant data about the vulnerability instance to your IDE's AI assistant (Copilot or Cursor). The AI assistant then provides a remediated snippet that can be used in your code.