MCP Server - Interacting with Checkmarx via AI Assistant

Overview

Warning

This article relates to use of the MCP Server for standalone users with a Checkmarx Developer Assist license, and focuses on remediation use cases. Checkmarx One customers licensed for Checkmarx One Assist or AI Protection should refer to the Checkmarx One MCP Server article, which describes the full set of MCP tools used in the context of Checkmarx One.

Modern development workflows are increasingly centered around AI-powered tools. Developers now rely on AI assistants in IDEs, editors, terminals, and chat-based environments to understand code, troubleshoot issues, and accelerate delivery. Security guidance should be available wherever these workflows take place.

The Checkmarx MCP Server enables AI assistants to provide Checkmarx security remediation guidance directly within developer workflows. Built on the Model Context Protocol (MCP), it allows developers to access remediation capabilities using natural language from MCP-compatible IDEs, editors, terminals, CLIs, and AI assistants.

Rather than switching between tools to investigate and fix security findings, developers can request remediation guidance and receive actionable recommendations within their existing workflow. The MCP Server provides targeted guidance for source code vulnerabilities, dependency vulnerabilities, secrets findings, Infrastructure-as-Code (IaC) issues, and container image vulnerabilities.

This edition of the MCP Server is included with standalone Checkmarx Developer Assist licenses and focuses on remediation use cases. It exposes Developer Assist remediation capabilities as MCP tools, making them available across a broad ecosystem of MCP-compatible clients and development environments. This allows developers to access Checkmarx remediation guidance even in environments where the Developer Assist extension is not available, while maintaining a consistent experience across IDEs, terminals, and AI-powered workflows.

By enabling direct integration with MCP-compatible AI tools, organizations can extend Checkmarx remediation guidance beyond supported IDE extensions and make security assistance available wherever developers choose to work.

Limitations

  • Tools - The initial phase provides tools in the areas of remediation only.

Prerequisites

  • A valid Checkmarx Developer Assist API Key.

Data Security

  • Data encrypted in transit - TLS 1.2+ on all connections

  • No credential storage or logging

  • Repo URL credentials always sanitized - never shown to user

  • No destructive activities allowed via MCP

Installation and Configuration

The Checkmarx MCP can be used with any AI platform that supports the Model Context Protocol (MCP), including IDE assistants, web-based AI platforms, CLI assistants, and custom integrations.

We offer three methods for installing the MCP: Install from Marketplace, Install from CLI and Install Manually.

Install from Marketplace

The MCP is available on Marketplace for many popular platforms. Simply search for Checkmarx in the relevant marketplace and follow the platform installation flow.

Supported marketplaces include:

Notice

The MCP may not be available yet on some of these marketplaces.

Installation

  1. Search for Checkmarx in the relevant marketplace.

  2. Select Install or Add Connector, depending on your platform.

  3. Complete the configuration steps presented by the platform.

Depending on the platform, you may be prompted to enter a URL and an Authorization value. In these cases:

  • Replace the URL with the following: "https://mea.ast.checkmarx.net/api/security-mcp/mcp"

  • Replace the Authorization with your Checkmarx Developer Assist API Key.

Some platforms install the MCP configuration with placeholder values rather than prompting for configuration during installation. In these cases, open the MCP configuration file and update the placeholder values as described in Manual Installation.

Install from CLI

You can register, authenticate and enable the MCP from the command line on supported platforms, using industry standards for MCP tools.

Install Manually

You can create a custom integration by installing the MCP manually as a JSON file in the relevant folder in your platform.

{
   "servers":{
      "Checkmarx Developer Assist":{
         "url":"https://mea.ast.checkmarx.net/api/security-mcp/mcp",
         "headers":{
            "cx-origin":"<your_platform>",
            "Authorization":"<Activation_Key>"
         }
      }
   }
}

Replace the placeholder values as follows:

  • For cx-origin, enter the name of the platform that you are using (possible values: Vscode, Jetbrains, Cursor, Windsurf, Kiro).

    Notice

    This is used for analytics tracking.

  • For Authorization, enter your API key.
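The following script is an added example, not part of the Checkmarx documentation or product: it loads an MCP configuration file in the shape shown above and checks the points a reviewer would want before committing it to a dotfiles repo or sharing it in a ticket: the url is the documented https endpoint, cx-origin is one of the listed platform names, and the Authorization header no longer holds the `<Activation_Key>` placeholder. It also produces a redacted copy for printing, so the API key is never logged. The sample configuration string is constructed for the example.

```python
"""Validate a Checkmarx Developer Assist MCP config before use (added example)."""
import json
import re
from urllib.parse import urlparse

# Values taken from the documentation above.
EXPECTED_URL = "https://mea.ast.checkmarx.net/api/security-mcp/mcp"
ALLOWED_ORIGINS = {"Vscode", "Jetbrains", "Cursor", "Windsurf", "Kiro"}
# A value still wrapped in angle brackets, e.g. "<Activation_Key>", is a placeholder.
PLACEHOLDER = re.compile(r"^<.*>$")

# Constructed sample: the page's template with cx-origin filled in but the key not replaced.
SAMPLE_CONFIG = """
{
  "servers": {
    "Checkmarx Developer Assist": {
      "url": "https://mea.ast.checkmarx.net/api/security-mcp/mcp",
      "headers": {
        "cx-origin": "Vscode",
        "Authorization": "<Activation_Key>"
      }
    }
  }
}
"""


def validate_server(server: dict) -> list[str]:
    """Return the problems found in one server entry (empty list means OK)."""
    problems = []
    url = server.get("url", "")
    if urlparse(url).scheme != "https":
        problems.append("url must use https (TLS in transit)")
    if url != EXPECTED_URL:
        problems.append(f"url is not the documented endpoint {EXPECTED_URL}")
    headers = server.get("headers", {})
    origin = headers.get("cx-origin")
    if origin not in ALLOWED_ORIGINS:
        problems.append(f"cx-origin {origin!r} not in {sorted(ALLOWED_ORIGINS)}")
    auth = headers.get("Authorization", "")
    if not auth or PLACEHOLDER.match(auth):
        problems.append("Authorization still holds a placeholder; paste your API key")
    return problems


def validate_config(text: str) -> dict[str, list[str]]:
    """Map each configured server name to its list of problems."""
    cfg = json.loads(text)
    servers = cfg.get("servers")
    if not isinstance(servers, dict) or not servers:
        return {"<config>": ["no 'servers' object found"]}
    return {name: validate_server(server) for name, server in servers.items()}


def redact(text: str) -> str:
    """Copy of the config that is safe to print or attach to a ticket: key masked."""
    cfg = json.loads(text)
    for server in cfg.get("servers", {}).values():
        headers = server.get("headers", {})
        if "Authorization" in headers:
            headers["Authorization"] = "***REDACTED***"
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for name, problems in validate_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not problems else problems)
    print(redact(SAMPLE_CONFIG))
```

Run it against the real file with `validate_config(open(path).read())`; only `redact()` output should ever leave the workstation.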

Using the MCP

Interact with Checkmarx via natural language chat in your AI assistant. The MCP interprets your instructions and runs the appropriate tools to provide the requested information and initiate the appropriate activities. A single prompt can trigger a series of tools, with the AI Agent requesting confirmation or additional input before moving from one step to the next.

The following is a list of tools:

Remediation

These tools are used to analyze and remediate various types of risks.

Warning

The "Triggered by (examples)" column is intended to provide general guidance for how these tools can be used. However, the specific phrases haven't been tested and we can't guarantee accurate results.

Tool: packageRemediation

Triggered by (examples):

  • "fix this"

  • "is this package safe"

  • "is this package malicious"

  • "remediate this finding"

  • "find a safer package"

Description:

Analyze and remediate risk for one specific package or dependency version, including CVEs and malicious package concerns.

Use when: user asks whether a specific package is safe, wants to fix a vulnerable dependency, or check if a package is malicious.

Requires: packageName, packageVersion, packageManager, issueType.

Returns: remediation guidance with safer versions and alternatives when available.

Tool: codeRemediation

Triggered by (examples):

  • "fix this"

  • "is this code safe"

  • "remediate this finding"

  • "revealed secrets"

  • "improve infrastructure configuration"

Description:

Provide remediation guidance for one specific code security issue, including SAST findings, exposed secrets, and IaC misconfigurations.

Use when: user wants to fix a code vulnerability such as SQL injection, XSS, a hardcoded secret, or an infrastructure misconfiguration.

Requires: type (secret/sast/iac). For sast and iac also requires finding metadata.

Returns: remediation steps and fix guidance.

Tool: imageRemediation

Triggered by (examples):

  • "fix this"

  • "is this image safe"

  • "remediate this finding"

  • "safer base image"

Description:

Analyze and remediate risk for one specific container image or base image reference.

Use when: user asks whether a container image is safe, wants CVE guidance for an image, or wants a safer base image.

Requires: imageName, imageTag.

Returns: image-specific remediation guidance and alternatives when available.
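The table above lists what each tool requires but not how a client hands those values over. The script below is an added example, not Checkmarx code: it builds the JSON-RPC 2.0 `tools/call` message that an MCP client sends to any MCP server, and refuses to build one whose arguments do not satisfy the "Requires" line for that tool, including the conditional rule that sast and iac code findings need finding metadata. Two things are assumptions: that the argument names match the labels in the table (packageName, packageVersion, packageManager, issueType, type, imageName, imageTag), and that the finding metadata travels in an argument called `finding`, a name chosen here because the page does not give one. The sample inputs are constructed.

```python
"""Build and pre-validate MCP tools/call requests for the remediation tools (added example)."""
import json

# Required arguments per tool, from the "Requires" lines of the table above.
# Assumption: the wire-level argument names are exactly these labels.
REQUIRED = {
    "packageRemediation": {"packageName", "packageVersion", "packageManager", "issueType"},
    "codeRemediation": {"type"},
    "imageRemediation": {"imageName", "imageTag"},
}
CODE_TYPES = {"secret", "sast", "iac"}
# Hypothetical name for the finding-metadata argument; the page only says
# "finding metadata" is required for sast and iac.
FINDING_METADATA_ARG = "finding"


def missing_arguments(tool: str, arguments: dict) -> list[str]:
    """Return the sorted list of required arguments absent from `arguments`."""
    if tool not in REQUIRED:
        raise ValueError(f"unknown tool {tool!r}")
    missing = sorted(REQUIRED[tool] - set(arguments))
    if tool == "codeRemediation":
        kind = arguments.get("type")
        if kind is not None and kind not in CODE_TYPES:
            raise ValueError(f"type must be one of {sorted(CODE_TYPES)}, got {kind!r}")
        # The conditional requirement from the table: sast/iac need finding metadata.
        if kind in {"sast", "iac"} and FINDING_METADATA_ARG not in arguments:
            missing.append(FINDING_METADATA_ARG)
    return missing


def build_tool_call(tool: str, arguments: dict, request_id: int = 1) -> dict:
    """Return the JSON-RPC 2.0 tools/call message, or raise if arguments are incomplete."""
    missing = missing_arguments(tool, arguments)
    if missing:
        raise ValueError(f"{tool} is missing required arguments: {missing}")
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": tool, "arguments": arguments},
    }


# Constructed sample inputs, one per tool.
PACKAGE_ARGS = {
    "packageName": "example-lib",
    "packageVersion": "1.2.3",
    "packageManager": "npm",
    "issueType": "vulnerability",
}
SECRET_ARGS = {"type": "secret"}
SAST_ARGS = {"type": "sast", "finding": {"queryName": "SQL_Injection", "file": "app.py", "line": 42}}
IMAGE_ARGS = {"imageName": "example/app", "imageTag": "1.0"}

if __name__ == "__main__":
    for tool, args in [
        ("packageRemediation", PACKAGE_ARGS),
        ("codeRemediation", SECRET_ARGS),
        ("codeRemediation", SAST_ARGS),
        ("imageRemediation", IMAGE_ARGS),
    ]:
        print(json.dumps(build_tool_call(tool, args), indent=2))
```

The point of validating before sending is that the assistant, not the server, is the component that decides to call a tool; a request missing `packageVersion` or the finding metadata produces a tool error or vague guidance, and checking locally keeps that visible in the client rather than buried in the model's reply.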