Skip to main content

Checkmarx One VS Code Extension (Plugin)

Checkmarx continues to spearhead the shift-left approach to AppSec by bringing our powerful AppSec tools into your IDE. This empowers developers to identify vulnerabilities and remediate them as they code. The Checkmarx Visual Studio Code plugin integrates seamlessly into your IDE, identifying vulnerabilities in your proprietary code, open source dependencies, and IaC files. The plugin offers actionable remediation insights in real-time.

The Checkmarx Visual Studio Code extension contains four separate tools:

Notice

The plugin is available on marketplace. In addition, the code can be accessed here.

Checkmarx One Results

This tool enables Checkmarx One users to access the full functionality of your Checkmarx One account (SAST, SCA, IaC) directly from your IDE. You can run new scans or import results from scans run in your Checkmarx One account. Checkmarx provides detailed info about each vulnerability, including remediation recommendations and examples of effective remediation. The plugin enables you to navigate from a vulnerability to the relevant source code, so that you can easily zero-in on the problematic code and start working on remediation. This tool requires authentication, using credentials from your Checkmarx One account.

Key Features

  • Access the full power of Checkmarx One (SAST, SCA, and IaC Security) directly from your IDE.

  • Run a new scan from your IDE even before committing the code, or import scan results from your Checkmarx One account.

  • Provides actionable results including remediation recommendations. Navigate from results panel directly to the highlighted vulnerable code in the editor and get right down to work on the remediation.

  • View info about how to remediate SAST vulnerabilities, including code samples

  • Group and filter results

  • Triage results - edit the result predicate (severity, state and comments) directly from the Visual Studio Code console (currently supported for SAST and IaC Security)

  • Links to Codebashing lessons

  • Apply Auto Remediation to automatically remediate open source vulnerabilities, by updating to a non-vulnerable package version.

  • ”AI Security Champion” harnesses the power of AI to help you to understand the vulnerabilities in your code, and resolve them quickly and easily. Currently supported for SAST and IaC Security vulnerabilities.

  • AI Secure Coding Assistant (ASCA) - A lightweight scan engine that runs in the background while you work, enabling developers to identify and remediate secure coding best practice violations as they code.

Prerequisites

  • An installation of VS Code version 1.63.0 or above

  • You have an API Key for your Checkmarx One account. To create an API key, see Generating an API Key.

    Note

    The following are the minimum required roles for running an end-to-end flow of scanning a project and viewing results via the CLI or plugins:

    • CxOne composite role ast-scanner

    • CxOne role view-policy-management

    • IAM role default-roles

  • In order to use AI Generated Remediation, you need to have an API Key for your GPT account.

AI Secure Coding Assistant (ASCA)

This tool enables developers to identify secure coding best practice violations in the file that they are working on as they code. The ASCA scanner is a lightweight scan engine that runs in the background as you work in VS Code. Whenever you edit a file in VS Code the ASCA scanner automatically scans that file. The ASCA scan runs on your local machine as a running process and returns results within milliseconds.

The results are shown in the Problems section. The relevant code is also underlined by a color coded line indicating the severity of the risk. Hover over the text to show risk details. There is also an integration with Copilot that enables you to harness AI to generate custom snippets for remediating the vulnerability. Each time that you edit the file and then pause for 2 seconds a new scan runs and the results shown in the IDE are updated.

Key features

  • Identify security best practice violations as you code

  • Super-fast scanner provides imidiate feedback

  • Harness AI to suggest remediated code

Prerequisites

  • Checkmarx One account with "AI Security" license

  • Running version 2.21.0 or above of the Checkmarx One extension for VS Code

  • To get remediation snippets, you need to have a Copilot license

KICS Realtime Scanner

This tool initiates KICS scans directly from their VS Code console. The scan runs automatically whenever an infrastructure file of a supported type is saved, either manually or by auto-save. The scan runs only on the file that is open in the editor. The results are shown in the VS Code console, making it easy to remediate the vulnerabilities that are detected. This is a free tool provided by Checkmarx for all VS Code users, and does not require the user to submit credentials for a Checkmarx One account.

Key Features

  • Free tool, no Checkmarx account required

  • Run scans directly from your IDE

  • Scans are triggered automatically whenever a file is saved

  • Apply Auto Remediation to automatically fix IaC vulnerabilities

  • ”AI Security Champion” harnesses the power of AI to help you to understand the vulnerabilities in your code, and resolve them quickly and easily.

Prerequisites

  • You must have a supported container engine (e.g., Docker, Podman etc.) installed and running in your environment.

  • In order to use AI Generated Remediation, you need to have an API Key for your GPT account.

Checkmarx SCA Realtime Scanner

This tool enables VS Code users to initiate SCA scans directly from their VS Code console, and shows detailed results as soon as the scan is completed. The scan identifies the open-source dependencies used in your code and indicates the security risks associated with those packages. The identified packages are shown in a tree structure with an indication of the risk level for each package. You can drill down to show the specific vulnerabilities associated with a package. This is a free tool provided by Checkmarx for all VS Code users, and does not require the user to submit credentials for a Checkmarx One account.

Key Features

  • Free tool, no Checkmarx account required

  • Run scans directly from your IDE

  • View actionable results in your IDE, indicating which of your open-source packages are at risk

  • Provides links to detailed info about the vulnerabilities on the Checkmarx Developer Hub

Prerequisites