A production-ready Model Context Protocol (MCP) server that connects AI coding assistants to Checkmarx One — enabling real-time security scanning, vulnerability management, and AI-generated remediation directly inside your IDE or AI agent.
The Checkmarx Security MCP server bridges your AI assistant (Claude, Cursor, Copilot, etc.) with Checkmarx One's enterprise application security platform. It exposes security workflows as natural-language-accessible MCP tools, allowing developers to scan code, investigate findings, and receive context-aware fixes without leaving their development environment.
- SAST — Static Application Security Testing (30+ languages)
- SCA — Software Composition Analysis (open-source dependencies)
- KICS — Infrastructure as Code security (Terraform, CloudFormation, Kubernetes, Dockerfile)
- Secret Detection — Hardcoded credentials, API keys, tokens
Multi-protocol support to facilitate secure and efficient communication between clients and the server:
- stdio: Standard input/output for CLI or embedded agents
- sse (Server-Sent Events): For real-time streaming to web-based clients
- http / streamableHttp: HTTP-compatible protocol for stream-based messaging
| Category | Capabilities |
|---|---|
| Scanning | Plan, trigger, and monitor multi-engine security scans (CLI or API mode) |
| Findings | List, filter, and inspect vulnerabilities with severity and state tracking |
| Remediation | AI-generated fixes for code vulnerabilities, insecure packages, and container images |
| Project Management | Create, configure, and search Checkmarx One projects |
| Application Management | Group projects into applications and get org-wide security metrics |
| Analytics | Tenant-wide vulnerability summaries, risk scores, and time-windowed trends |
| Supply Chain | Detect malicious npm/Maven/PyPI/Go/NuGet packages via Dustico integration |
| Enterprise Auth | JWT (JWKS-verified), OAuth2 token exchange, Redis session caching |
| Observability | Structured logging (zerolog), OpenTelemetry tracing |
The server supports API Key and OAuth2 authentication.
- Clients authenticate to Checkmarx One and obtain an API key.
- This API key is then used in the MCP client configuration: include it in the `Authorization` header as shown in the MCP Client Configuration section.
Checkmarx MCP also supports a Dynamic Client Registration (DCR) flow that allows an AI client (such as Cursor or Claude Desktop) to connect securely.
- User only needs to configure the MCP client as mentioned in the MCP Client Configuration section.
- When the client attempts to connect to the MCP server, it will be redirected to Checkmarx One login page for authentication.
- Once authentication is successful with valid Checkmarx credentials, the MCP client can use the tools provided by the MCP server.
Note: You need valid Checkmarx credentials to obtain an API key or to connect to the MCP server.
Refer to Authentication for detailed authentication instructions and troubleshooting.
- A Checkmarx One tenant
- Checkmarx API Host
- API Key (with required access if using API key authentication)
Below are examples to add the server to your MCP client configuration. See the examples/ folder for ready-to-use client config files.

API Key Authentication:

```json
{
  "mcpServers": {
    "Checkmarx": {
      "serverUrl": "https://{api_host}/api/security-mcp/mcp/{tenant}",
      "headers": {
        "cx-origin": "Windsurf",
        "Authorization": "API_KEY"
      }
    }
  }
}
```

OAuth2 Authentication:

```json
{
  "mcpServers": {
    "Checkmarx": {
      "serverUrl": "https://{api_host}/api/security-mcp/mcp/{tenant}"
    }
  }
}
```

API Key Authentication (for clients whose configuration uses `type` and `url` fields):

```json
{
  "mcpServers": {
    "Checkmarx": {
      "type": "http",
      "url": "https://{api_host}/api/security-mcp/mcp/{tenant}",
      "headers": {
        "Authorization": "<API_KEY>"
      }
    }
  }
}
```

Refer to usage for detailed information.
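A common failure when wiring up the server is a config file that still carries the README's placeholders (`{api_host}`, `{tenant}`, `API_KEY`), or a URL that was downgraded to plain `http`. The script below is an added example, not part of the Checkmarx Security MCP project: it renders a concrete config from the template shown above (dropping the `Authorization` header when no key is given, which selects the OAuth2/DCR flow) and then validates either config shape (`serverUrl` or `type`/`url`) before the file is handed to an MCP client. The host, tenant and key values in the usage block are constructed, not real.

```python
"""Render and validate a Checkmarx Security MCP client config (added example).

Assumes the two config shapes shown in the README:
  {"serverUrl": ..., "headers": {...}}  and  {"type": "http", "url": ..., "headers": {...}}
Placeholder spellings ({api_host}, {tenant}, API_KEY, <API_KEY>) are the README's own.
"""
import json
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Placeholders exactly as they appear in the README's config examples.
PLACEHOLDER_RE = re.compile(r"\{api_host\}|\{tenant\}|<API_KEY>|^API_KEY$")
# The server path documented in the README: /api/security-mcp/mcp/<tenant>
MCP_PATH_RE = re.compile(r"^/api/security-mcp/mcp/[^/]+/?$")

# Constructed template mirroring the README's API Key example (not a real tenant).
TEMPLATE: Dict = {
    "mcpServers": {
        "Checkmarx": {
            "serverUrl": "https://{api_host}/api/security-mcp/mcp/{tenant}",
            "headers": {"cx-origin": "Windsurf", "Authorization": "API_KEY"},
        }
    }
}


def render_config(template: Dict, api_host: str, tenant: str, api_key: Optional[str]) -> Dict:
    """Fill the README placeholders. api_key=None removes the Authorization
    header so the client falls back to the OAuth2 / DCR login flow."""
    rendered = json.loads(json.dumps(template))  # deep copy, template stays untouched
    for entry in rendered["mcpServers"].values():
        url_key = "serverUrl" if "serverUrl" in entry else "url"
        entry[url_key] = entry[url_key].replace("{api_host}", api_host).replace("{tenant}", tenant)
        headers = entry.get("headers", {})
        if api_key is None:
            headers.pop("Authorization", None)
        elif "Authorization" in headers:
            headers["Authorization"] = api_key
        if headers:
            entry["headers"] = headers
        else:
            entry.pop("headers", None)
    return rendered


def validate_server_entry(name: str, entry: Dict) -> List[str]:
    """Return the problems found in one mcpServers entry (empty list means OK)."""
    problems: List[str] = []
    url = entry.get("serverUrl") or entry.get("url")
    if not url:
        return [f"{name}: missing serverUrl/url"]
    if PLACEHOLDER_RE.search(url):
        problems.append(f"{name}: unresolved placeholder in URL {url!r}")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        # The API key travels in a header; never let it go over plain http.
        problems.append(f"{name}: URL must use https, got {parsed.scheme!r}")
    if not MCP_PATH_RE.match(parsed.path):
        problems.append(f"{name}: unexpected path {parsed.path!r}, expected /api/security-mcp/mcp/<tenant>")
    auth = entry.get("headers", {}).get("Authorization")
    if auth is None:
        return problems  # no header: OAuth2 / DCR flow, nothing more to check
    if not auth.strip() or PLACEHOLDER_RE.search(auth):
        problems.append(f"{name}: Authorization header still holds a placeholder")
    return problems


def validate_config(config: Dict) -> List[str]:
    """Validate every server entry in an MCP client config."""
    servers = config.get("mcpServers")
    if not isinstance(servers, dict) or not servers:
        return ["config has no mcpServers entries"]
    problems: List[str] = []
    for name, entry in servers.items():
        problems.extend(validate_server_entry(name, entry))
    return problems


if __name__ == "__main__":
    print("template:", validate_config(TEMPLATE))  # flags the unresolved placeholders
    concrete = render_config(TEMPLATE, "ast.example.test", "acme", "cx-key-constructed")
    print("rendered:", validate_config(concrete))  # []
    print(json.dumps(concrete, indent=2))
```

Run it once against the file you are about to drop into the client's config directory; an empty list means the URL is HTTPS, points at the documented path, and no placeholder is left in the `Authorization` header.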
| Tool | Description |
|---|---|
| planScan | Recommend scan engines based on the project |
| triggerScan | Start a scan (CLI for local code, API for repository URL) |
| getScanDetails | Get scan status, progress, and severity summary |
| getLatestScans | Retrieve recent scans for a project |
| listScans | List scans with status, date, and branch filters |
| listFindings | List vulnerabilities from a scan with severity filtering |
| getFindingDetails | Get detailed information for a specific finding |
| Tool | Description |
|---|---|
| resolveProject | Look up a project by name |
| createProject | Create a new Checkmarx One project |
| listProjects | Browse or search all projects |
| getProjectConfig | Get full project configuration |
| Tool | Description |
|---|---|
| listApplications | Browse or search applications |
| createApplication | Create a new application |
| getApplicationDetails | Get application details by ID |
| associateProject | Link projects to an application |
| Tool | Description |
|---|---|
| getTenantVulnerabilitiesSummary | Returns org-wide severity counts by engine over a time window (trends). |
| Tool | Description |
|---|---|
| codeRemediation | Provides fixes for code-level issues: SAST, secrets, and IaC misconfigurations. |
| packageRemediation | Analyzes and remediates a specific vulnerable or malicious package/dependency. |
| imageRemediation | Provides remediation for container image CVEs and safer base-image alternatives. |
Apache 2.0 — see LICENSE for details.
See CONTRIBUTING.md for development setup, module architecture, and contribution guidelines.
Website: Checkmarx.
© 2026 Checkmarx Ltd. All Rights Reserved.