Checkmarx
The Checkmarx Security MCP server bridges your AI assistant (Claude, Cursor, Copilot, etc.) with Checkmarx One's enterprise application security platform. It exposes security workflows as natural-language-accessible MCP tools, allowing developers to scan code, investigate findings, and receive context-aware fixes without leaving their development environment.
README
Checkmarx Security MCP
A production-ready Model Context Protocol (MCP) server that connects AI coding assistants to Checkmarx One — enabling real-time security scanning, vulnerability management, and AI-generated remediation directly inside your IDE or AI agent.
Table of Contents
Overview
The Checkmarx Security MCP server bridges your AI assistant (Claude, Cursor, Copilot, etc.) with Checkmarx One's enterprise application security platform. It exposes security workflows as natural-language-accessible MCP tools, allowing developers to scan code, investigate findings, and receive context-aware fixes without leaving their development environment.
Supported scan engines:
- SAST — Static Application Security Testing (30+ languages)
- SCA — Software Composition Analysis (open-source dependencies)
- KICS — Infrastructure as Code security (Terraform, CloudFormation, Kubernetes, Dockerfile)
- Secret Detection — Hardcoded credentials, API keys, tokens
Supported transport protocols
Multi-protocol support to facilitate secure and efficient communication between clients and the server:
stdio: Standard input/output for CLI or embedded agentssse(Server-Sent Events): For real-time streaming to web-based clientshttpstreamableHttp: HTTP-compatible protocol for stream-based messaging
Features
| Category | Capabilities |
|---|---|
| Scanning | Plan, trigger, and monitor multi-engine security scans (CLI or API mode) |
| Findings | List, filter, and inspect vulnerabilities with severity and state tracking |
| Remediation | AI-generated fixes for code vulnerabilities, insecure packages, and container images |
| Project Management | Create, configure, and search Checkmarx One projects |
| Application Management | Group projects into applications and get org-wide security metrics |
| Analytics | Tenant-wide vulnerability summaries, risk scores, and time-windowed trends |
| Supply Chain | Detect malicious npm/Maven/PyPI/Go/NuGet packages via Dustico integration |
| Enterprise Auth | JWT (JWKS-verified), OAuth2 token exchange, Redis session caching |
| Observability | Structured logging (zerolog), OpenTelemetry tracing |
Authentication
The server uses API Key and OAuth2 authentication.
API Key Authentication
- Clients authenticate to Checkmarx One and get an API key.
- This API key will be used during MCP client configuration, include the API Key in the
Authorizationheader as mentioned in the MCP Client Configuration section.
OAuth2 Authentication
Checkmarx MCP supports Dynamic Client Registration (DCR) flow allows an AI client (such as Cursor or Claude Desktop) to connect securely.
- User only needs to configure the MCP client as mentioned in the MCP Client Configuration section.
- When the client attempts to connect to the MCP server, it will be redirected to Checkmarx One login page for authentication.
- Once authentication is successful with valid Checkmarx credentials, the MCP client can use the tools provided by the MCP server.
Note: You required valid Checkmarx credentials to get the API Key or connect to the MCP server.
Refer Authentication for detailed authentication instructions and troubleshooting.
MCP Client Configuration
Prerequisites
- A Checkmarx One tenant
- Checkmarx API Host
- API Key (with required access if using API key authentication)
JSON Configuration
Below are examples to add the server to your MCP client configuration. See the examples/ folder for ready-to-use client config files.
Windsurf IDE
API Key Authentication:
{
"mcpServers": {
"Checkmarx": {
"serverUrl": "https://{api_host}/api/security-mcp/mcp/{tenant}",
"headers": {
"cx-origin": "Windsurf",
"Authorization": "API_KEY"
}
}
}
}
OAuth2 Authentication
{
"mcpServers": {
"Checkmarx": {
"serverUrl": "https://{api_host}/api/security-mcp/mcp/{tenant}"
}
}
}
Claude Desktop / Claude Code
API Key Authentication:
{
"mcpServers": {
"Checkmarx": {
"type": "http",
"url": "https://{api_host}/api/security-mcp/mcp/{tenant}",
"headers": {
"Authorization": "<API_KEY>"
}
}
}
}
Available Tools
Refer usage for detail information.
Scanning
| Tool | Description |
|---|---|
planScan |
Recommend scan engines based on the project |
triggerScan |
Start a scan (CLI for local code, API for repository URL) |
getScanDetails |
Get scan status, progress, and severity summary |
getLatestScans |
Retrieve recent scans for a project |
listScans |
List scans with status, date, and branch filters |
listFindings |
List vulnerabilities from a scan with severity filtering |
getFindingDetails |
Get detailed information for a specific finding |
Project management
| Tool | Description |
|---|---|
resolveProject |
Look up a project by name |
createProject |
Create a new Checkmarx One project |
listProjects |
Browse or search all projects |
getProjectConfig |
Get full project configuration |
Application management
| Tool | Description |
|---|---|
listApplications |
Browse or search applications |
createApplication |
Create a new application |
getApplicationDetails |
Get application details by ID |
associateProject |
Link projects to an application |
Analytics & risk
| Tool | Description |
|---|---|
getTenantVulnerabilitiesSummary |
Returns org-wide severity counts by engine over a time window (trends). |
Remediation
| Tool | Description |
|---|---|
codeRemediation |
Provides fixes for code-level issues: SAST, secrets, and IaC misconfigurations. |
packageRemediation |
Analyzes and remediates a specific vulnerable or malicious package/dependency. |
imageRemediation |
Provides remediation for container image CVEs and safer base-image alternatives. |
License
Apache 2.0 — see LICENSE for details.
Contributing
See CONTRIBUTING.md for development setup, module architecture, and contribution guidelines.
Website: Checkmarx.
© 2026 Checkmarx Ltd. All Rights Reserved.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.