Checkmarx

Checkmarx

The Checkmarx Security MCP server bridges your AI assistant (Claude, Cursor, Copilot, etc.) with Checkmarx One's enterprise application security platform. It exposes security workflows as natural-language-accessible MCP tools, allowing developers to scan code, investigate findings, and receive context-aware fixes without leaving their development environment.

Category
Visit Server

README

Checkmarx Security MCP

License

A production-ready Model Context Protocol (MCP) server that connects AI coding assistants to Checkmarx One — enabling real-time security scanning, vulnerability management, and AI-generated remediation directly inside your IDE or AI agent.

Table of Contents

Overview

The Checkmarx Security MCP server bridges your AI assistant (Claude, Cursor, Copilot, etc.) with Checkmarx One's enterprise application security platform. It exposes security workflows as natural-language-accessible MCP tools, allowing developers to scan code, investigate findings, and receive context-aware fixes without leaving their development environment.

Supported scan engines:

  • SAST — Static Application Security Testing (30+ languages)
  • SCA — Software Composition Analysis (open-source dependencies)
  • KICS — Infrastructure as Code security (Terraform, CloudFormation, Kubernetes, Dockerfile)
  • Secret Detection — Hardcoded credentials, API keys, tokens

Supported transport protocols

Multi-protocol support to facilitate secure and efficient communication between clients and the server:

  • stdio: Standard input/output for CLI or embedded agents
  • sse (Server-Sent Events): For real-time streaming to web-based clients
  • httpstreamableHttp: HTTP-compatible protocol for stream-based messaging

Features

Category Capabilities
Scanning Plan, trigger, and monitor multi-engine security scans (CLI or API mode)
Findings List, filter, and inspect vulnerabilities with severity and state tracking
Remediation AI-generated fixes for code vulnerabilities, insecure packages, and container images
Project Management Create, configure, and search Checkmarx One projects
Application Management Group projects into applications and get org-wide security metrics
Analytics Tenant-wide vulnerability summaries, risk scores, and time-windowed trends
Supply Chain Detect malicious npm/Maven/PyPI/Go/NuGet packages via Dustico integration
Enterprise Auth JWT (JWKS-verified), OAuth2 token exchange, Redis session caching
Observability Structured logging (zerolog), OpenTelemetry tracing

Authentication

The server uses API Key and OAuth2 authentication.

API Key Authentication

  1. Clients authenticate to Checkmarx One and get an API key.
  2. This API key will be used during MCP client configuration, include the API Key in the Authorization header as mentioned in the MCP Client Configuration section.

OAuth2 Authentication

Checkmarx MCP supports Dynamic Client Registration (DCR) flow allows an AI client (such as Cursor or Claude Desktop) to connect securely.

  1. User only needs to configure the MCP client as mentioned in the MCP Client Configuration section.
  2. When the client attempts to connect to the MCP server, it will be redirected to Checkmarx One login page for authentication.
  3. Once authentication is successful with valid Checkmarx credentials, the MCP client can use the tools provided by the MCP server.

Note: You required valid Checkmarx credentials to get the API Key or connect to the MCP server.

Refer Authentication for detailed authentication instructions and troubleshooting.

MCP Client Configuration

Prerequisites

  • A Checkmarx One tenant
  • Checkmarx API Host
  • API Key (with required access if using API key authentication)

JSON Configuration

Below are examples to add the server to your MCP client configuration. See the examples/ folder for ready-to-use client config files.

Windsurf IDE

API Key Authentication:

{
  "mcpServers": {
    "Checkmarx": {
      "serverUrl": "https://{api_host}/api/security-mcp/mcp/{tenant}",
      "headers": {
        "cx-origin": "Windsurf",
        "Authorization": "API_KEY"
      }
    }
  }
}

OAuth2 Authentication

{
  "mcpServers": {
    "Checkmarx": {
      "serverUrl": "https://{api_host}/api/security-mcp/mcp/{tenant}"
    }
  }
}

Claude Desktop / Claude Code

API Key Authentication:

{
  "mcpServers": {
    "Checkmarx": {
      "type": "http",
      "url": "https://{api_host}/api/security-mcp/mcp/{tenant}",
      "headers": {
        "Authorization": "<API_KEY>"
      }
    }
  }
}

Available Tools

Refer usage for detail information.

Scanning

Tool Description
planScan Recommend scan engines based on the project
triggerScan Start a scan (CLI for local code, API for repository URL)
getScanDetails Get scan status, progress, and severity summary
getLatestScans Retrieve recent scans for a project
listScans List scans with status, date, and branch filters
listFindings List vulnerabilities from a scan with severity filtering
getFindingDetails Get detailed information for a specific finding

Project management

Tool Description
resolveProject Look up a project by name
createProject Create a new Checkmarx One project
listProjects Browse or search all projects
getProjectConfig Get full project configuration

Application management

Tool Description
listApplications Browse or search applications
createApplication Create a new application
getApplicationDetails Get application details by ID
associateProject Link projects to an application

Analytics & risk

Tool Description
getTenantVulnerabilitiesSummary Returns org-wide severity counts by engine over a time window (trends).

Remediation

Tool Description
codeRemediation Provides fixes for code-level issues: SAST, secrets, and IaC misconfigurations.
packageRemediation Analyzes and remediates a specific vulnerable or malicious package/dependency.
imageRemediation Provides remediation for container image CVEs and safer base-image alternatives.

License

Apache 2.0 — see LICENSE for details.

Contributing

See CONTRIBUTING.md for development setup, module architecture, and contribution guidelines.

Website: Checkmarx.

© 2026 Checkmarx Ltd. All Rights Reserved.

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured