Checkmarx
Integrates with Checkmarx One to enable real-time security scanning, vulnerability management, and AI-generated remediation across SAST, SCA, KICS, and secret detection engines.
Checkmarx Security MCP
A production-ready Model Context Protocol (MCP) server that connects AI coding assistants to Checkmarx One — enabling real-time security scanning, vulnerability management, and AI-generated remediation directly inside your IDE or AI agent.
Overview
The Checkmarx Security MCP server bridges your AI assistant (Claude, Cursor, Copilot, etc.) with Checkmarx One's enterprise application security platform. It exposes security workflows as natural-language-accessible MCP tools, allowing developers to scan code, investigate findings, and receive context-aware fixes without leaving their development environment.
Supported scan engines:
SAST — Static Application Security Testing (30+ languages)
SCA — Software Composition Analysis (open-source dependencies)
KICS — Infrastructure as Code security (Terraform, CloudFormation, Kubernetes, Dockerfile)
Secret Detection — Hardcoded credentials, API keys, tokens
Supported transport protocols
Multi-protocol support to facilitate secure and efficient communication between clients and the server:
stdio: Standard input/output for CLI or embedded agents
sse (Server-Sent Events): For real-time streaming to web-based clients
http / streamableHttp: HTTP-compatible protocol for stream-based messaging
Features
Category | Capabilities |
Scanning | Plan, trigger, and monitor multi-engine security scans (CLI or API mode) |
Findings | List, filter, and inspect vulnerabilities with severity and state tracking |
Remediation | AI-generated fixes for code vulnerabilities, insecure packages, and container images |
Project Management | Create, configure, and search Checkmarx One projects |
Application Management | Group projects into applications and get org-wide security metrics |
Analytics | Tenant-wide vulnerability summaries, risk scores, and time-windowed trends |
Supply Chain | Detect malicious npm/Maven/PyPI/Go/NuGet packages via Dustico integration |
Enterprise Auth | JWT (JWKS-verified), OAuth2 token exchange, Redis session caching |
Observability | Structured logging (zerolog), OpenTelemetry tracing |
Authentication
The server uses API key and OAuth2 authentication.
API Key Authentication
Clients authenticate to Checkmarx One and get an API key.
This API key is used during MCP client configuration: include the API key in the Authorization header as described in the MCP Client Configuration section.
OAuth2 Authentication
Checkmarx MCP supports the Dynamic Client Registration (DCR) flow, which allows an AI client (such as Cursor or Claude Desktop) to connect securely.
The user only needs to configure the MCP client as described in the MCP Client Configuration section.
When the client attempts to connect to the MCP server, it is redirected to the Checkmarx One login page for authentication.
Once authentication succeeds with valid Checkmarx credentials, the MCP client can use the tools provided by the MCP server.
Note: You need valid Checkmarx credentials to get the API key or to connect to the MCP server.
Refer to Authentication for detailed authentication instructions and troubleshooting.
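The two authentication modes leave different traces in an MCP client config file: an Authorization header for API key mode, no header for OAuth2. The following is an added example, not part of the Checkmarx project, that audits such a file for cleartext transport, unfilled template values, and a stored secret. It assumes that a missing Authorization header means the OAuth2 flow; the sample host, tenant, and key are constructed.

```python
import json
import re
from urllib.parse import urlparse

# Endpoint shape from the page: https://{api_host}/api/security-mcp/mcp/{tenant}
MCP_PATH = re.compile(r"^/api/security-mcp/mcp/[^/]+$")
# Template markers the page uses for values the user still has to fill in.
PLACEHOLDER = re.compile(r"^<[^>]+>$|^API_KEY$|\{[^}]+\}")

def audit_entry(entry):
    """Return (auth_mode, findings) for one mcpServers entry."""
    findings = []
    url = entry.get("serverUrl") or entry.get("url") or ""
    if PLACEHOLDER.search(url):
        findings.append("URL still contains a template placeholder")
    else:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append("URL is not https; the Authorization header would be sent in clear text")
        if not MCP_PATH.match(parsed.path):
            findings.append("URL path is not /api/security-mcp/mcp/<tenant>")
    headers = entry.get("headers", {})
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return "oauth2", findings  # assumption: no header means the login-redirect flow
    if PLACEHOLDER.search(auth):
        findings.append("Authorization header is still a placeholder")
    else:
        # Never echo the value itself; only report that a secret is present.
        findings.append("literal API key in file; restrict file permissions and keep it out of version control")
    return "api_key", findings

def audit_config(text):
    """Audit every entry under mcpServers in a JSON config document."""
    servers = json.loads(text).get("mcpServers", {})
    return {name: audit_entry(entry) for name, entry in servers.items()}

# Constructed sample configs (hostname, tenant and key are made up).
SAMPLE_API_KEY = json.dumps({"mcpServers": {"Checkmarx": {
    "type": "http",
    "url": "http://cx.example.test/api/security-mcp/mcp/acme",
    "headers": {"Authorization": "constructed-sample-key"}}}})
SAMPLE_OAUTH = json.dumps({"mcpServers": {"Checkmarx": {
    "serverUrl": "https://cx.example.test/api/security-mcp/mcp/acme"}}})

if __name__ == "__main__":
    for label, doc in (("api-key", SAMPLE_API_KEY), ("oauth2", SAMPLE_OAUTH)):
        for name, (mode, findings) in audit_config(doc).items():
            print(label, name, mode, findings or "ok")
```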
MCP Client Configuration
Prerequisites
A Checkmarx One tenant
Checkmarx API Host
API Key (with required access if using API key authentication)
JSON Configuration
Below are examples to add the server to your MCP client configuration. See the examples/ folder for ready-to-use client config files.
Windsurf IDE
API Key Authentication:
{
  "mcpServers": {
    "Checkmarx": {
      "serverUrl": "https://{api_host}/api/security-mcp/mcp/{tenant}",
      "headers": {
        "cx-origin": "Windsurf",
        "Authorization": "API_KEY"
      }
    }
  }
}
OAuth2 Authentication:
{
  "mcpServers": {
    "Checkmarx": {
      "serverUrl": "https://{api_host}/api/security-mcp/mcp/{tenant}"
    }
  }
}
Claude Desktop / Claude Code
API Key Authentication:
{
  "mcpServers": {
    "Checkmarx": {
      "type": "http",
      "url": "https://{api_host}/api/security-mcp/mcp/{tenant}",
      "headers": {
        "Authorization": "<API_KEY>"
      }
    }
  }
}
Available Tools
Refer to usage for detailed information.
Scanning
Tool | Description |
| Recommend scan engines based on the project |
| Start a scan (CLI for local code, API for repository URL) |
| Get scan status, progress, and severity summary |
| Retrieve recent scans for a project |
| List scans with status, date, and branch filters |
| List vulnerabilities from a scan with severity filtering |
| Get detailed information for a specific finding |
Project management
Tool | Description |
| Look up a project by name |
| Create a new Checkmarx One project |
| Browse or search all projects |
| Get full project configuration |
Application management
Tool | Description |
| Browse or search applications |
| Create a new application |
| Get application details by ID |
| Link projects to an application |
Analytics & risk
Tool | Description |
| Returns org-wide severity counts by engine over a time window (trends). |
Remediation
Tool | Description |
| Provides fixes for code-level issues: SAST, secrets, and IaC misconfigurations. |
| Analyzes and remediates a specific vulnerable or malicious package/dependency. |
| Provides remediation for container image CVEs and safer base-image alternatives. |
License
Apache 2.0 — see LICENSE for details.
Contributing
See CONTRIBUTING.md for development setup, module architecture, and contribution guidelines.
Website: Checkmarx.
© 2026 Checkmarx Ltd. All Rights Reserved.