Checkmarx MCP. Analyze code security and infrastructure flaws via chat.


Checkmarx MCP Server automates Application Security (AppSec) by connecting your AI client directly to Checkmarx One. You can trigger deep SAST/SCA scans, list projects and applications, analyze specific vulnerabilities, and even calculate the precise Best Fix Location (BFL) for a flaw.

It lets you analyze code security findings and infrastructure misconfigurations (KICS) right inside your chat window, bypassing complex web dashboards.

List and scope codebases

Use list_projects and list_applications to inventory all existing code containers and determine the scope for a scan.

Execute and manage scans

Start new SAST/SCA scans using run_scan, and monitor their status or cancel them if they are redundant using get_scan_details or cancel_scan.

Retrieve vulnerability findings

Pull detailed vulnerability reports using get_scan_results, which includes severity, state, and the exact file/line number of the flaw.

Determine optimal code fixes

Calculate the precise patch location for a specific vulnerability using list_bfl, requiring a scan ID and rule ID.

Audit Infrastructure as Code

Focus on misconfigurations in infrastructure files (Terraform, K8s, Docker) by calling get_kics_results.

Checkmarx MCP Server: 10 Tools for AppSec

Use these tools to manage project scope, trigger scans, retrieve vulnerability data, and audit infrastructure code directly through your AI agent.

cancel_scan

Stops an active Checkmarx scan, preventing unnecessary resource use if a developer commits overlapping code.

get_kics_results

Retrieves specialized findings related to infrastructure code (Terraform, K8s, Docker) rather than application source code flaws.

get_project

Gets specific details for a Checkmarx project, ensuring the correct branch and source control context is active for scanning.

get_scan_details

Checks the precise status and configuration of a scan, reporting which engines (SAST, SCA, KICS) ran and their timing.

get_scan_results

Downloads SAST and security vulnerability findings for a completed scan, including severity and exact code lines.

list_applications

Lists all overarching Checkmarx One Applications, which act as containers for multiple microservices and provide aggregated risk reporting.

list_bfl

Calculates the Best Fix Location (BFL) by accepting a scan ID and a rule ID to identify the optimal patch spot.

list_projects

Lists all Checkmarx One Projects, providing metadata and IDs for every codebase container.

list_scans

Lists all historical and active scans for a project, including status, targeted branch, and timestamps.

run_scan

Triggers a new Checkmarx One code scan, often used in CI/CD to validate security quality on pull requests.


What you can do with this MCP connector

Checkmarx MCP Server gives your AI client direct access to your Checkmarx One environment. You'll manage your AppSec posture without clicking through clunky web dashboards. Instead, you analyze deep code flaws right in your chat window.

List and Scope Codebases: You can use list_projects and list_applications to pull a full inventory of all your code containers. To set up for a scan, you'll call get_project to grab specific details, ensuring your agent's context is locked onto the right branch and source control repo.

Execute and Manage Scans: You can kick off new SAST/SCA scans with run_scan, which is killer for CI/CD pipelines validating security on pull requests. Don't want to wait for a job that's already running? You can check the exact status and config of any scan using get_scan_details, or if it's redundant, you'll use cancel_scan to stop it and save resources.

Retrieve Vulnerability Findings: To pull detailed reports, you'll use get_scan_results. This tool downloads SAST and security vulnerability findings from a finished scan, giving you the severity level and the precise file and line number where the flaw lives. For specialized infrastructure code, you'll run get_kics_results to pull findings on misconfigurations in files like Terraform, K8s, and Docker.

Determine Optimal Code Fixes: You don't have to guess where to patch things. You'll run list_bfl, feeding it a scan ID and a rule ID to pinpoint the optimal patch spot for any vulnerability.

Monitor Scans: You can check the status of all historical and active scans for a project using list_scans, which gives you status, targeted branch, and timestamps for every job.

How Checkmarx MCP Works

  1. Subscribe to the server and provide your Checkmarx One JWT Token.
  2. Use the agent to scope the environment by calling list_projects or list_applications.
  3. Initiate a scan with run_scan and then use get_scan_results to pull the vulnerability data.

The bottom line is: your AI client runs the scan orchestration logic for you, making deep security data available via natural conversation.

Who Is Checkmarx MCP For?

This is for security engineers and platform teams who spend too much time jumping between multiple dashboards and ticket trackers. If you need to audit a microservice's security posture or find the exact line of code to fix a zero-day flaw without leaving your terminal, this is for you. It cuts the manual context switching.

Security Engineer (AppSec)

Runs vulnerability triage across multiple services, gathering severity and flaw location details without leaving their primary workstation or ticket tracker.

DevOps Engineer

Investigates misconfigured infrastructure (KICS) in staging branches directly through the agent before a deployment goes live.

Backend Developer

Needs the exact Best Fix Location (BFL) for a critical vulnerability and asks the agent to rewrite the sanitization logic instantly.

What Changes When You Connect

  • Get immediate, actionable vulnerability data. Instead of reviewing a massive report, get_scan_results pulls only the critical details, mapping severity and the exact lines of code where the flaw exists.
  • Manage the entire scan lifecycle from one place. Use run_scan to kick off a job, then get_scan_details to track its precise status, and cancel_scan if the job is redundant.
  • Pinpoint the perfect fix every time. The list_bfl tool calculates the optimal patch location for a vulnerability, telling you exactly what code to change, not just that a flaw exists.
  • Audit infrastructure code separately. The get_kics_results tool isolates misconfigurations found in non-application code—like Terraform or Kubernetes YAML—without needing to run a full application scan.
  • See your entire portfolio risk profile. list_applications gives you an aggregated view of risk across multiple microservices, helping you prioritize which codebase needs attention first.
  • Scope your work precisely. Use list_projects and get_project to confirm the correct codebase container is selected before you run any scan.

Real-World Use Cases

01. Debugging a critical vulnerability in a microservice.

A developer finds a SQL Injection issue. They ask their agent to run get_scan_results for the specific project. The agent returns the vulnerability details and uses list_bfl to pinpoint the exact root cause line of code, allowing the developer to fix it immediately without manual code tracing.

02. Auditing a new environment deployment.

The DevOps team is deploying a new service. They first use get_kics_results to check the associated Terraform and Kubernetes YAML for misconfigurations. They then use list_applications to confirm the service falls under the correct risk umbrella before deployment.

03. Cleaning up redundant or failed scans.

A scan job is running but the code has changed. The team uses get_scan_details to confirm the job status, then calls cancel_scan to stop the unnecessary engine consumption. Finally, they list_scans to confirm the cancellation was successful.

04. Scoping a large, multi-project codebase.

A security analyst needs to check 15 related microservices. Instead of running 15 separate scans, they first run list_projects to get all project IDs, then use get_project for each one to confirm scope, and finally use run_scan across the list.

The Tradeoffs

Running scans without scope.

Running a scan and getting a vague report that doesn't specify which application or branch the findings belong to. You end up questioning the data's source or reliability.

Always start by running list_projects to get all available code containers. Then use get_project to select the exact scope before you call run_scan.

Missing fix details.

Finding a critical vulnerability but only being told 'sanitize input.' You don't know the exact line or function to change, wasting hours of developer time.

Use get_scan_results to locate the flaw, then immediately call list_bfl with the specific scan ID and rule ID to get the precise optimal fix location.

Treating all flaws the same.

Spending equal time fixing a low-risk XSS flaw and a critical SQL Injection flaw. This leads to alert fatigue and slow remediation of real threats.

Filter results using the AI agent's chat capabilities, focusing only on critical vulnerabilities, and use get_scan_results to pull datasets for immediate prioritization.
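The steps under "How Checkmarx MCP Works" and the three rules under "The Tradeoffs" (scope before run_scan, follow get_scan_results with list_bfl, filter by severity) written out as one orchestration function. This is an added example, not Vinkius's or Checkmarx's code: the tool names are the page's, but every argument and result shape, and the in-memory stub backend that lets it run offline, are assumptions.

```python
# Added example, not Vinkius's or Checkmarx's code: the page's scope -> scan ->
# poll -> filter -> list_bfl workflow run against an ASSUMED in-memory stub of
# the MCP tools. Only the tool names come from the page; argument shapes are assumed.
from typing import Any, Callable

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
STATE: dict[str, Any] = {  # constructed sample data behind the stub backend
    "projects": {"p-1": {"name": "payment-service", "branch": "main"}},
    "scans": {},
    "results": {"s-1": [
        {"rule_id": "r-sqli", "severity": "HIGH", "file": "db.py", "line": 42},
        {"rule_id": "r-xss", "severity": "LOW", "file": "views.py", "line": 7}]},
    "bfl": {("s-1", "r-sqli"): {"file": "db.py", "line": 40}},
}

def stub_tool(name: str, args: dict[str, Any]) -> dict[str, Any]:
    """Assumed stub backend; a real MCP client would dispatch to the server."""
    if name == "list_projects":
        return {"projects": list(STATE["projects"])}
    if name == "get_project":
        return STATE["projects"][args["project_id"]]
    if name == "run_scan":
        STATE["scans"]["s-1"] = {"status": "Running", "polls": 0}
        return {"scan_id": "s-1"}
    if name == "get_scan_details":  # the stub completes on the second poll
        scan = STATE["scans"][args["scan_id"]]
        scan["polls"] += 1
        scan["status"] = "Completed" if scan["polls"] >= 2 else "Running"
        return {"status": scan["status"]}
    if name == "get_scan_results":
        return {"results": STATE["results"][args["scan_id"]]}
    if name == "list_bfl":
        return STATE["bfl"][(args["scan_id"], args["rule_id"])]
    raise ValueError(f"unknown tool {name}")

def triage(call_tool: Callable[[str, dict[str, Any]], dict[str, Any]], project_id: str,
           branch: str, min_severity: str = "HIGH", max_polls: int = 10) -> list:
    # Returns findings at or above min_severity, each with its best fix location.
    # Scope first (the page's advice): refuse to scan an unconfirmed project or branch.
    if project_id not in call_tool("list_projects", {})["projects"]:
        raise ValueError(f"unknown project {project_id}")
    if call_tool("get_project", {"project_id": project_id})["branch"] != branch:
        raise ValueError(f"project {project_id} is not on branch {branch}")
    scan_id = call_tool("run_scan", {"project_id": project_id, "branch": branch})["scan_id"]
    for _ in range(max_polls):  # bounded poll: a stuck scan raises instead of spinning
        if call_tool("get_scan_details", {"scan_id": scan_id})["status"] == "Completed":
            break
    else:
        raise TimeoutError(f"scan {scan_id} did not complete after {max_polls} polls")
    out = []
    for finding in call_tool("get_scan_results", {"scan_id": scan_id})["results"]:
        if SEVERITY_RANK[finding["severity"]] < SEVERITY_RANK[min_severity]:
            continue  # skip low-risk flaws so triage time goes to the real threats
        fix = call_tool("list_bfl", {"scan_id": scan_id, "rule_id": finding["rule_id"]})
        out.append({**finding, "scan_id": scan_id, "fix": fix})
    return out
```

Swap `stub_tool` for a function that forwards the name and arguments to a real MCP session to run the same loop against a live server.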

When It Fits, When It Doesn't

Use this server if your workflow requires deep, programmatic access to vulnerability data, especially when you need to correlate findings across different code types (SAST, SCA, KICS). You must use it when you need to find the precise line of code to fix a flaw, not just the flaw itself. If your primary need is just to see a high-level risk score or a simple dashboard view, stick with your existing BI tool. Don't use this if you only need to check general CI/CD status; use a dedicated pipeline monitoring tool instead. You need this when the output of the scan must drive the next step in the development process.

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Checkmarx. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

VINKIUS INFRASTRUCTURE

  • Cloud Hosted: managed infra
  • V8 Isolated: sandboxed per request
  • Zero-Trust Proxy: no stored credentials
  • DLP Enforced: policy on every call
  • GDPR Compliant: EU data residency
  • Token Compression: ~60% cost reduction

Works with Claude, ChatGPT, Cursor, and more

The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.

This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.

Available Capabilities

cancel_scan get_kics_results get_project get_scan_details get_scan_results list_applications list_bfl list_projects list_scans run_scan

Debugging security flaws shouldn't require navigating five different dashboards.

Today, finding a single vulnerability requires jumping through hoops. You start in your ticket tracker, copy a finding ID. You switch to the Checkmarx dashboard, paste the ID, and then manually navigate to the specific project and branch. You check the scan status on a third tab, and finally, you download a massive JSON report just to find the line number.

With the Checkmarx MCP Server, your agent handles the entire process. You just ask: 'What are the critical SQL Injection flaws in the payment service?' The agent runs `get_scan_results` and returns the flaw details, the exact file path, and the severity—all without you touching a dashboard.

Checkmarx MCP Server: Calculate Best Fix Location (BFL)

Manual remediation often fails because the original report just points to a function name. You have to guess where the input is unsanitized. You spend time arguing with the security team over whether the flaw is in the controller or the service layer.

The agent uses `list_bfl` to calculate the optimal fix location. It doesn't just tell you *where* the flaw is; it tells you the single best place in the code to apply the patch, eliminating ambiguity and accelerating developer time.

Common Questions About Checkmarx MCP

How do I run a scan for a specific project using run_scan?

You must first use get_project to confirm the correct project context. Then, you call run_scan to trigger the job. The agent will return a unique scan ID that you can use later with get_scan_details.

Can I check KICS results without running a full SAST scan?

Yes, you use get_kics_results. This tool is specifically designed to look at misconfigurations in infrastructure files (like Dockerfiles or K8s YAML) without touching the application source code.

What is the difference between get_scan_results and list_scans?

Use list_scans to get a history and status list (IDs, dates, status). You must use get_scan_results and provide a completed scan ID to download the actual, detailed vulnerability findings.

How do I find the fix location for a vulnerability?

You need to call list_bfl. This tool requires the vulnerability's scan ID and the specific rule ID to calculate the optimal patch location.

How do I get a list of all available projects using list_projects?

The list_projects tool returns metadata for every codebase container in your Checkmarx One environment. This helps you identify the correct project ID before running a scan or checking results.

What should I use to check the precise status of a scan using get_scan_details?

Use get_scan_details to check the status and configuration of a scan. It tells you which engines (SAST, SCA, KICS) ran, their individual timing, and if any engine failed.

Can I cancel a running scan and why should I use cancel_scan?

Yes, cancel_scan stops an active Checkmarx scan. You should use this if a developer pushes a new commit that overlaps the running job, preventing unnecessary resource use.

When should I use list_applications versus list_projects?

list_applications shows high-level containers for multiple microservices, providing aggregated risk reporting. list_projects lists the specific codebases within those applications.

How can the AI help me fix a vulnerability faster?

Once an issue is identified via scan results, ask your agent to pull the 'Best Fix Location' (BFL) using the query ID. Checkmarx mathematically finds the common root code block, and your AI can instantly rewrite that exact block to sanitize the flaw. You save hours tracing code paths.

Can the agent initiate a static code scan independently?

Yes! Tell the agent to 'Run a scan on project ID X targeting the main branch'. It initiates the analysis natively across the Checkmarx One engines. You can poll for completion status later and retrieve the new dataset directly via chat.

Does it segregate AppSec results from Cloud infrastructure flaws?

It does. Application flaws are pulled cleanly via get_scan_results, whereas misconfigurations tied to Docker, Kubernetes, or Terraform use a dedicated get_kics_results pipeline. The agent intrinsically separates the context for your DevOps team.
