# Checkmarx MCP

> Checkmarx One MCP automates Application Security testing for deep code analysis. Trigger full SAST/SCA scans across any project container, pull vulnerability data down to the exact line of code, and identify optimal patch locations without leaving your chat window.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** appsec, sast, sca, code-scanning, cybersecurity, devsecops

## Description

This connector lets you take programmatic control over your application security posture using Checkmarx One. Instead of clicking through security dashboards, you describe the code flaws you care about to your agent, and it handles the API calls. You can list all active projects and applications in your codebase containers, then trigger full scans on specific branches or pull existing scan data for immediate review. The real value comes when you connect this security check to other systems: through Vinkius, you can chain the vulnerability findings from this MCP with a ticketing system, automating the assignment of remediation tasks and tracking status updates across multiple platforms. You get full visibility into what every agent is doing via Vinkius AI Analytics, so nothing happens in the dark when running scans or pulling results.

## Tools

### cancel_scan
Stops an actively running Checkmarx scan when new code commits overlap or resource usage is unnecessary.

### get_kics_results
Retrieves specialized findings focused only on misconfigurations in Infrastructure as Code (Terraform, Dockerfiles, Kubernetes YAML).

### get_project
Fetches specific metadata details for a designated Checkmarx project.

### get_scan_details
Checks the precise status and configuration of an existing scan, including which engines ran and when they failed.

### get_scan_results
Downloads structured SAST/security vulnerability findings for a completed scan ID, noting severity and code line number.

### list_applications
Lists all high-level applications that act as containers for multiple microservices within Checkmarx One.

### list_bfl
Determines the Best Fix Location (BFL) by providing a specific scan ID and rule identifier string.

### list_projects
Provides a list of all individual codebases managed within Checkmarx One, including their metadata.

### list_scans
Retrieves historical and current scan records for a project, showing the ID, status, branch, and time stamps.

### run_scan
Triggers a new Checkmarx One code scan, useful in CI/CD pipelines to test security quality on pull requests.

## Prompt Examples

**Prompt:** 
```
List the most severe vulnerabilities found in the last Checkmarx scan.
```

**Response:** 
```
Found 12 vulnerabilities in scan #4521. Critical: 2 SQL Injection (CWE-89) in `/api/users.js:142` and `/auth/login.ts:87`. High: 3 XSS (CWE-79). Medium: 7. Use `list_bfl` to find the optimal fix location for each.
```

**Prompt:** 
```
Trigger a new SAST scan for my current Checkmarx project.
```

**Response:** 
```
SAST scan initiated successfully for project 'web-app' on branch 'main'. Scan ID: #4522. Estimated completion: ~8 minutes. I'll notify you when results are ready.
```

**Prompt:** 
```
How do I fix the SQL injection vulnerability found in the Checkmarx report?
```

**Response:** 
```
The SQL injection in `auth/login.ts:87` can be fixed by using parameterized queries. Best Fix Location (BFL) analysis shows the root cause is at line 82 where user input flows unsanitized into the query builder. Replace the string concatenation with a prepared statement.
```
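The fix the response above describes (replace string concatenation with a parameterized query) is shown below as an added example; it is not code from the listing, from Checkmarx or from the scanned project. The login query, the `$1` placeholder style and the sample username are constructed for illustration, and no database driver is involved: both builders return the query that would be sent so the structural difference can be inspected offline.

```javascript
// Added example (not part of the Checkmarx MCP listing): the string-concatenation
// pattern reported as CWE-89 above, next to the parameterized form the response
// recommends. No database is contacted; each builder returns what it would send.

// VULNERABLE: user input is spliced into the SQL text, so the query's structure
// depends on the data. Any quote character in the input changes the statement.
function buildLoginQueryConcat(username) {
  return "SELECT id, password_hash FROM users WHERE username = '" + username + "'";
}

// FIXED: the SQL text is a constant with a placeholder; the input travels
// separately as a bound value and the driver never interprets it as SQL.
function buildLoginQueryParam(username) {
  return {
    text: 'SELECT id, password_hash FROM users WHERE username = $1',
    values: [username],
  };
}

// Rough structural check for a unit test or code review: count single quotes in
// the rendered SQL. Balanced (even) quoting is necessary, though not sufficient,
// for the string literal to have survived intact.
function hasBalancedQuotes(sql) {
  const n = (sql.match(/'/g) || []).length;
  return n % 2 === 0;
}

// With parameterization the SQL text must be identical for every input; only
// the bound values differ. This property is what removes the injection.
function parameterizedTextIsConstant(inputs) {
  const texts = new Set(inputs.map((u) => buildLoginQueryParam(u).text));
  return texts.size === 1;
}

// Constructed sample input: a legitimate username that happens to contain an
// apostrophe. It is enough to break the concatenated query.
const SAMPLE_USERNAME = "O'Brien";

function demo() {
  const concat = buildLoginQueryConcat(SAMPLE_USERNAME);
  const param = buildLoginQueryParam(SAMPLE_USERNAME);
  return {
    concatSql: concat,
    concatWellFormed: hasBalancedQuotes(concat),          // false
    paramSql: param.text,
    paramValues: param.values,
    paramTextConstant: parameterizedTextIsConstant([SAMPLE_USERNAME, 'alice', '']), // true
  };
}

console.log(demo());
```

The point worth taking from the comparison is the one the Best Fix Location analysis makes: the bug is not at the line that executes the query but wherever the input first becomes part of the SQL text, so the parameterized builder is what replaces the concatenation at the root cause.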

## Capabilities

### Run Targeted Scans
Trigger SAST/SCA security checks on specific code branches to test for vulnerabilities.

### Inventory Codebases
List all applications and projects within your environment, getting a full map of your codebase containers.

### Triage Vulnerability Data
Pull structured vulnerability findings, including severity and the exact line number where a flaw exists.

### Determine Best Fix Location (BFL)
Calculate the precise optimal spot in your code to apply a patch that resolves a specific security flaw entirely.

### Check Infrastructure Code
Get specialized metrics on misconfigurations found in Terraform, Dockerfiles, or Kubernetes YAML files (KICS).

## Use Cases

### The Nightly Compliance Audit
A compliance officer needs to know that every microservice has been scanned. They use `list_applications` to get the product container list, then loop through `list_projects` and call `run_scan` on each one, ensuring nothing is left unscanned.

### The PR Security Gate
A developer pushes a pull request. The agent uses `run_scan` to trigger an immediate SAST check against the branch and then uses `get_scan_details` to confirm the scan ran successfully before allowing the merge.

### The Legacy Code Deep Dive
You find a critical vulnerability in old code. Instead of guessing, you provide the scan ID and the rule identifier and run `list_bfl`. The agent tells you exactly which lines to change, so you don't spend half a day debugging.

### The Infrastructure Drift Check
A platform team suspects an environment is misconfigured. They run `get_kics_results` to specifically check the Kubernetes YAML and Dockerfiles, ignoring application code entirely, to pinpoint the infrastructure flaw.

## Benefits

- Stop wasting time. Instead of manually checking every dashboard, use `get_scan_results` to pull structured vulnerability findings directly into your chat window for immediate action.
- Go beyond just application code. Run `get_kics_results` to isolate misconfigurations in infrastructure files like Terraform and Dockerfiles—the stuff that usually slips through testing.
- Don't guess where the fix goes. Pass a rule ID and scan ID to `list_bfl`. This finds the absolute best location in your code to apply a patch, cutting down remediation time by hours.
- Manage risk across product lines using `list_applications` first. You get an aggregated view of security metrics for every logical product container.
- Control the scan lifecycle completely. Use `cancel_scan` if a developer pushes a new commit that makes the running job obsolete, saving engine resources and time.

## How It Works

In short: you define the scope of your code, initiate a scan, then pull structured results for diagnosis and remediation guidance.

1. First, use `list_applications` and `list_projects` to identify the exact codebase container you need to audit.
2. Next, call `run_scan` to queue a new SAST/SCA scan against that project. Then, periodically check status using `get_scan_details` until it completes.
3. Finally, use `get_scan_results` to download the vulnerability data, or pass the scan ID and rule identifier to `list_bfl` to find the precise fix location.
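The three steps above, applied as the PR Security Gate use case (run the scan, wait for `get_scan_details` to report completion, then decide on the merge from `get_scan_results`), as an added example that is not code from the listing, from Vinkius or from Checkmarx. The tool names are the ones the listing documents; the argument and result shapes (`projectId`, `branch`, the status strings, the `severity` field on each finding) are assumptions made for this example, and the in-memory fake client stands in for the MCP server so the flow runs offline.

```javascript
// Added example (not from the Checkmarx MCP listing or Checkmarx itself):
// run_scan -> poll get_scan_details -> get_scan_results -> merge decision.
// Tool names follow the listing; payload shapes are ASSUMED for this example.

const TERMINAL_STATES = new Set(['Completed', 'Failed', 'Canceled']);

// Fake MCP tool surface: each method mirrors a tool from the listing. Scan
// status advances one step per get_scan_details call so polling is exercised.
function makeFakeClient(findings, pollsUntilDone) {
  const scans = new Map();
  let nextId = 4523; // constructed; continues the IDs used in the prompt examples
  return {
    list_projects: () => [{ id: 'web-app', name: 'web-app' }],
    run_scan: ({ projectId, branch }) => {
      const id = nextId++;
      scans.set(id, { id, projectId, branch, status: 'Queued', polls: 0 });
      return { scanId: id };
    },
    get_scan_details: ({ scanId }) => {
      const s = scans.get(scanId);
      if (!s) throw new Error(`unknown scan ${scanId}`);
      s.polls += 1;
      if (s.polls >= pollsUntilDone) s.status = 'Completed';
      else if (s.polls > 1) s.status = 'Running';
      return { scanId: s.id, status: s.status, branch: s.branch, engines: ['SAST', 'SCA'] };
    },
    get_scan_results: ({ scanId }) => {
      const s = scans.get(scanId);
      if (!s || s.status !== 'Completed') throw new Error(`scan ${scanId} has no results yet`);
      return { scanId, findings };
    },
  };
}

// Poll until the scan reaches a terminal state or the attempt budget is spent.
// A real agent would sleep between attempts; here each call is one tick.
function waitForScan(client, scanId, maxPolls) {
  for (let i = 0; i < maxPolls; i++) {
    const details = client.get_scan_details({ scanId });
    if (TERMINAL_STATES.has(details.status)) return details;
  }
  return { scanId, status: 'Timeout' };
}

// The PR gate: scan the branch, wait, then block the merge on any finding at
// the configured severities. A scan that did not complete also blocks, because
// an unknown result must never be treated as a clean one.
function prSecurityGate(client, projectId, branch, opts = {}) {
  const { maxPolls = 10, blockAt = ['Critical', 'High'] } = opts;
  const { scanId } = client.run_scan({ projectId, branch });
  const details = waitForScan(client, scanId, maxPolls);
  if (details.status !== 'Completed') {
    return { scanId, allowMerge: false, reason: `scan ended with status ${details.status}`, blocking: [] };
  }
  const { findings } = client.get_scan_results({ scanId });
  const blocking = findings.filter((f) => blockAt.includes(f.severity));
  return {
    scanId,
    allowMerge: blocking.length === 0,
    reason: blocking.length ? `${blocking.length} finding(s) at ${blockAt.join('/')}` : 'no blocking findings',
    blocking,
  };
}

// Constructed findings, shaped after the listing's sample response.
const SAMPLE_FINDINGS = [
  { severity: 'Critical', cwe: 'CWE-89', file: '/auth/login.ts', line: 87 },
  { severity: 'Medium', cwe: 'CWE-79', file: '/api/users.js', line: 142 },
];

// Usage: run the gate against the fake server and print the decision.
console.log(prSecurityGate(makeFakeClient(SAMPLE_FINDINGS, 3), 'web-app', 'feature/login'));
```

Two design choices matter in practice: the poll loop only trusts the terminal states the server reports, so a `Failed` or `Canceled` scan is not confused with one still running, and the gate fails closed on timeout rather than letting a pull request through because the evidence never arrived.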

## Frequently Asked Questions

**How do I get vulnerability data using `get_scan_results`?**
Provide the ID of a completed scan to `get_scan_results`. This pulls the structured findings, including severity and the exact lines of code where each flaw was detected.

**I want to check misconfigurations in my Kubernetes YAML. Which tool should I use?**
Use `get_kics_results`. This tool specifically focuses on Infrastructure as Code findings, isolating issues in K8s YAML, Dockerfiles, and Terraform files.

**What's the best way to find the fix for a flaw using `list_bfl`?**
You must provide two things: the scan ID and the specific query (rule) ID string. The agent then calculates the optimal patch location based on those inputs.

**How do I know if my scans are still running using `get_scan_details`?**
Call `get_scan_details`. It returns granular execution details, telling you which scan engines (SAST, SCA, KICS) fired and their individual run times or failure reasons.

**Before running a scan, how should I use `get_project` to ensure the correct source code context is selected?**
You must call `get_project` first. This step gives you the necessary metadata for the specific codebase container and branch. It ensures your subsequent scans run against the intended version of the app.

**My scan is running, but I need to stop it early; how does the `cancel_scan` tool prevent wasted resource use?**
The `cancel_scan` tool immediately drops the scanning context and prevents unnecessary engine resource consumption. It's useful if a developer pushes a new commit that overlaps with an active job.

**If I need to review results from last week, what does the `list_scans` tool allow me to retrieve?**
`list_scans` gives you a historical record of all runs. You get the scan ID, status (Completed, Failed, etc.), and the targeted branch for every project run.

**How can I get an overview of all microservices or major code containers using `list_applications`?**
`list_applications` provides a high-level inventory. It groups multiple individual services together, giving you aggregated risk reporting across your entire product line.