How to Use the Checkmarx MCP in Claude Code

Q: How do I start a Checkmarx scan using Claude Code?

You simply tell Claude Code to run a scan. The agent uses runscan to queue a new security analysis for your project and returns the scan ID to your terminal.

Q: Can I pipe Checkmarx scan results to other CLI tools using Claude Code?

Yes. Claude Code retrieves the vulnerabilities using getscanresults and outputs them in a structured format, allowing you to easily pipe the findings into grep, jq, or local shell scripts.

Q: How does Claude Code locate the best spot to fix a Checkmarx vulnerability?

The agent calls listbfl with the scan and query IDs. Claude Code then displays the exact node in your codebase where a single patch will resolve the security issue.

Run Checkmarx security scans, check IaC configurations, and fetch scan details directly from your terminal using Claude Code and this MCP Server.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Checkmarx MCP to Claude Code

Create your Vinkius account to connect Checkmarx to Claude Code and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Checkmarx with Claude Code

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Terminal-driven AppSec pipelines

Stop bouncing between your terminal and the Checkmarx web UI. Claude Code uses `run_scan` to trigger security runs directly from your shell, making it easy to audit code before a git push. If you realize you made a mistake right after starting a run, you can immediately call `cancel_scan` to kill the active job. By querying `list_scans` and `get_scan_details`, you can check the status of your security pipeline without leaving your terminal. Claude Code pipes these execution timings and engine statuses directly into your CLI workflow.

Command-line IaC security audits

Secure your cloud configurations before they get committed to your repository. Claude Code uses `get_kics_results` to pull targeted security findings for your Terraform, Kubernetes, and Dockerfile setups. The terminal agent lists these infrastructure issues clearly, highlighting high-risk configurations. You can then instruct Claude Code to rewrite the offending YAML or Dockerfile lines right from the command prompt.

Automate vulnerability analysis via MCP Server

Fetching vulnerability reports shouldn't require a browser. Claude Code calls `get_scan_results` to pull down detailed SAST findings, including the exact file paths and line numbers where security flaws exist. To make remediation faster, the MCP Server queries `list_bfl` to find the Best Fix Location. It tells you exactly which file and line to modify to resolve the security issue with the least amount of code changes.

Setup guide

Set up Checkmarx MCP in Claude Code

Prerequisites

Claude Code CLI installed (npm install -g @anthropic-ai/claude-code)
Active Vinkius subscription with a valid endpoint token

1

Run the add command

Open your terminal and run the command shown on the right. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com. Use --scope user to make it available across all projects.
2

Verify the connection

Start a Claude Code session and type /mcp to list connected servers. You should see checkmarx-mcp with a green status indicator.
3

Start using tools

Ask Claude Code something like "Check my latest Checkmarx transactions." It will automatically discover and invoke the available Checkmarx tools.

Terminal

claude mcp add --transport http checkmarx-mcp https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

Get your connection token →

Prerequisites

Claude Code CLI installed
Active Vinkius subscription with a valid endpoint token

1

Open the config file

Create or edit .mcp.json in your project root for project-level scope, or ~/.claude.json for user-level scope.
2

Add the Checkmarx MCP

Paste the JSON snippet shown on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Restart Claude Code

Start a new Claude Code session. Type /mcp to confirm the server is connected. The tools will be automatically available in your conversation.

.mcp.json

{
  "mcpServers": {
    "checkmarx-mcp": {
      "type": "url",
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Checkmarx. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Checkmarx now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Checkmarx MCP in Claude Code

You simply tell Claude Code to run a scan. The agent uses `run_scan` to queue a new security analysis for your project and returns the scan ID to your terminal.

Yes. Claude Code retrieves the vulnerabilities using `get_scan_results` and outputs them in a structured format, allowing you to easily pipe the findings into grep, jq, or local shell scripts.

The agent calls `list_bfl` with the scan and query IDs. Claude Code then displays the exact node in your codebase where a single patch will resolve the security issue.

Yes. You can ask Claude Code to check your scan status, and it will query `get_scan_details` to show you which engines are running and any execution errors.

Your API token is stored locally in your Claude Code configuration file. Your credentials are used by the local MCP Server to make direct HTTPS requests to your Checkmarx One instance, meaning no scan results or vulnerability payloads are ever processed by external third parties.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript