Bring Appsec
to Windsurf
Create your Vinkius account to connect Checkmarx to Windsurf and start using all 10 AI tools in minutes. Fully managed, enterprise secure, and ready to use without writing a single line of code. No hosting, no server setup — just connect and start using.
GDPR Free for SubscribersCompatible with every major AI agent and IDE
Gemini
What is the Checkmarx MCP Server?
Connect your Checkmarx One enterprise environment to any AI agent and take programmatic control over your Application Security posture. Analyze deep code flaws through natural chat instead of navigating complex cyber dashboards.
What you can do
- Projects & Applications — Inventory your codebase containers, inspect active project linkages, and prepare specific branches for security scanning
- Scans Lifecycle — Trigger dynamic SAST/SCA security scans on repos, cancel redundant queues, and poll engines for precise execution timing
- Vulnerability Triage — Extract core datasets of severe vulnerabilities, mapping exact lines of code where the flawed logic resides
- Best Fix Location (BFL) — Ask the agent to calculate the exact optimal spot in your execution path to apply a patch that resolves the flaw entirely
- KICS (IaC) — Read specialized Infrastructure as Code metrics isolating misconfigurations exclusively in Terraform, Dockerfiles, or Kubernetes YAML
How it works
- Subscribe to this server
- Provide your Checkmarx One JWT Token
- Uncover code vulnerabilities natively inside Claude, Cursor, or any compatible MCP agent
Who is this for?
- Security Engineers (AppSec) — seamlessly orchestrate vulnerability triage without toggling away from your primary workstation or ticket tracker
- DevOps & Platform Teams — investigate misconfigured KICS results in staging branches actively through the agent before deploying
- Developers — grab the exact Best Fix Location (BFL) for a zero-day issue and ask the LLM to rewrite the sanitization logic instantly
Built-in capabilities (10)
Prevents unnecessary engine resource consumption and drops the scanning context if the developer pushed a new commit overlapping the running job. Cancel an actively running Checkmarx scan
Focuses solely on Terraform, CloudFormation, Kubernetes YAML, and Dockerfile misconfigurations rather than typical application source code flaws. Get specialized Infrastructure as Code (KICS) findings
Essential for ensuring the correct branch and source control context is selected before triggering new scans. Get details for a specific Checkmarx project
It returns granular execution details including which scan engines (SAST, SCA, KICS) were fired, their individual execution timings, and any engine-specific failure reasons. Check the precise status and configuration of a Checkmarx scan
Each result includes the vulnerability severity, state (To Verify, Confirmed, Urgent), description, and the exact lines of code where the flaw was detected. Requires a completed scan ID. Download SAST and security vulnerability findings for a scan
An Application acts as an overarching container for multiple individual microservices or projects, providing aggregated risk reporting and security metric visibility across a logical product. List Checkmarx One Applications
Provide the scan ID and the specific query (rule) ID string. Get Best Fix Location (BFL) for a specific vulnerability node
A Project represents a specific codebase. Includes project metadata, IDs, and assigned application linkages. List all Checkmarx One Projects
Includes the scan ID, current status (Completed, Running, Failed, Canceled), branch targeted, and timestamps. Use the scan ID to fetch the actual vulnerability results. List all historical and active scans for a Checkmarx project
Extensively used in CI/CD integrations to assert security quality on PRs. Returns the ID of the newly queued scan. Trigger a new Checkmarx One code scan
Why Windsurf?
Windsurf's Cascade agent chains multiple Checkmarx tool calls autonomously. query data, analyze results, and generate code in a single agentic session. Paste Vinkius Edge URL, reload, and all 10 tools are immediately available. Real-time tool feedback appears inline, so you see API responses directly in your editor.
- —
Windsurf's Cascade agent autonomously chains multiple tool calls in sequence, solving complex multi-step tasks without manual intervention
- —
Purpose-built for agentic workflows. Cascade understands context across your entire codebase and integrates MCP tools natively
- —
JSON-based configuration means zero code changes: paste a URL, reload, and all 10 tools are immediately available
- —
Real-time tool feedback is displayed inline, so you see API responses directly in your editor without switching contexts
Checkmarx in Windsurf
Why run Checkmarx with Vinkius?
The Checkmarx connection runs on our fully managed, secure cloud infrastructure. We handle the hosting, maintenance, and security so you don't have to deal with servers or code. All 10 tools are ready to work instantly without any complex setup.
You stay in complete control of your data. Your AI only accesses the information you approve, keeping your sensitive passwords and private details completely safe. Plus, with automatic optimizations, your AI works faster and more efficiently.
* Every connection is hosted and maintained by Vinkius. We handle the security, updates, and infrastructure so you don't have to write code or manage servers. See our infrastructure
Over 4,000 integrations ready for AI agents
Explore a vast library of pre-built integrations, optimized and ready to deploy.
Connect securely in under 30 seconds
Generate tokens to authenticate and link external services in a single step.
Complete visibility into every agent action
Audit live requests, latency, success rates, and active security compliance policies.
Optimize spending and track token ROI
Analyze real-time token consumption and cost metrics detailed by connection.
Explore our live AI Agents Analytics dashboard to see it all working
This dashboard is included when you connect Checkmarx using Vinkius. You will never be left in the dark about what your AI agents are doing with your tools.
Checkmarx and 4,000+ other AI tools. No hosting, no code, ready to use.
Professionals who connect Checkmarx to Windsurf through Vinkius don't need to write code, manage servers, or worry about security. Everything is pre-configured, secure, and runs automatically in the background.
Raw MCP | Vinkius | |
|---|---|---|
| Ready-to-use MCPs | Find and configure each manually | 4,000+ MCPs ready to use |
| Connection Setup | Manual coding & server setup | 1-click instant connection |
| Server Hosting | You host it yourself (needs 24/7 uptime) | 100% hosted & managed by Vinkius |
| Security & Privacy | Stored in plaintext config files | Bank-grade encrypted vault |
| Activity Visibility | Blind execution (no logs or tracking) | Live dashboard with real-time logs |
| Cost Control | Runaway AI token spend risk | Automatic budget limits |
| Revoking Access | Must delete files or code to stop | 1-click disconnect button |
How Vinkius secures
Checkmarx for Windsurf
Every request between Windsurf and Checkmarx is protected by our secure gateway. We automatically keep your sensitive data private, prevent unauthorized access, and let you disconnect instantly at any time.
Frequently asked questions
How can the AI help me fix a vulnerability faster?
Once an issue is identified via scan results, ask your agent to pull the 'Best Fix Location' (BFL) using the query ID. Checkmarx mathematically finds the common root code block, and your AI can instantly rewrite that exact block to sanitize the flaw. You save hours tracing code paths.
Can the agent initiate a static code scan independently?
Yes! Tell the agent to 'Run a scan on project ID X targeting the main branch'. It initiates the analysis array natively across Checkmarx One engines. You can poll for completion status later and retrieve the new dataset directly via chat.
Does it segregate AppSec results from Cloud infrastructure flaws?
It does. Application flaws are pulled cleanly via get_scan_results, whereas misconfigurations tied to Docker, Kubernetes, or Terraform limits use a dedicated get_kics_results pipeline. The agent intrinsically separates the context for your DevOps team.
How does Windsurf discover MCP tools?
Windsurf reads the mcp_config.json file on startup and connects to each configured server via Streamable HTTP. Tools are listed in the MCP panel and available to Cascade automatically.
Can Cascade chain multiple MCP tool calls?
Yes. Cascade is an agentic system. it can plan and execute multi-step workflows, calling several tools in sequence to accomplish complex tasks without manual prompting between steps.
Does Windsurf support multiple MCP servers?
Yes. Add as many servers as needed in mcp_config.json. Each server's tools appear in the MCP panel and Cascade can use tools from different servers in a single flow.
Server not connecting
Check Settings → MCP for the server status. Try toggling it off and on.
Explore More MCP Servers
View all →
Kippy
13 toolsTrack GPS locations of pets and loved ones in real time with wearable devices that send alerts when they leave safe zones.
SmartHR
8 toolsEmpower your AI to manage employee records, organizational structures, and payrolls directly from your SmartHR workspace.
Discord
10 toolsManage Discord servers, post messages, organize channels, and moderate communities with full bot-level API access.
Campaign Monitor
7 toolsDesign branded email campaigns, segment subscriber lists, and measure engagement with professional marketing analytics.