Checkmarx MCP. Diagnose Flaws and Pinpoint the Perfect Fix Spot.
Works with every AI agent you already use, and any MCP-compatible client.
Just plug in your AI agents and start using Vinkius.
Checkmarx One MCP automates Application Security testing for deep code analysis. Trigger full SAST/SCA scans across any project container, pull vulnerability data down to the exact line of code, and identify optimal patch locations without leaving your chat window.
What your AI agents can do
Trigger SAST/SCA security checks on specific code branches to test for vulnerabilities.
List all applications and projects within your environment, getting a full map of your codebase containers.
Pull structured vulnerability findings, including severity and the exact line number where a flaw exists.
Calculate the precise optimal spot in your code to apply a patch that resolves a specific security flaw entirely.
Get specialized metrics on misconfigurations found in Terraform, Dockerfiles, or Kubernetes YAML files (KICS).
Supported MCP Clients
OAuth 2.0 Compatible
Checkmarx: 10 Tools for Security Management
Manage your entire AppSec workflow with these tools, covering everything from listing applications to finding the perfect patch location.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
- `cancel_scan`: Stops an actively running Checkmarx scan when new code commits overlap or resource usage is unnecessary.
- `get_kics_results`: Retrieves specialized findings focused only on misconfigurations in Infrastructure as Code (Terraform, Dockerfiles, Kubernetes YAML).
- `get_project`: Fetches specific metadata details for a designated Checkmarx project.
- `get_scan_details`: Checks the precise status and configuration of an existing scan, including which engines ran and when they failed.
- `get_scan_results`: Downloads structured SAST/security vulnerability findings for a completed scan ID, noting severity and code line number.
- `list_applications`: Lists all high-level applications that act as containers for multiple microservices within Checkmarx One.
- `list_bfl`: Determines the Best Fix Location (BFL) by providing a specific scan ID and rule identifier string.
- `list_projects`: Provides a list of all individual codebases managed within Checkmarx One, including their metadata.
- `list_scans`: Retrieves historical and current scan records for a project, showing the ID, status, branch, and time stamps.
- `run_scan`: Triggers a new Checkmarx One code scan, useful in CI/CD pipelines to test security quality on pull requests.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Checkmarx, then connect any of our 4,800+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 4,800+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Checkmarx. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
- Cloud Hosted: managed infra
- V8 Isolated: sandboxed per request
- Zero-Trust Proxy: no stored credentials
- DLP Enforced: policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Navigating Checkmarx's Dashboard Maze
Right now, figuring out a vulnerability requires jumping between the main dashboard, the project view, and the specific scan results tab. You click to see the flaw, then you copy the ID, then you switch tabs to check its severity, and finally, you open another window just to look up the recommended fix.
With this MCP, those manual jumps disappear. The agent handles the context switching for you. You ask it about a vulnerability, and it pulls all the necessary details—the location, the severity, the potential infrastructure overlap—and gives you one clean answer.
Pinpointing Vulnerabilities with `list_bfl`
The hardest part is that once an AppSec report shows a flaw at line 142, the fix might actually be three files away. You waste time guessing which parameter or function needs sanitization.
Using `list_bfl` changes that entirely. Give it the specific scan ID and the rule ID, and it calculates the one optimal spot to put your patch. It's surgical precision for remediation.
What you can do with this MCP connector
This connector lets you take programmatic control over your entire application security posture using Checkmarx One. Instead of clicking through complex cyber dashboards, you talk to your agent about code flaws—and it handles the heavy lifting. You can list all active projects and applications in your codebase containers, then trigger full scans on specific branches or pull existing scan data for immediate review.
The real value comes when you need to connect this security check to other systems; through Vinkius, you can chain the vulnerability findings from this MCP with a ticketing system, automating the process of assigning remediation tasks and tracking status updates across multiple platforms. You get deep visibility into what every agent is doing via Vinkius AI Analytics—nothing happens in the dark when running scans or pulling results.
How Checkmarx MCP Works
- 1. First, use `list_applications` and `list_projects` to identify the exact codebase container you need to audit.
- 2. Next, call `run_scan` to queue a new SAST/SCA scan against that project. Then, periodically check status using `get_scan_details` until it completes.
- 3. Finally, use `get_scan_results` to download the vulnerability data, or pass the ID and rule number to `list_bfl` to find the precise fix location.
The bottom line is: you define the scope of your code, initiate a scan, then pull structured results for diagnosis and remediation guidance.
Who Is Checkmarx MCP For?
Security Engineers, DevOps/Platform Teams, and Developers. You're the person who gets tired of clicking through three different dashboards just to find out where the vulnerability is, and you need the fix location instantly.
- Needs to orchestrate comprehensive vulnerability triage without leaving their primary workstation or ticket tracker.
- Must investigate misconfigured infrastructure (KICS) in staging branches before promoting code into production.
- Needs to grab the exact Best Fix Location for a zero-day issue and ask the agent to rewrite or sanitize the logic instantly.
What Changes When You Connect
- Stop wasting time. Instead of manually checking every dashboard, use `get_scan_results` to pull structured vulnerability findings directly into your chat window for immediate action.
- Go beyond just application code. Run `get_kics_results` to isolate misconfigurations in infrastructure files like Terraform and Dockerfiles—the stuff that usually slips through testing.
- Don't guess where the fix goes. Pass a rule ID and scan ID to `list_bfl`. This finds the absolute best location in your code to apply a patch, cutting down remediation time by hours.
- Manage risk across product lines using `list_applications` first. You get an aggregated view of security metrics for every logical product container.
- Control the scan lifecycle completely. Use `cancel_scan` if a developer pushes a new commit that makes the running job obsolete, saving engine resources and time.
Real-World Use Cases
The Nightly Compliance Audit
A compliance officer needs to know if all microservices have been scanned. They use list_applications to get the product container list, then loop through list_projects and call run_scan on each one, ensuring nothing is left un-scanned.
The PR Security Gate
A developer pushes a pull request. The agent uses run_scan to trigger an immediate SAST check against the branch and then uses get_scan_details to confirm the scan ran successfully before allowing the merge.
The Legacy Code Deep Dive
You find a critical vulnerability in old code. Instead of guessing, you provide the flaw ID and run list_bfl. The agent tells you exactly which lines to change, so you don't spend half a day debugging.
The Infrastructure Drift Check
A platform team suspects an environment is misconfigured. They run get_kics_results to specifically check the Kubernetes YAML and Dockerfiles, ignoring application code entirely, to pinpoint the infrastructure flaw.
The Tradeoffs
Relying on GUI Dashboards
Spending 30 minutes clicking through complex web interfaces just trying to find a specific vulnerability's line number and severity score.
→ Use the MCP. After scanning, call `get_scan_results` directly in your chat client. It pulls the structured data with severity and code lines immediately.
Running Scans Blindly
Triggering a full scan every time without checking if an earlier job is still running or if the commit was already covered.
→ Always check status first. Use `list_scans` to see historical runs, then use `get_scan_details` before calling `run_scan`. If it's redundant, call `cancel_scan`.
Missing the Fix Location
Knowing a vulnerability exists but having no idea where in the code base to apply the fix, leading to manual guesswork and delays.
→ Always run `list_bfl` after finding a flaw. It calculates the optimal spot for remediation using the scan ID and rule ID.
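The "How Checkmarx MCP Works" steps and the "Running Scans Blindly" tradeoff above describe one orchestration: check `list_scans` before queuing, poll `get_scan_details`, cancel a job that is no longer useful, then pull `get_scan_results` and `list_bfl`. The PR security gate below is an added example that ties those tool names together; it is not Vinkius or Checkmarx code. The argument and result shapes (`project_id`, `branch`, `scan_id`, `query_id`, the status strings and the `engines` list) are assumptions made for illustration, and the real MCP schema may differ. A constructed in-memory fake stands in for the MCP server so the script runs offline; the point it demonstrates is that a gate should reuse an existing scan of the same branch, fail closed on a failed or unfinished scan, and attach the Best Fix Location to every blocking finding.

```python
"""PR security gate built on the Checkmarx MCP tool names listed on this page.

Added example, not project code. Tool argument/result shapes are ASSUMPTIONS;
FakeCheckmarxMCP is a constructed stand-in for the real MCP server.
"""
import itertools

BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}   # assumed severity labels


class FakeCheckmarxMCP:
    """Constructed fake server: a scan advances Queued -> Running -> Completed,
    one state per get_scan_details poll, so polling can be exercised offline."""

    def __init__(self, seeded_findings):
        self._ids = itertools.count(1)
        self.scans = {}                   # scan_id -> {project_id, branch, status}
        self.seeded = seeded_findings     # (project_id, branch) -> findings
        self.cancelled = []               # scan ids cancelled by the gate

    def call_tool(self, name, args):
        if name == "list_scans":
            return [dict(s, scan_id=sid) for sid, s in self.scans.items()
                    if s["project_id"] == args["project_id"]]
        if name == "run_scan":
            sid = f"scan-{next(self._ids)}"
            self.scans[sid] = {"project_id": args["project_id"],
                               "branch": args["branch"], "status": "Queued"}
            return {"scan_id": sid}
        if name == "get_scan_details":
            s = self.scans[args["scan_id"]]
            s["status"] = {"Queued": "Running", "Running": "Completed"}.get(s["status"], s["status"])
            engines = [{"name": e, "status": s["status"]} for e in ("SAST", "SCA", "KICS")]
            return {"scan_id": args["scan_id"], "status": s["status"], "engines": engines}
        if name == "cancel_scan":
            self.scans[args["scan_id"]]["status"] = "Cancelled"
            self.cancelled.append(args["scan_id"])
            return {"scan_id": args["scan_id"], "status": "Cancelled"}
        if name == "get_scan_results":
            s = self.scans[args["scan_id"]]
            return self.seeded.get((s["project_id"], s["branch"]), [])
        if name == "list_bfl":
            # Constructed answer: the fake always points at one fixed location.
            return {"file": "src/db.py", "line": 17, "query_id": args["query_id"]}
        raise KeyError(f"unknown tool {name}")


def security_gate(call_tool, project_id, branch, max_polls=6):
    """Return a merge decision; fails closed on timeout, failed scan or failed engine."""
    # Tradeoff "Running Scans Blindly": reuse a queued, running or finished scan of
    # this branch instead of queuing a duplicate job.
    reusable = [s for s in call_tool("list_scans", {"project_id": project_id})
                if s["branch"] == branch and s["status"] in ("Queued", "Running", "Completed")]
    if reusable:
        scan_id, reused = reusable[-1]["scan_id"], True
    else:
        scan_id = call_tool("run_scan", {"project_id": project_id, "branch": branch})["scan_id"]
        reused = False

    # Poll get_scan_details until a terminal state; a job that never finishes is
    # cancelled (freeing engine resources) and the PR is blocked, not waved through.
    for _ in range(max_polls):
        details = call_tool("get_scan_details", {"scan_id": scan_id})
        if details["status"] in ("Completed", "Failed"):
            break
    else:
        call_tool("cancel_scan", {"scan_id": scan_id})
        return {"scan_id": scan_id, "reused": reused, "decision": "block",
                "reason": "scan did not finish within the poll budget; cancelled", "findings": []}

    # Fail closed: a failed scan or a single failed engine means "no clean result".
    failed_engines = [e["name"] for e in details["engines"] if e["status"] != "Completed"]
    if details["status"] != "Completed" or failed_engines:
        return {"scan_id": scan_id, "reused": reused, "decision": "block",
                "reason": f"scan status {details['status']}; engines not completed: {failed_engines}",
                "findings": []}

    findings = call_tool("get_scan_results", {"scan_id": scan_id})
    blocking = [dict(f) for f in findings if f["severity"].upper() in BLOCKING_SEVERITIES]
    for f in blocking:   # attach the Best Fix Location to each blocking finding
        f["best_fix"] = call_tool("list_bfl", {"scan_id": scan_id, "query_id": f["query_id"]})
    return {"scan_id": scan_id, "reused": reused,
            "decision": "block" if blocking else "allow",
            "reason": f"{len(blocking)} blocking finding(s)", "findings": blocking}


SEEDED = {   # constructed sample findings keyed by (project_id, branch)
    ("proj-api", "feature/login"): [
        {"query_id": "SQL_Injection", "severity": "High", "file": "src/views.py", "line": 142},
        {"query_id": "Log_Forging", "severity": "Low", "file": "src/views.py", "line": 88},
    ],
    ("proj-api", "main"): [],
}

if __name__ == "__main__":
    server = FakeCheckmarxMCP(SEEDED)
    print(security_gate(server.call_tool, "proj-api", "feature/login"))
    print(security_gate(server.call_tool, "proj-api", "feature/login"))  # reuses scan-1
```

The second call in the usage block returns the same `scan_id` with `reused` set, which is the behaviour the "Running Scans Blindly" tradeoff asks for; the low-severity finding is reported by `get_scan_results` but does not block, and only the high-severity one gets a `list_bfl` lookup.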
When It Fits, When It Doesn't
Use this MCP if your process requires programmatic control over the full vulnerability lifecycle—from scoping (using list_projects) to detection (run_scan and get_kics_results) to surgical remediation guidance (list_bfl). Don't use it if you only need a simple, single-point status check. For basic status checks, get_scan_details is enough. However, if the goal is to act on that data—like fetching results or finding fixes—you need this full suite of tools.
Common Questions About Checkmarx MCP
How do I get vulnerability data using `get_scan_results`?
You need a completed scan ID and then you call get_scan_results. This pulls the structured findings, including severity and the exact lines of code where the flaw was detected.
I want to check misconfigurations in my Kubernetes YAML. Which tool should I use?
Use get_kics_results. This tool specifically focuses on Infrastructure as Code findings, isolating issues in K8s YAML, Dockerfiles, and Terraform files.
What's the best way to find the fix for a flaw using `list_bfl`?
You must provide two things: the scan ID and the specific query (rule) ID string. The agent then calculates the optimal patch location based on those inputs.
How do I know if my scans are still running using `get_scan_details`?
Call get_scan_details. It returns granular execution details, telling you which scan engines (SAST, SCA, KICS) fired and their individual run times or failure reasons.
Before running a scan, how should I use `get_project` to ensure the correct source code context is selected?
You must call get_project first. This step gives you the necessary metadata for the specific codebase container and branch. It ensures your subsequent scans run against the intended version of the app.
My scan is running, but I need to stop it early; how does the `cancel_scan` tool prevent wasted resource use?
The cancel_scan tool immediately drops the scanning context and prevents unnecessary engine resource consumption. It's useful if a developer pushes a new commit that overlaps with an active job.
If I need to review results from last week, what does the `list_scans` tool allow me to retrieve?
list_scans gives you a historical record of all runs. You get the scan ID, status (Completed, Failed, etc.), and the targeted branch for every project run.
How can I get an overview of all microservices or major code containers using `list_applications`?
list_applications provides a high-level inventory. It groups multiple individual services together, giving you aggregated risk reporting across your entire product line.
Use it with your favorite AI tools
Connect this server to Cursor, Claude, VS Code, and more.