Skip to main content

Checkmarx SCA Extension for Visual Studio Code


The Checkmarx SCA Extension for VS Code enables users to initiate SCA scans directly from their VS Code console, and shows detailed results as soon as the scan is completed. The scan identifies the open-source dependencies used in your code and indicates the security risks associated with those packages. The identified packages are shown in a tree structure with an indication of the risk level for each package. You can drill down to show the specific vulnerabilities associated with a package.


This is a free tool provided by Checkmarx for all VS Code users, and does not require the user to submit credentials for a Checkmarx SCA account. For SCA users, the scan results from this plugin are not synced with their SCA account.


Checkmarx SCA is Checkmarx’s proprietary Software Composition Analysis (SCA) solution for detecting risks associated with your open source dependencies. Checkmarx SCA is a cloud native SaaS solution which enables you to easily identify, prioritize, and remediate the risks posed by your open source packages. These risks may include security vulnerabilities, supply chain risks, license requirements and outdated open source packages. Checkmarx SCA addresses all of these issues, providing highly accurate, relevant, and actionable insights. See Checkmarx SCA

Main Features

  • Free tool, no Checkmarx account required

  • Run scans directly from your IDE

  • View actionable results in your IDE, indicating which of your open-source packages are at risk

  • Provides links to learn more about each vulnerability on Checkmarx’s Advisories website


You need to install all relevant package managers on your local environment, see Installing Supported Package Managers for Resolver.

Installing the SCA Extension

To install the extension:

  1. Download the VSIX file for installing the extension by clicking here.

  2. Optionally, you can download the sha256 checksum file here and use it to check the integrity of the download.

  3. In the VS Code console, in the Activity Bar, click on the Extensions icon.

  4. Click on the More Actions icon (…).

  5. Select Install from VSIX.

  6. Navigate to the downloaded file and click Install.

Configuring the Extension (Optional)


The extension is activated automatically upon installation and no configuration is required.

If you would like to customize the scan settings, you can use the following procedure:

  1. In the VS Code console, click on the Manage (Settings.png) icon and go to Settings > Extensions > Checkmarx > Checkmarx SCA.

  2. By default the extension is configured to run SCA scans on our US environment. If you would like to change the settings to run scans on our EU environment, in the API URL field, enter

  3. If you would like to run scans in debug mode, select the checkbox for Enable Debug.

Running a Scan

To run a scan on the project that is open in your workspace you can either

  • enter the scan command in the Command Palette, OR

  • open the Checkmarx SCA panel and click on the Scans.png icon.



If you haven’t yet scanned the project, a Run Scan button is shown in the Checkmarx SCA panel.

Viewing SCA Results

Viewing the Results Summary

The Checkmarx SCA window has two sections. The Dependency Tree tab shows the dependencies identified in your project and the risks associated with them. The Scan Information tab shows metadata about the most recent scan.

To view SCA scan results:

  1. Click on the Checkmarx icon in the Activity Bar.

    The Checkmarx SCA window opens, showing results in a tree structure. In the Dependencies Tree tab, the top level shows each of the folders in your workspace. Below that are the manifest files that were identified in each folder and then, for each manifest file, the dependency tree. For each package, an icon indicates whether or not it contains vulnerabilities and what the risk level is for that package, see SCA Icons below.

  2. Click on a package to open a tab showing info about the vulnerabilities associated with that package.

  3. Click on the Read More button to access an in-depth analysis of the vulnerability on the Checkmarx Advisory website.

  4. To view metadata about how the scan ran, click on the Scan Information tab to expand the display.

    Data about the time of the most recent scan is shown, as well as info about which package managers were used to resolve each manifest file and whether it was resolved successfully.


SCA Icons




Folder in workspace


Manifest file


Run scan


No known vulnerabilities


Low risk vulnerabilities


Medium risk vulnerabilities


High risk vulnerabilities


Package not found in our database