
Installing and Setting up the Checkmarx VS Code Extension

Installing the Extension

The Visual Studio Code Extension is available on the Visual Studio Code marketplace. You can initiate the installation directly from the Visual Studio Code console.

Figure 1. Installation and Initial Setup

To install the extension:

  1. Open Visual Studio Code.

  2. In the main menu, click on the Extensions icon.

  3. Search for the Checkmarx extension, then click Install for that extension.



    By default, only release versions are installed. You can click on the down arrow next to Install and select Install Pre-Release Version to get the latest pre-release version. See Automatic Updates - Releases Versions and Pre-Release Versions.

    The Checkmarx extension is installed and the Checkmarx icon appears in the left-side navigation panel.


Automatic Updates - Releases Versions and Pre-Release Versions

Once you have installed the Checkmarx extension, it is automatically updated to the latest version whenever we create a new release.

Whenever new code is merged in between full releases, we create nightly pre-release versions. You can choose to install a pre-release version. Once you have installed a pre-release version, you will continue to get automatic updates whenever a new pre-release (or release) is created.

To start getting pre-release versions:

  1. In the main menu, click on the Extensions icon.

  2. Search for the Checkmarx extension, then click Switch to Pre-Release Version.

  3. A restart is required to activate the changes.


    You can revert at any time to only getting release versions by clicking on Switch to Release Version.

Setting up the Extension

After installing the plugin, in order to use the Checkmarx One Results tool you need to configure access to your Checkmarx One account, as described below.


If you are only using the free KICS Auto Scanning tool and/or the SCA Realtime Scanning tool, then this setup procedure is not relevant. However, for the SCA Realtime Scanning tool, if your environment doesn't have access to the internet, then you will need to configure a proxy server in the Settings, under Checkmarx One: Additional Params.

  1. In the VS Code console, click on the Checkmarx extension icon and then click on the Open settings button.

    The Checkmarx Settings form opens.

  2. Under Checkmarx One settings, in the API Key field, enter your Checkmarx One API Key.


    If you need to create an API key, see Generating an API Key.

    The configuration is saved automatically.

  3. In the Additional Params field, you can submit additional CLI params. This can be used to manually submit the base URL and tenant name if there is a problem extracting them from the API Key. It can also be used to add global params such as --debug or --proxy. To learn more about CLI global params, see Global Flags.
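When extraction from the API Key fails, it helps to check locally what the key carries before typing values into Additional Params. The following is an added example, not Checkmarx code: it assumes the key is a JWT whose `iss` claim has the form `https://<iam-host>/auth/realms/<tenant>`, and the host and tenant in the sample are constructed.

```python
import base64
import json
from urllib.parse import urlparse


def inspect_api_key(api_key: str) -> dict:
    """Read issuer host and tenant from a JWT-format key, locally.

    ASSUMPTION (not from the page): the payload carries an `iss` claim of
    the form https://<iam-host>/auth/realms/<tenant>. The signature is not
    verified; this is a local read so the key is never pasted into a website.
    """
    parts = api_key.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT; check for a truncated paste")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all land here
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    issuer = urlparse(str(claims.get("iss", "")))
    if issuer.scheme != "https" or "/realms/" not in issuer.path:
        raise ValueError("issuer claim missing or not an https realm URL")
    tenant = issuer.path.split("/realms/", 1)[1].strip("/")
    if not tenant or "/" in tenant:
        raise ValueError("could not isolate a tenant name in the issuer")
    return {"issuer_host": issuer.netloc, "tenant": tenant}


def constructed_key(claims: dict) -> str:
    """Build a fake, unsigned key for the demo; not a real credential."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.constructed-signature"


if __name__ == "__main__":
    # Constructed sample: hypothetical host and tenant, not real values.
    key = constructed_key({"iss": "https://iam.example.test/auth/realms/acme"})
    print(inspect_api_key(key))
    try:
        inspect_api_key(key[: len(key) // 2])  # simulate a truncated paste
    except ValueError as err:
        print("rejected:", err)
```

A rejected key usually points to a truncated or whitespace-damaged paste rather than a problem that extra flags can fix.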

Configuring AI Guided Remediation

AI Guided Remediation can be used with the Checkmarx One results tool as well as with the KICS Realtime Scanning tool. In order to use AI Guided Remediation you need to integrate the VS Code extension with your GPT account.

To set up the integration with your GPT account:

  1. Go to the Checkmarx extension Settings.

  2. In the Model field, select from the drop-down list the model of the GPT account that you are using.

  3. In the GPT Key field, enter the API key for your GPT account.


    Follow this link to generate an API key.

The configuration is saved automatically.

Configuring the KICS Realtime Scanning Tool (Optional)

This tool is activated automatically upon installation and no configuration is required.


It is not necessary to configure the Checkmarx One Authentication settings in order to use the KICS Realtime Scanning feature.

If you would like to customize the scan settings, you can use the following procedure:

  1. In the VS Code console, go to Settings > Extensions > Checkmarx > Checkmarx KICS Realtime Scanning.

  2. By default the extension is configured to run a KICS scan whenever an infrastructure file of a supported type is opened or saved. If you would like to disable automatic scanning, deselect the Activate KICS Auto Scanning checkbox.


    In this case, you will still be able to trigger scans manually from the command palette, as described below.

  3. If you would like to customize the scan parameters, enter the desired flags in the Additional Parameters field. For a list of available options, see Scan Command Options.