Skip to main content

Checkmarx VS Code Extension (Plugin)

The Checkmarx Visual Studio Code extension contains two separate tools:

  • Checkmarx One Results - This tool enables you to import results from a Checkmarx One scan directly into your IDE. You can view the vulnerabilities that were identified in your source code and navigate directly to the vulnerable code in the editor. This tool requires authentication with credentials from your Checkmarx One account.

  • Checkmarx KICS Realtime Scanning - This tool initiates KICS scans directly from their VS Code console. The scan runs automatically whenever an infrastructure file of a supported type is saved, either manually or by auto-save. The scan runs only on the file that is open in the editor. The results are shown in the VS Code console, making it easy to remediate the vulnerabilities that are detected. This is a free tool provided by Checkmarx for all VS Code users, and does not require the user to submit credentials for a Checkmarx One account.

  • Checkmarx SCA Realtime Scanning - This tool enables VS Code users to initiate SCA scans directly from their VS Code console, and shows detailed results as soon as the scan is completed. The scan identifies the open-source dependencies used in your code and indicates the security risks associated with those packages. The identified packages are shown in a tree structure with an indication of the risk level for each package. You can drill down to show the specific vulnerabilities associated with a package.

Main Features

  • Checkmarx One results

    • Run a new scan from your IDE even before committing the code, or import scan results from your Checkmarx One account.

    • Show results from all scan types (SAST, SCA, and IaC Security)

    • Group and filter results

    • Navigate from results directly to the vulnerable code in the editor

    • Vulnerable code is highlighted in the editor

    • Triage results - edit the result predicate (severity, state and comments) directly from the Visual Studio Code console

    • View info about how to remediate SAST vulnerabilities, including code samples

    • Links to Codebashing lessons

    • Apply Auto Remediation to automatically remediate open source vulnerabilities, by updating to a non-vulnerable package version.

  • Checkmarx KICS Realtime Scanning

    • Free tool, no Checkmarx account required

    • Run scans directly from your IDE

    • Scans are triggered automatically whenever a file is saved

    • Apply Auto Remediation to automatically fix IaC vulnerabilities

  • Checkmarx SCA Realtime Scanning

    • Free tool, no Checkmarx account required

    • Run scans directly from your IDE

    • View actionable results in your IDE, indicating which of your open-source packages are at risk

    • Provides links to detailed info about the vulnerabilities on the Checkmarx Developer Hub

Note

The plugin is available on marketplace. In addition, the code can be accessed here.

Prerequisites

  • For Checkmarx One Results:

    • An installation of VS Code version 1.63.0 or above

    • You have a Checkmarx One account and can run Checkmarx One scans on your source code.

      Notice

      Scans can be initiated via Checkmarx One, Checkmarx One CLI, SCM Plugins, CI/CD Plugins or REST APIs.

    • You have an API Key for your Checkmarx One account. To create an API key, see Generating an API Key.

      Notice

      In order to use this integration for running an end-to-end flow of scanning a project and viewing results, the API Key must have at a minimum the out-of-the-box composite role ast-scanner as well as the IAM role default-roles.

  • For KICS Realtime Scanning:

    • You must have a supported container engine (e.g., Docker, Podman etc.) installed and running in your environment.

  • For SCA Realtime Scanning:

In this section: