Skip to main content

VS Code Extension - Changelog

The following table lists of improvements and bug fixes have been implemented for the Visual Studio Code plugin with the relevant version release.


See full documentation of this plugin here.

Checkmarx One Version

CLI Version


Bug Fixes



  • Added the SCA Realtime scanner tool, which enables all VS Code users to run an SCA scan on the project in their workspace and view results in the VS Code console.


    This is a free tool that doesn't require a Checkmarx One or Checkmarx SCA account. For Checkmarx users, the results are not synced with their account.



  • The KICS scanner is now referred to in Checkmarx One as "IaC Security". All mentions of the scanner and the vulnerabilities identified by it, now refer to IaC Security.


    This change does not apply to the KICS Auto Scanning tool (free tool), which will continue to be referred to as KICS.

  • Scan results now differentiate between regular SCA vulnerabilities and Supply Chain Security (SCS) risks.

  • We added a new grouping category. For SCA vulnerabilities you can now differentiate between Direct Dependencies and Transitive Dependencies in the results tree.



  • The "Code samples" tab was renamed "Remediation Examples".



  • You can now initiate scans directly from your IDE. This empowers developers to identify vulnerabilities and remediate them as they code. This feature is currently supported for VS Code and JetBrains. This feature needs to be enabled for your organization's account by a Checkmarx admin user under Account Settings.

    You can run a new scan on an existing Checkmarx project by simply clicking on the "play" button in the Checkmarx panel. A Checkmarx scan runs on the files in your current workspace.

  • We have simplified the integration procedure for IDE plugins. It is no longer required to enter the Base URL or Tenant Name of your Checkmarx One account. Now, you just enter your API Key, and we extract all of the relevant account info from that Key.

  • In the Checkmarx AST settings, there is now a field for adding additional params. This can be used to manually submit the base url and tenant name (in case there is a problem extracting them from the API Key) or to add global params such as --debug or --proxy. To learn more about CLI params, see Checkmarx One CLI Commands.

  • Fixed results panel for KICS results. The code samples tab is no longer shown.



  • In the SAST results viewer, we added new tabs with additional info about each vulnerability.

    • Learn More - Gives detailed information about the the nature of the risk and their causes, as well as remediation recommendations.

    • Code Samples - Shows a sample of code that is subject to this vulnerability, followed by a remediated version of that code.

  • A notification is now shown in the Output section when KICS Auto-Scanning identifies an IaC vulnerability for which Checkmarx offers a suggested "quick-fix".



  • In the SCA results viewer, we added an automatic remediation button, which enables users to automatically replace a vulnerable package version with a non-vulnerable version of that package.


    This feature is currently supported only for NPM and only for direct dependencies.

  • It is now possible to add a comment to a vulnerability without changing the state or severity of the vulnerability.

  • All documentation links now point to the new Checkmarx documentation portal at



We added a "Quick Fix" feature, enabling users to automatically apply remediation recommendations for KICS risks. There is an option to fix a specific risk or to fix all risks in a particular file or in the entire project.



Fixed the issue that the extension wasn’t working if Git wasn’t enabled in VS Code.



Clicking on a node in the Attack Vector now takes you to the relevant code in the editor window (as expected).



  • General improvements and bug fixes



  • Added a new tool to the VS Code plugin that initiates KICS scans directly from their VS Code console. This is a free tool provided by Checkmarx for all VS Code users, and does not require the user to submit credentials for a Checkmarx One account. For more info, see Visual Studio Code - KICS Auto Scanning.

  • Added hover tooltip for codebashing links.

  • Once a project and branch are selected, the latest scan of that branch is automatically loaded.


  • Once the project and branch are selected, the latest scan is automatically loaded.



  • Added support for users that don’t have git installed.

  • Fixed issue loading result with Urgent state.


  • Added links to the relevant Codebashing lessons.



  • Enabled selecting multiple groups in order to create nested display

Fixed bugs affecting the UI


  • Added ability to triage results directly from the IDE console

  • Added a brief description for SAST vulnerabilities

  • Updated UI elements to reflect the new Checkmarx branding (e.g., logo)

  • Added filter results by “state”

  • General UI improvements


  • Updated CLI to version 2.0.4

  • Shows logs of Checkmarx One results in “Output” tab

  • Added a “Clear” button to “Projects” tab, enabling clearing the current selection and results.

  • Added integration tests and UI tests

  • Fixed display of line and column in the “Details” section to match the line and column shown in the editor


Initial release of the plugin. Enables you to import results from a Checkmarx One scan directly into your VS Code console.

  • Import Checkmarx One scan results

  • Show results from all scan types (SAST, SCA, and KICS)

  • Group results by file, language, severity, and status

  • Navigate from results directly to the vulnerable code in the editor

  • Vulnerable code is highlighted in the editor