All notable changes to the Checkmarx Security MCP Server will be documented below.
- Initial release of the Checkmarx Security MCP Server
- Multi-protocol transport support:
stdio,sse, andhttp(streamable HTTP) - Modular architecture enabling independent team contributions per module
- API Key authentication via
Authorizationheader - OAuth2 authentication with Dynamic Client Registration (DCR) support
planScan— Recommend scan engines before triggeringtriggerScan— Start scans in CLI (local code) or API (repository URL) modegetScanDetails— Retrieve scan status, progress, and severity summarygetLatestScans— Fetch recent scans for a projectlistScans— List scans with status, date range, and branch filterslistFindings— List vulnerabilities with severity filteringgetFindingDetails— Get detailed information for a specific finding
resolveProject— Resolve a project by name (exact match, candidates, or not found)createProject— Create a new Checkmarx One projectlistProjects— Browse or search all projectsgetProjectConfig— Retrieve full project configuration
listApplications— Browse or search applicationscreateApplication— Create a new applicationgetApplicationDetails— Get application details by IDassociateProject— Link projects to an application
getTenantVulnerabilitiesSummary— Returns org-wide severity counts by engine over a time window (trends).
codeRemediation— Provides fixes for code-level issues: SAST, secrets, and IaC misconfigurations.packageRemediation— Analyzes and remediates a specific vulnerable or malicious package/dependency.imageRemediation— Provides remediation for container image CVEs and safer base-image alternatives
cxone://engines— Supported scan engine definitions (SAST, SCA, KICS, Secret Detection)cxone://severity-levels— Vulnerability severity level definitionscxone://finding-states— Finding lifecycle statescxone://scan-statuses— Scan execution status definitionscxone://capabilities— Server capabilities and tool routing rules
security-scan— Guided end-to-end scan workflow with engine selection, project resolution, and results
- SAST — Static Application Security Testing (30+ languages)
- SCA — Software Composition Analysis (open-source dependencies)
- KICS — Infrastructure as Code security (Terraform, CloudFormation, Kubernetes, Dockerfile)
- Secret Detection — Hardcoded credentials, API keys, and tokens
- Checkmarx One platform (SAST, SCA, KICS, Container Security)
- OpenTelemetry for distributed tracing and structured logging
- All MCP client which supports API key and OAuth2 with DCR authentication
- Example: Windsurf, GitHub Copilot, Claude, Cursor etc.