Introducing Checkmarx MCP Server, a single connection that puts your security data inside Claude Code, Windsurf, ChatGPT, and any other MCP-compatible AI tool. No context switching. No custom integrations. Security where the work actually happens.

Security is falling behind how software actually gets built. 

Developers are spending more of their day inside AI assistants than inside any web platform. AppSec teams are answering the same questions, what are my riskiest projects, which findings need triage, how does this week compare to last, but still doing it by logging in, clicking through dashboards, and switching between tools. Security leaders need visibility on demand, not after a report gets pulled. 

The interface layer is changing. AI assistants are becoming the primary way people interact with their tools. In a growing number of cases, agents are executing workflows without a visible interface at all, triggering builds, resolving dependencies, making decisions without a human ever opening a tool. This is what headless application security looks like in practice: security that either participates in the workflow at execution time, or misses it entirely. 

If security is not present in that layer, it gets consulted after the fact. Or not at all. 

Why This Matters Now 

MCP has quickly become the standard for connecting AI tools to external systems. 

MCP-related SDKs reached 97 million monthly downloads within their first year. OpenAI adopted MCP in early 2025, deprecating its own Assistants API. In December 2025, Anthropic donated the protocol to the Linux Foundation, with OpenAI, Microsoft, AWS, Cloudflare, and Bloomberg as founding members. 

This is no longer an emerging standard. It is the standard. 

As AI assistants become the primary interface for software development and security operations, the question for every security tool is simple: are you present where decisions get made, or are you consulted after the fact? 

Today, that question has an answer. 

Introducing Checkmarx MCP Server 

Checkmarx MCP Server connects your Checkmarx One environment directly to any MCP-compatible AI tool, including your IDE assistant, your chat interface, and your automated pipeline. 

Configure it once, and Checkmarx becomes a native tool available everywhere your team already works. 

Built for How Security Work Actually Happens 

MCP serves the entire security workflow, not just developers. 

Developers stay in flow inside their IDE or CLI. They can trigger scans, retrieve findings, drill into vulnerabilities, and explore remediation options without switching tools. 

AppSec teams replace dashboards with queries. They can ask for findings across projects, compare scan results, and analyze application posture from a chat interface without logging into the platform. 

Security leaders get instant visibility. They can ask how many critical issues exist across the organization, which applications carry the highest risk, and how posture is changing — without waiting for reports. 

The result is simple: security moves from a system you visit to something that works alongside you. 

What You Can Do With It 

At launch, Checkmarx MCP Server ships with around 20 tools covering the core security workflow directly inside your AI assistant. You can: 

1. Trigger SAST, SCA, IaC, and Secrets scans 

2. Retrieve and filter findings with full context 

3. Get risk visibility across projects and applications 

4. Manage applications and projects 

5. Run the complete create to scan to review to act loop without leaving your environment 

These are not raw API calls wrapped in a tool. They are high-level, composable actions designed for natural language interaction, built so an AI agent can reason over them and chain them dynamically based on what you ask. 

Simple to Connect, Enterprise Ready by Design 

Connecting takes minutes. An admin enables access once and it becomes available across the organization. 

Developers can connect from any MCP-compatible client through marketplace and connector integrations — available now on Claude, GitHub, Cursor, Visual Studio Code, and OpenAI, that handle configuration automatically. For advanced setups, standard JSON-based configuration is also supported. 

Enterprise-grade controls are built in from the start, including RBAC passthrough, multi-tenant isolation, audit logging, and TLS. The same security posture you expect from Checkmarx One, extended to the agent layer.