README.md

Checkmarx Developer Assist Power for Kiro

This repo is the public repo for installing the "Checkmarx Developer Assist" Power into the Kiro (Amazon's AI agent) IDE. A Kiro Power is a packaged extension that adds specialized capabilities to the Kiro AI development environment. Extensive docs on what powers are, how to install them, and how to use them can be found here: https://kiro.dev/docs/powers/.

The Checkmarx Power brings AI-powered application security scanning directly into your development workflow, enabling real-time vulnerability detection and remediation for SAST, secrets, IaC, containers, and open source dependencies.

How to Use

Prerequisites

1. Kiro IDE - Free tier available at kiro.dev/pricing
2. Checkmarx One Account with Developer Assist enabled
   • Subscribe via AWS Marketplace
   • Or sign up at Checkmarx One
3. Checkmarx One Credentials:
   • Your Checkmarx One base URL (e.g., https://eu.ast.checkmarx.net)
   • A Checkmarx One API Key with plugin-scanner role

Installation

Install via GitHub

1. Open Kiro IDE
2. Access the Powers panel:
   • Use Ctrl/Cmd + Shift + P → "Configure Powers", OR
   • Click on the ghost with a lightning bolt icon in the left menu
3. Click on "Add Custom Power"
4. Select the "Import power from Github" option
5. Use this repository URL: https://github.com/Checkmarx/checkmarx-kiro-powers
   • Recommended direct power path: https://github.com/Checkmarx/checkmarx-kiro-powers/tree/main/checkmarx-power
   • IMPORTANT: If your repo has multiple folders, ensure you link directly to the power folder
6. The power will be installed and ready to configure

Authenticate with Checkmarx

💡 Tip: If you have the Checkmarx Developer Assist plugin installed, you can reuse the same credentials (URL and Authorization token) that the plugin uses.

You need to configure the MCP server for this Power:

1. Obtain Your API Key:

   • Log in to your Checkmarx One portal
   • Navigate to Account Settings → Access Management → API Keys
   • Generate a new API key with the plugin-scanner role
   • Copy the token value

2. Get Your Base URL:

   • While logged into Checkmarx One, copy the base URL from your browser
   • Examples: https://eu.ast.checkmarx.net, https://us.ast.checkmarx.net
   • Do NOT include /api/security-mcp/mcp - just the base URL

3. Configure the Power:

   • Open the mcp.json file in the power directory
   • Replace <Checkmarx_one_base_url> with your base URL
   • Replace <Checkmarx_one_API_key> with your API token
   • The final configuration should look like:

   {
     "mcpServers": {
       "checkmarx": {
         "url": "<Checkmarx_one_base_url>/api/security-mcp/mcp",
         "headers": {
           "cx-origin": "Kiro",
           "Authorization": "<Checkmarx_one_API_key>"
         }
       }
     }
   }

4. Reload Kiro IDE to apply the changes

Using Once Installed

Once the Checkmarx Power is installed in the Kiro IDE, you'll be able to use all of the Checkmarx MCP tools inside Kiro. In your chat with the Kiro agent, you can reference any of the security remediation commands:

Available MCP Tools

1. codeRemediation - Get AI-powered remediation for:

   • SAST (source code vulnerabilities)
   • Secrets (exposed credentials, tokens, keys)
   • IaC (Infrastructure as Code misconfigurations)

2. packageRemediation - Analyze and fix:

   • Open source dependency vulnerabilities (CVEs)
   • Malicious packages
   • Package version upgrades with Safe Refactor

3. imageRemediation - Secure container images:

   • Docker image vulnerabilities
   • Helm chart security issues
   • Docker Compose file analysis

Example Usage

Simply chat with Kiro and ask for security help:

You: "Can you check if there are any security vulnerabilities in this code?"

Kiro: [Uses Checkmarx codeRemediation to scan and analyze]
      "I found a SQL injection vulnerability on line 42. 
      Here's how to fix it using parameterized queries..."

You: "Are there any vulnerable dependencies in package.json?"

Kiro: [Uses Checkmarx packageRemediation]
      "Yes, lodash@4.17.15 has a critical CVE. 
      I recommend upgrading to version 4.17.21..."

For detailed workflows and examples, see POWER.md.

Troubleshooting

MCP Connection Issues

Problem: Error messages like "Connection refused" or "Authentication failed"

Solutions:

1. Verify your Checkmarx One base URL is correct:

   # Your URL should look like one of these:
   https://eu.ast.checkmarx.net
   https://us.ast.checkmarx.net
   https://deu.ast.checkmarx.net

2. Check that your API key is valid and not expired:

   • Log in to Checkmarx One
   • Go to Account Settings → Access Management → API Keys
   • Verify your key is active and hasn't expired
   • Generate a new key if needed

3. Ensure the URL format in mcp.json is correct:

   "url": "<base_url>/api/security-mcp/mcp"

4. Verify network connectivity:

   • Check if you can access your Checkmarx One portal in a browser
   • Ensure no firewall or proxy is blocking the connection

5. Confirm Developer Assist is enabled:

   • Contact your Checkmarx account administrator
   • Ensure your subscription includes Developer Assist

6. Restart Kiro IDE and try reconnecting

Remediation Tool Errors

Error: "Remediation not available for this risk type"

• Some risk types may require manual remediation
• Check POWER.md for supported remediation types

Error: "Package remediation failed"

• Verify the package name and version are correct
• Check if a remediated version exists in the package registry
• Consider alternative packages with equivalent functionality

Error: "Language not supported"

• ASCA currently supports: Java, JavaScript (Node.js), C#, Go, and Python
• Other languages may be added in future releases

Verifying Your Setup

Run these checks to verify everything is working:

1. Check MCP Configuration

// Your mcp.json should have valid values (not placeholders):
{
  "mcpServers": {
    "checkmarx": {
      "url": "https://eu.ast.checkmarx.net/api/security-mcp/mcp",  // Real URL
      "headers": {
        "cx-origin": "Kiro",
        "Authorization": "<Checkmarx_one_API_key>"  // Real token
      }
    }
  }
}

2. Test Authentication

• Open Kiro chat
• Ask: "Can you use Checkmarx to check for vulnerabilities?"
• If configured correctly, Kiro will acknowledge it can use Checkmarx tools

3. Verify Checkmarx One Access

• Log in to your Checkmarx One portal in a browser
• Ensure you can access the portal successfully

4. Check Power Installation

• In Kiro Powers panel, verify "Checkmarx" appears in the list
• Ensure it's enabled (not greyed out)

Features

• SAST - Source code security analysis for 5+ languages
• Secret Detection - Identifies 170+ types of credentials, tokens, and keys
• IaC Security - Scans Terraform, CloudFormation, Kubernetes configs (based on KICS)
• OSS Security - Analyzes npm, PyPI, Maven, NuGet, Go dependencies
• Container Security - Docker, Helm, and Docker Compose scanning
• AI-Powered Remediation - Context-aware automated fix suggestions
• Safe Refactor - Project-wide package update analysis

Documentation & Support

• Full Documentation: See POWER.md for detailed workflows, troubleshooting, and best practices
• Checkmarx Docs: https://docs.checkmarx.com/en/34965-405960-checkmarx-developer-assist.html
• Kiro Powers Guide: https://kiro.dev/docs/powers/
• Support: Contact Checkmarx Support or your account team

Community

We welcome your feedback and contributions!

• Report Issues or Feature Requests: GitHub Issues
• Support: Contact the Checkmarx One Integrations Team via the Checkmarx Support Portal
• Contributing: See CONTRIBUTING.md for contribution guidelines

This project is maintained by the Checkmarx One Integrations Team and released under the Apache 2.0 License.

Open Source Project Health

This repository includes standard FOSS governance files:

• LICENSE
• Code of Conduct
• Contributing Guide
• Maintainers
• Code Owners

Issue and pull request templates are available under .github/.