{"id":106199,"date":"2025-12-23T12:14:24","date_gmt":"2025-12-23T10:14:24","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=106199"},"modified":"2026-04-09T14:09:25","modified_gmt":"2026-04-09T12:09:25","slug":"bringing-ide-native-appsec-to-kiro-with-checkmarx-developer-assist","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/bringing-ide-native-appsec-to-kiro-with-checkmarx-one-assist\/","title":{"rendered":"Bringing IDE-Native AppSec to Kiro with Checkmarx Developer Assist"},"content":{"rendered":"

\nWhy Kiro and IDE-Native AppSec Matter<\/strong> <\/h2>\n\n\n\n

New IDEs don\u2019t change how developers think about security, they change how fast security problems appear. <\/p>\n\n\n\n

Kiro<\/a>, an agentic development environment built by Amazon Web Services (AWS), is gaining attention because it fits neatly into modern development workflows: fast feedback, AI-assisted coding, and a familiar Visual Studio Code\u2013based experience.

But as with any productivity-focused Integrated Development Environment (IDE), increased speed also means increased risk. Code is written faster, dependencies are introduced more often, and vulnerabilities surface earlier in the lifecycle. <\/p>\n\n\n\n

That puts pressure on security tooling to meet developers where they already work. <\/p>\n\n\n\n

For developers and software builders  the requirement is straightforward: 
security controls must function\u202finside the IDE<\/em>, not downstream in CI\/CD pipelines or external dashboards. Developers should be able to identify issues as code is written, understand the impact, and move forward without context switching. <\/p>\n\n\n\n

The good news is that adopting a new IDE like Kiro does not require rethinking your security tooling from scratch. If an IDE is built on VS Code foundations, existing IDE-native security workflows can carry over with minimal friction. <\/p>\n\n\n\n

This post walks through how to use Checkmarx inside Kiro today, covering installation, configuration, and running real security scans directly in the IDE without relying on proprietary APIs, special agent commands, or experimental integrations. <\/p>\n\n\n\n

\n
Installing the\u00a0Checkmarx\u00a0Developer Assist\u00a0in Kiro<\/strong>\u00a0<\/h2>\n\n\n\n

Checkmarx\u00a0Developer Assist is delivered to developers through the\u00a0Checkmarx\u00a0IDE extension, which can be installed directly in Kiro.\u00a0<\/p>\n\n\n\n

From within the Kiro IDE, open the Extensions view and search for\u202fCheckmarx. Install the official\u00a0Checkmarx\u00a0extension, which enables\u00a0Checkmarx\u00a0Developer Assist capabilities inside the editor. The same extension is used across supported VS Code based IDEs, allowing developers to bring Assist into their existing workflows without\u00a0additional\u00a0setup.\u00a0<\/p>\n\n\n\n

After installation, the extension prompts you to authenticate and connect to your\u00a0Checkmarx\u00a0environment. Once authenticated,\u00a0Checkmarx\u00a0Developer Assist becomes active for the open workspace, using your existing tenant configuration and security policies.\u00a0<\/p>\n\n\n\n

No Kiro specific configuration is required. Assist operates within the IDE, analyzing the code and dependencies in your active project and providing security insight directly where development happens. <\/p>\n\n\n\n

With the extension installed and connected,\u00a0Checkmarx\u00a0Developer Assist is ready to support secure development inside Kiro.\u00a0<\/p>\n\n\n\n

\"Checkmarx<\/figure>\n\n\n\n

\u00a0
Getting\u00a0Checkmarx\u00a0Developer Assist Ready in Your Workspace<\/strong>\u00a0<\/h2>\n\n\n\n

Once the\u00a0Checkmarx\u00a0extension is installed, getting started with\u00a0Checkmarx\u00a0Developer Assist in Kiro is intentionally simple.\u00a0<\/p>\n\n\n\n

After signing in to your\u00a0Checkmarx\u00a0One environment, the extension uses the open workspace in Kiro as the context for analysis. There is no need for developers to manually create or configure projects inside the IDE.\u00a0Checkmarx\u00a0Developer Assist analyzes the source code and dependencies present in the workspace and\u00a0applies\u00a0your organization\u2019s existing security policies automatically.\u00a0<\/p>\n\n\n\n

Security rules, thresholds, and policy logic are inherited from Checkmarx One, so developers do not need to manage or customize security settings locally. This keeps the experience lightweight while ensuring that the guidance provided by Assist aligns with how your organization defines risk. <\/p>\n\n\n\n

With authentication complete and a workspace open,\u00a0Checkmarx\u00a0Developer Assist is ready to\u00a0provide\u00a0security insight as developers write and review code in Kiro.\u00a0<\/p>\n\n\n\n

\nUsing\u00a0Checkmarx\u00a0Developer Assist During Development in Kiro<\/strong>\u00a0<\/h2>\n\n\n\n

With\u00a0Checkmarx\u00a0Developer Assist active in the workspace, security analysis becomes part of the normal development flow inside Kiro.\u00a0<\/p>\n\n\n\n

As developers write or review code, Assist analyzes the source files and dependencies in the open workspace and surfaces security findings directly in the IDE. These insights are presented with context, including severity and location, helping developers understand potential risk without leaving their editor. <\/p>\n\n\n\n

\"Checkmarx
Checkmarx Developer Developer Assist scanning in real time from within the Kiro IDE<\/figcaption><\/figure>\n\n\n\n

Rather than acting as a separate security step, Assist supports developers as they work, highlighting issues early and reducing the likelihood of discovering problems later in the pipeline. Because the analysis is based on the current state of the workspace, the feedback developers receive is directly tied to the code they are editing. <\/p>\n\n\n\n

Checkmarx\u00a0Developer Assist focuses on visibility and understanding. It helps developers\u00a0identify\u00a0insecure patterns and vulnerable dependencies as they appear, using the same policies and rules defined in\u00a0Checkmarx\u00a0One. This ensures that the guidance provided in Kiro reflects organizational standards without requiring developers to manage security settings themselves.\u00a0<\/p>\n\n\n\n