Checkmarx • Application security
Checkmarx Developer Assist embeds an AI agent in the IDE and the pull request that grounds fix suggestions in the customer's actual SAST, SCA, DAST, and API findings rather than generic LLM output, and writes guidance the developer can act on inside the workflow they already use.
Through Merito, Developer Assist gets embedded in the IDE and pull-request flow, tuned against the customer's CxQL rules and prior triage history, and paired with Triage and Remediation on the security side so AI suggestions reflect the actual codebase rather than generic LLM output.
What it is
Checkmarx Developer Assist is the developer-side member of the Checkmarx Agentic AI pillar. It plugs into VS Code, IntelliJ, Eclipse, and the GitHub or GitLab pull request, surfaces Checkmarx findings inside the file the developer is editing, and writes fix suggestions grounded in the customer's own scan results, codebase patterns, and historical triage decisions. The output is contextual to the actual application rather than the generic suggestions a free-floating coding LLM would produce.
The agent reads from the same Checkmarx One findings model that powers SAST, SCA, DAST, API Security, and the cloud-native scanners. When a developer touches a file with an open SAST finding, Developer Assist proposes the fix in line, points at the specific flow path that triggered the issue, and emits the correction as a diff the developer can accept, edit, or reject. On pull-request time, it leaves comments on the changed lines that map back to Checkmarx findings rather than restating what the static analyzer already said.
What separates Developer Assist from generic AppSec AI is the grounding. Vendors that fine-tune on public code without hooking into the customer's findings store give suggestions that look correct and frequently are not, because the model has no awareness of the internal crypto wrapper the customer mandates, the input gateway every request must traverse, or the logging fields that are forbidden from carrying PII. Developer Assist consumes those rules through CxQL custom-rule output and proposes fixes that respect them. Triage and Remediation, the security-side counterpart, learns from how the AppSec team triaged the last hundred similar findings and feeds that pattern back into the developer-side suggestions.
What undermines Developer Assist adoption is treating it as an autonomous coder. The agent is a fix proposer, not a fix applier. Programs that turn on auto-merge for AI-suggested fixes ship regressions; programs that treat it as a high-quality first draft for the developer to review ship faster with fewer false starts. Merito's engagement defines the workflow boundary, tunes the agent against CxQL rules and prior triage history, and writes the guardrails into the IDE configuration before broad rollout.
Ideal use cases
What it is best at
Suggestions reference the specific Checkmarx finding, the exact flow path, and the customer's CxQL custom rules. Generic AppSec AI tools fine-tuned on public code cannot match that context, so their suggestions are confidently wrong on internal patterns.
VS Code, IntelliJ, Eclipse, GitHub, and GitLab plugins. The developer never leaves the editor or PR review. AppSec output stops being a separate dashboard nobody opens.
Same Checkmarx One findings model. The security-side agent's clustering and triage decisions feed back into the developer-side suggestions, so the AI gets sharper with use rather than drifting on stale patterns.
When AppSec encodes rules in CxQL (must use this internal crypto wrapper, must validate input through this gateway), Developer Assist proposes fixes that conform. Internal standards become enforceable rather than aspirational.
Output is reviewable code the developer accepts, edits, or rejects. The boundary between AI-assisted and AI-autonomous stays clear, which is how regressions get avoided.
Core capabilities
Developer Assist inside the editor, working on the file open in front of the developer.
VS Code, IntelliJ, Eclipse plugins
Surfaces Checkmarx findings on the open file, marks vulnerable lines, and exposes fix suggestions as inline diffs.
Context-aware fix proposals
Suggestions reference the customer's CxQL rules, prior triage decisions, and codebase patterns. Output is shaped to fit how this team already writes code.
Inline explanation
Plain-language explanation of why the finding is a vulnerability and which flow path triggered it. Reduces the time developers spend learning the finding before fixing it.
Severity context
Pulls the EPA reachability score and Best Fix Location data so developers see whether the finding is exploitable from a real entry point before fixing.
Developer Assist on the PR diff before the human reviewer reads it.
GitHub and GitLab PR comments
Posts findings as PR comments on the changed lines, with fix proposals attached. Survives the developer's review without leaving the PR view.
Findings-aware diff analysis
Cross-references the diff against open Checkmarx findings to flag regressions or new vulnerabilities introduced by the change.
Triage handoff
Findings the developer cannot fix get handed off to Triage and Remediation with full context preserved.
What makes the AI better than generic coding AI is what it consumes for context.
CxQL rule respect
Reads the customer's CxQL custom rules and proposes fixes that conform. Internal coding standards become enforceable.
Triage history feedback
Triage and Remediation decisions feed back into Developer Assist so the suggestions improve over time as the program matures.
Findings model integration
Reads from the same Checkmarx One findings model that powers SAST, SCA, DAST, API Security, IaC, and Container Security. Cross-product context is native.
Where it fits in the stack
Deployment and implementation
Licensing and packaging
Checkmarx One Enterprise (includes Developer Assist)
Adds Developer Assist and Triage and Remediation to the Checkmarx One Advanced bundle, plus AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs that want both dev-side and sec-side AI grounded in the same findings model.
Developer Assist add-on (Advanced bundle customers)
Developer Assist seats added to an existing Checkmarx One Advanced subscription without the full Enterprise bundle.
Best for: Programs piloting AI-grounded developer assistance without a full Enterprise upgrade.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
IDE plugin distribution, CxQL grounding configuration, PR-review wiring, and governance design.
Explore service02AppSec program scoping for Developer Assist alongside generic coding AI tools and competing AppSec AI.
Explore service03Developer Assist embedded in PR review and IDE workflow across GitHub, GitLab, Bitbucket, and Azure DevOps Repos.
Explore service04Developer enablement and AppSec champion programs for AI-grounded fix workflows.
Explore service05Named engineer, priority SLAs, and release-time coverage for Developer Assist.
Explore service06Long-term run support including grounding rule maintenance, suggestion-quality monitoring, and rollout to additional teams.
Explore service07Role-based training for developers using AI suggestions and AppSec architects tuning the grounding.
Explore service08Merito-placed AppSec engineers and Checkmarx specialists embedded on long-running programs.
Explore serviceCheckmarx Developer Assist licensing
Developer Assist pricing arrives with the IDE rollout, CxQL grounding configuration, PR-review wiring, and governance design that ensure AI suggestions reflect this codebase rather than a generic public corpus.
Merito point of view
Merito has sat in front of programs adopting generic coding AI assistants and watched them write fixes that pass static analysis, fail the customer's internal crypto policy, and ship anyway. The reason is grounding. A coding LLM fine-tuned on public GitHub has no awareness of the internal crypto wrapper, the input gateway, or the logging field rules that AppSec encoded last quarter. It writes plausible code that is wrong for this codebase. Developer Assist works because it consumes the actual findings, the actual CxQL rules, and the actual triage history.
Merito recommends Developer Assist specifically when the AppSec program already has Checkmarx One running, CxQL custom rules are drafted or in progress, and the engineering org is willing to treat AI suggestions as a first draft rather than autonomous output. For programs without those preconditions, Developer Assist is still useful but the grounding advantage is muted. Merito surfaces that honestly during scoping rather than letting customers buy AI seats that will not differentiate from a free coding assistant.
The pairing with Triage and Remediation is the load-bearing move. Dev-side AI on its own gets stale; sec-side triage feeding back into the dev-side suggestions is what makes the agent improve over time. Programs licensing Developer Assist without Triage and Remediation are running half the loop. Merito recommends both or neither.
What buyers usually underestimate
Related from Merito
Related solutions
Related services
Related products
Frequently Asked Questions
Consultation request
Share your IDE landscape, current AI assistant if any, and Checkmarx One footprint. A Merito Checkmarx specialist follows up within one business day.
Grounded AI
Developer Assist reads from the Checkmarx One findings model and respects CxQL rules. Generic coding LLMs cannot match that grounding.
Pair with Triage
Triage and Remediation feeds triage history back into Developer Assist suggestions. Merito recommends licensing both.
Next step
A Merito Developer Assist engagement starts with grounding configuration against CxQL rules and prior triage history. Generic coding AI suggestions look correct and frequently are not.