Checkmarx this week revealed it has added support for the Kiro artificial intelligence (AI) coding tool provided by Amazon Web Services (AWS) to its Checkmarx Developer Assist tool, which leverages AI to surface vulnerabilities before code is committed.
The Checkmarx IDE extension for Kiro is designed to be activated from within the Developer Assist tab that AWS provides within the AI coding tool. Once authenticated, Developer Assist analyzes source code and dependencies in the active workspace, applying policies automatically via the Checkmarx One platform that already runs on the AWS cloud.
The Checkmarx Developer Assist tool already supports other AI coding tools, including Cursor, Windsurf and others that are similarly built as extensions of the open source VS Code integrated development environment (IDE).
Eran Kinsbruner, vice president of product marketing for Checkmarx, said support for Kiro requires more time and effort to plug into Kiro Powers, a set of specialized agents that enable developers to invoke steering files that are extensions to the specification-based approach that AWS has adopted to improve the quality of the code generated.

Rather than relying completely on scans that are run as code is moving through a continuous integration/continuous delivery (CI/CD) pipeline, Checkmarx Developer Assist can eliminate 90% of vulnerabilities before they enter the DevOps workflow, said Kinsbruner.
That’s critical because the first generation of AI coding tools are creating more vulnerabilities that, unless discovered and remediated, are actually making applications less secure than ever, he added. Most of those issues can be traced back to the vulnerabilities that existed in the open source code that was used to train the large language model (LLM) that the AI coding tool invokes, noted Kinsbruner.
Of course, as AI coding tools continue to improve, the number of vulnerabilities being generated will hopefully continue to decline. However, in the short term, DevSecOps teams should assume the overall state of application security is going to get worse, he noted.
It’s not clear to what degree organizations are generating code using AI tools that actually winds up running in a production environment, but a recent Futurum Group survey finds a full 60% of respondents said their organization is now actively using AI to build and deploy software. The top areas of investment over the same period are AI Copilot/AI code tools (38%), AI agent development (37%) and AI-assisted testing (37%), followed closely by DevOps (37%), automated deployment (34%) and software security testing (31%).
Mitch Ashley, vice president and practice lead for software lifecycle engineering at the Futurum Group, said, in general, AI coding tools are generating vulnerabilities faster than pipeline security can catch them. LLMs trained on open source code inherit its flaws and reproduce them at scale, and Checkmarx extending Developer Assist into Kiro signals that security must move into the AI coding environment itself.
DevSecOps teams should assume application security is getting worse before it gets better, he added. Shifting vulnerability detection before code enters the workflow transforms security from a quality gate into a development control plane, which is where it must be when agents are writing the code, said Ashley.
In the meantime, the one thing that is certain is that adversaries are experimenting with AI to not only discover vulnerabilities but also generate the exploits needed faster than ever.