Cursor Integration for Mend Code
Overview
Mend.io’s Cursor IDE integration lets developers check the security of their AI-generated code from inside Cursor IDE, as a real-time security check on each change rather than a separate scan after the fact.
Use Cases
Developers can trigger security checks manually while generating code with Cursor AI.
Developers can configure project rules so that a security check runs automatically after each code generation.
Getting it done
As a first step, make sure you have an application to run security checks on (the application in our example is “vulnerable.js”):

Demo JavaScript project
Part 1 - Configure the Mend.io MCP using mcp.json
Within Cursor:
Click on “Cursor” or the cogwheel in the top menu.
Select “Settings…” and then “Cursor Settings” from the drop down menu.
In the new window open the “MCP Tools” tab.
Click on the “New MCP Server” button.
Cursor will open the mcp.json file.
Add the following configuration to it, replacing the placeholders with your Mend environment URL and the email and user key of the account the integration should use:
{
  "mcpServers": {
    "mend-mcp-server": {
      "headers": {
        "X-UserEmail": "<EMAIL>",
        "X-UserKey": "<USER_KEY>"
      },
      "url": "[Mend Environment URL]/mcp"
    }
  }
}
Note:
Mend Environment URL example: https://saas.mend.io
This translates into the following “url” line in the mcp.json file:
"url": "https://saas.mend.io/mcp"
It is recommended to create a dedicated service user for this integration and use its email and user key here rather than those of a personal account, so the credential can be rotated or revoked without affecting a developer’s login. Keep in mind that mcp.json stores the user key in plain text: if you use a project-level .cursor/mcp.json rather than the global one, exclude it from version control.
At this point, the configured Mend.io MCP server will show up in your Cursor Settings:

Note: Cursor will automatically detect the sast-code-analysis tool, which is the tool used to run the security checks on your AI-generated code. The rules in Part 2 reference the tool by name, so make sure the name used in the rules matches the name Cursor lists in the MCP Tools tab.
Part 2 - Configure Rules using sast.mdc
To run SAST security checks automatically after code is generated in Cursor AI, project rules need to be configured; the rules tell the agent when to call the tool and what to do with its results.
Within Cursor:
Click on “Cursor” in the top menu.
Select “Settings…” and then “Cursor Settings” from the drop down menu.
In the new window open the “Rules” tab.
Within the “Project rules” section, click on “Add Rule”.
Provide the name of the rules file, for example “sast”.
Copy and paste the rules from the section below.
Make sure that the Rule Type is set to “Always”, so the rule is included in every chat session rather than only when the agent decides it is relevant.

Rule Example
In this example, the agent is instructed to run the tool after every code change and, if the tool reports a vulnerability, to fix the code and run the tool once more. The loop therefore stops either when the code comes back clean or after one remediation attempt, which keeps the agent from retrying indefinitely.
### SAST Security Analysis Rules
1. **Mandatory SAST Check for New Vulnerabilities After Code Generation**
- After generating any code, you must always run the mend-code-security-assistant tool from the mend-mcp-server MCP server on the generated code. This applies to any source code, in any language, whether it is a complete method or a fix in an existing method.
2. **Analyze and Apply Results**
- Carefully review the results provided by the mend-code-security-assistant tool from the mend-mcp-server MCP server.
- If the mend-code-security-assistant tool from the mend-mcp-server MCP server responds with vulnerability information, adjust the code to remediate this vulnerability and re-try.
- Do not ask the user whether they want to proceed with a safer alternative; just create a safer alternative and retry.
- Do not re-try more than once.
3. **Error Handling**
- If an error occurs while running the mend-code-security-assistant tool from the mend-mcp-server MCP server, attempt to run it again with adjusted parameters as needed.
Part 3 - Run Security Checks on your Application
At this stage, you use the Cursor AI chat to continue developing your application.
Make sure that “Agent” mode is selected, not the default “Ask” mode: the SAST check is performed by the agent calling the MCP tool, so it does not run in Ask mode.

For example:
“Add a new endpoint to vulnerable.js that accepts a string and logs it to the console”.

The sast-code-analysis tool then runs on the generated code and reports the weaknesses it finds by CWE ID, and the agent rewrites the code to remediate them. For the example prompt above, logging an unvalidated request string produces CWE-117 (Improper Output Neutralization for Logs, i.e. log injection).

First Run - Detection of CWE-117

Sanitization of CWE-117 by Cursor AI

Second Run - After Sanitization of CWE-117
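The following is an added example, not code from the page or from Mend, showing the kind of endpoint the walkthrough above produces and why it is flagged as CWE-117: a request string written to the log unmodified lets a client embed a line break and forge a second, fake log entry. The hardened handler beside it neutralizes line breaks and other control characters before logging, which is the remediation the second run accepts. The handler and request shapes are simplified stand-ins for an Express-style endpoint (an assumption of this example; no framework is needed to run it), and the in-memory log and attack payload are constructed for the demonstration.

```javascript
// Added example (not the page's or Mend's code): CWE-117 log injection
// in a Node.js request handler, and the same handler hardened.
// The request objects are simplified stand-ins for a framework's req object.

const logSink = []; // constructed in-memory log so the effect can be observed

function logInfo(message) {
  const line = `[INFO] ${message}`;
  logSink.push(line);
  console.log(line);
}

// Vulnerable: user-controlled text reaches the log unmodified. A value that
// contains "\r\n" starts a new line in the log and so forges a second entry.
function vulnerableHandler(req) {
  const { message } = req.query;
  logInfo(`received message: ${message}`);
  return { status: 200, body: 'ok' };
}

// Hardened: neutralize line breaks and remaining control characters before
// logging, and cap the length so one request cannot flood the log.
function sanitizeForLog(value, maxLen = 200) {
  return String(value)
    .replace(/[\r\n]/g, ' ')                           // no new log line can be forged
    .replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, '')  // drop other control characters
    .slice(0, maxLen);
}

function hardenedHandler(req) {
  const safe = sanitizeForLog(req.query.message);
  // Quoting the value makes the boundary between log template and input explicit.
  logInfo(`received message: ${JSON.stringify(safe)}`);
  return { status: 200, body: 'ok' };
}

// Constructed attack payload: the text after "\r\n" impersonates an admin login event.
const payload = 'hello\r\n[INFO] admin login succeeded from 10.0.0.1';

// Runs both handlers on the payload and returns how many log lines each produced.
function runDemo() {
  logSink.length = 0;
  vulnerableHandler({ query: { message: payload } });
  const forged = logSink[0].split(/\r?\n/).length;       // 2: the attacker added a line

  logSink.length = 0;
  hardenedHandler({ query: { message: payload } });
  const hardenedLines = logSink[0].split(/\r?\n/).length; // 1: the payload stays on one line

  return { forged, hardenedLines };
}

runDemo();
```

Running the block prints the forged two-line entry first and the single quoted line second, which is the difference the first and second SAST runs in the screenshots above correspond to. Replacing line breaks rather than rejecting the request keeps the endpoint's behaviour unchanged while removing the injection; if the log is consumed by a parser, encoding the value as JSON (as the hardened handler does) also keeps the record machine-readable.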