Overview
Mend Agentic Integration provides developers with clear, intelligent security guidance and ensures security best practices are followed during AI-assisted development.
When the IDE’s agent generates code or attempts to add a new dependency, it can call the Mend.io MCP server to run an immediate security check. The MCP server analyzes the proposed code for CWEs and the requested libraries for known CVEs, then returns actionable guidance for the agent to address any discovered issues.
Use Cases
- Developers can trigger security checks manually while generating code using the IDE’s AI.
- Developers can configure auto-triggers for security checks.
- List Security Findings: Developers can list SAST and SCA security findings from a selected project in the Mend AppSec Platform.
- Developers can get actionable remediation suggestions for some SAST findings.
- Developers can secure AI-generated code.
- After every code change, the agent runs a security check on the modifications.
- Before any new library is installed, the agent scans it for known vulnerabilities.
Prerequisites
Note:
- This feature uses AI. Your organization must sign an addendum to your Mend.io contract to use it. Please contact your CSM to initiate this process.
- The use of the service described on this page is subject to the terms and conditions set forth in our AI Supplemental Terms of Service.
Demo
The following is a short demo of the mend-dependencies tool in Cursor. It covers multiple use cases, demonstrating the flow of the Mend Agentic Integration within the IDE.
Available IDEs
Note: Some IDEs have integration cards in the Mend AppSec Platform UI to simplify the setup/configuration process, while others are set up and configured entirely within the IDE.
List Security Findings
Prompt: What are the top 5 security findings I should fix in this repo?
- The agent identifies the project ID for the specified workspace.
- The agent returns 5 findings from each scanning engine (SAST, SCA), ordered by severity.
Note: If the workspace cannot be matched with a project in the Mend AppSec Platform by the Git URL, the user will be prompted to provide the project name.
Get Specific Security Finding
Prompt: Explain X vulnerability detected by Mend.io
Where X can be:
- A finding ID
- A CVE (for SCA and Containers)
- A CWE name or CWE number (for SAST)

- The agent fetches the finding by ID if possible.
- If there are multiple findings fitting the description, the agent returns a summary of all of them and asks the user to specify the relevant one.