
Mend Agentic Antigravity Integration

Overview

Mend Agentic Integration allows the AI agent within the IDE to interact with the Mend.io tools via the Mend.io MCP server.

When the agent generates code or attempts to add a new dependency, it can call the Mend.io MCP server to run an immediate security check. The MCP server analyzes the proposed code for CWEs and the requested libraries for known CVEs, then returns actionable guidance for the agent to address any discovered issues.

This feature integrates smoothly into the workflow, provides clear, intelligent security guidance and ensures security best practices are followed during AI-assisted development.

This guide shows how to integrate Mend's security tools (mend-code-security-assistant and mend-dependencies-assistant) with Google Antigravity using Model Context Protocol (MCP).

1. Configure Mend MCP Server

Option A: Via the UI (Recommended)

  1. Open the Antigravity editor side panel.

  2. Locate the "..." (three dots) dropdown at the top of the side panel.

  3. Select MCP Servers to open the MCP Store view.

  4. To add a custom server like Mend:

    • Click on Manage MCP Servers.

    • Select View raw config to open the mcp_config.json file.

    • Add the Mend server configuration (as shown in Option B below) to the mcpServers object.

  5. Save the file; the editor will automatically detect the new tools.

Option B: Manual Configuration

To enable Mend security tools manually, add the server to your configuration file (typically at ~/.gemini/antigravity/mcp_config.json).

Add the following to the mcpServers section:

CODE
{
  "mcpServers": {
    "mend-mcp-server": {
      "serverUrl": "https://your_mend_env/mcp",
      "headers": {
        "X-UserEmail": "your-email@example.com",
        "X-UserKey": "your-user-key"
      }
    }
  }
}

Note: Replace your_mend_env with the hostname of your Mend environment, and your-email@example.com and your-user-key with the email address and user key of your Mend account. The user key is a credential that is sent in the X-UserKey header on every request: keep serverUrl on https://, keep mcp_config.json readable only by your own user, and do not commit it to version control.
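The manual step above is to merge one entry into the mcpServers object without disturbing any servers already configured. The following Python script is an added example, not tooling shipped by Mend or Google: it reads the three values from environment variables (the names MEND_MCP_URL, MEND_USER_EMAIL and MEND_USER_KEY are chosen here and are not a Mend convention), merges the entry from Option B into the existing file, refuses placeholder values and non-HTTPS URLs, and leaves the file with 0600 permissions because it now holds a user key.

```python
"""Install the Mend MCP server entry into Antigravity's mcp_config.json (added example)."""
import json
import os
import stat
from pathlib import Path

# Default config location named in the guide.
DEFAULT_CONFIG = Path.home() / ".gemini" / "antigravity" / "mcp_config.json"

# Environment variable names are an assumption of this example, not a Mend convention.
ENV_URL, ENV_EMAIL, ENV_KEY = "MEND_MCP_URL", "MEND_USER_EMAIL", "MEND_USER_KEY"


def merge_mend_server(config: dict, server_url: str, email: str, user_key: str) -> dict:
    """Add or replace `mend-mcp-server` under `mcpServers`, keeping other servers.

    Returns the same dict for convenience. Rejects non-HTTPS URLs because the
    user key is sent as a plain request header on every call.
    """
    if not server_url.startswith("https://"):
        raise ValueError("serverUrl must be https://; X-UserKey travels in a header")
    if not email or not user_key:
        raise ValueError("email and user key must not be empty")
    servers = config.setdefault("mcpServers", {})
    if not isinstance(servers, dict):
        raise ValueError("'mcpServers' must be a JSON object")
    servers["mend-mcp-server"] = {
        "serverUrl": server_url,
        "headers": {"X-UserEmail": email, "X-UserKey": user_key},
    }
    return config


def check_mend_entry(config: dict) -> list[str]:
    """Return problems with the installed entry; an empty list means it looks right."""
    problems = []
    entry = config.get("mcpServers", {}).get("mend-mcp-server")
    if entry is None:
        return ["mend-mcp-server entry missing"]
    url = entry.get("serverUrl", "")
    if not url.startswith("https://"):
        problems.append("serverUrl is not https")
    if "your_mend_env" in url:
        problems.append("serverUrl still contains the placeholder host")
    headers = entry.get("headers", {})
    for name in ("X-UserEmail", "X-UserKey"):
        value = headers.get(name, "")
        if not value or value.startswith("your-"):
            problems.append(f"{name} is missing or still a placeholder")
    return problems


def install(path: Path = DEFAULT_CONFIG) -> dict:
    """Merge the entry into the config file on disk, using credentials from the environment."""
    server_url, email, user_key = (os.environ[v] for v in (ENV_URL, ENV_EMAIL, ENV_KEY))
    config = json.loads(path.read_text()) if path.exists() else {}
    merge_mend_server(config, server_url, email, user_key)
    problems = check_mend_entry(config)
    if problems:
        raise ValueError("; ".join(problems))
    path.parent.mkdir(parents=True, exist_ok=True)
    # Create with 0600, and chmod afterwards as well in case the file already
    # existed with wider permissions: it now contains a Mend user key.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
        fh.write("\n")
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return config


if __name__ == "__main__":
    install()
    print(f"Mend MCP server entry written to {DEFAULT_CONFIG}")
```

Run it once with the three variables exported in the shell; the editor then picks up the new tools as described in Option A, step 5.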

2. Configure Security Rules (Memory)

Antigravity uses a "Rules" system to guide the agent's behavior. These rules can be Global (cross-project) or Workspace-specific.

Via the UI (Recommended)

  1. Open the Agent Manager or editor's side panel.

  2. Click the "..." (three dots) dropdown menu in the top-right corner.

  3. Select Customizations (or Additional options -> Customizations).

  4. Navigate to the Rules tab.

  5. Choose your rule scope:

    • Click + Global to create/edit rules in ~/.gemini/GEMINI.md (applies to all projects).

    • Click + Workspace to create rules for the current project (stored in .agent/rules/).

  6. Paste the Mend Security Policy (below) into the text editor.

  7. Set the Activation Mode to Always On to ensure the security policy is always enforced.

  8. Save the changes.

Mend Security Policy to Paste

CODE
# Mend.io Security Policy & Tool Usage

You possess specific tools for Software Composition Analysis (SCA) and Static Application Security Testing (SAST). You MUST adhere to the following strict workflows.

## 1. SCA (Dependency Scanning) Rules
**Trigger:** Whenever you add, update, or suggest a library (package.json, requirements.txt, pom.xml, etc.). NEVER skip this step.

### Mandatory Workflow
1.  ALWAYS **SCAN FIRST:** Before writing to any file, use `mend-dependencies-assistant`.
    *   **Single Package:** Use `library_name`, `library_version`, `language`, etc.
    *   **Multiple Packages:** Use the `packages` JSON array (required when adding multiple libraries).
    *   *Note:* If a library requires sub-dependencies, scan them all in bulk mode.
2.  **PRESENT RESULTS:** Display findings using the **Mandatory Response Format** below.
3.  **STOP & WAIT:** Explicit user approval is required.
    *   **NEVER** auto-proceed with code changes after a scan.
    *   **NEVER** assume acceptance based on "low" severity.
    *   Ask: *"Do you want to proceed with this library despite the findings?"*

### Mandatory Response Format
You MUST use this exact format when showing results:
```text
🔍 **Security Scan Results** (Data from Mend.io)

[Insert scan results here - vulnerabilities, licenses, etc.]

⚠️ **IMPORTANT NOTE**: This scan covers direct dependencies only and does not include transitive (indirect) dependencies.
```


## 2. SAST (Code Analysis) Rules
**Trigger:** After generating OR editing any source code (methods, fixes, full files).

### Mandatory Workflow
1.  **AUTO-SCAN:** Immediately run `mend-code-security-assistant` on the generated code.
2.  **ANALYZE & FIX:**
    *   **If vulnerabilities found:** Do NOT ask the user. Automatically rewrite the code to fix the vulnerability and re-run the tool.
    *   **If clean:** Proceed to present code to user.
3.  **RETRY LIMIT:**
    *   Do not re-try the auto-fix more than **once**.
    *   If the error persists after one fix attempt, present the code with a warning about the remaining issue.
4.  **ERROR HANDLING:** If the tool errors (system error), adjust parameters and retry once.

## Tool Parameter Reference

### SCA Parameters
*   **Single Mode:** `library_name`, `library_version`, `language` (JAVA, PYTHON, NPM, GO, etc.), `group_id` (Java only).
*   **Bulk Mode:** `packages` = `[{"library":"name","version":"1.0.0","language":"NPM"}]`

### SAST Parameters
*   Pass the generated source code string to `mend-code-security-assistant`.
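The bulk-mode shape in the parameter reference above (`packages` as a JSON array of objects with `library`, `version` and `language`) is what the agent has to assemble when a change touches several dependencies at once. As an added example, and not code from Mend or from this guide, the following Python builds that array from a requirements.txt and a package.json using the PYTHON and NPM language codes listed above. It only emits entries it can tie to a single version and reports the rest separately, since a range such as `flask>=2.0` is not one version that can be checked for known CVEs; a caret or tilde npm range is scanned at its floor, with the lockfile-resolved version being the authoritative one when a lockfile exists. The sample manifests at the bottom are constructed for the example.

```python
"""Build the `packages` array for mend-dependencies-assistant bulk mode (added example)."""
import json
import re

# Exact pins only: "name==1.2.3", optionally with extras such as "name[extra]==1.2.3".
_PY_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")
# npm specs that name one concrete version, possibly behind ^ or ~ (the range floor).
_NPM_VERSION = re.compile(r"^[\^~>=<\s]*v?(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?)$")


def packages_from_requirements(text: str) -> tuple[list[dict], list[str]]:
    """Return (bulk entries, lines that could not be pinned) for a requirements.txt."""
    entries, unpinned = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("-"):      # blank, or options such as -r / -e
            continue
        m = _PY_PIN.match(line)
        if m:
            entries.append({"library": m.group(1), "version": m.group(2), "language": "PYTHON"})
        else:
            unpinned.append(line)                 # ">=", "~=", bare names, URLs
    return entries, unpinned


def packages_from_package_json(text: str) -> tuple[list[dict], list[str]]:
    """Return (bulk entries, specs that name no single version) for a package.json.

    A caret or tilde range is scanned at its floor; the version the lockfile
    actually resolved is the authoritative one and should be preferred when present.
    """
    data = json.loads(text)
    entries, unresolved = [], []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            m = _NPM_VERSION.match(spec)
            if m:
                entries.append({"library": name, "version": m.group(1), "language": "NPM"})
            else:
                unresolved.append(f"{name}@{spec}")  # "*", "latest", git or workspace specs
    return entries, unresolved


def bulk_request(entries: list[dict]) -> dict:
    """Wrap entries as the bulk-mode argument, dropping exact duplicates."""
    seen, packages = set(), []
    for e in entries:
        key = (e["language"], e["library"].lower(), e["version"])
        if key not in seen:
            seen.add(key)
            packages.append(e)
    return {"packages": packages}


if __name__ == "__main__":
    # Constructed sample manifests for the example.
    REQUIREMENTS = "requests==2.31.0\nflask>=2.0  # range, not a pin\n-r base.txt\nPyYAML[extra]==6.0.1\n"
    PACKAGE_JSON = ('{"dependencies": {"express": "^4.18.2", "left-pad": "*"},'
                    ' "devDependencies": {"jest": "~29.7.0"}}')
    py, unpinned = packages_from_requirements(REQUIREMENTS)
    npm, unresolved = packages_from_package_json(PACKAGE_JSON)
    print(json.dumps(bulk_request(py + npm), indent=2))
    print("needs a pinned version before scanning:", unpinned + unresolved)
```

The second list is the one to surface to the user under the policy's STOP & WAIT rule: an unpinned dependency cannot be scanned as a single version, so the agent should ask for (or propose) a concrete version rather than silently scanning a guess.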

3. Verification

Verify Tools: Prompt the agent with “What mcp tools are available to you?”

CODE
What mcp tools are available to you?

This prompt should return a list of tools, including the Mend.io tools:

  1. mend-code-security-assistant (SAST)

  2. mend-dependencies-assistant (SCA)
