Breadcrumbs

Mend Agentic Gemini CLI Integration

Overview

Mend Agentic Integration allows the AI agent to interact with the Mend.io tools via the Mend.io MCP server.

When the agent generates code or attempts to add a new dependency, it can call the Mend.io MCP server to run an immediate security check. The MCP server analyzes the proposed code for CWEs and the requested libraries for known CVEs, then returns actionable guidance for the agent to address any discovered issues.

This feature integrates smoothly into the workflow, provides clear, intelligent security guidance and ensures security best practices are followed during AI-assisted development.

This guide shows how to integrate Mend's security tools (mend-code-security-assistant and mend-dependencies-assistant) into Gemini CLI using Model Context Protocol (MCP).

Key Capabilities

  • Automatic Security Scanning: Every time code is generated or a dependency gets added, the Mend MCP automatically analyzes it for security vulnerabilities.

  • Real-time Vulnerability Detection: Immediate identification of Common Weakness Enumerations (CWEs) in your code and CVEs in your dependencies.

  • Automated Remediation: Automatic suggestions and fixes for detected security issues.

Prerequisites

Note: This feature uses AI. The use of the service indicated under this page is subject to the terms and conditions set forth under our AI Supplemental Terms-of-Service.

  • Gemini CLI installed

  • A valid Mend.io user (email) and user key.
    Keys can be created/copied from My Profile --> User Keys in the Mend AppSec Platform UI.

  • MCP Server URL: https://saas.mend.io/mcp (or your custom deployment)

Step 1: Install Gemini CLI 

npm install -g @google/gemini-cli
# or
brew install gemini-cli

Step 2: Configure Mend MCP Server

Option A: Using CLI Command 

gemini mcp add mend-mcp-server https://your-mend-server.com/mcp -H "X-UserEmail: <your-email>" -H "X-UserKey: <your-user-key>" -H "X-OrgId: <your-org-id>"

Option B: Manual Configuration

Create or edit ~/.gemini/settings.json (global) or .gemini/settings.json (project-specific):

{
  "mcpServers": {
    "mend-mcp-server": {
      "httpUrl": "https://your-mend-server.com/mcp",
      "headers": {
        "X-UserEmail": "your-email@example.com",
        "X-UserKey": "your-mend-api-key",
        "X-OrgId": "your-org-id"
      },
      "timeout": 60000
    }
  }
}

Replace:

  • your-email@example.com → Your Mend user email

  • your-mend-api-key → Your Mend API key (can be viewed/generated via My Profile → User Keys in the Mend AppSec Platform UI).

  • your-org-id → Your Mend organization ID. Optional — only required if your account belongs to more than one organization; otherwise omit the X-OrgId header. You can find your Org ID in the Mend AppSec Platform under My Profile (or your organization settings).

Step 3: Configure Security Rules

Create ~/.gemini/GEMINI.md (global) or .gemini/GEMINI.md in your project:

# Mend Security Rules

# Mend.io Security Policy & Tool Usage

You possess specific tools for Security Composition Analysis (SCA) and Static Application Security Testing (SAST). You MUST adhere to the following strict workflows.

## 1. SCA (Dependency Scanning) Rules
NEVER ignore this step
You MUST ALWAYS **Trigger:** When adding, updating, or suggesting libraries (package.json, requirements.txt, pom.xml, etc.).

### Mandatory Workflow
1. ALWAYS **SCAN FIRST:** Before writing to any file, use `mend-dependencies-assistant`.
    *   **Single Package:** Use `library_name`, `version`, `language`, etc.
    *   **Multiple Packages:** Use `packages` JSON array (Required when adding multiple libs).
    *   *Note:* If a library requires sub-dependencies, scan them all in bulk mode.
2.  **PRESENT RESULTS:** Display findings using the **Mandatory Response Format** below.
3.  **STOP & WAIT:** explicit user approval is required.
    *   **NEVER** auto-proceed with code changes after a scan.
    *   **NEVER** assume acceptance based on "low" severity.
    *   Ask: *"Do you want to proceed with this library despite the findings?"*

### Mandatory Response Format
You MUST use this exact format when showing results:
```text
🔍 **Security Scan Results** (Data from Mend.io)

[Insert scan results here - vulnerabilities, licenses, etc.]

⚠️ **IMPORTANT NOTE**: This scan covers direct dependencies only and does not include transitive (indirect) dependencies.


## 2. SAST (Code Analysis) Rules
**Trigger:** After generating OR editing any source code (methods, fixes, full files).

### Mandatory Workflow
1.  **AUTO-SCAN:** Immediately run `mend-code-security-assistant` on the generated code.
2.  **ANALYZE & FIX:**
    *   **If vulnerabilities found:** Do NOT ask the user. Automatically rewrite the code to fix the vulnerability and re-run the tool.
    *   **If clean:** Proceed to present code to user.
3.  **RETRY LIMIT:**
    *   Do not re-try the auto-fix more than **once**.
    *   If the error persists after one fix attempt, present the code with a warning about the remaining issue.
4.  **ERROR HANDLING:** If the tool errors (system error), adjust parameters and retry once.

## Tool Parameter Reference

### SCA Parameters
*   **Single Mode:** `library_name`, `library_version`, `language` (JAVA, PYTHON, NPM, GO, etc.), `group_id` (Java only).
*   **Bulk Mode:** `packages` = `[{"library":"name","version":"1.0.0","language":"NPM"}]`

### SAST Parameters
*   Pass the generated source code string to `mend-code-security-assistant`.

Step 4: Verification

Check MCP Server Status 

gemini mcp list

Expected output should show mend-mcp-server as configured.

Verify Tools in CLI

Start Gemini CLI and run:

/mcp

You should see:

  • mend-code-security-assistant (SAST)

  • mend-dependencies-assistant (SCA)

Testing Examples

Test SAST Tool 

gemini chat