Skip to main content
Skip table of contents

Mend Agentic Gemini CLI Integration

Overview

Mend Agentic Integration allows the AI agent to interact with the Mend.io tools via the Mend.io MCP server.

When the agent generates code or attempts to add a new dependency, it can call the Mend.io MCP server to run an immediate security check. The MCP server analyzes the proposed code for CWEs and the requested libraries for known CVEs, then returns actionable guidance for the agent to address any discovered issues.

This feature integrates smoothly into the workflow, provides clear, intelligent security guidance and ensures security best practices are followed during AI-assisted development.

This guide shows how to integrate Mend's security tools (mend-code-security-assistant and mend-dependencies-assistant) into Gemini CLI using Model Context Protocol (MCP).

Key Capabilities

  • Automatic Security Scanning: Every time code is generated or a dependency gets added, the Mend MCP automatically analyzes it for security vulnerabilities.

  • Real-time Vulnerability Detection: Immediate identification of Common Weakness Enumerations (CWEs) in your code and CVEs in your dependencies.

  • Automated Remediation: Automatic suggestions and fixes for detected security issues.

Prerequisites

Note: This feature uses AI. Your organization must sign an addendum to your Mend.io contract to use it. Please contact your Customer Success Manager to initiate this process.

  • Gemini CLI installed

  • A valid Mend.io user (email) and user key.
    Keys can be created/copied from My Profile --> User Keys in the Mend AppSec Platform UI.

  • MCP Server URL: https://saas.mend.io/mcp (or your custom deployment)

Step 1: Install Gemini CLI

CODE 
npm install -g @google/gemini-cli
# or
brew install gemini-cli

Step 2: Configure Mend MCP Server

Option A: Using CLI Command

CODE 
gemini mcp add mend-mcp-server https://your-mend-server.com/mcp -H "X-UserEmail: <your-email>" -H "X-UserKey: <your-user-key>"

Option B: Manual Configuration

Create or edit ~/.gemini/settings.json (global) or .gemini/settings.json (project-specific):

CODE 
{
  "mcpServers": {
    "mend-mcp-server": {
      "httpUrl": "https://your-mend-server.com/mcp",
      "headers": {
        "X-UserEmail": "your-email@example.com",
        "X-UserKey": "your-mend-api-key"
      },
      "timeout": 60000
    }
  }
}

Replace:

  • your-email@example.com → Your Mend user email

  • your-mend-api-key → Your Mend API key (can be viewed/generated via My Profile → User Keys in the Mend AppSec Platform UI).

Step 3: Configure Security Rules

Create ~/.gemini/GEMINI.md (global) or .gemini/GEMINI.md in your project:

CODE 
# Mend Security Rules

# Mend.io Security Policy & Tool Usage

You possess specific tools for Security Composition Analysis (SCA) and Static Application Security Testing (SAST). You MUST adhere to the following strict workflows.

## 1. SCA (Dependency Scanning) Rules
NEVER ignore this step
You MUST ALWAYS **Trigger:** When adding, updating, or suggesting libraries (package.json, requirements.txt, pom.xml, etc.).

### Mandatory Workflow
1. ALWAYS **SCAN FIRST:** Before writing to any file, use `mend-dependencies-assistant`.
    *   **Single Package:** Use `library_name`, `version`, `language`, etc.
    *   **Multiple Packages:** Use `packages` JSON array (Required when adding multiple libs).
    *   *Note:* If a library requires sub-dependencies, scan them all in bulk mode.
2.  **PRESENT RESULTS:** Display findings using the **Mandatory Response Format** below.
3.  **STOP & WAIT:** explicit user approval is required.
    *   **NEVER** auto-proceed with code changes after a scan.
    *   **NEVER** assume acceptance based on "low" severity.
    *   Ask: *"Do you want to proceed with this library despite the findings?"*

### Mandatory Response Format
You MUST use this exact format when showing results:
```text
🔍 **Security Scan Results** (Data from Mend.io)

[Insert scan results here - vulnerabilities, licenses, etc.]

⚠️ **IMPORTANT NOTE**: This scan covers direct dependencies only and does not include transitive (indirect) dependencies.


## 2. SAST (Code Analysis) Rules
**Trigger:** After generating OR editing any source code (methods, fixes, full files).

### Mandatory Workflow
1.  **AUTO-SCAN:** Immediately run `mend-code-security-assistant` on the generated code.
2.  **ANALYZE & FIX:**
    *   **If vulnerabilities found:** Do NOT ask the user. Automatically rewrite the code to fix the vulnerability and re-run the tool.
    *   **If clean:** Proceed to present code to user.
3.  **RETRY LIMIT:**
    *   Do not re-try the auto-fix more than **once**.
    *   If the error persists after one fix attempt, present the code with a warning about the remaining issue.
4.  **ERROR HANDLING:** If the tool errors (system error), adjust parameters and retry once.

## Tool Parameter Reference

### SCA Parameters
*   **Single Mode:** `library_name`, `library_version`, `language` (JAVA, PYTHON, NPM, GO, etc.), `group_id` (Java only).
*   **Bulk Mode:** `packages` = `[{"library":"name","version":"1.0.0","language":"NPM"}]`

### SAST Parameters
*   Pass the generated source code string to `mend-code-security-assistant`.

Step 4: Verification

Check MCP Server Status

CODE 
gemini mcp list

Expected output should show mend-mcp-server as configured.

Verify Tools in CLI

Start Gemini CLI and run:

CODE 
/mcp

You should see:

  • mend-code-security-assistant (SAST)

  • mend-dependencies-assistant (SCA)

Testing Examples

Test SAST Tool

CODE 
gemini chat
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close