Mend Agentic Gemini Code Assist Integration
Overview
Mend Agentic Integration allows the AI agent to interact with the Mend.io tools via the Mend.io MCP server.
When the agent generates code or attempts to add a new dependency, it can call the Mend.io MCP server to run an immediate security check. The MCP server analyzes the proposed code for CWEs and the requested libraries for known CVEs, then returns actionable guidance for the agent to address any discovered issues.
This feature integrates smoothly into the workflow, provides clear, intelligent security guidance and ensures security best practices are followed during AI-assisted development.
This guide shows how to integrate Mend's security tools (mend-code-security-assistant and mend-dependencies-assistant) with the Gemini Code Assist extension in VS Code using the Model Context Protocol (MCP).
Key Capabilities
Automatic Security Scanning: Every time code is generated or a dependency gets added, the Mend MCP automatically analyzes it for security vulnerabilities.
Real-time Vulnerability Detection: Immediate identification of Common Weakness Enumerations (CWEs) in your code and CVEs in your dependencies.
Automated Remediation: Automatic suggestions and fixes for detected security issues.
Prerequisites
Note: This feature uses AI. Your organization must sign an addendum to your Mend.io contract to use it. Please contact your Customer Success Manager to initiate this process.
VS Code installed
Gemini Code Assist Extension from VS Code Marketplace
Mend Account with:
A valid Mend.io user (email) and user key.
Keys can be created/copied from My Profile → User Keys in the Mend AppSec Platform UI.
MCP Server URL:
https://saas.mend.io/mcp (or your custom deployment)
Limitations (SCA)
The automated remediation suggestions are currently based on the agent's own research to identify a secure version of a vulnerable library.
Mend Agentic Integration only reports vulnerabilities in direct libraries, not transitive dependencies.
Step 1: Install Gemini Code Assist Extension
Open VS Code
Go to Extensions (⇧⌘X)
Search for "Gemini Code Assist"
Click Install
Reload VS Code when prompted
Note: Agent mode is required for MCP server support.
Step 2: Configure Mend MCP Server
Create or edit ~/.gemini/settings.json:
{
  "mcpServers": {
    "mend-mcp-server": {
      "httpUrl": "https://saas.mend.io/mcp",
      "headers": {
        "X-UserEmail": "your-email@example.com",
        "X-UserKey": "your-mend-api-key"
      },
      "timeout": 60000
    }
  }
}
Replace:
your-email@example.com → Your Mend user email
your-mend-api-key → Your Mend API key (can be viewed/generated via My Profile → User Keys in the Mend AppSec Platform UI).
Step 3: Configure Security Rules
Add rules in VS Code Settings:
Open Command Palette (⇧⌘P)
Select "Preferences: Open Settings (UI)"
Search for "Geminicodeassist: Rules"
Add the following rules:
# Mend.io Security Policy & Tool Usage
You possess specific tools for Software Composition Analysis (SCA) and Static Application Security Testing (SAST). You MUST adhere to the following strict workflows.
## 1. SCA (Dependency Scanning) Rules
NEVER ignore this step.
**Trigger:** You MUST ALWAYS run this step when adding, updating, or suggesting libraries (package.json, requirements.txt, pom.xml, etc.).
### Mandatory Workflow
1. ALWAYS **SCAN FIRST:** Before writing to any file, use `mend-dependencies-assistant`.
* **Single Package:** Use `library_name`, `version`, `language`, etc.
* **Multiple Packages:** Use `packages` JSON array (Required when adding multiple libs).
* *Note:* If a library requires sub-dependencies, scan them all in bulk mode.
2. **PRESENT RESULTS:** Display findings using the **Mandatory Response Format** below.
3. **STOP & WAIT:** Explicit user approval is required.
* **NEVER** auto-proceed with code changes after a scan.
* **NEVER** assume acceptance based on "low" severity.
* Ask: *"Do you want to proceed with this library despite the findings?"*
### Mandatory Response Format
You MUST use this exact format when showing results:
```text
🔍 **Security Scan Results** (Data from Mend.io)
[Insert scan results here - vulnerabilities, licenses, etc.]
⚠️ **IMPORTANT NOTE**: This scan covers direct dependencies only and does not include transitive (indirect) dependencies.
```
## 2. SAST (Code Analysis) Rules
**Trigger:** After generating OR editing any source code (methods, fixes, full files).
### Mandatory Workflow
1. **AUTO-SCAN:** Immediately run `mend-code-security-assistant` on the generated code.
2. **ANALYZE & FIX:**
* **If vulnerabilities found:** Do NOT ask the user. Automatically rewrite the code to fix the vulnerability and re-run the tool.
* **If clean:** Proceed to present code to user.
3. **RETRY LIMIT:**
* Do not re-try the auto-fix more than **once**.
* If the error persists after one fix attempt, present the code with a warning about the remaining issue.
4. **ERROR HANDLING:** If the tool errors (system error), adjust parameters and retry once.
## Tool Parameter Reference
### SCA Parameters
* **Single Mode:** `library_name`, `library_version`, `language` (JAVA, PYTHON, NPM, GO, etc.), `group_id` (Java only).
* **Bulk Mode:** `packages` = `[{"library":"name","version":"1.0.0","language":"NPM"}]`
### SAST Parameters
* Pass the generated source code string to `mend-code-security-assistant`.
Note: These rules apply to every prompt you make in Gemini Code Assist.
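The bulk-mode `packages` array in the parameter reference above is what the agent sends for a multi-library scan. The following script is an added example (not part of the rules text, and not Mend's or Google's own code) that builds that array from a constructed package.json, wraps it in a standard MCP JSON-RPC `tools/call` request, and separates out version ranges that cannot be pinned to one version without the lockfile. The argument name `packages` and the tool name come from the page; the exact argument schema the server accepts is an assumption.

```python
import json
import re

# Constructed sample package.json (not from the page); specifiers are typical npm ranges.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"express": "^4.18.2", "lodash": "~4.17.21", "left-pad": "1.3.0"},
  "devDependencies": {"jest": ">=29.0.0"}
}"""

# An exact version, or a caret/tilde range whose lower bound can be taken as the version.
# Note: the installed version may be newer than the lower bound; package-lock.json is authoritative.
PINNABLE = re.compile(r"^[\^~]?(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?)$")


def build_bulk_packages(package_json_text):
    """Return (packages, unpinned).
    `packages` is the bulk-mode array in the shape the rules reference shows
    (library/version/language); `unpinned` lists specifiers such as ">=29.0.0"
    that need the resolved version from the lockfile before scanning."""
    manifest = json.loads(package_json_text)
    packages, unpinned = [], []
    # package.json lists direct dependencies only, which matches what the tool reports on.
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            m = PINNABLE.match(spec.strip())
            if m:
                packages.append({"library": name, "version": m.group(1), "language": "NPM"})
            else:
                unpinned.append((name, spec))
    return packages, unpinned


def build_tools_call(packages, request_id=1):
    """Wrap the array in a JSON-RPC 2.0 `tools/call` request as MCP defines it.
    Assumption: the server takes the array under the argument name `packages`."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "mend-dependencies-assistant", "arguments": {"packages": packages}},
    }


if __name__ == "__main__":
    pkgs, unpinned = build_bulk_packages(SAMPLE_PACKAGE_JSON)
    print(json.dumps(build_tools_call(pkgs), indent=2))
    for name, spec in unpinned:
        print(f"{name}: {spec!r} is a range; scan the resolved version from package-lock.json")
```

Each unpinned entry should be resolved from the lockfile and added to the array before the request is sent, otherwise the scan silently covers fewer libraries than the manifest lists.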
Step 4: Verification
Reload VS Code: Open Command Palette (⇧⌘P) → "Developer: Reload Window"
Open Agent Mode: Click the Gemini icon in the Activity Bar → Enable Agent mode
Verify Tools: In Agent mode chat, type:
List available tools
You should see:
mend-code-security-assistant (SAST)
mend-dependencies-assistant (SCA)
Testing Examples
Test Security Instructions
Test SAST Integration:
Create a secure user authentication system with password validation
Should trigger mend-code-security-assistant due to the authentication context.
Test SCA Integration:
Add the express framework to my Node.js project
Should trigger mend-dependencies-assistant due to the dependency file context.
Test Combined Workflow:
Build a secure file upload API endpoint with proper validation
Should trigger both security tools for comprehensive analysis.