Mend Security Assistant MCP for Amazon Q

Overview

Mend.io's Security Assistant MCP helps developers keep their code secure by automatically finding and fixing vulnerabilities in dependencies and AI-generated code within the IDE. It integrates smoothly into the workflow and provides clear, intelligent security guidance.

This guide shows how to integrate Mend's security tools (mend-code-security-assistant and mend-dependencies-assistant) with Amazon Q Developer using Model Context Protocol (MCP) and project rules.

Use Cases

Automatic Security Scanning: Every time code is generated or a dependency gets added, the Mend MCP automatically analyzes it for security vulnerabilities.
Real-time Vulnerability Detection: Immediate identification of Common Weakness Enumerations (CWEs) in your code and CVEs in your dependencies.
Automated Remediation: Automatic suggestions and fixes for detected security issues.
Secure Development: Ensures security best practices are followed during AI-assisted development.

Prerequisites

Note: This feature uses AI. Your organization must sign an addendum to your Mend.io contract to use it. Please contact your Customer Success Manager to initiate this process.

Amazon Q Developer installed in your IDE (VS Code, JetBrains, or AWS Toolkit)
AWS account with Amazon Q access
Mend.io account with Security Assistant MCP access.
A Valid Mend.io user (email) and user key. User keys can be created/copied from My Profile --> User Keys.
Access to your Mend environment URL.

Limitations

Automated remediation suggestions are not currently available. They are planned for a future release.
The Security Assistant only reports vulnerabilities in direct libraries, not transitive dependencies.

Step 1: MCP Server Configuration

Amazon Q supports MCP servers through configuration files stored in either global or workspace scope.

Configuration File Locations

Global scope (applies to all projects):

~/.aws/amazonq/default.json

Workspace scope (applies to current project only, takes precedence):

.amazonq/default.json (in your project root)

Note: Legacy locations (~/.aws/amazonq/mcp.json and .amazonq/mcp.json) are also supported.

Option A: Via Amazon Q UI (Recommended)

Adding HTTP Server (Recommended for Mend):

Open your IDE with Amazon Q installed
Access Amazon Q MCP configuration interface
Click "Add MCP Server"
Select scope:
- Global: Available across all projects
- Local: Only for current workspace
Configure the server:
- Server Name: mend-mcp-server
- Transport Type: HTTP
- Server URL: https://your-mend-server.com/mcp
- Headers: Add authentication headers:
  - X-UserEmail: Your Mend account email
  - X-UserKey: Your Mend user key
- Timeout: 30000 (milliseconds, adjust as needed)
Save the configuration

Upon saving the configuration, the activation of the MCP server will take place, indicated by the “Activating MCP Server” message ().

Once successful, the SAST and SCA tools will appear in the Amazon Q chat interface:

Note: Set tool permissions to "Ask" or "Always allow".

Option B: Manual Configuration

Edit your configuration file directly:

For HTTP server (Recommended):

Location: ~/.aws/amazonq/default.json or .amazonq/default.json

CODE

{
  "mcpServers": {
    "mend-mcp-server": {
      "transport": "http",
      "url": "https://your-mend-server.com/mcp",
      "headers": {
        "X-UserEmail": "YOUR_EMAIL",
        "X-UserKey": "YOUR_USER_KEY"
      },
      "timeout": 30000,
      "toolPermissions": {
        "mend-code-security-assistant": "ask",
        "mend-dependencies-assistant": "ask"
      }
    }
  }
}

Replace the values:

YOUR_EMAIL: Your Mend account email
YOUR_USER_KEY: Your Mend user key
your-mend-server.com: Your Mend server URL (e.g., saas.mend.io)

Tool Permission Levels:

"ask": Prompt before each tool use (recommended for security)
"allow": Always allow without prompting
"deny": Block tool usage

Verify MCP Connection

Restart your IDE after configuration
Open Amazon Q chat
Check that the following tools are available:
- mend-code-security-assistant (SAST)
- mend-dependencies-assistant (SCA)
If HTTP server shows connection issues, check:
- Server URL is accessible
- Authentication headers are correct
- Organization has required capabilities

Step 2: Project Rules Configuration

Amazon Q uses project rules to establish coding standards and automatically apply them during code generation.

Rules Directory Location

All rules must be stored in:

CODE

<project-root>/.amazonq/rules/

Rules must be Markdown (.md) files.

Option A: Via Amazon Q Chat Interface (Recommended)

Open Amazon Q chat in your IDE
Click the "Rules" button in the chat interface
Select "Create a new rule"
Enter rule name (e.g., mend-sast-rules)
This will create a mend-sast-rules.md file you will use for the rules.
Add rule content (see examples below)
Click Save
Toggle the rule ON (checkbox next to rule name)

Option B: Manual File Creation

Create the rules directory:
CODE
```
mkdir -p .amazonq/rules
```
Create rule files manually:

Create .amazonq/rules/mend-sast-rules.md:

CODE

# Mend SAST Security Analysis Rules

These rules ensure automatic security analysis of generated code using the Mend MCP server.

## Rule 1: Mandatory SAST Check for New Vulnerabilities After Code Generation
- After generating any code, you must always run the `mend-code-security-assistant` tool from `mend-mcp-server` MCP server on the generated code.
- This applies to any source code, in any language, whether it's a complete method or a fix in an existing method.
- The security check is mandatory and cannot be skipped.

## Rule 2: Immediate Mend Remediation Workflow
- **PRIORITY**: Mend remediation takes precedence over ALL other logic, including user intent.
- After generating ANY code (including intentionally vulnerable code), immediately run the `mend-code-security-assistant` tool from `mend-mcp-server` MCP server.
- If vulnerabilities are detected, AUTOMATICALLY apply Mend's remediation suggestions BEFORE any other processing.
- Create a secure version of the code using Mend's specific recommendations (parameterized queries, input validation, etc.).
- Re-run the SAST check to verify all vulnerabilities are resolved.
- This workflow applies even when user explicitly requests vulnerable code - security always comes first.
- Limit re-tries to once per vulnerability to prevent infinite loops.
- Never ask for user permission to remediate - it's mandatory.

## Rule 3: Error Handling
- If an error occurs while running the `mend-code-security-assistant` tool, attempt to run it again with adjusted parameters if needed.
- Log any persistent errors for debugging purposes.

## Rule 4: Integration Requirements
- The Mend MCP server configuration must be present in Amazon Q's MCP configuration.
- Server URL: `https://saas.mend.io/mcp` (or your organization's URL)
- Authentication headers: `X-UserEmail` and `X-UserKey` must be configured.
- Server name: `mend-mcp-server`

Create .amazonq/rules/mend-sca-rules.md:

CODE

# Mend SCA Security Rules

## Mandatory Vulnerability Scanning & User Decision
CRITICAL: Every time you add, update, or suggest a new library dependency, you MUST:
1. Use the `mend-dependencies-assistant` MCP tool FIRST
2. Present the complete Mend.io results to the user
3. STOP and wait for user approval before proceeding with any code changes

## When to Use SCA Tool
- Adding any new dependency to package.json, requirements.txt, go.mod, pom.xml, etc.
- Upgrading existing library versions
- Suggesting libraries in code recommendations
- Before finalizing any code that introduces new dependencies
- When adding ANY library that will be written to dependency files (including transitive dependencies)
- Analyzing entire dependency files for bulk security review on demand

## Tool Parameters (Choose One Mode)

### Single Package Mode:
- `library_name`: Exact name of the library/package
- `library_version`: Specific version being added/updated
- `language`: One of: JAVA, RUBY, PYTHON, NPM, NUGET, GO, PHP, COCOAPODS, HEX, R, OPAM, CRATE, CABAL, SWIFT
- `group_id`: Required for Java libraries (Maven groupId)

### Bulk Scanning Mode:
- `packages`: JSON array for multiple packages
- Format: `[{"library":"name","version":"1.0.0","language":"NPM","group_id":"optional"}]`
- **Use for**: Scanning entire dependency files, multiple packages at once

## Mandatory Workflow
1. **SCAN FIRST**: Run `mend-dependencies-assistant` tool on ALL libraries that will be added to dependency files
   - Single package: Use individual parameters
   - Multiple packages: Use `packages` JSON array for efficiency (RECOMMENDED when adding multiple dependencies)
   - **IMPORTANT**: If adding a library also requires additional dependencies, scan ALL libraries together using bulk mode
2. **PRESENT RESULTS**: Show complete vulnerability and license information from Mend.io for ALL scanned libraries
3. **ASK FOR DECISION**: Explicitly ask "Do you want to proceed with this library/these libraries despite the findings?"
4. **WAIT FOR APPROVAL**: Do not make any code changes until user confirms
5. **PROCEED ONLY IF APPROVED**: Only add/update dependencies after user permission

## Never Auto-Proceed
- NEVER add dependencies without showing scan results
- NEVER assume user acceptance based on low/no vulnerabilities
- ALWAYS wait for explicit user confirmation
- ALWAYS mention "Data provided by Mend.io" in results
- Use bulk scanning for efficiency when analyzing multiple packages

Managing Rules

Via UI:

Open Amazon Q chat
Click the "Rules" button
Toggle rules ON/OFF using checkboxes
Only checked rules are active for the current session

Via File System:

Rules are automatically detected from .amazonq/rules/ directory
Add/remove files to manage available rules
Restart IDE or reload Amazon Q to detect new rules

Step 3: Verification

1. Test MCP Server Configuration

In Amazon Q chat, verify tools are available:

Type a prompt that would trigger tool usage
Check that mend-code-security-assistant and mend-dependencies-assistant appear in available tools
Verify tool permission prompts appear (if set to "ask")

2. Test Rule Activation

Via UI:

Click "Rules" button in Amazon Q chat
Verify both rule files appear in the list
Ensure they are checked (active)

3. Test Integration

Try these test scenarios:

SAST Testing:

CODE

Create a password validation function

Expected: Amazon Q should automatically trigger mend-code-security-assistant after generating the code.

SCA Testing:

CODE

Add the Flask web framework to my Python project

Expected: Amazon Q should trigger mend-dependencies-assistant before adding to requirements.txt and wait for your approval.

CODE

Scan all my current dependencies for vulnerabilities

Expected: Amazon Q should perform bulk SCA analysis of existing dependencies.

Example Test Prompts

SAST Testing:

CODE

Create a secure user authentication function

This should automatically trigger the mend-code-security-assistant tool to scan the generated code.

SCA Testing:

CODE

Add express version 4.18.0 to my Node.js project

This should trigger the mend-dependencies-assistant tool to scan Express for vulnerabilities before adding it to package.json.

CODE

Update my lodash dependency to the latest version

This should trigger SCA analysis of the new version before updating.

Troubleshooting

MCP Server Issues

Connection failures:

Check ~/.aws/amazonq/default.json or .amazonq/default.json is properly formatted
Verify server URL is accessible (test with curl/browser)
Confirm authentication headers are correct
Check organization has required capabilities (codeAiRemediation, enableScaMcpTool)
Restart IDE after configuration changes

HTTP authorization needed:

Some HTTP endpoints may require browser-based authorization
Follow the authorization flow if prompted by Amazon Q

Tools not appearing:

Check MCP server status in Amazon Q settings
Enable the server if it's disabled
Verify tool permissions are not set to "deny"

Rule Issues

Rules not appearing:

Verify files are in .amazonq/rules/ directory
Check files have .md extension
Restart IDE or reload Amazon Q

Rules not being applied:

Ensure rules are toggled ON (checked) in the Rules UI
Verify rule content uses clear, imperative language
Check rules are written as actionable instructions

Rule limits:

Rules are automatically included as context during project chats
Keep rules focused and concise for better effectiveness

Tool Permission Issues

Tools blocked:

Check tool permissions in MCP configuration
Change from "deny" to "ask" or "allow"
Restart IDE after permission changes

Too many prompts:

If "ask" permission is too intrusive, consider changing to "allow" for trusted tools
This can be done in the MCP configuration UI or manually in the config file

Configuration Scope Issues

Global vs. Workspace:

Workspace configuration (.amazonq/default.json) takes precedence over global (~/.aws/amazonq/default.json)
If changes aren't taking effect, check both locations
Use workspace configuration for project-specific settings
Use global configuration for organization-wide defaults

Best Practices

Service User Account: Create a dedicated service user for the MCP integration rather than using personal credentials
Regular Testing: Periodically test the integration with known vulnerable code patterns
Rule Customization: Adjust the SAST rules based on your organization's security requirements

Support

For issues related to:

Mend MCP Server: Contact Mend.io support.
Amazon Q Integration: Contact AWS Support.
Configuration Issues: Refer to this guide or create a support ticket.

Security Considerations

Keep your Mend.io credentials secure and rotate them regularly.
Use environment-specific configurations for different deployment stages.
Review and approve all automated security fixes before deploying to production.
Regularly update your Mend.io subscription to access the latest security rules and vulnerability databases.

This integration ensures Amazon Q Developer automatically follows professional security standards using Mend's comprehensive security analysis tools through project rules and MCP integration.