
Mend Security Assistant MCP for Claude Code

Overview

Mend.io's Security Assistant MCP helps developers keep their code secure by automatically finding and fixing vulnerabilities in dependencies and AI-generated code within the IDE. It integrates smoothly into the workflow and provides clear, intelligent security guidance.

This guide shows how to integrate Mend's security tools (mend-code-security-assistant and mend-dependencies-assistant) with Claude Code using Model Context Protocol (MCP) and a custom security subagent.

Use Cases

  • Automatic Security Scanning: Every time code is generated or a dependency gets added, the Mend MCP automatically analyzes it for security vulnerabilities.

  • Real-time Vulnerability Detection: Immediate identification of Common Weakness Enumerations (CWEs) in your code and CVEs in your dependencies.

  • Automated Remediation: Automatic suggestions and fixes for detected security issues.

  • Secure Development: Ensures security best practices are followed during AI-assisted development.

Prerequisites

Note: This feature uses AI. Your organization must sign an addendum to your Mend.io contract to use it. Please contact your Customer Success Manager to initiate this process.

  • Claude Code installed.

  • A Mend.io account with Security Assistant MCP access.

  • A valid Mend.io user (email) and user key. User keys can be created or copied from My Profile --> User Keys.

  • Access to your Mend environment URL.

Limitations

  • Automated remediation suggestions are not currently available. They are planned for a future release.

  • The Security Assistant only reports vulnerabilities in direct libraries, not transitive dependencies.

Step 1: MCP Server Configuration

Add MCP Server

Use the Claude Code CLI to add the Mend MCP server:

CODE
claude mcp add --transport http mend-mcp-server https://your-mend-server.com/mcp \
  --header "X-UserEmail: YOUR_EMAIL" \
  --header "X-UserKey: YOUR_USER_KEY"

Replace the values:

  • YOUR_EMAIL: Your Mend account email

  • YOUR_USER_KEY: Your Mend user key

  • your-mend-server.com: Your Mend server URL (e.g., saas.mend.io)

Verify MCP Connection

CODE
claude mcp list

You should see mend-mcp-server connected.

Step 2: Security Subagent Configuration

Create Security Subagent

Create the subagent directory:

For project-level (recommended):

CODE
mkdir -p .claude/agents

For user-level (global):

CODE
mkdir -p ~/.claude/agents

Security Subagent Definition File

Create .claude/agents/mend-security-assistant.md:

CODE
touch .claude/agents/mend-security-assistant.md

The file should be populated with the following text:

CODE
---
name: mend-security-assistant
description: Expert application security specialist with Mend SAST/SCA analysis
tools: mend-code-security-assistant, mend-dependencies-assistant, Read, Write, Edit
color: blue
---

CRITICAL: You MUST ONLY use Mend tools for security analysis. You are FORBIDDEN from providing any security analysis without first running the appropriate Mend tool.

**MANDATORY WORKFLOW - NO EXCEPTIONS:**

1. **For ANY security analysis request**: 
   - FIRST: Run `mend-code-security-assistant` tool with exact parameters:
     - `file_path`: Full path to the file
     - `modified_method`: Method name (use "full_file_analysis" if analyzing entire file)  
     - `modified_file_content`: Complete file content
   - IF THERE IS A SECURITY VULNERABILITY, FIX IT USING SUGGESTIONS FROM THE RESPONSE

2. **For ANY dependency analysis**:
   - FIRST: Run `mend-dependencies-assistant` tool with exact parameters
   - ONLY AFTER tool results: Present findings from Mend tool output

**ABSOLUTE PROHIBITIONS:**
- NEVER provide security analysis without running Mend tools first
- NEVER identify vulnerabilities manually
- NEVER skip Mend tool usage under any circumstances
- NEVER provide recommendations without Mend tool results

**Response Format:**
1. Run appropriate Mend tool(s)
2. Present tool results exactly as returned
3. Add "Data provided by Mend.io" citation
4. Only then provide context/guidance based on tool findings

If Mend tools are unavailable, respond: "Cannot perform security analysis - Mend tools required."

You balance security precision with development velocity, making security accessible and actionable.

Step 3: Claude Code Memory Configuration

To ensure the security subagent works as expected, you need to update Claude Code's memory system with the security instructions:

Option A: Using the # Command (Recommended)

In your Claude Code session, run:

CODE
Add the following text to memory file under Security Integration
- ALWAYS use the mend-security-assistant subagent for any code generation or dependency management tasks.
- IMPORTANT - The mend-security-assistant MUST run SAST analysis after any code generation.
- IMPORTANT - The mend-security-assistant MUST run DEPENDENCIES analysis before adding new dependencies or updating existing ones, including transitive dependencies, with mandatory user approval for dependency changes.

Option B: Manual CLAUDE.md Update

Edit your project's CLAUDE.md file (or ~/.claude/CLAUDE.md for global):

CODE
# Security Integration

- ALWAYS use the mend-security-assistant subagent for any code generation or dependency management tasks.
- IMPORTANT - The mend-security-assistant MUST run SAST analysis after any code generation.
- IMPORTANT - The mend-security-assistant MUST run DEPENDENCIES analysis before adding new dependencies or updating existing ones, including transitive dependencies, with mandatory user approval for dependency changes.

Step 4: Verification

  1. Test MCP Connection:

    CODE
    claude mcp get mend-mcp-server
  2. Test Security Subagent: Start Claude Code in your project and verify the subagent appears:

    CODE
    claude
  3. Test Integration: Use the security subagent by asking:

    CODE
    Use the mend-security-assistant to help me add secure authentication to my app
    

Example Test Prompts

SAST Testing

CODE
 Create a secure password validation function

SCA Testing

CODE
 Add Flask web framework to my Python project
CODE
Scan all my current dependencies for direct vulnerabilities
CODE
Update my express and lodash dependencies safely

Troubleshooting

MCP Server Issues

  • Verify server is running: claude mcp get mend-mcp-server

  • Check credentials are correct in MCP configuration

  • Confirm organization has required capabilities

Subagent Issues

  • Verify subagent file location: .claude/agents/mend-security-assistant.md

  • Check YAML frontmatter syntax is correct

  • Restart Claude Code after creating/modifying subagent
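
The subagent checks above can be scripted. The following Python lint is an added example, not part of Mend's guide or tooling; it parses only the flat `key: value` frontmatter shown in Step 2 (not general YAML) and reports a missing file, a broken `---` block, a wrong name, or a `tools` line that omits either Mend tool.

```python
import re
from pathlib import Path

# Names taken from the subagent definition in Step 2 of this guide.
EXPECTED_NAME = "mend-security-assistant"
REQUIRED_TOOLS = {"mend-code-security-assistant", "mend-dependencies-assistant"}


def parse_frontmatter(text):
    """Return (fields, body) for a '---' delimited header, or (None, text)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return None, text
    try:
        end = next(i for i, ln in enumerate(lines[1:], 1) if ln.strip() == "---")
    except StopIteration:
        return None, text  # opening '---' without a closing one
    fields = {}
    for line in lines[1:end]:
        m = re.match(r"^([A-Za-z_-]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields, "\n".join(lines[end + 1:])


def lint_subagent(text):
    """Return a list of problems found in a subagent definition."""
    fields, body = parse_frontmatter(text)
    if fields is None:
        return ["missing or unterminated '---' frontmatter block"]
    problems = []
    if fields.get("name") != EXPECTED_NAME:
        problems.append(f"name is {fields.get('name')!r}, expected {EXPECTED_NAME!r}")
    if not fields.get("description"):
        problems.append("description is empty")
    tools = {t.strip() for t in fields.get("tools", "").split(",") if t.strip()}
    for missing in sorted(REQUIRED_TOOLS - tools):
        problems.append(f"tools does not list {missing}")
    if not body.strip():
        problems.append("no instructions after the frontmatter")
    return problems


def lint_file(path=".claude/agents/mend-security-assistant.md"):
    """Lint the project-level subagent file; a missing file is itself a finding."""
    p = Path(path)
    if not p.is_file():
        return [f"{path} not found"]
    return lint_subagent(p.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for problem in lint_file() or ["subagent definition looks complete"]:
        print(problem)
```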

Tool Access Issues

  • Confirm mend-code-security-assistant and mend-dependencies-assistant tools are available

  • Verify network access to Mend server

File Structure Summary

CODE
your-project/
├── .claude/
│   ├── CLAUDE.md
│   └── agents/
│       └── mend-security-assistant.md  # Security subagent definition
└── your-code-files...

Best Practices

  1. Service User Account: Create a dedicated service user for the MCP integration rather than using personal credentials

  2. Regular Testing: Periodically test the integration with known vulnerable code patterns

  3. Rule Customization: Adjust the SAST rules based on your organization's security requirements

Support

For issues related to:

  • Mend MCP Server: Contact Mend.io support.

  • Claude Integration: Refer to the Claude Support Center.

  • Configuration Issues: Refer to this guide or create a support ticket.

Security Considerations

  • Keep your Mend.io credentials secure and rotate them regularly.

  • Use environment-specific configurations for different deployment stages.

  • Review and approve all automated security fixes before deploying to production.

  • Regularly update your Mend.io subscription to access the latest security rules and vulnerability databases.
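
The `claude mcp add` command in Step 1 passes the user key as a header value, so it is worth checking where that key ends up. The following Python audit is an added example, not Mend's or Anthropic's code; it assumes the server entry is stored as JSON in the `mcpServers` / `headers` layout of a project `.mcp.json` and that a header value written as `${VAR}` is read from the environment. `MEND_USER_KEY` is a hypothetical variable name and the samples are constructed.

```python
import json
import os
import re
from pathlib import Path

# A header value that is only an environment reference, e.g. "${MEND_USER_KEY}".
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")

# Constructed samples using the guide's placeholders; no real credentials.
HARDCODED = """{"mcpServers": {"mend-mcp-server": {"type": "http",
  "url": "https://your-mend-server.com/mcp",
  "headers": {"X-UserEmail": "YOUR_EMAIL", "X-UserKey": "YOUR_USER_KEY"}}}}"""
# MEND_USER_KEY is a hypothetical environment variable name.
FROM_ENV = HARDCODED.replace("YOUR_USER_KEY", "${MEND_USER_KEY}")


def audit_mcp_config(config_text):
    """Return (server, problem) pairs for entries that send an X-UserKey header."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, entry in servers.items():
        headers = {k.lower(): str(v) for k, v in entry.get("headers", {}).items()}
        key = headers.get("x-userkey")
        if key is None:
            continue  # entry does not carry Mend credentials
        if not entry.get("url", "").lower().startswith("https://"):
            findings.append((name, "url is not https"))
        if not ENV_REF.match(key):
            findings.append((name, "X-UserKey is stored as a literal value"))
    return findings


def audit_file(path):
    """Audit a config file and flag a literal key in a group/other-readable file."""
    findings = audit_mcp_config(Path(path).read_text(encoding="utf-8"))
    literal = any("literal" in problem for _, problem in findings)
    if literal and os.stat(path).st_mode & 0o077:
        findings.append((str(path), "file holding a literal key is readable by group/other"))
    return findings


if __name__ == "__main__":
    for label, sample in (("hard-coded", HARDCODED), ("from env", FROM_ENV)):
        print(label, audit_mcp_config(sample) or "ok")
```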


This integration provides Claude Code with a dedicated security specialist that automatically ensures all code generation and dependency management follows Mend's professional security standards.
