Mend Security Assistant MCP for Cursor IDE
Overview
Mend.io's Security Assistant MCP enables developers to verify the security of their AI-generated code within Cursor IDE, offering a seamless integration that automatically scans code for vulnerabilities and provides remediation suggestions.
The Mend Security Assistant MCP integrates with Cursor’s AI coding assistant to automatically run Static Application Security Testing (SAST) on generated code, detecting vulnerabilities like SQL injection, XSS, path traversal, and other security issues.
Use Cases
Automatic Security Scanning: Every time code is generated in Cursor, the Mend MCP automatically analyzes it for security vulnerabilities
Real-time Vulnerability Detection: Immediate identification of Common Weakness Enumerations (CWEs) in your code
Automated Remediation: Automatic suggestions and fixes for detected security issues
Secure Development: Ensures security best practices are followed during AI-assisted development
Prerequisites
Note: This feature uses AI. Your organization must sign an addendum to your Mend.io contract to use it. Please contact your Customer Success Manager to initiate this process.
Requirements:
Cursor IDE installed.
Mend.io account with Security Assistant MCP access.
Valid Mend.io user credentials (email and user key).
Access to your Mend environment URL.
Getting Started
As a first step, make sure you have an application to run security checks on (the application in our example is “vulnerable.js”):

Demo JavaScript project in Cursor
Then, configure the Mend MCP in your IDE as described in Step 1 below. Make sure to specify the correct Mend environment URL.
Step 1 - Configure the Mend.io MCP using mcp.json
Within Cursor:
Click on “Cursor” or the cogwheel in the top menu.
Select “Settings…” and then “Cursor Settings” from the drop-down menu.
In the new window, open the “Tools & Integrations” tab.
Click on the “New MCP Server” button.
Cursor will open the mcp.json file.
Add the following code to it and make sure to specify the correct Mend environment URL:
{
  "mcpServers": {
    "mend-mcp-server": {
      "headers": {
        "X-UserEmail": "<EMAIL>",
        "X-UserKey": "<USER_KEY>"
      },
      "url": "[Mend Environment URL]/mcp"
    }
  }
}
Note:
Mend Environment URL example: https://saas.mend.io
This will translate into the following “url” line in the mcp.json file:
"url": "https://saas.mend.io/mcp"
It is recommended to create and specify a service user for this integration.
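A leftover placeholder or a plain-http URL in mcp.json is easy to miss, and the two headers above carry the user's credentials on every request. The following added example (not Mend's or Cursor's own tooling) reads a parsed mcp.json object and reports the problems a practitioner would want caught before the server is enabled: unfilled `<EMAIL>` / `<USER_KEY>` / `[Mend Environment URL]` placeholders, a non-https URL, and a path that is not `/mcp`. The sample configurations, the service-user email and the user key value are constructed for the example.

```javascript
// Added example: sanity-check a Cursor mcp.json entry for the Mend MCP server.
// Not Mend's own code; the checks mirror the notes in the page (https
// environment URL, "/mcp" suffix, placeholders replaced).

// Derive the "url" value from a Mend environment URL, tolerating a trailing slash.
function buildMendMcpUrl(environmentUrl) {
  return environmentUrl.replace(/\/+$/, "") + "/mcp";
}

// Return a list of human-readable problems; an empty list means the entry is usable.
function validateMendMcpConfig(config, serverName = "mend-mcp-server") {
  const problems = [];
  const server = config && config.mcpServers && config.mcpServers[serverName];
  if (!server) return [`mcpServers.${serverName} is missing`];

  // Both credential headers must be present and no longer the template placeholders.
  const headers = server.headers || {};
  for (const key of ["X-UserEmail", "X-UserKey"]) {
    const value = headers[key];
    if (typeof value !== "string" || value.trim() === "") {
      problems.push(`${key} header is missing`);
    } else if (/^<.*>$/.test(value)) {
      problems.push(`${key} still contains the placeholder ${value}`);
    }
  }

  // The endpoint must be the https environment URL with the "/mcp" path.
  const url = server.url;
  if (typeof url !== "string") {
    problems.push("url is missing");
  } else if (url.includes("[")) {
    problems.push("url still contains the [Mend Environment URL] placeholder");
  } else {
    let parsed = null;
    try {
      parsed = new URL(url);
    } catch (e) {
      problems.push("url is not a valid URL");
    }
    if (parsed) {
      if (parsed.protocol !== "https:") {
        problems.push("url must use https so the credential headers are not sent in clear text");
      }
      if (parsed.pathname !== "/mcp") {
        problems.push('url path must be "/mcp"');
      }
    }
  }
  return problems;
}

// Constructed sample: the template as pasted from the docs, placeholders untouched.
const TEMPLATE_CONFIG = {
  mcpServers: {
    "mend-mcp-server": {
      headers: { "X-UserEmail": "<EMAIL>", "X-UserKey": "<USER_KEY>" },
      url: "[Mend Environment URL]/mcp",
    },
  },
};

// Constructed sample: a filled-in entry for a dedicated service user
// (email and key values are made up for this example).
const READY_CONFIG = {
  mcpServers: {
    "mend-mcp-server": {
      headers: { "X-UserEmail": "sast-bot@example.com", "X-UserKey": "example-user-key" },
      url: buildMendMcpUrl("https://saas.mend.io/"),
    },
  },
};

// Usage: print problems for the template, then confirm the filled-in entry is clean.
console.log(validateMendMcpConfig(TEMPLATE_CONFIG));
console.log(validateMendMcpConfig(READY_CONFIG)); // []
```

To check a real file, replace the constructed objects with `JSON.parse(fs.readFileSync(".cursor/mcp.json", "utf8"))`; the check reads the credentials but never prints them.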
At this point, the configured Mend.io MCP server will show up in your Cursor Settings:

Note: Cursor will automatically detect the sast-code-analysis tool, which is the tool that runs the security checks on your AI-generated code.
Step 2 - Configure Rules using sast.mdc
In order to automatically run SAST security checks after code is generated in Cursor AI, project rules need to be configured.
Within Cursor:
Click on “Cursor” in the top menu.
Select “Settings…” and then “Cursor Settings” from the drop-down menu.
In the new window, open the “Rules” tab.
Within the “Project Rules” section, click on “Add Rule”.
Provide the name of the rules file, for example “sast”.
Copy and paste the rules from the section below.
Make sure that the Rule Type is set to “Always”.
“Project Rules” apply only within the workspace where they are created. If you want to perform security checks across all projects, use “User Rules” instead of “Project Rules”.

Rule Example
In this example, we’re instructing the tool to run twice (before and after a code change), achieving the goal of running iteratively until the code is secure.
### SAST Security Analysis Rules
1. **Mandatory SAST Check for New Vulnerabilities After Code Generation**
- After generating any code, you must always run the mend-code-security-assistant tool from mend-mcp-server MCP server on the generated code. This is true for any source code, in any language, whether it is a complete method or even a fix in an existing method.
2. **Analyze and Apply Results**
- Carefully review the results provided by the mend-code-security-assistant tool from mend-mcp-server MCP server.
- If the mend-code-security-assistant tool from mend-mcp-server MCP server responds with vulnerability information, adjust the code to remediate this vulnerability and re-try.
- Do not ask the user if she wants to proceed with a safer alternative, just create a safer alternative and retry.
- Do not re-try more than once.
3. **Error Handling**
- If an error occurs while running the mend-code-security-assistant tool from mend-mcp-server MCP server, attempt to run it again with adjusted parameters as needed.
Step 3 - Run Security Checks on your Application
At this stage, you use the Cursor AI chat to continue developing your application.
Please make sure that the “Agent” and not the default “Ask” mode is selected.

For example:
“Add a new endpoint to vulnerable.js that accepts a string and logs it to the console”.

The sast-code-analysis tool will run on the application to detect CWEs and sanitize them.

First Run - Detection of CWE-117

Sanitization of CWE-117 by Cursor AI

Second Run - After Sanitization of CWE-117
Step 4 - Optionally enable Auto-Run Mode
By default, each run of any MCP tool must be confirmed manually by the user. If you prefer to run the Mend SAST Code Analysis automatically without manual confirmation, you can enable the Auto-Run Mode.
Within Cursor:
Click on “Cursor” or the cogwheel in the top menu.
Select “Settings…” and then “Cursor Settings” from the drop-down menu.
In the new window, open the “Chat” tab.
Scroll down to the “Auto-Run” section.
Enable the “Auto-Run Mode” toggle.