Mend Security Assistant MCP for VS Code Copilot

Overview

Mend.io's Security Assistant MCP helps developers keep their code secure by automatically finding and fixing vulnerabilities in dependencies and AI-generated code within the IDE. It integrates smoothly into the workflow and provides clear, intelligent security guidance.

This guide shows how to integrate Mend's security tools (mend-code-security-assistant and mend-dependencies-assistant) with VS Code Copilot using Model Context Protocol (MCP) and custom .instructions.md files.

Use Cases

• Automatic Security Scanning: Every time code is generated or a dependency gets added, the Mend MCP automatically analyzes it for security vulnerabilities.

• Real-time Vulnerability Detection: Immediate identification of Common Weakness Enumerations (CWEs) in your code and CVEs in your dependencies.

• Automated Remediation: Automatic suggestions and fixes for detected security issues.

• Secure Development: Ensures security best practices are followed during AI-assisted development.

Prerequisites

Note: This feature uses AI. Your organization must sign an addendum to your Mend.io contract to use it. Please contact your Customer Success Manager to initiate this process.

• VS Code 1.99+ with GitHub Copilot

• Mend.io account with Security Assistant MCP access.

• Valid Mend.io user credentials (email and user key).

• Access to your Mend environment URL.

Limitations

• Automated remediation suggestions are not currently available. They are planned for a future release.

• The Security Assistant only reports vulnerabilities in direct libraries, not transitive dependencies.

Step 1: MCP Server Setup

Quick Installation Command

Replace YOUR_USERKEY and YOUR_EMAIL with your actual Mend credentials:

code --add-mcp '{"name":"mend-mcp-server","type":"http","url":"http://localhost:8998/mcp","inputs":[{"type":"promptString","id":"userkey","description":"Mend User Key","password":true},{"type":"promptString","id":"useremail","description":"Mend User Email"}],"headers":{"X-UserKey":"${input:userkey}","X-UserEmail":"${input:useremail}"}}'

Production Server Installation

For production Mend server deployment:

code --add-mcp '{"name":"mend-dependencies-assistant","type":"http","url":"https://your-mend-server.com/mcp","inputs":[{"type":"promptString","id":"userkey","description":"Mend User Key","password":true},{"type":"promptString","id":"useremail","description":"Mend User Email"}],"headers":{"X-UserKey":"${input:userkey}","X-UserEmail":"${input:useremail}"}}'

• Replace your-mend-server.com with your Mend.io server URL (e.g., saas.mend.io)

Verification

1. Restart VS Code after running the command

2. Open Copilot Chat (Ctrl+Alt+I)

3. Switch to Agent mode

4. Verify tool availability: Look for "mend-dependencies-assistant" in tools panel

5. Input credentials when prompted (first use only)

Step 2: Create Security Instructions Files

Method 1: Using VS Code UI

1. Open Chat view in VS Code

2. Select Configure Chat > Instructions

3. Select "New instruction file"

4. Choose location: Workspace (.github/instructions/) or User profile

5. Enter filename (e.g., security-sast.instructions.md)

6. Author the instructions using the templates below

Method 2: Manual File Creation

Create files directly in .github/instructions/ folder of your workspace.

Step 3: Security Instructions Templates

SAST Security Instructions

File: .github/instructions/security-sast.instructions.md

---
description: "SAST security scanning for code generation"
applyTo: "**/*.{js,ts,py,java,go,php,rb,cs,cpp,c,jsx,tsx}"
---

# SAST Security Analysis Rules

## Mandatory Security Scanning
- **ALWAYS** use `mend-code-security-assistant` tool to scan code before providing implementation
- **NEVER** generate code without security analysis when handling:
  - Authentication & authorization systems
  - Input validation & sanitization
  - Cryptography & password hashing
  - Database queries & API calls
  - File operations & system commands
  - Network communications & HTTP requests

## Security Implementation Standards
- Follow secure coding practices for the target language
- Implement proper input validation and output encoding
- Use parameterized queries for database operations
- Avoid hardcoded credentials or sensitive data in code
- Implement proper error handling without information disclosure
- Use established security libraries instead of custom implementations

## Security Verification Process
1. Generate secure code implementation following best practices
2. Use `mend-code-security-assistant` to scan for vulnerabilities
3. Address any security findings before presenting final code
4. Document security considerations in code comments
5. Explain security measures taken in response

## Response Format Requirements
When security issues are found:
- Explain the vulnerability type, severity, and potential impact
- Provide secure alternative implementation
- Include detailed code comments explaining security measures
- Reference relevant security standards (OWASP, CWE, etc.)

SCA Dependency Instructions

File: .github/instructions/security-dependencies.instructions.md

---
description: "SCA vulnerability scanning for dependency management"
applyTo: "**/*.{json,txt,yml,yaml,gradle,xml,lock,toml}"
---

# SCA Dependency Security Rules

## Mandatory Dependency Scanning
- **ALWAYS** use `mend-dependencies-assistant` tool before recommending dependencies
- **NEVER** suggest adding libraries without vulnerability analysis
- **VERIFY** all dependency versions for direct security vulnerabilities
- **SCAN** existing dependencies when updating or auditing projects

## Dependency Management Standards
- Prioritize well-maintained libraries with active security updates
- Use specific versions instead of version ranges when possible
- Document the purpose and necessity of each dependency
- Suggest security-focused alternatives when vulnerabilities are found
- Consider licensing implications alongside security findings

## Vulnerability Response Process
1. **Before adding dependencies**: Scan proposed packages using `mend-dependencies-assistant`
2. **If vulnerabilities found**:
   - Report vulnerability details (CVE ID, severity, description)
   - Suggest secure alternative libraries or updated versions
   - Provide clear upgrade path if newer secure version exists
   - Explain the risk if no alternatives available
3. **For bulk scanning**: Analyze all dependencies in package files
4. **Document findings**: Include vulnerability summary in response

## Tool Usage Guidelines
- **Java packages**: Always include `groupId` parameter
- **Bulk scanning format**: `[{"library":"name","version":"1.0.0","language":"LANG","groupId":"optional"}]`
- **Supported languages**: JAVA, RUBY, PYTHON, NPM, NUGET, GO, PHP, COCOAPODS, HEX, R, OPAM, CRATE, CABAL, SWIFT
- **Focus**: Direct vulnerabilities (not transitive dependencies)

## Response Format Requirements
When vulnerabilities are discovered:
- List vulnerable packages with CVE IDs and severity levels
- Provide specific remediation steps and commands
- Suggest secure alternatives with clear justification
- Include package manager upgrade commands
- Summarize overall security posture of dependencies

Step 4: Testing and Verification

Test Security Instructions

1. Test SAST Integration:

   CODE

   Create a secure user authentication system with password validation
   

   Should trigger mend-code-security-assistant due to authentication context.

2. Test SCA Integration:

   CODE

   Add the express framework to my Node.js project
   

   Should trigger mend-dependencies-assistant due to dependency file context.

3. Test Combined Workflow:

   CODE

   Build a secure file upload API endpoint with proper validation
   

   Should trigger both security tools for comprehensive analysis.

Step 5: Management and Updates

View Instructions Files

• Command Palette: Chat: Configure Instructions

• Chat View: Configure Chat > Instructions

• File Explorer: Navigate to .github/instructions/

Modify Instructions

1. Open existing .instructions.md file

2. Edit content using Markdown format

3. Update applyTo patterns as needed

4. Save changes (takes effect immediately)

Remove Instructions

• Delete the .instructions.md file from .github/instructions/

• Or use VS Code UI to remove through Chat configuration

Troubleshooting

MCP Connection Issues

• Run MCP: List Servers from Command Palette to verify server registration

• Check VS Code Output panel → "MCP" for connection errors

• Verify server URL accessibility

Instructions Not Applied

• Check file location: .github/instructions/ for workspace instructions

• Verify YAML frontmatter syntax and applyTo patterns

• Use Chat: Configure Instructions to validate file recognition

• Test with simple prompts matching applyTo patterns

Authentication Issues

• Verify Mend User Key and Email credentials

• Check organization capabilities in Mend platform

• Test MCP server connectivity manually

Best Practices

1. Service User Account: Create a dedicated service user for the MCP integration rather than using personal credentials

2. Environment-Specific Configuration: Use the correct Mend environment URL for your organization

3. Regular Testing: Periodically test the integration with known vulnerable code patterns

4. Rule Customization: Adjust the SAST rules based on your organization's security requirements

Support

For issues related to:

• Mend MCP Server: Contact Mend.io support.

• VS Code Integration: Contact Microsoft support.

• Configuration Issues: Refer to this guide or create a support ticket.

Security Considerations

• Keep your Mend.io credentials secure and rotate them regularly.

• Use environment-specific configurations for different deployment stages.

• Review and approve all automated security fixes before deploying to production.

• Regularly update your Mend.io subscription to access the latest security rules and vulnerability databases.

This integration ensures VS Code Copilot automatically follows enterprise security standards using Mend's comprehensive security analysis tools through targeted instruction files.