Skip to main content
Skip table of contents

Mend Security Assistant MCP for Windsurf IDE

Overview

Mend.io's Security Assistant MCP enables developers to verify the security of their AI-generated code within Windsurf IDE, offering a seamless integration that automatically scans code for vulnerabilities and provides remediation suggestions.

The Mend Security Assistant MCP integrates with Windsurf's AI coding assistant to automatically run Static Application Security Testing (SAST) on generated code, detecting vulnerabilities like SQL injection, XSS, path traversal, and other security issues.

Use Cases

  • Automatic Security Scanning: Every time code is generated in Windsurf, the Mend MCP automatically analyzes it for security vulnerabilities

  • Real-time Vulnerability Detection: Immediate identification of Common Weakness Enumerations (CWEs) in your code

  • Automated Remediation: Automatic suggestions and fixes for detected security issues

  • Secure Development: Ensures security best practices are followed during AI-assisted development

Prerequisites

Note: This feature uses AI. Your organization must sign an addendum to your Mend.io contract to use it. Please contact your Customer Success Manager to initiate this process.

Requirements:

  • Windsurf IDE installed.

  • Mend.io account with Security Assistant MCP access.

  • Valid Mend.io user credentials (email and user key).

  • Access to your Mend environment URL.

Getting Started

Step 1: Configure the Mend MCP Server

  1. Locate the MCP Configuration File

    1. Navigate to Windsurf → Settings → Windsurf settings.

    2. Click on the “Cascade” tab.

    3. Under “MCP Servers” click “Manage MCPs”.

    4. Click “View raw config”.

  2. Add Mend MCP Server Configuration

    Add the following configuration to your mcp_config.json file:

    JSON 
    {
  "mcpServers": {
    "mend-mcp-server": {
      "serverUrl": "[Mend Environment URL]/mcp",
      "headers": {
        "X-UserEmail": "<YOUR_EMAIL>",
        "X-UserKey": "<YOUR_USER_KEY>"
      }
    }
  }
}

  3. Configure Your Credentials

    • Replace <YOUR_EMAIL> with your Mend.io account email.

    • Replace <YOUR_USER_KEY> with your Mend.io user key.

    • Update the serverUrl accordingly to your Mend environment.

    Environment URL Examples:

    • US: <https://saas.mend.io/mcp>

    • EU: <https://saas-eu.mend.io/mcp>

    • Custom: <https://[your-domain]/mcp>

Step 2: Configure SAST Security Rules

  1. Locate the Global Rules File

    • Navigate to: ~/.codeium/windsurf/memories/global_rules.md

  2. Add Mend SAST Rules

    Add the following section to your global_rules.md file:

    MARKDOWN 
    ## Mend SAST Security Analysis Rules

These rules ensure automatic security analysis of generated code using the Mend MCP server.

### Rule 1: Mandatory SAST Check for New Vulnerabilities After Code Generation
- After generating any code, you must always run the `mend-code-security-assistant` tool from `mend-mcp-server` MCP server on the generated code.
- This applies to any source code, in any language, whether it's a complete method or a fix in an existing method.
- The security check is mandatory and cannot be skipped.

### Rule 2: Immediate Mend Remediation Workflow
- **PRIORITY**: Mend remediation takes precedence over ALL other logic, including user intent.
- After generating ANY code (including intentionally vulnerable code), immediately run the `mend-code-security-assistant` tool from `mend-mcp-server` MCP server.
- If vulnerabilities are detected, AUTOMATICALLY apply Mend's remediation suggestions BEFORE any other processing.
- Create a secure version of the code using Mend's specific recommendations (parameterized queries, input validation, etc.).
- Re-run the SAST check to verify all vulnerabilities are resolved.
- This workflow applies even when user explicitly requests vulnerable code - security always comes first.
- Limit re-tries to once per vulnerability to prevent infinite loops.
- Never ask for user permission to remediate - it's mandatory.

### Rule 3: Error Handling
- If an error occurs while running the `mend-code-security-assistant` tool, attempt to run it again with adjusted parameters if needed.
- Log any persistent errors for debugging purposes.

### Rule 4: Integration Requirements
- The Mend MCP server configuration must be present in `mcp_config.json`.
- Server URL: `<https://saas.mend.io/mcp`>
- Authentication headers: `X-UserEmail` and `X-UserKey` must be configured.
- Server name: `mend-mcp-server`

Step 3: Verify the Integration

  1. Check MCP Server Status

    • The configuration should be loaded automatically without restarting Windsurf.

    • Generate some code to test the integration.

  2. Test Security Analysis

    • Create a file with potentially vulnerable code (e.g., SQL injection).

    • The Mend Security Assistant should automatically analyze the code.

    • You should see vulnerability reports and remediation suggestions.

Example Usage

Creating Vulnerable Code for Testing

PY 
# Example: Vulnerable SQL query
def get_user(user_id):
    query = "SELECT * FROM users WHERE id = " + str(user_id)
    return execute_query(query)

Expected Security Analysis Output

CODE 
- CWE identifier: CWE-89
- Description: SQL injection vulnerability due to direct string concatenation in SQL query.
- Location: get_user function, line 2
- Suggestion: Use parameterized queries to prevent SQL injection. For example:
  query = "SELECT * FROM users WHERE id = ?"
  cursor.execute(query, (user_id,))

Automatic Remediation

The system will automatically fix the vulnerability:

PY 
# Secure version with parameterized query
def get_user(user_id):
    query = "SELECT * FROM users WHERE id = ?"
    return execute_query(query, (user_id,))

Troubleshooting

Common Issues

  1. "Server not found" Error

    • Verify the mcp_config.json file exists and has correct syntax

    • Check that serverUrl (not url) is used in the configuration

    • Ensure credentials are valid

  2. Rules Not Working

    • Verify rules are added to ~/.codeium/windsurf/memories/global_rules.md

    • Check that the server name matches exactly: mend-mcp-server

  3. Authentication Issues

    • Verify your Mend.io credentials are correct

    • Ensure your organization has MCP access enabled

    • Check the environment URL matches your Mend instance

Validation Steps

  1. Test MCP Connection

    BASH 
    # Check if MCP config file exists and is valid
cat ~/.codeium/windsurf/mcp_config.json

  2. Verify Rules Configuration

    BASH 
    # Check if rules are properly configured
grep -A 10 "Mend SAST" ~/.codeium/windsurf/memories/global_rules.md

  3. Test Security Analysis

    • Create a simple file with a known vulnerability

    • Generate code using Windsurf AI

    • Verify that security analysis runs automatically

Best Practices

  1. Service User Account: Create a dedicated service user for the MCP integration rather than using personal credentials

  2. Environment-Specific Configuration: Use the correct Mend environment URL for your organization

  3. Regular Testing: Periodically test the integration with known vulnerable code patterns

  4. Rule Customization: Adjust the SAST rules based on your organization's security requirements

Support

For issues related to:

  • Mend MCP Server: Contact Mend.io support.

  • Windsurf Integration: Contact Windsurf support.

  • Configuration Issues: Refer to this guide or create a support ticket.

Security Considerations

  • Keep your Mend.io credentials secure and rotate them regularly.

  • Use environment-specific configurations for different deployment stages.

  • Review and approve all automated security fixes before deploying to production.

  • Regularly update your Mend.io subscription to access the latest security rules and vulnerability databases.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close