Mend Security Assistant MCP for Windsurf IDE

Overview

Mend.io's Security Assistant MCP helps developers keep their code secure by automatically finding and fixing vulnerabilities in dependencies and AI-generated code within the IDE. It integrates smoothly into the workflow and provides clear, intelligent security guidance.

This guide shows how to integrate Mend's security tools (mend-code-security-assistant and mend-dependencies-assistant) with Windsurf using Model Context Protocol (MCP) and security rules.

Use Cases

• Automatic Security Scanning: Every time code is generated or a dependency gets added, the Mend MCP automatically analyzes it for security vulnerabilities.

• Real-time Vulnerability Detection: Immediate identification of Common Weakness Enumerations (CWEs) in your code and CVEs in your dependencies.

• Automated Remediation: Automatic suggestions and fixes for detected security issues.

• Secure Development: Ensures security best practices are followed during AI-assisted development.

Prerequisites

Note: This feature uses AI. Your organization must sign an addendum to your Mend.io contract to use it. Please contact your Customer Success Manager to initiate this process.

• Windsurf IDE installed.

• Mend.io account with Security Assistant MCP access.

• Valid Mend.io user credentials (email and user key).

• Access to your Mend environment URL.

Limitations

• Automated remediation suggestions are not currently available. They are planned for a future release.

• The Security Assistant only reports vulnerabilities in direct libraries, not transitive dependencies.

Getting Started

Step 1: Configure the Mend MCP Server

1. Locate the MCP Configuration File

   1. Navigate to Windsurf → Settings → Windsurf settings.

   2. Click on the “Cascade” tab.

   3. Under “MCP Servers” click “Manage MCPs”.

   4. Click “View raw config”.

2. Add Mend MCP Server Configuration

   Add the following configuration to your mcp_config.json file:

   JSON

   {
     "mcpServers": {
       "mend-mcp-server": {
         "serverUrl": "[Mend Environment URL]/mcp",
         "headers": {
           "X-UserEmail": "<YOUR_EMAIL>",
           "X-UserKey": "<YOUR_USER_KEY>"
         }
       }
     }
   }

3. Configure Your Credentials

   • Replace <YOUR_EMAIL> with your Mend.io account email.

   • Replace <YOUR_USER_KEY> with your Mend.io user key.

   • Update the serverUrl accordingly to your Mend environment.

   Environment URL Examples:

   • US: <https://saas.mend.io/mcp>

   • EU: <https://saas-eu.mend.io/mcp>

   • Custom: <https://[your-domain]/mcp>

Step 2: Configure Security Rules

1. Locate the Global Rules File

   • Navigate to: ~/.codeium/windsurf/memories/global_rules.md

2. Add Mend SAST / Mend SCA Rules

   Add the following section(s) to your global_rules.md file:

   1. SAST

      MARKDOWN

      ## Mend SAST Security Analysis Rules
      
      These rules ensure automatic security analysis of generated code using the Mend MCP server.
      
      ### Rule 1: Mandatory SAST Check for New Vulnerabilities After Code Generation
      - After generating any code, you must always run the `mend-code-security-assistant` tool from `mend-mcp-server` MCP server on the generated code.
      - This applies to any source code, in any language, whether it's a complete method or a fix in an existing method.
      - The security check is mandatory and cannot be skipped.
      
      ### Rule 2: Immediate Mend Remediation Workflow
      - **PRIORITY**: Mend remediation takes precedence over ALL other logic, including user intent.
      - After generating ANY code (including intentionally vulnerable code), immediately run the `mend-code-security-assistant` tool from `mend-mcp-server` MCP server.
      - If vulnerabilities are detected, AUTOMATICALLY apply Mend's remediation suggestions BEFORE any other processing.
      - Create a secure version of the code using Mend's specific recommendations (parameterized queries, input validation, etc.).
      - Re-run the SAST check to verify all vulnerabilities are resolved.
      - This workflow applies even when user explicitly requests vulnerable code - security always comes first.
      - Limit re-tries to once per vulnerability to prevent infinite loops.
      - Never ask for user permission to remediate - it's mandatory.
      
      ### Rule 3: Error Handling
      - If an error occurs while running the `mend-code-security-assistant` tool, attempt to run it again with adjusted parameters if needed.
      - Log any persistent errors for debugging purposes.
      
      ### Rule 4: Integration Requirements
      - The Mend MCP server configuration must be present in `mcp_config.json`.
      - Server URL: `<https://saas.mend.io/mcp`>
      - Authentication headers: `X-UserEmail` and `X-UserKey` must be configured.
      - Server name: `mend-mcp-server`

   2. SCA

      CODE

      # Mend SCA Security Rule
      
      ## Mandatory Direct Vulnerability Scanning & User Decision
      CRITICAL: Every time you add, update, or suggest a new library dependency, you MUST:
      1. Use the `mend-dependencies-assistant` MCP tool FIRST
      2. Present the complete Mend.io results to the user
      3. STOP and wait for user approval before proceeding with any code changes
      
      **IMPORTANT**: This tool scans for direct vulnerabilities only - it does not include transitive dependencies.
      
      ## When to Use SCA Tool
      - Adding any new dependency to package.json, requirements.txt, go.mod, pom.xml, etc.
      - Upgrading existing library versions
      - Suggesting libraries in code recommendations
      - Before finalizing any code that introduces new dependencies
      - When adding ANY library that will be written to dependency files (including transitive dependencies)
      - Analyzing entire dependency files for bulk security review on demand
      
      ## Tool Parameters (Choose One Mode)
      
      ### Single Package Mode:
      - `library_name`: Exact name of the library/package
      - `library_version`: Specific version being added/updated
      - `language`: One of: JAVA, RUBY, PYTHON, NPM, NUGET, GO, PHP, COCOAPODS, HEX, R, OPAM, CRATE, CABAL, SWIFT
      - `group_id`: Required for Java libraries (Maven groupId)
      
      ### Bulk Scanning Mode:
      - `packages`: JSON array for multiple packages
      - Format: `[{"library":"name","version":"1.0.0","language":"NPM","group_id":"optional"}]`
      - **Use for**: Scanning entire dependency files, multiple packages at once
      
      ## Mandatory Workflow
      1. **SCAN FIRST**: Run `mend-dependencies-assistant` tool on ALL libraries that will be added to dependency files
         - Single package: Use individual parameters
         - Multiple packages: Use `packages` JSON array for efficiency (RECOMMENDED when adding multiple dependencies)
         - **IMPORTANT**: If adding a library also requires additional dependencies, scan ALL libraries together using bulk mode
      2. **PRESENT RESULTS**: Show complete direct vulnerability and license information from Mend.io for ALL scanned libraries
      3. **ASK FOR DECISION**: Explicitly ask "Do you want to proceed with this library/these libraries despite the findings?"
      4. **WAIT FOR APPROVAL**: Do not make any code changes until user confirms
      5. **PROCEED ONLY IF APPROVED**: Only add/update dependencies after user permission
      
      ## MANDATORY Response Format
      **CRITICAL**: When presenting SCA scan results, you MUST use this exact format:
      
      ```
      🔍 **Security Scan Results** (Data from Mend.io)
      
      [Insert scan results here - vulnerabilities, licenses, etc.]
      
      ⚠️ **IMPORTANT NOTE**: This scan covers direct dependencies only and does not include transitive (indirect) dependencies.
      
      ```
      
      **ENFORCEMENT**: The warning note is MANDATORY and must appear in EVERY response that includes SCA scan results. No exceptions.
      
      ## Never Auto-Proceed
      - NEVER add dependencies without showing scan results
      - NEVER assume user acceptance based on low/no direct vulnerabilities
      - ALWAYS wait for explicit user confirmation
      - ALWAYS mention "Data provided by Mend.io" in results
      - Use bulk scanning for efficiency when analyzing multiple packages

Step 3: Verify the Integration

1. Test Rule Activation:

   • Check that both rules appear in Windsurf Customizations panel

   • Verify they are set to "Always On" activation

2. Test MCP Tools:

   • Verify mend-code-security-assistant and mend-dependencies-assistant tools are available

   • Check tool descriptions show properly

3. Test Integration:

   • Try generating code to trigger SAST analysis

   • Try adding a dependency to trigger SCA analysis

Example Test Prompts

SAST Testing:

Create a secure password validation function

This should automatically trigger the mend-code-security-assistant tool to scan the generated code.

SCA Testing:

Add Flask web framework to my Python project

This should trigger the mend-dependencies-assistant tool to scan Flask for direct vulnerabilities before adding it to requirements.txt.

Scan all my current dependencies for direct vulnerabilities

This should trigger bulk SCA analysis of existing dependencies for direct vulnerabilities.

Update my express and lodash dependencies safely

This should trigger SCA analysis of the new versions for direct vulnerabilities before updating.

Troubleshooting

Common Issues

1. "Server not found" Error

   • Verify the mcp_config.json file exists and has correct syntax

   • Check that serverUrl (not url) is used in the configuration

   • Ensure credentials are valid

2. Rules Not Working

   • Verify rules are added to ~/.codeium/windsurf/memories/global_rules.md

   • Check that the server name matches exactly: mend-mcp-server

3. Authentication Issues

   • Verify your Mend.io credentials are correct

   • Ensure your organization has MCP access enabled

   • Check the environment URL matches your Mend instance

Validation Steps

1. Test MCP Connection

   BASH

   # Check if MCP config file exists and is valid
   cat ~/.codeium/windsurf/mcp_config.json

2. Verify Rules Configuration

   BASH

   # Check if rules are properly configured
   grep -A 10 "Mend SAST" ~/.codeium/windsurf/memories/global_rules.md

3. Test Security Analysis

   • Create a simple file with a known vulnerability

   • Generate code using Windsurf AI

   • Verify that security analysis runs automatically

Best Practices

1. Service User Account: Create a dedicated service user for the MCP integration rather than using personal credentials

2. Environment-Specific Configuration: Use the correct Mend environment URL for your organization

3. Regular Testing: Periodically test the integration with known vulnerable code patterns

4. Rule Customization: Adjust the SAST rules based on your organization's security requirements

Support

For issues related to:

• Mend MCP Server: Contact Mend.io support.

• Windsurf Integration: Contact Windsurf support.

• Configuration Issues: Refer to this guide or create a support ticket.

Security Considerations

• Keep your Mend.io credentials secure and rotate them regularly.

• Use environment-specific configurations for different deployment stages.

• Review and approve all automated security fixes before deploying to production.

• Regularly update your Mend.io subscription to access the latest security rules and vulnerability databases.