
Scan from your IDE

Use Endor Labs to assess risk as you write code.


Endor Labs lets developers find and fix dependency and code issues where they originate: in the editor, during the earliest stages of development. Running a security review at that point avoids the much more expensive fixes that are needed once the code has shipped, and shortens the path to building and delivering secure applications.

  • Endor Labs Visual Studio Code extension: A plug-in for Visual Studio Code, installed from the Visual Studio Code marketplace, that scans open-source dependencies for vulnerabilities as you work.
  • Endor Labs MCP server: An MCP (Model Context Protocol) server that exposes Endor Labs capabilities to the AI assistant in your IDE. Run it during development so that the assistant can scan your code, including code it generates itself, and surface vulnerabilities before you commit.

Endor Labs Visual Studio Code extension

The Endor Labs extension for Visual Studio Code scans the repositories you open and highlights issues in their open-source dependencies. The extension authenticates to Endor Labs with API credentials.

Prerequisites

The following prerequisites must be fulfilled to use the Endor Labs VS Code extension:

  • Visual Studio Code version 1.71 or later.
  • The extension reads manifest files to build the dependency list and displays the results in both the manifest files and the source code files. The following table lists the supported languages, manifest files, and source file extensions:

    Language     Manifest file       Source code files
    JavaScript   package.json        .js, .ts, .jsx, .tsx, .mjs, .cjs
    Python       requirements.txt    .py
    Go           go.mod              .go
  • Generate Endor Labs API keys and have them handy; you enter the key and secret in the extension settings. See Managing API Keys for details.

Install the Endor Labs extension

Developers install the extension from the Visual Studio Code marketplace and configure it with Endor Labs API keys.

  1. Launch Visual Studio Code and click Extensions.
  2. Search for Endor Labs using the search bar and click Install. See the Visual Studio Code extension documentation for details on managing extensions.
  3. Select the Endor Labs extension, click Settings, and choose Extension Settings.
  4. Enter the API Key and API Secret of the Endor Labs application.

View scan results

The Endor Labs Visual Studio Code extension reads all the manifest files in your project and fetches the list of dependencies.

  • Hover over a dependency to view the package version, released date, findings, and Endor Labs scores in a pop-up.
  • For effective prioritization, issues with dependencies are classified into four severity levels: Critical, High, Medium, and Low.
  • Click a specific version to view the same results in the Endor Labs user interface.
  • The dependencies are color-coded in the following ways:
    • Red underline - Has critical findings and is also on an outdated version
    • Orange underline - Has critical findings and is on the latest version
    • Yellow underline - Has no critical findings but is an outdated version
    • No Underline - Has no critical findings and is on the latest version
  • Use Update to latest version to update the package to its latest version.

Endor Labs MCP server

Alpha

MCP (Model Context Protocol) is an open standard that defines a consistent way for applications to share relevant context and information with Large Language Models (LLMs). MCP servers expose specific capabilities through the standardized Model Context Protocol. For more information on MCP, refer to the MCP documentation.

The Endor Labs MCP server fits into your development workflow and scans your code as you write it, so you catch issues long before they reach production. Because it plugs directly into your IDE, it tightens the feedback loop for both human-written and AI-generated code, which can be checked from the start. You get real-time insights and automated fixes in your editor while you build, instead of a last-minute security scramble before release.

Tools in the Endor Labs MCP server

The Endor Labs MCP server provides the following tools:

  • check_dependency_for_vulnerabilities: Check if the dependencies in your project are vulnerable.
  • get_endor_vulnerability: Get the details of a specific vulnerability from the Endor Labs vulnerability database.
  • get_resource: Add additional context from commonly used Endor Labs resources about your software such as findings, vulnerabilities, and projects.
  • scan: Run an Endor Labs security scan to detect risks in your open source dependencies, find common security issues, and spot any credentials accidentally exposed in your Git repo.

After you set up the MCP server, you can choose to disable the tools that you do not want to use.

Prerequisites to run the Endor Labs MCP server

Before running the Endor Labs MCP server, ensure that you install the latest version of endorctl and authenticate to Endor Labs.

If you wish to run SAST scans, ensure that you install Semgrep in your local system. See Download and install Semgrep to learn how you can download and install the specific version of Semgrep that is compatible with Endor Labs.

Configure the MCP server in Cursor

Complete the following tasks to configure the Endor Labs MCP server in Cursor.

Add the Endor Labs MCP server to local Cursor settings

We recommend that you add the MCP server to the local Cursor settings rather than the user settings to keep the configuration project-specific. Note that a project-local .cursor/mcp.json is checked into the repository and tells the IDE which executable to run, so review changes to it like any other code.

  1. Navigate to the root of your repository.

  2. Create a .cursor directory if it doesn’t exist and create an mcp.json file in the .cursor directory.

    mkdir -p .cursor && touch .cursor/mcp.json
    

Configure the MCP server

Add the following configuration to the .cursor/mcp.json file.

{
  "mcpServers": {
    "endor-cli-tools": {
      "type": "stdio",
      "command": "endorctl",
      "args": [
        "ai-tools",
        "mcp-server"
      ],
      "env": {
        "MCP_ENDOR_SCAN_LANGUAGES": "<languages to scan>"
      }
    }
  }
}

The following fields usually need to be adjusted for your environment:

  • command: The full path to the endorctl executable. The example above uses a bare endorctl and relies on PATH; IDEs launched from a desktop shortcut often run with a reduced PATH, so prefer the absolute path. Run which endorctl to fetch it.
  • MCP_ENDOR_SCAN_LANGUAGES: The programming languages to scan. You can use the following languages: c#, go, java, javascript, kotlin, objective-c, php, python, ruby, rust, scala, swift, typescript. Enter multiple languages separated by commas, for example "go,java,python". Limiting this list to the languages actually in the repository keeps scans fast.

Configure Cursor rules

To enhance the MCP server integration you can add custom rules for your project. Rules are project-specific instructions that Cursor passes to the model as part of its prompt.

  1. Navigate to the root of your repository.

  2. In the .cursor directory, create an .mdc file to hold the instructions.

    touch .cursor/endorlabs-rules.mdc
    
  3. Add appropriate rules for your project in the .cursor/endorlabs-rules.mdc file.

    For example, you can add a rule instructing the assistant to run an Endor Labs scan on changed code and to resolve any vulnerabilities it reports before considering a task complete.

Manage Endor Labs MCP server tools in Cursor

  1. Navigate to Settings > Cursor Settings > MCP.

  2. Click the tool that you want to disable under endor-cli-tools (the server name you used in .cursor/mcp.json).

    Click a disabled tool to enable it again.

Configure the MCP server in Visual Studio Code

Complete the following tasks to configure the Endor Labs MCP server in Visual Studio Code.

Prerequisites for Visual Studio Code

Before running the Endor Labs MCP server, ensure that you have Visual Studio Code version 1.99 or later and enable MCP support by setting chat.mcp.enabled to true in your Visual Studio Code settings.

Add the Endor Labs MCP server to local Visual Studio Code settings

We recommend that you add the MCP server to the local Visual Studio Code settings rather than the user settings to keep the configuration project-specific. As with any project-local .vscode/mcp.json, the file is checked into the repository and tells the IDE which executable to run, so review changes to it like any other code.

  1. Navigate to the root of your repository.

  2. Create a .vscode directory if it doesn’t exist and create an mcp.json file in the .vscode directory.

    mkdir -p .vscode && touch .vscode/mcp.json
    
  3. Add the following configuration to the .vscode/mcp.json file.

{
  "servers": {
    "endor-cli-tools": {
      "type": "stdio",
      "command": "endorctl",
      "args": [
        "ai-tools",
        "mcp-server"
      ],
      "env": {
        "MCP_ENDOR_SCAN_LANGUAGES": "<languages to scan>"
      }
    }
  }
}

The following fields usually need to be adjusted for your environment:

  • command: The full path to the endorctl executable. The example above uses a bare endorctl and relies on PATH; IDEs launched from a desktop shortcut often run with a reduced PATH, so prefer the absolute path. Run which endorctl to fetch it.
  • MCP_ENDOR_SCAN_LANGUAGES: The programming languages to scan. You can use the following languages: c#, go, java, javascript, kotlin, objective-c, php, python, ruby, rust, scala, swift, typescript. Enter multiple languages separated by commas, for example "go,java,python". Limiting this list to the languages actually in the repository keeps scans fast.
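The two configurations above differ only in the file location and the top-level key (Cursor reads "mcpServers" from .cursor/mcp.json, Visual Studio Code reads "servers" from .vscode/mcp.json), and both want an absolute "command" path and a valid language list. The following script, added here as an example and not part of Endor Labs or endorctl, generates either entry from those facts: it validates MCP_ENDOR_SCAN_LANGUAGES against the list on this page, resolves endorctl to an absolute path, and merges the entry into an existing mcp.json without clobbering other servers already configured there. The server name endor-cli-tools and the argument list are taken from the page; nothing else about endorctl's interface is assumed.

```python
"""Generate the Endor Labs MCP server entry for Cursor or Visual Studio Code.

Added example, not Endor Labs code. It assumes only what the page states:
the server starts with `endorctl ai-tools mcp-server` over stdio, and
MCP_ENDOR_SCAN_LANGUAGES is a comma-separated list drawn from the languages
listed on the page. Cursor reads the entry from "mcpServers" in .cursor/mcp.json;
VS Code reads it from "servers" in .vscode/mcp.json.
"""
import json
import shutil
from pathlib import Path

SUPPORTED_LANGUAGES = {
    "c#", "go", "java", "javascript", "kotlin", "objective-c", "php",
    "python", "ruby", "rust", "scala", "swift", "typescript",
}

# IDE -> (config file relative to the repo root, top-level key holding servers)
IDE_LAYOUT = {
    "cursor": (Path(".cursor") / "mcp.json", "mcpServers"),
    "vscode": (Path(".vscode") / "mcp.json", "servers"),
}

SERVER_NAME = "endor-cli-tools"


def _layout(ide):
    if ide not in IDE_LAYOUT:
        raise ValueError(f"unknown IDE {ide!r}; expected one of {sorted(IDE_LAYOUT)}")
    return IDE_LAYOUT[ide]


def normalize_languages(languages):
    """Return a sorted, de-duplicated, comma-separated list; reject unknown names."""
    wanted = {lang.strip().lower() for lang in languages if lang.strip()}
    if not wanted:
        raise ValueError("at least one language is required")
    unknown = wanted - SUPPORTED_LANGUAGES
    if unknown:
        raise ValueError(f"unsupported language(s): {', '.join(sorted(unknown))}")
    return ",".join(sorted(wanted))


def resolve_endorctl(explicit_path=None):
    """Absolute path of endorctl. IDEs launched from a desktop shortcut often
    run with a reduced PATH, so a bare 'endorctl' in "command" may not resolve."""
    path = explicit_path or shutil.which("endorctl")
    if path is None:
        raise FileNotFoundError("endorctl not found on PATH; install it first")
    return str(Path(path).resolve())


def server_entry(endorctl_path, languages):
    """The stdio server entry exactly as the page shows it, with our values filled in."""
    return {
        "type": "stdio",
        "command": endorctl_path,
        "args": ["ai-tools", "mcp-server"],
        "env": {"MCP_ENDOR_SCAN_LANGUAGES": normalize_languages(languages)},
    }


def merge_config(existing, ide, endorctl_path, languages):
    """Add or replace the Endor Labs entry without touching other configured servers."""
    _, key = _layout(ide)
    config = dict(existing or {})
    servers = dict(config.get(key) or {})
    servers[SERVER_NAME] = server_entry(endorctl_path, languages)
    config[key] = servers
    return config


def write_config(repo_root, ide, endorctl_path, languages):
    """Read the existing mcp.json (if any), merge the entry, write it back; return the path."""
    rel_path, _ = _layout(ide)
    target = Path(repo_root) / rel_path
    existing = json.loads(target.read_text()) if target.exists() else {}
    merged = merge_config(existing, ide, endorctl_path, languages)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(json.dumps(merged, indent=2) + "\n")
    return target


if __name__ == "__main__":
    import sys
    # Usage: python gen_mcp.py [cursor|vscode] [comma,separated,languages]
    ide_arg = sys.argv[1] if len(sys.argv) > 1 else "cursor"
    lang_arg = sys.argv[2].split(",") if len(sys.argv) > 2 else ["go", "python"]
    print(write_config(".", ide_arg, resolve_endorctl(), lang_arg))
```

Run it from the repository root; it refuses to proceed if endorctl is not installed or a language is misspelled, which is preferable to an MCP server that silently scans nothing. Commit the generated file, and treat later edits to it as code changes, since the "command" field controls which binary the IDE executes.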

Use the MCP server with GitHub Copilot

To use the Endor Labs MCP server with GitHub Copilot in Visual Studio Code:

  1. Open the Chat view by pressing Cmd+Option+I.

  2. Switch to the Agent mode.

  3. Click the Settings icon.

  4. Select MCP Server: endor-cli-tools from the dropdown menu.

    You can now invoke the Endor Labs tools from your chat prompts, for example to scan the repository for vulnerable dependencies or to look up a specific vulnerability.

Manage Endor Labs MCP server tools in Visual Studio Code

  1. Open the Chat view by pressing Cmd+Option+I.

  2. Switch to the Agent mode.

  3. Click the Settings icon.

  4. Select the tools that you want to enable or disable under MCP Server: endor-cli-tools.