Endor Labs MCP server

Learn how to deploy and run the Endor Labs MCP server in your IDE.

Alpha

MCP (Model Context Protocol) is an open standard that defines a consistent way for applications to share relevant context and information with Large Language Models (LLMs). MCP servers expose specific capabilities through the standardized Model Context Protocol. For more information on MCP, refer to the MCP documentation.

The Endor Labs MCP server integrates seamlessly into your development workflow, scanning your code as you write. You can catch issues long before they’re a problem in production. It plugs directly into your IDE, tightening the feedback loop for both human and AI-generated code. Thus, you can quickly secure your code from the start. With Endor Labs, you’re bringing security all the way left, getting real-time, proactive insights and automated fixes in your editor, while you build, minimizing last-minute security scrambles.

Note

Endor Labs MCP server is available on macOS. Endor Labs MCP server is not currently tested or fully supported on Windows workstations.

Tools in the Endor Labs MCP server

The Endor Labs MCP server provides the following tools:

check_dependency_for_vulnerabilities: Check if the dependencies in your project are vulnerable.
get_endor_vulnerability: Get the details of a specific vulnerability from the Endor Labs vulnerability database.
get_resource: Add additional context from commonly used Endor Labs resources about your software such as findings, vulnerabilities, and projects.
scan: Run an Endor Labs security scan to detect risks in your open source dependencies, find common security issues, and spot any credentials accidentally exposed in your Git repo.

After you set up the MCP server, you can choose to disable the tools that you do not want to use.

Prerequisites to run the Endor Labs MCP server

Before running the Endor Labs MCP server, ensure that you install the latest version of endorctl and authenticate to Endor Labs. The authenticated user must have at least Code Scanner and Read-Only permissions.

If you wish to run SAST scans, ensure that you install Semgrep in your local system. See Download and install Semgrep to learn how you can download and install the specific version of Semgrep that is compatible with Endor Labs.

Configure the MCP server in Cursor

Complete the following tasks to configure the Endor Labs MCP server in Cursor.

Add the Endor Labs MCP server to local Cursor settings

We recommend that you add the MCP server to the local Cursor settings rather than the user settings to keep the configuration project-specific.

Navigate to the root of your repository.
Create a .cursor directory if it doesn’t exist and create an mcp.json file in the .cursor directory.
```
mkdir -p .cursor && touch .cursor/mcp.json
```

Configure the MCP server

Add the following configuration to the .cursor/mcp.json file.

{
  "mcpServers": {
    "endor-cli-tools": {
      "type": "stdio",
      "command": "endorctl",
      "args": [
        "ai-tools",
        "mcp-server"
      ],
      "env": {
        "MCP_ENDOR_SCAN_LANGUAGES": "<languages to scan>"
      }
    }
  }
}

The following parameters are commonly used to optimize MCP server performance.

command: The full path to the endorctl executable. Run which endorctl to fetch the path of the endorctl executable.
MCP_ENDOR_SCAN_LANGUAGES: The programming languages to scan. You can use the following languages: c#, go, java, javascript, kotlin, objective-c, php, python, ruby, rust, scala, swift, typescript. Enter multiple languages separated by commas. For example, "go,java,python".

Note

You can use any Endor Labs environment variable for the endorctl scan command in the MCP server configuration. However, you must prefix all Endor Labs environment variables with MCP_. See Endor Labs environment variables for more information.

Manage Endor Labs MCP server tools in Cursor

Navigate to the Settings > Cursor Settings > MCP.
Click the tool that you want to disable under endor-mcp-tools.

Click on a disabled tool to enable it.

Configure Cursor rules

To enhance the MCP server integration you can add custom rules for your project. These rules are custom prompts specific to your project.

Navigate to the root of your repository.
In the .cursor/rules directory, create an .mdc file to add the specific instructions.
```
mkdir -p .cursor/rules && touch endorlabs.mdc
```
Add appropriate rules for your project in the .cursor/endorlabs.mdc file.

For example, you can add a rule to check if the code is free from vulnerabilities.

Example Cursor rules

You can use the following Cursor rules as a quick start for the Endor Labs MCP server. Modify the rules to meet your specific organization’s needs. We recommended that you store each cursor rule in a separate file. For more information, refer to the Cursor documentation.

Cursor rule to check for vulnerabilities in new dependencies

Use the following rule to check for vulnerabilities when a dependency is added to your codebase.

---
description: Ensure newly added dependencies are checked for vulnerabilities and project stays clean
globs: '**/package.json, **/package-lock.json, **/yarn.lock, **/pnpm-lock.yaml, **/requirements.txt, **/Pipfile, **/Pipfile.lock, **/pyproject.toml, **/poetry.lock, **/go.mod, **/go.sum, **/Cargo.toml, **/Cargo.lock, **/pom.xml, **/build.gradle, **/build.gradle.kts, **/gradle.lockfile, **/composer.json, **/composer.lock'
alwaysApply: true
---
# Dependency Vulnerability Safety Rule
Whenever you add or modify a dependency in any of the files above:
- Run `endor-cli-tools` using the `check_dependency_for_vulnerabilities` tool.
- Provide the **language**, **dependency name**, and **version**.
- If the tool identifies a vulnerability:
- Upgrade to the suggested safe version, or
- Replace the dependency with a non-vulnerable alternative.
At the **end of every agent session**:
- Run a **full vulnerability scan** using `endor-cli-tools`.
- If any findings are returned:
- Review and fix each issue.
- Re-scan after every fix.
- Repeat until **no findings remain**.
This rule ensures that all dependency changes are evaluated for risk at the time of introduction, and that the project remains clean and secure after each coding session.

Cursor rule to check for leaked secrets

Use the following rule to check for leaked secrets in your codebase.

---
description: Scan for leaked secrets on file modification
globs: '**/*'
alwaysApply: true
---
# Leaked Secrets Detection Rule
Whenever a file is modified in the repository:
- Run `endor-cli-tools` using the `scan` tool with the appropriate arguments to check for leaked secrets.
- Ensure the scan includes all file types and respects `.gitignore` unless otherwise configured.
- If any secrets are detected:
- Remove the exposed secret immediately.
- Re-scan to verify the secret has been properly removed.
This rule ensures no accidental credentials, tokens, API keys, or secrets are committed or remain in the project history.

Cursor rule to check for code weakness

Use the following rule to check for code weaknesses in your codebase.

---
description: Run SAST scan using endor-cli-tools on source code changes
globs: '**/*.c, **/*.cpp, **/*.cc, **/*.cs, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.py, **/*.php, **/*.rb, **/*.rs, **/*.kt, **/*.kts, **/*.scala, **/*.swift, **/*.dart, **/*.html, **/*.yaml, **/*.yml, **/*.json, **/*.xml, **/*.sh, **/*.bash, **/*.clj, **/*.cljs, **/*.ex, **/*.exs, **/*.lua'
alwaysApply: true
---
# Static Application Security Testing (SAST) Rule
Whenever a supported source code file is modified:
1. Ensure Semgrep is installed and available at version 1.99.0.
- If Semgrep is not installed or the version is incorrect, prompt the user to install it.
- Do not proceed with the scan unless Semgrep is available and valid.
- To install Semgrep, the user must have a working Python environment with pip. Recommend installing version 1.99.0.
2. Use the MCP server and `endor-cli-tools` to perform a SAST scan on the modified source files.
3. If any vulnerabilities are found:
- Present the issues to the user.
- Recommend appropriate fixes (e.g., input sanitization, validation, escaping, secure APIs).
- Continue scanning until all critical issues have been resolved.
This rule ensures all code changes are automatically reviewed for common security vulnerabilities using `endor-cli-tools` and the MCP server, with Semgrep as the underlying engine.

Configure the MCP server in Visual Studio Code

Complete the following tasks to configure the Endor Labs MCP server in Visual Studio Code.

Prerequisites for Visual Studio Code

Before running the Endor Labs MCP server, ensure that you have Visual Studio Code version 1.99 or later and enable MCP support by setting chat.mcp.enabled to true in your Visual Studio Code settings.

Add the Endor Labs MCP server to local Visual Studio Code settings

We recommend that you add the MCP server to the local Visual Studio Code settings rather than the user settings to keep the configuration project-specific.

Navigate to the root of your repository.
Create a .vscode directory if it doesn’t exist and create an mcp.json file in the .vscode directory.
```
mkdir -p .vscode && touch .vscode/mcp.json
```
Add the following configuration to the .vscode/mcp.json file.

{
  "servers": {
    "endor-cli-tools": {
      "type": "stdio",
      "command": "endorctl",
      "args": [
        "ai-tools",
        "mcp-server"
      ],
      "env": {
        "MCP_ENDOR_SCAN_LANGUAGES": "<languages to scan>"
      }
    }
  }
}

The following parameters are commonly used to optimize MCP server performance.

command: The full path to the endorctl executable. Run which endorctl to fetch the path of the endorctl executable.
MCP_ENDOR_SCAN_LANGUAGES: The programming languages to scan. You can use the following languages: c#, go, java, javascript, kotlin, objective-c, php, python, ruby, rust, scala, swift, typescript. Enter multiple languages separated by commas. For example, "go,java,python".

Note

Manage Endor Labs MCP server tools in Visual Studio Code

Open the Chat view by pressing Cmd+Option+I.
Switch to the Agent mode.
Click the Settings icon.
Select the tools that you want to enable or disable under MCP Server: endor-cli-tools.

Use the MCP server with GitHub Copilot

To use the Endor Labs MCP server with GitHub Copilot in Visual Studio Code:

Open the Chat view by pressing Cmd+Option+I.
Switch to the Agent mode.
Click the Settings icon.
Select MCP Server: endor-cli-tools from the dropdown menu.

You can now use Endor Labs tools in your chat prompts to scan for vulnerabilities.

Setup Copilot Rules

Set up Copilot rules in, .github/copilot-instructions.md, to use the Endor Labs MCP server throughout the development process.

Example Copilot rules

Copilot instructions will add instructions for copilot to follow throughout the development process. The following examples show how to use the Endor Labs MCP server in Copilot rules.

Copilot rule to check for vulnerabilities in new dependencies

Use the following rule to check for vulnerabilities when a dependency is added to your codebase.

## Ensure newly added dependencies are checked for vulnerabilities and project stays clean
- globs: '**/package.json, **/package-lock.json, **/yarn.lock, **/pnpm-lock.yaml, **/requirements.txt, **/Pipfile, **/Pipfile.lock, **/pyproject.toml, **/poetry.lock, **/go.mod, **/go.sum, **/Cargo.toml, **/Cargo.lock, **/pom.xml, **/build.gradle, **/build.gradle.kts, **/gradle.lockfile, **/composer.json, **/composer.lock'

Whenever you add or modify a dependency in any of the files above:

- Run the MCP server `endor-cli-tools` using the `check_dependency_for_vulnerabilities` tool.
- Provide the **language**, **dependency name**, and **version**.
- If the tool identifies a vulnerability:
  - Upgrade to the suggested safe version, or
  - Replace the dependency with a non-vulnerable alternative.

This rule ensures that all dependency changes are evaluated for risk at the time of introduction, and that the project remains clean and secure after each coding session.

Copilot rule to check for code weakness

Use the following rule to check for code weakness in your codebase.

# Static Application Security Testing (SAST) Rule

- globs: '**/*.c, **/*.cpp, **/*.cc, **/*.cs, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.py, **/*.php, **/*.rb, **/*.rs, **/*.kt, **/*.kts, **/*.scala, **/*.swift, **/*.dart, **/*.html, **/*.yaml, **/*.yml, **/*.json, **/*.xml, **/*.sh, **/*.bash, **/*.clj, **/*.cljs, **/*.ex, **/*.exs, **/*.lua'

Whenever a supported source code file is modified:

1. Ensure Semgrep is installed and available at version 1.99.0.
   - If Semgrep is not installed or the version is incorrect, prompt the user to install it.
   - Do not proceed with the scan unless Semgrep is available and valid.
   - To install Semgrep, the user must have a working Python environment with pip. Recommend installing version 1.99.0.

2. Use the MCP server `endor-cli-tools` using the tool `scan` to perform a SAST scan on the modified source files.

3. If any vulnerabilities are found:
   - Present the issues to the user.
   - Recommend appropriate fixes (e.g., input sanitization, validation, escaping, secure APIs).
   - Continue scanning until all critical issues have been resolved.

This rule ensures all code changes are automatically reviewed for common security vulnerabilities using `endor-cli-tools` and the MCP server, with Semgrep as the underlying engine.

Copilot rule to check for leaked secrets

Use the following rule to check for leaked secrets in your codebase.

# Leaked Secrets Detection Rule

Whenever a file is modified in the repository:

- Run `endor-cli-tools` using the `scan` tool with the appropriate arguments to check for leaked secrets.
- Ensure the scan includes all file types and respects `.gitignore` unless otherwise configured.
- If any secrets are detected:
  - Remove the exposed secret immediately.
  - Re-scan to verify the secret has been properly removed.

This rule ensures no accidental credentials, tokens, API keys, or secrets are committed or remain in the project history.

Feedback

Was this page helpful?

Thanks for the feedback. Write to us at support@endor.ai to tell us more.