This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Endor Labs MCP server in Cursor

Learn how to deploy and run the Endor Labs MCP server in Cursor.

This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Learn how to deploy and run the Endor Labs MCP server in Cursor.

Beta

The Endor Labs Model Context Protocol (MCP) server integrates seamlessly into your AI-native development workflows to help you keep your code secure and fix security risks faster. You can catch issues long before they’re a problem in production and fix them faster when they already are.

This guide details how to integrate Endor Labs security capabilities directly into your Cursor development workflows using MCP.

How Endor Labs MCP server helps your Cursor workflow

Endor Labs MCP server helps your developers and AI agents in their development workflows in the following ways:

Provide guardrails for agents before code review: Reduce the number of known vulnerabilities entering your code and save developers time by checking AI agent suggestions in real time. Integrate security before an issue is discovered in CI or in production.
Improve the speed of remediating security risks: Agents uses vulnerability context from Endor Labs to help implement secure changes, from writing more secure code to upgrading dependencies.

Integrate Endor Labs MCP server into Cursor

Complete the following tasks to integrate Endor Labs MCP Server into Cursor.

Configure permissions for your developers: Ensure that your developers have Read-Only permissions to Endor Labs. See Endor Lab’s Authorization policies for more details.
Configure the MCP server: Configure the MCP server in Cursor. You can use the interactive configuration tool or manually configure the MCP server. See Configure the MCP server in Cursor for more details.
Configure Cursor rules: Configure Cursor rules to guide AI development with Endor Labs. See Configure Cursor rules for more details.

Configure the MCP server in Cursor

Cursor allows you to set MCP configurations at the project and the user level.

You can manually configure the MCP server or use the interactive configuration tool to generate a one-click installation link for Cursor.

Interactive MCP server configuration

Use our interactive configuration tool to generate a one-click installation link for Cursor. You can configure all the necessary parameters and generate a Cursor link that you can click to automatically install the MCP server.

Endor Labs MCP Server Installation

Configure your MCP server parameters and generate a one-click install link for Cursor.

Authentication Mode *

Authentication mode for Endor Labs MCP server.

Required. Select "automatic" if you've already run endorctl init. Otherwise, select your external identity provider.

Tenant *

Tenant name for SSO authentication.

Required when using SSO authentication mode. Enter your tenant name.

Namespace

Your Endor Labs namespace.

Required for the MCP server configuration. Only alphanumeric characters, dots, hyphens, and underscores are allowed.

Fill in your configuration above and click Generate to create a one-click installation link for Cursor.

After you click Add Endor Labs MCP server, MCP Settings opens in Cursor.

You can verify the configuration and click Install to complete the installation.

Manual MCP server configuration at the repository level

Navigate to the root of your repository.
Create a .cursor directory if it doesn’t exist and create an mcp.json file in the .cursor directory.
```
mkdir -p .cursor && touch .cursor/mcp.json
```

Add the following configuration to the .cursor/mcp.json file.

{
  "mcpServers": {
    "endor-cli-tools": {
      "command": "npx",
      "args": [
        "-y",
        "endorctl",
        "ai-tools",
        "mcp-server"
      ],
      "env": {
        "ENDOR_MCP_SERVER_AUTH_MODE": "<authentication mode>",
        "ENDOR_NAMESPACE": "<namespace>",
        "ENDOR_TOKEN": "automatic",
        "MCP_ENDOR_SCAN_DRY_RUN": "true"
      }
    }
  }
}

The following parameters are used to configure the MCP server.

ENDOR_MCP_SERVER_AUTH_MODE: The authentication mode to use for the MCP server. You can use the following authentication modes: automatic, google, github, sso. Use automatic if you’ve already logged in to Endor Labs through endorctl and do not need to authenticate again. If you choose sso, you must add ENDOR_MCP_SERVER_AUTH_TENANT as an additional parameter.
ENDOR_NAMESPACE: The namespace to use for the MCP server.
ENDOR_TOKEN: The token to use for the MCP server. Do not set this value manually. It will be set automatically by the MCP server.
MCP_ENDOR_SCAN_DRY_RUN: Whether to run the MCP server in dry run mode. Always set this value to true for the MCP server. When enabled, dry run mode allows local scanning with read-only access to Endor Labs. Scan results are not stored in dry run mode, enabling you to perform faster security scans locally without requiring write permissions to your Endor Labs account.
ENDOR_MCP_SERVER_AUTH_TENANT: The tenant name for SSO authentication. Required when ENDOR_MCP_SERVER_AUTH_MODE is set to sso.

Manage Endor Labs MCP server tools in Cursor

Navigate to the Settings > Cursor Settings > Tools & MCP.
Click the tool that you want to disable under endor-cli-tools.

Click on a disabled tool to enable it.

Configure Cursor rules

To enhance the MCP server integration you can add custom rules for your project. These rules are custom prompts specific to your project.

Navigate to the root of your repository.
In the .cursor/rules directory, create an .mdc file to add specific instructions.
Add appropriate rules for your project in the .cursor/rules/endorlabs.mdc file. For example, you can add a rule to check if the code is free from vulnerabilities.

Example Cursor rules

You can use the following Cursor rules as a quick start for the Endor Labs MCP server. Modify the rules to meet your specific organization’s needs. We recommended that you store each cursor rule in a separate file. For more information, refer to the Cursor documentation.

---
description: "Ensure newly added dependencies are checked for vulnerabilities and project stays clean"
globs: '**/package.json, **/package-lock.json, **/yarn.lock, **/pnpm-lock.yaml, **/requirements.txt, **/Pipfile, **/Pipfile.lock, **/pyproject.toml, **/poetry.lock, **/go.mod, **/go.sum, **/Cargo.toml, **/Cargo.lock, **/pom.xml, **/build.gradle, **/build.gradle.kts, **/gradle.lockfile, **/composer.json, **/composer.lock'
alwaysApply: true
---

# Software Composition Analysis (SCA) Rule (Endor Labs via MCP)
This project uses Endor Labs for automated dependency (SCA) scanning, integrated through the MCP server as configured in `.cursor/mcp.json`.

## Workflow

Every time a manifest or lockfile listed above is created or modified in any way immediately do the following prior to performing your next task.

**Important**: Do not proceed after creating or modifying a manifest file without running this first. Do not write any other code or continue with your existing prompt. This is top priority whenever a manifest file is created or updated.

- Run `endor-cli-tools` using the `check_dependency_for_vulnerabilities` tool via the MCP server.
- Provide the **language**, **dependency name**, and **version** always when making this tool call. Do not forget to provide a version.
- If a vulnerability or error is identified:
  - Upgrade to the suggested safe version, or
  - Replace the dependency with a non-vulnerable alternative.
  - The AI agent must attempt to automatically correct all detected errors and vulnerabilities before session completion.
- Re-run the check using `endor-cli-tools` to confirm the issue is resolved.
- If an error occurs in any MCP server tool call (such as missing required parameters like version, invalid arguments, or tool invocation failures):
  - The AI agent must review the error, determine the cause, and automatically correct the tool call or input parameters.
  - Re-attempt the tool call with the corrected parameters.
  - Continue this process until the tool call succeeds or it is determined that remediation is not possible, in which case the issue and reason must be reported.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`) as configured in `.cursor/mcp.json`. Do not invoke `endorctl` directly.
- For troubleshooting, ensure the MCP server is running and `endorctl` is installed and accessible in your environment.

This rule ensures that all dependency changes are evaluated for risk at the time of introduction, and that the project remains clean and secure after each coding session. The scan may be performed at the end of an agent session, provided all modifications are checked and remediated before session completion.

---
description: "Scan for leaked secrets on file modification"
globs: '**/*'
alwaysApply: true
---

# Leaked Secrets Detection Rule (Endor Labs via MCP)
This project uses @Endor Labs for automated security scanning, integrated through the MCP server as configured in `.cursor/mcp.json`.

## Workflow
Whenever a file is modified in the repository, and before the end of an agent session:
- Run `endor-cli-tools` using the `scan` tool via the MCP server to check for leaked secrets.
- Ensure the scan includes all file types and respects `.gitignore` unless otherwise configured.
- If any secrets or errors are detected:
  - Remove the exposed secret or correct the error immediately.
  - The AI agent must attempt to automatically correct all detected secrets and errors before session completion.
  - Re-run the scan to verify the secret or error has been properly removed or resolved.
- If an error occurs in any MCP server tool call (such as missing required parameters like version, invalid arguments, or tool invocation failures):
  - The AI agent must review the error, determine the cause, and automatically correct the tool call or input parameters.
  - Re-attempt the tool call with the corrected parameters.
  - Continue this process until the tool call succeeds or it is determined that remediation is not possible, in which case the issue and reason must be reported.
- Save scan results and remediation steps in a security log or as comments for audit purposes.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`) as configured in `.cursor/mcp.json`. Do not invoke `endorctl` directly.
- For troubleshooting, ensure the MCP server is running and `endorctl` is installed and accessible in your environment.
- **Important**: This scan must use the path of the directory from which the changed files are in. Do not attempt to set the path directly to a file as it must be a directory. Use absolute paths like /Users/username/mcp-server-demo/backend rather than relative paths like 'backend'

This rule ensures no accidental credentials, tokens, API keys, or secrets are committed or remain in the project history. The scan may be performed at the end of an agent session, provided all modifications are checked and remediated before session completion.

---
description: "Run SAST scan using endor-cli-tools on source code changes"
globs: '**/*.c, **/*.cpp, **/*.cc, **/*.cs, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.py, **/*.php, **/*.rb, **/*.rs, **/*.kt, **/*.kts, **/*.scala, **/*.swift, **/*.dart, **/*.html, **/*.yaml, **/*.yml, **/*.json, **/*.xml, **/*.sh, **/*.bash, **/*.clj, **/*.cljs, **/*.ex, **/*.exs, **/*.lua'
alwaysApply: true
---

# Static Application Security Testing (SAST) Rule (Endor Labs via MCP)

This project uses @Endor Labs for automated SAST, integrated through the MCP server as configured in `.cursor/mcp.json`.

## Workflow

Whenever a file is modified in the repository, and before the end of an agent session perform the following workflow:

- Run `endor-cli-tools` using the `scan` tool via the MCP server to perform SAST scans as described above.
- If any vulnerabilities or errors are found:
  - Present the issues to the user.
  - The AI agent must attempt to automatically correct all errors and vulnerabilities, including code errors, security issues, and best practice violations, before session completion.
  - Recommend and apply appropriate fixes (e.g., input sanitization, validation, escaping, secure APIs).
  - Continue scanning and correcting until all critical issues have been resolved or no further automated remediation is possible.
- If an error occurs in any MCP server tool call (such as missing required parameters like version, invalid arguments, or tool invocation failures):
  - The AI agent must review the error, determine the cause, and automatically correct the tool call or input parameters.
  - Re-attempt the tool call with the corrected parameters.
  - Continue this process until the tool call succeeds or it is determined that remediation is not possible, in which case the issue and reason must be reported.
- Save scan results and remediation steps in a security log or as comments for audit purposes.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`) as configured in `.cursor/mcp.json`. Do not invoke `endorctl` directly.
- For troubleshooting, ensure the MCP server is running and `endorctl` is installed and accessible in your environment.
- Do not invoke Opengrep directly.
- **Important**: This scan must use the path of the directory from which the changed files are in. Do not attempt to set the path directly to a file as it must be a directory. Use absolute paths like /Users/username/mcp-server-demo/backend rather than relative paths like 'backend'

This rule ensures all code changes are automatically reviewed and remediated for common security vulnerabilities and errors using `endor-cli-tools` and the MCP server, with Opengrep as the underlying engine.