# Endor Labs MCP server in Devin

> <Badge color="green">Beta</Badge> <br /> Learn how to deploy and run the Endor Labs MCP server in Devin.

Scan dependencies, detect vulnerabilities, find leaked secrets, and review code for security issues directly inside Devin, powered by your AI agent.

<Tip>
  You can also connect the [Endor Labs documentation MCP server](/introduction/docs-mcp-server) to get accurate, real-time answers about Endor Labs directly in your AI tools.
</Tip>

<Note>
  **Developer Edition not supported**

  The Endor Labs MCP server Developer Edition is currently not supported with Devin AI.
</Note>

## Prerequisites for Endor Labs MCP server

Ensure that the following prerequisites are met:

* A [Devin](https://devin.ai/) account with access to the MCP Marketplace
* Your organization's Endor Labs namespace
* Endor Labs API key and secret. See [Endor Labs' API keys](/platform-administration/api-keys/) for more information

## Tools in the Endor Labs MCP server

The Endor Labs MCP server provides the following tools:

* `check_dependency_for_vulnerabilities`: Check if a dependency in your project is vulnerable.
* `check_dependency_for_risks`: Check a dependency for security risks including vulnerabilities and malware.
* `get_endor_vulnerability`: Get the details of a specific vulnerability from the Endor Labs vulnerability database.
* `get_resource`: Retrieve additional context from commonly used Endor Labs resources about your software, such as findings, vulnerabilities, and projects.
* `scan`: Run an Endor Labs security scan to detect risks in your open source dependencies, find common security issues, and spot any credentials accidentally exposed in your Git repository.
* `security_review`: Perform security review analysis on code diffs. Analyzes local uncommitted changes (both staged and unstaged) compared to HEAD, or diffs between the main branch and the last commit. Requires the Enterprise Edition. You must specify your namespace in the MCP server configuration. You must also enable AI security code review for your namespace in the Endor Labs platform. See [AI security code review](/secure-ai-coding/ai-security-review/) for setup instructions.

After you set up the MCP server, you can choose to disable the tools that you do not want to use.

<Note>
  **Recommended: Node.js 24 LTS or later**

  The Endor Labs MCP server runs `endorctl` through `npx`. On Node.js versions older than 24, you may see a harmless warning printed before scan output.

  ```text theme={null}
  (node:NNNNN) ExperimentalWarning: CommonJS module .../debug/src/node.js is loading ES Module .../supports-color/index.js using require().
  ```

  This is a Node.js runtime notice, not an error from `endorctl` or the MCP server, and it does not affect scan results. To silence it, upgrade Node.js to 24 LTS or later, then restart your IDE or CLI. Verify with `node --version`.
</Note>

## Add Endor Labs MCP server through the MCP Marketplace

1. Navigate to [Settings > MCP Marketplace](https://app.devin.ai/settings/mcp-marketplace) in Devin.

2. Click **Add Your Own** to add a custom MCP server.

3. Add the following secrets with the corresponding values:
   * `ENDOR_API_CREDENTIALS_KEY`: Your Endor Labs API key
   * `ENDOR_API_CREDENTIALS_SECRET`: Your Endor Labs API secret
   * `ENDOR_NAMESPACE`: Your Endor Labs namespace

4. Add the following configuration under STDIO Configuration:
   * **Command**: `npx`
   * **Arguments**: `-y endorctl ai-tools mcp-server -n $ENDOR_NAMESPACE --api-key $ENDOR_API_CREDENTIALS_KEY --api-secret $ENDOR_API_CREDENTIALS_SECRET`

5. Click **Save Changes** to save the MCP server configuration.

### Configuration parameters

The following parameters are used to configure the MCP server in Devin:

* `ENDOR_API_CREDENTIALS_KEY`: (Required) Your Endor Labs API key. See [API keys](/platform-administration/api-keys) for more information.
* `ENDOR_API_CREDENTIALS_SECRET`: (Required) Your Endor Labs API secret.
* `ENDOR_NAMESPACE`: (Required) Your Endor Labs namespace to access your organization's policies.

## Manage MCP server tools

1. Navigate to [Settings > MCP Marketplace](https://app.devin.ai/settings/mcp-marketplace) in Devin.

2. Locate the **endor-cli-tools** server in the list.

3. Click the server to view its details and manage its tools.

## Configure Devin Knowledge

To enhance the MCP server integration, you can add instructions through Devin Knowledge. Knowledge entries guide Devin's AI development with your project-specific instructions.

1. Navigate to [Settings > Knowledge](https://app.devin.ai/settings/knowledge) in Devin.

2. Create a new Knowledge entry for Endor Labs security scanning.

3. Add appropriate instructions for your project. For example, you can add a rule to check if the code is free from vulnerabilities.

You can also create a [Playbook](https://docs.devin.ai/product-guides/creating-playbooks) to automate security scanning workflows with the Endor Labs MCP server.

### Example Knowledge instructions

You can use the following Knowledge instructions as a quick start for the Endor Labs MCP server. Modify the instructions to meet your organization's specific needs. For more information, refer to the [Devin Knowledge documentation](https://docs.devin.ai/product-guides/knowledge).

<Tabs>
  <Tab title="SCA Rule Example">
    ```markdown theme={null}
    # Software Composition Analysis (SCA) Rule (Endor Labs MCP server)

    This project uses Endor Labs for automated dependency (SCA) scanning, integrated through the MCP server.

    ## Workflow

    Every time a manifest or lockfile (`package.json`, `requirements.txt`, `go.mod`, `pom.xml`, etc.) is created or modified in any way, immediately do the following prior to performing your next task.

    **Important**: Do not proceed after creating or modifying a manifest file without running this first.

    - Run `endor-cli-tools` using the `check_dependency_for_vulnerabilities` tool via the MCP server.
    - Always provide the **ecosystem**, **dependency name**, and **version** when making this tool call.
    - If a vulnerability or error is identified:
      - Upgrade to the suggested safe version, or
      - Replace the dependency with a non-vulnerable alternative.
    - Re-run the check using `endor-cli-tools` to confirm the issue is resolved.

    ## Notes
    - All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.
    ```
  </Tab>

  <Tab title="Secrets Rule Example">
    ```markdown theme={null}
    # Leaked Secrets Detection Rule (Endor Labs MCP server)

    This project uses Endor Labs for automated security scanning, integrated through the MCP server.

    ## Workflow

    Whenever a file is modified in the repository, and before the end of a session:

    - Run `endor-cli-tools` using the `scan` tool via the MCP server to check for leaked secrets.
    - If any secrets or errors are detected:
      - Remove the exposed secret or correct the error immediately.
      - Re-run the scan to verify the secret has been properly removed.
    - Save scan results and remediation steps in a security log or as comments for audit purposes.

    ## Notes
    - All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.
    - This scan must use the path of the directory that contains the changed files. Use absolute paths.
    ```
  </Tab>

  <Tab title="SAST Rule Example">
    ```markdown theme={null}
    # Static Application Security Testing (SAST) Rule (Endor Labs MCP server)

    This project uses Endor Labs for automated SAST, integrated through the MCP server.

    ## Workflow

    Whenever a file is modified in the repository, and before the end of a session:

    - Run `endor-cli-tools` using the `scan` tool via the MCP server to perform SAST scans.
    - If any vulnerabilities or errors are found:
      - Present the issues to the user.
      - Recommend and apply appropriate fixes (e.g., input sanitization, validation, escaping, secure APIs).
    - Save scan results and remediation steps in a security log or as comments for audit purposes.

    ## Notes
    - All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.
    - Do not invoke Opengrep directly.
    - This scan must use the path of the directory that contains the changed files. Use absolute paths.
    ```
  </Tab>
</Tabs>

## Watch how to use Endor Labs with Devin

<iframe className="w-full aspect-video rounded-xl" src="https://www.youtube.com/embed/X9E0_O2gqxU" title="YouTube video player" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowFullScreen />

## Troubleshooting

Use the following troubleshooting steps to resolve common issues with the Endor Labs MCP server.

<AccordionGroup>
  <Accordion title="MCP server shows disconnected">
    Run `npx --version` in your terminal. If the command fails, install [Node.js](https://nodejs.org/) version 18 or later. After installing, restart your IDE or CLI to reload the MCP server configuration.
  </Accordion>

  <Accordion title="Browser auth window does not open">
    Ensure your IDE or CLI can open a browser. Check firewall or security software that might block browser launch. For Enterprise Edition with SSO, verify that `ENDOR_MCP_SERVER_AUTH_MODE` and `ENDOR_MCP_SERVER_AUTH_TENANT` are set correctly in your MCP configuration.
  </Accordion>

  <Accordion title="npx times out behind a corporate proxy">
    Install endorctl using your preferred method and configure the MCP server to call it directly instead of using npx. In the Enterprise Edition install wizard, select **No** under **Using npx?** to generate the correct configuration. Alternatively, replace the `command` and `args` entries in your MCP configuration manually:

    ```json theme={null}
    "command": "endorctl",
    "args": ["ai-tools", "mcp-server"]
    ```

    For installation options, see [Install endorctl](/setup-deployment/cli/). For more details on how npx and a system-installed endorctl differ, see the FAQ entry below.
  </Accordion>

  <Accordion title="Understanding npx vs. a system-installed endorctl">
    The default MCP server configuration uses `npx -y endorctl` to run endorctl. This command downloads endorctl from the npm registry into a temporary cache (`~/.npm/_npx/`) and runs it from there. It does **not** install endorctl globally and does **not** interact with any existing endorctl binary on your system.

    If you have endorctl installed separately (for example, through Homebrew or a direct download), the `npx` command runs its own copy and ignores the system-installed version. These two copies are completely independent.

    To use your existing endorctl installation instead of npx, select **No** under **Using npx?** in the Enterprise Edition install wizard. This generates a configuration that calls `endorctl` directly:

    ```json theme={null}
    "command": "endorctl",
    "args": ["ai-tools", "mcp-server"]
    ```

    With this approach, updates are managed by your existing package manager (for example, `brew upgrade endorctl`).
  </Accordion>

  <Accordion title="Tools return errors (Enterprise)">
    Verify your namespace is correct and your user has `Read-Only` permissions in Endor Labs. See [Authorization policies](/platform-administration/rbac/authorization-policies/) for details. Also ensure endorctl is on your PATH if you installed it globally instead of using npx.
  </Accordion>

  <Accordion title="MCP server fails to start on Windows">
    On Windows, ensure the following prerequisites are met:

    * Node.js is installed
    * npm global bin directory is in your PATH

    #### Install Node.js

    If Node.js is not installed, download and install the **LTS version** from [nodejs.org](https://nodejs.org/). During installation, ensure the option to add Node.js to PATH is selected.

    #### Configure the PATH environment variable

    After installing Node.js, verify that the npm global bin directory is in your PATH:

    1. Run the following command in the command line.

       ```powershell theme={null}
       npm config get prefix
       ```

       This returns the npm global directory path, typically `C:\Users\<YourUsername>\AppData\Roaming\npm`.

    2. Add the npm global directory path to the **Path** variable under **User variables** in your system's environment variables settings.

    3. Restart for the PATH changes to take effect.

    #### Verify the setup

    Run the following command in your terminal.

    ```powershell theme={null}
    npx --version
    ```

    If this returns a version number, your Windows setup is complete and the MCP server can use `npx` to run endorctl.
  </Accordion>
</AccordionGroup>
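
The Node.js version and launch-path checks from the troubleshooting entries above, collected into one preflight script. This is an added example, not Endor Labs code: the function names are hypothetical, and the 18 and 24 thresholds are the ones stated on this page.

```shell
# Added example, not Endor Labs code. Function names are hypothetical;
# the 18 and 24 thresholds and the two launch commands come from this page.

# Print the major version from a `node --version` string such as "v22.11.0".
node_major() {
    v=${1#v}
    printf '%s\n' "${v%%.*}"
}

# Map a Node.js version string to the behaviour the page describes.
classify_node() {
    major=$(node_major "$1")
    case $major in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    if [ "$major" -lt 18 ]; then
        echo "below-minimum"          # page asks for version 18 or later
    elif [ "$major" -lt 24 ]; then
        echo "experimental-warning"   # works, may print the ExperimentalWarning
    else
        echo "recommended"            # 24 LTS or later
    fi
}

# Say which copy of endorctl an MCP "command" value runs.
launch_source() {
    case $1 in
        npx)      echo "npx-cache" ;;    # ~/.npm/_npx/, ignores a system binary
        endorctl) echo "system-path" ;;  # whatever PATH resolves
        *)        echo "unknown" ;;
    esac
}

# Report on this host for the configured command (default: npx).
preflight() {
    cmd=${1:-npx}
    if command -v node >/dev/null 2>&1; then
        ver=$(node --version 2>/dev/null)
        echo "node $ver: $(classify_node "$ver")"
    else
        echo "node: not found"
    fi
    if command -v "$cmd" >/dev/null 2>&1; then
        echo "$cmd: found, endorctl runs from $(launch_source "$cmd")"
    else
        echo "$cmd: not on PATH"
    fi
}

preflight "${1:-npx}"
```

Pass `endorctl` as the first argument to check the system-installed launch path instead of `npx`.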
