Endor Labs MCP server in Augment Code

Learn how to deploy and run the Endor Labs MCP server in Augment Code.
Beta

Scan dependencies, detect vulnerabilities, find leaked secrets, and review code for security issues directly inside Augment Code, powered by your AI agent.

With the Endor Labs MCP server, you can:

  • Check dependency safety before adding a new package
  • Scan for vulnerabilities and malware in your open source dependencies
  • Find leaked secrets accidentally committed in your Git history
  • Run AI security reviews on your code changes (Enterprise Edition)

The Developer Edition is free and uses default security policies from Endor Labs. When you use the MCP server for the first time, a browser window opens for authentication through GitHub, GitLab, or Google.

Open the Augment Code extension in Visual Studio Code, click the Settings icon in the upper right of the Augment panel, then in the MCP section choose Import from JSON or + to add a server. Copy and paste the generated configuration.

Developer Edition Configuration

Copy the JSON configuration for your MCP configuration file.

For manual configuration, copy and paste the following JSON directly into your MCP configuration file.

MCP server configuration 

      

    

  












Alternatively, when adding through the settings panel, set Name to endor-cli-tools and Command to npx -y endorctl ai-tools mcp-server.



  

    
    Support
  

  

    Have questions? Email us at community-support@endor.ai.
  




  


  








    

  1. 

    Open the Augment Code extension in Visual Studio Code.
    

    2. 

  2. 

    Click the Settings icon and confirm that endor-cli-tools appears in the MCP section.
    

    3. 






After installing the MCP server, try the following prompt in your AI chat or CLI to verify that the tools are working.


Check if the npm package lodash version 4.17.20 has any vulnerabilities

The MCP server uses the check_dependency_for_vulnerabilities tool to check for known vulnerabilities and return the results. If you see a response with vulnerability details, the MCP server is working correctly.




    

  1. 

    Open the Augment Code extension in Visual Studio Code.
    

    2. 

  2. 

    Click the Settings icon in the upper right of the Augment panel.
    

    3. 

  3. 

    In the MCP section, click the  button next to endor-cli-tools.
    

    4. 

  4. 

    Edit the configuration or remove the server as needed.
    

    5. 







    
The Endor Labs MCP server provides the following tools:


    

  • check_dependency_for_vulnerabilities: Check if a dependency in your project is vulnerable.
    • 

  • check_dependency_for_risks: Check a dependency for security risks including vulnerabilities and malware.
    • 

  • get_endor_vulnerability: Get the details of a specific vulnerability from the Endor Labs vulnerability database.
    • 

  • get_resource: Retrieve additional context from commonly used Endor Labs resources about your software, such as findings, vulnerabilities, and projects.
    • 

  • scan: Run an Endor Labs security scan to detect risks in your open source dependencies, find common security issues, and spot any credentials accidentally exposed in your Git repository.
    • 

  • security_review: Perform security review analysis on code diffs. Analyzes local uncommitted changes (both staged and unstaged) compared to HEAD, or diffs between the main branch and the last commit. Requires the Enterprise Edition. You must specify your namespace in the MCP server configuration. You must also enable AI security code review for your namespace in the Endor Labs platform. See AI security code review for setup instructions.
    • 



After you set up the MCP server, you can choose to disable the tools that you do not want to use.











    
Use the following troubleshooting steps to resolve common issues with the Endor Labs MCP server.







    
        
        MCP server shows disconnected
    
    

        Run npx --version in your terminal. If the command fails, install Node.js version 18 or later. After installing, restart your IDE or CLI to reload the MCP server configuration.
    









    
        
        Browser auth window does not open
    
    

        Ensure your IDE or CLI can open a browser. Check firewall or security software that might block browser launch. For Enterprise Edition with SSO, verify that ENDOR_MCP_SERVER_AUTH_MODE and ENDOR_MCP_SERVER_AUTH_TENANT are set correctly in your MCP configuration.
    









    
        
        npx times out behind a corporate proxy
    
    

        
Install endorctl using your preferred method and configure the MCP server to call it directly instead of using npx. In the Enterprise Edition install wizard, select No under Using npx? to generate the correct configuration. Alternatively, replace the command and args entries in your MCP configuration manually:


"command": "endorctl",
"args": ["ai-tools", "mcp-server"]

For installation options, see Install endorctl. For more details on how npx and a system-installed endorctl differ, see the FAQ entry below.


    









    
        
        Understanding npx vs. a system-installed endorctl
    
    

        
The default MCP server configuration uses npx -y endorctl to run endorctl. This command downloads endorctl from the npm registry into a temporary cache (~/.npm/_npx/) and runs it from there. It does not install endorctl globally and does not interact with any existing endorctl binary on your system.


If you have endorctl installed separately (for example, through Homebrew or a direct download), the npx command runs its own copy and ignores the system-installed version. These two copies are completely independent.


To use your existing endorctl installation instead of npx, select No under Using npx? in the Enterprise Edition install wizard. This generates a configuration that calls endorctl directly:


"command": "endorctl",
"args": ["ai-tools", "mcp-server"]

With this approach, updates are managed by your existing package manager (for example, brew upgrade endorctl).


    









    
        
        Tools return errors (Enterprise)
    
    

        Verify your namespace is correct and your user has Read-Only permissions in Endor Labs. See Authorization policies for details. Also ensure endorctl is on your PATH if you installed it globally instead of using npx.
    









    
        
        MCP server fails to start on Windows
    
    

        
On Windows, ensure the following prerequisites are met:


    

  • Node.js is installed
    • 

  • npm global bin directory is in your PATH
    • 



If Node.js is not installed, download and install the LTS version from nodejs.org. During installation, ensure the option to add Node.js to PATH is selected.


After installing Node.js, verify that the npm global bin directory is in your PATH:


    

  1. 

    Run the following command in the command line.
    

    npm config get prefix

    This returns the npm global directory path, typically C:\Users\<YourUsername>\AppData\Roaming\npm.
    

    2. 

  2. 

    Add the npm global directory path to the Path variable under User variables in your system’s environment variables settings.
    

    3. 

  3. 

    Restart for the PATH changes to take effect.
    

    4. 



Run the following command in your terminal.


npx --version

If this returns a version number, your Windows setup is complete and the MCP server can use npx to run endorctl.