Endor Labs MCP server in Devin

Learn how to deploy and run the Endor Labs MCP server in Devin.
Beta

The Endor Labs MCP server helps developers and AI agents in the following ways:

  • Provide guardrails for agents before code review: Reduce the number of known vulnerabilities entering your code and save developers time by checking AI agent suggestions in real time. Integrate security before an issue is discovered in CI or in production.
  • Improve the speed of remediating security risks: Agents use vulnerability context from Endor Labs to help implement secure changes, from writing more secure code to upgrading dependencies.

The Endor Labs MCP server integrates directly into Devin to scan your code as you write, catching security issues before they reach production.

Developer Edition not supported
The Endor Labs MCP server Developer Edition is currently not supported with Devin AI.

The following sections walk you through setting up the Endor Labs MCP server:

The Endor Labs MCP server provides the following tools:

  • check_dependency_for_vulnerabilities: Check if a dependency in your project is vulnerable.
  • check_dependency_for_risks: Check a dependency for security risks including vulnerabilities and malware.
  • get_endor_vulnerability: Get the details of a specific vulnerability from the Endor Labs vulnerability database.
  • get_resource: Retrieve additional context from commonly used Endor Labs resources about your software, such as findings, vulnerabilities, and projects.
  • scan: Run an Endor Labs security scan to detect risks in your open source dependencies, find common security issues, and spot any credentials accidentally exposed in your Git repository.
  • security_review: Perform security review analysis on code diffs. Analyzes local uncommitted changes (both staged and unstaged) compared to HEAD, or diffs between the main branch and the last commit. Requires the Enterprise Edition. You must specify your namespace in the MCP server configuration. You must also enable AI security code review for your namespace in the Endor Labs platform. See AI security code review for setup instructions.

After you set up the MCP server, you can choose to disable the tools that you do not want to use.

Ensure that the following prerequisites are met:

  • A Devin account with access to the MCP Marketplace
  • Your organization’s Endor Labs namespace
  • Endor Labs API key and secret. See Endor Labs’ API keys for more information

  1. Navigate to Settings > MCP Marketplace in Devin.

  2. Click Add Your Own to add a custom MCP server.

  3. Add the following secrets with the corresponding values:

    • ENDOR_API_CREDENTIALS_KEY: Your Endor Labs API key
    • ENDOR_API_CREDENTIALS_SECRET: Your Endor Labs API secret
    • ENDOR_NAMESPACE: Your Endor Labs namespace

  4. Add the following configuration under STDIO Configuration:

    • Command: npx
    • Arguments: -y endorctl ai-tools mcp-server -n $ENDOR_NAMESPACE --api-key $ENDOR_API_CREDENTIALS_KEY --api-secret $ENDOR_API_CREDENTIALS_SECRET

  5. Click Save Changes to save the MCP server configuration.

The following parameters are used to configure the MCP server in Devin:

  • ENDOR_API_CREDENTIALS_KEY: (Required) Your Endor Labs API key. See API keys for more information.
  • ENDOR_API_CREDENTIALS_SECRET: (Required) Your Endor Labs API secret.
  • ENDOR_NAMESPACE: (Required) Your Endor Labs namespace to access your organization’s policies.

  1. Navigate to Settings > MCP Marketplace in Devin.

  2. Locate the endor-cli-tools server in the list.

  3. Click the server to view its details and manage its tools.

To enhance the MCP server integration, you can add instructions through Devin Knowledge. Knowledge entries guide Devin’s AI development with your project-specific instructions.

  1. Navigate to Settings > Knowledge in Devin.

  2. Create a new Knowledge entry for Endor Labs security scanning.

  3. Add appropriate instructions for your project. For example, you can add a rule to check if the code is free from vulnerabilities.

You can also create a Playbook to automate security scanning workflows with the Endor Labs MCP server.

You can use the following Knowledge instructions as a quick start for the Endor Labs MCP server. Modify the instructions to meet your specific organization’s needs. For more information, refer to the Devin Knowledge documentation.

# Software Composition Analysis (SCA) Rule (Endor Labs MCP server)

This project uses Endor Labs for automated dependency (SCA) scanning, integrated through the MCP server.

## Workflow

Every time a manifest or lockfile (`package.json`, `requirements.txt`, `go.mod`, `pom.xml`, etc.) is created or modified in any way, immediately do the following prior to performing your next task.

**Important**: Do not proceed after creating or modifying a manifest file without running this first.

- Run `endor-cli-tools` using the `check_dependency_for_vulnerabilities` tool via the MCP server.
- Provide the **ecosystem**, **dependency name**, and **version** always when making this tool call.
- If a vulnerability or error is identified:
  - Upgrade to the suggested safe version, or
  - Replace the dependency with a non-vulnerable alternative.
- Re-run the check using `endor-cli-tools` to confirm the issue is resolved.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.

# Leaked Secrets Detection Rule (Endor Labs MCP server)

This project uses Endor Labs for automated security scanning, integrated through the MCP server.

## Workflow

Whenever a file is modified in the repository, and before the end of a session:

- Run `endor-cli-tools` using the `scan` tool via the MCP server to check for leaked secrets.
- If any secrets or errors are detected:
  - Remove the exposed secret or correct the error immediately.
  - Re-run the scan to verify the secret has been properly removed.
- Save scan results and remediation steps in a security log or as comments for audit purposes.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.
- This scan must use the path of the directory from which the changed files are in. Use absolute paths.

# Static Application Security Testing (SAST) Rule (Endor Labs MCP server)

This project uses Endor Labs for automated SAST, integrated through the MCP server.

## Workflow

Whenever a file is modified in the repository, and before the end of a session:

- Run `endor-cli-tools` using the `scan` tool via the MCP server to perform SAST scans.
- If any vulnerabilities or errors are found:
  - Present the issues to the user.
  - Recommend and apply appropriate fixes (e.g., input sanitization, validation, escaping, secure APIs).
- Save scan results and remediation steps in a security log or as comments for audit purposes.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.
- Do not invoke Opengrep directly.
- This scan must use the path of the directory from which the changed files are in. Use absolute paths.

Use the following troubleshooting steps to resolve common issues with the Endor Labs MCP server.

MCP server shows as disconnected or errored
  • Verify Node.js and npx are available: run npx --version in your terminal. If the command fails, install Node.js version 18 or later.
  • Restart your IDE or CLI to reload the MCP server configuration.
  • Check your config for syntax errors. Use a JSON or TOML validator, or switch to the configuration tool or CLI command instead of manual editing.
Authentication browser window does not open
  • Ensure your IDE or CLI can open a browser. Check firewall or security software that might block browser launch.
  • For Enterprise Edition, confirm ENDOR_MCP_SERVER_AUTH_MODE is set correctly (google, github, gitlab, or sso). For SSO, ensure ENDOR_MCP_SERVER_AUTH_TENANT is provided.
endorctl download times out

If npx -y endorctl hangs or times out (for example, behind a corporate proxy or firewall), install endorctl globally and update your MCP config to use it. For more information, see Install endorctl.

After installing endorctl, update your MCP config to call endorctl directly instead of npx.

Replace the command and args entries with:

"command": "endorctl",
"args": ["ai-tools", "mcp-server"]

Alternatively, configure your proxy settings for npm.

Tools return errors when invoked
  • If you are using the Enterprise Edition, verify whether your namespace is correct and that your user has Read-Only permissions. See Authorization policies for details.
  • Ensure endorctl is on your PATH if you installed it globally instead of using npx.
  • Check that the working directory or project path is valid when invoking tools.
Config file has a syntax error and the IDE gives no useful message
IDEs often fail silently on invalid configuration. Validate your config file (for example, .cursor/mcp.json, .vscode/mcp.json, .mcp.json, or .codex/config.toml) with a JSON or TOML linter. Alternatively, use the configuration tool or CLI command for your platform instead of editing the file manually.