Endor Labs MCP server in Devin

​

Prerequisites for Endor Labs MCP server

• A Devin account with access to the MCP Marketplace
• Your organization’s Endor Labs namespace
• Endor Labs API key and secret. See Endor Labs’ API keys for more information

​

Tools in the Endor Labs MCP server

• check_dependency_for_vulnerabilities: Check if a dependency in your project is vulnerable.
• check_dependency_for_risks: Check a dependency for security risks including vulnerabilities and malware.
• get_endor_vulnerability: Get the details of a specific vulnerability from the Endor Labs vulnerability database.
• get_resource: Retrieve additional context from commonly used Endor Labs resources about your software, such as findings, vulnerabilities, and projects.
• scan: Run an Endor Labs security scan to detect risks in your open source dependencies, find common security issues, and spot any credentials accidentally exposed in your Git repository.
• security_review: Perform security review analysis on code diffs. Analyzes local uncommitted changes (both staged and unstaged) compared to HEAD, or diffs between the main branch and the last commit. Requires the Enterprise Edition. You must specify your namespace in the MCP server configuration. You must also enable AI security code review for your namespace in the Endor Labs platform. See AI security code review for setup instructions.

​

Add Endor Labs MCP server through the MCP Marketplace

1. Navigate to Settings > MCP Marketplace in Devin.
2. Click Add Your Own to add a custom MCP server.
3. Add the following secrets with the corresponding values:
   • ENDOR_API_CREDENTIALS_KEY: Your Endor Labs API key
   • ENDOR_API_CREDENTIALS_SECRET: Your Endor Labs API secret
   • ENDOR_NAMESPACE: Your Endor Labs namespace
4. Add the following configuration under STDIO Configuration:
   • Command: npx
   • Arguments: -y endorctl ai-tools mcp-server -n $ENDOR_NAMESPACE --api-key $ENDOR_API_CREDENTIALS_KEY --api-secret $ENDOR_API_CREDENTIALS_SECRET
5. Click Save Changes to save the MCP server configuration.

​

Configuration parameters

• ENDOR_API_CREDENTIALS_KEY: (Required) Your Endor Labs API key. See API keys for more information.
• ENDOR_API_CREDENTIALS_SECRET: (Required) Your Endor Labs API secret.
• ENDOR_NAMESPACE: (Required) Your Endor Labs namespace to access your organization’s policies.

​

Manage MCP server tools

1. Navigate to Settings > MCP Marketplace in Devin.
2. Locate the endor-cli-tools server in the list.
3. Click the server to view its details and manage its tools.

​

Configure Devin Knowledge

1. Navigate to Settings > Knowledge in Devin.
2. Create a new Knowledge entry for Endor Labs security scanning.
3. Add appropriate instructions for your project. For example, you can add a rule to check if the code is free from vulnerabilities.

​

Example Knowledge instructions

# Software Composition Analysis (SCA) Rule (Endor Labs MCP server)

This project uses Endor Labs for automated dependency (SCA) scanning, integrated through the MCP server.

## Workflow

Every time a manifest or lockfile (`package.json`, `requirements.txt`, `go.mod`, `pom.xml`, etc.) is created or modified in any way, immediately do the following prior to performing your next task.

**Important**: Do not proceed after creating or modifying a manifest file without running this first.

- Run `endor-cli-tools` using the `check_dependency_for_vulnerabilities` tool via the MCP server.
- Provide the **ecosystem**, **dependency name**, and **version** always when making this tool call.
- If a vulnerability or error is identified:
  - Upgrade to the suggested safe version, or
  - Replace the dependency with a non-vulnerable alternative.
- Re-run the check using `endor-cli-tools` to confirm the issue is resolved.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.

# Leaked Secrets Detection Rule (Endor Labs MCP server)

This project uses Endor Labs for automated security scanning, integrated through the MCP server.

## Workflow

Whenever a file is modified in the repository, and before the end of a session:

- Run `endor-cli-tools` using the `scan` tool via the MCP server to check for leaked secrets.
- If any secrets or errors are detected:
  - Remove the exposed secret or correct the error immediately.
  - Re-run the scan to verify the secret has been properly removed.
- Save scan results and remediation steps in a security log or as comments for audit purposes.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.
- This scan must use the path of the directory from which the changed files are in. Use absolute paths.

# Static Application Security Testing (SAST) Rule (Endor Labs MCP server)

This project uses Endor Labs for automated SAST, integrated through the MCP server.

## Workflow

Whenever a file is modified in the repository, and before the end of a session:

- Run `endor-cli-tools` using the `scan` tool via the MCP server to perform SAST scans.
- If any vulnerabilities or errors are found:
  - Present the issues to the user.
  - Recommend and apply appropriate fixes (e.g., input sanitization, validation, escaping, secure APIs).
- Save scan results and remediation steps in a security log or as comments for audit purposes.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.
- Do not invoke Opengrep directly.
- This scan must use the path of the directory from which the changed files are in. Use absolute paths.

​

Watch how to use Endor Labs with Devin

​

Troubleshooting

"command": "endorctl",
"args": ["ai-tools", "mcp-server"]

npx --version