Endor Labs MCP server as a Gemini Extension

Learn how to deploy and run the Endor Labs MCP as a Gemini Extension
Beta

The Endor Labs Model Context Protocol (MCP) server integrates seamlessly into your AI-native development workflows to help you keep your code secure and fix security risks faster. You can catch issues long before they’re a problem in production and fix them faster when they already are.

Endor Labs MCP server is available as a Gemini extension. After you install the extension, you can use natural language commands to interact with the MCP server. You can find the extension on GitHub.

This guide details how to integrate Endor Labs security capabilities directly into your Gemini development workflows using MCP.

Endor Labs MCP server helps your developers and AI agents in their development workflows in the following ways:

  • Provide guardrails for agents before code review: Reduce the number of known vulnerabilities entering your code and save developers time by checking AI agent suggestions in real time, before an issue is discovered in CI or in production.
  • Improve the speed of remediating security risks: Agents use vulnerability context from Endor Labs to implement secure changes, from writing more secure code to upgrading dependencies to a fixed version.

The Endor Labs MCP server has two editions.

  • Developer Edition: A free edition that requires no configuration. A browser window opens on first use for authentication via GitHub, GitLab, or Google. The Developer Edition provides access to default security policies from Endor Labs.

  • Enterprise Edition: A paid edition that enforces your organization’s specific security policies. Authenticate using Google, GitHub, GitLab, or SSO. You must specify your namespace to access your organization’s policies.

Additionally, if you already have Endor Labs configured locally (for example, from a previous endorctl init command), the MCP server can use your pre-existing configuration.

Complete the following tasks to integrate Endor Labs MCP Server into Gemini.

  • Install the Endor Labs MCP server as a Gemini extension. See Install the Endor Labs MCP server as a Gemini extension for more details. No configuration is required to get started with the Developer Edition.

  • Configure permissions for your developers (optional): If you’re using the Enterprise Edition with a specific namespace, give your developers Read-Only permissions on that namespace. Because the MCP server authenticates as the developer, the agent inherits exactly the developer's permissions, so read-only access is sufficient for the tools listed below and limits what an agent can change. See Endor Labs’ Authorization policies for more details.

The Endor Labs MCP server provides the following tools:

  • check_dependency_for_vulnerabilities: Check if the dependencies in your project are vulnerable.
  • get_endor_vulnerability: Get the details of a specific vulnerability from the Endor Labs vulnerability database.
  • get_resource: Add additional context from commonly used Endor Labs resources about your software such as findings, vulnerabilities, and projects.
  • scan: Run an Endor Labs security scan to detect risks in your open source dependencies, find common security issues, and spot any credentials accidentally exposed in your Git repository.

After you set up the MCP server, you can choose to disable the tools that you do not want to use.
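As an added example (not from the Endor Labs documentation or the extension repository), this is how a tool can be disabled in Gemini CLI. Gemini CLI accepts an excludeTools list on an MCP server entry, which hides the named tools from the agent. The server name endorlabs and the command placeholder are assumptions: copy the real name, command, and args from the gemini-extension.json that the install step places under ~/.gemini/extensions/, and keep only the excludeTools line as the change. The tool name scan is taken from the list above.

```json
{
  "mcpServers": {
    "endorlabs": {
      "command": "<copy from the installed gemini-extension.json>",
      "args": [],
      "excludeTools": ["scan"]
    }
  }
}
```

Restart Gemini CLI and run /mcp list to confirm that scan no longer appears under the server's tools. Edits made directly in the extension's own gemini-extension.json are overwritten when the extension is updated, so prefer carrying the override in your user settings.json when Gemini CLI honors it for the server.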

Run the following command to install the Endor Labs MCP server as a Gemini extension.

gemini extensions install https://github.com/endorlabs/gemini-extension.git

Run the following command in the Gemini CLI to verify the Endor Labs MCP server installation.

gemini> /mcp list

If the Endor Labs MCP server is installed, it appears in the list of MCP servers, along with the tools it exposes.

After you install the Endor Labs MCP server as a Gemini extension, initializing it in Gemini CLI is optional.

The MCP server works out of the box with the Developer Edition. The first time you use a tool, a browser window opens, and you authenticate with GitHub, GitLab, or Google. After authentication, the MCP server uses the free Developer Edition with default security policies.

If you already have Endor Labs configured locally (from a previous endorctl initialization), the MCP server uses your local configuration. The configuration already contains the namespace information, so you don’t need to specify it separately.

If you want to use the Enterprise Edition with your organization’s specific policies, you can use natural language commands to initiate an authentication flow.

gemini> Initialize Endor Labs with Google authentication using the command `endorctl init --auth-mode=google`

You can use any supported authentication mode: google, github, gitlab, or sso. If you choose sso, you must also provide your tenant name. Existing users with read-only permissions on a namespace can authenticate to that namespace through the browser.

After you initialize the MCP server, you can use natural language prompts to ask it about your projects, vulnerabilities, and dependencies.

The following examples show how to use the Endor Labs MCP server in Gemini CLI. Always start Gemini CLI from the project directory, because the scan and dependency tools operate on the current working directory.

gemini> Scan my project for security vulnerabilities
gemini> Check dependencies for known CVEs
gemini> Generate a security report for this repository

The extension ships a context file, ENDORLABS_CONTEXT.md, in the ~/.gemini/extensions/endorlabs/gemini-extension/ directory. You can edit this file to add rules and project-specific context that the agent applies when it uses the MCP server.
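The following is a constructed example of project rules that could be added to ENDORLABS_CONTEXT.md. It is added here and is not the file shipped with the extension; the rules and the package manifests it names are illustrative, and the tool names are those listed earlier on this page.

```markdown
# Project rules for the Endor Labs MCP server (constructed example)

- Run `scan` before proposing any dependency upgrade, and run it again after
  the change is applied so the result can be compared.
- When `check_dependency_for_vulnerabilities` reports a finding, look it up
  with `get_endor_vulnerability` and cite the fixed version in the proposed
  change, not just the advisory identifier.
- Prefer the smallest version bump that resolves the finding. Do not replace a
  dependency with a different package without asking first.
- If a scan surfaces a credential in the repository, report only the file path
  and line; never print the secret itself or commit a change that includes it.
- Dependency manifests in this repository are package.json and go.mod
  (constructed example); do not edit lockfiles by hand.
```

Keep the rules short and specific to what the tools can verify; the agent reads this file on every session, so it is the right place for team conventions such as which dependency changes need a human reviewer.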