This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Endor Labs MCP server in Google Antigravity

Learn how to deploy and run the Endor Labs MCP server in Google Antigravity.

This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Learn how to deploy and run the Endor Labs MCP server in Google Antigravity.

Beta

Scan dependencies, detect vulnerabilities, find leaked secrets, and review code for security issues directly inside Google Antigravity, powered by your AI agent.

What you can do

With the Endor Labs MCP server, you can:

Check dependency safety before adding a new package
Scan for vulnerabilities and malware in your open source dependencies
Find leaked secrets accidentally committed in your Git history
Run AI security reviews on your code changes (Enterprise Edition)

Install the MCP server

The Developer Edition is free and uses default security policies from Endor Labs. When you use the MCP server for the first time, a browser window opens for authentication through GitHub, GitLab, or Google.

On the agent panel, click …, then select MCP Servers > Manage MCP Servers. Click Raw Config to open the raw configuration editor and add the generated configuration.

Developer Edition Configuration

Copy the JSON configuration for your MCP configuration file.

For manual configuration, copy and paste the following JSON directly into your MCP configuration file.

MCP server configuration

Support

Have questions? Email us at community-support@endor.ai.

The Enterprise Edition enforces your organization’s specific security policies. You need your Endor Labs namespace and an authentication method. Ensure that your developers have Read-Only permissions to Endor Labs. See Authorization policies for more details.

Generate the Enterprise Edition configuration for your organization.

Enterprise Edition Configuration

Select your authentication method and generate JSON for your MCP configuration.

Pre-existing Endor Labs configuration?

Select Yes if you already have Endor Labs configured locally from a previous endorctl init. Your existing configuration is used without additional setup.

Authentication method *

Choose how your organization authenticates with Endor Labs.

Namespace *

Your Endor Labs namespace. Only alphanumeric characters, dots, hyphens, and underscores are allowed.

Tenant *

Your organization's SSO tenant name.

For manual configuration, copy and paste the following JSON directly into your MCP configuration file.

View JSON configuration

MCP server configuration

The following parameters are used to configure the MCP server. All parameters are optional.

ENDOR_MCP_SERVER_AUTH_MODE: The authentication mode to use for the MCP server. You can use the following authentication modes: github, gitlab, google, sso. If you choose sso, you must add ENDOR_MCP_SERVER_AUTH_TENANT as an additional parameter. If not specified, the MCP server defaults to browser authentication for the Developer Edition.
ENDOR_NAMESPACE: The namespace to use for the MCP server. Required for Enterprise Edition to access your organization’s specific policies. Not needed for Developer Edition.
ENDOR_MCP_SERVER_AUTH_TENANT: The tenant name for SSO authentication. Required when ENDOR_MCP_SERVER_AUTH_MODE is set to sso for Enterprise Edition access.

Verify the installation

On the agent panel, click …, then select MCP Servers > Manage MCP Servers.
Confirm that endor-cli-tools appears in the list and is enabled.

Try a test prompt

After installing the MCP server, try the following prompt in your AI chat or CLI to verify that the tools are working.

Check if the npm package lodash version 4.17.20 has any vulnerabilities

The MCP server uses the check_dependency_for_vulnerabilities tool to check for known vulnerabilities and return the results. If you see a response with vulnerability details, the MCP server is working correctly.

Manage MCP servers

On the agent panel, click …, then select MCP Servers > Manage MCP Servers.
From here, you can view active MCP servers, edit configurations through Raw Config, or enable and disable individual servers.

How to use the Endor Labs MCP server

The Endor Labs MCP server provides the following tools:

check_dependency_for_vulnerabilities: Check if a dependency in your project is vulnerable.
check_dependency_for_risks: Check a dependency for security risks including vulnerabilities and malware.
get_endor_vulnerability: Get the details of a specific vulnerability from the Endor Labs vulnerability database.
get_resource: Retrieve additional context from commonly used Endor Labs resources about your software, such as findings, vulnerabilities, and projects.
scan: Run an Endor Labs security scan to detect risks in your open source dependencies, find common security issues, and spot any credentials accidentally exposed in your Git repository.
security_review: Perform security review analysis on code diffs. Analyzes local uncommitted changes (both staged and unstaged) compared to HEAD, or diffs between the main branch and the last commit. Requires the Enterprise Edition. You must specify your namespace in the MCP server configuration. You must also enable AI security code review for your namespace in the Endor Labs platform. See AI security code review for setup instructions.

After you set up the MCP server, you can choose to disable the tools that you do not want to use.

Configure GEMINI.md

Google Antigravity reads GEMINI.md files to guide AI development with your project-specific instructions. To enhance the MCP server integration, you can add instructions in GEMINI.md at the root of your repository or globally in the ~/.gemini/ directory.

Navigate to the root of your repository.
Create or edit the GEMINI.md file in the root of your repository. For global rules that apply across all projects, create or edit ~/.gemini/GEMINI.md.
Add appropriate rules for your project. For example, you can add a rule to check if the code is free from vulnerabilities.

Example GEMINI.md instructions

You can use the following GEMINI.md instructions as a quick start for the Endor Labs MCP server. Modify the instructions to meet your specific organization’s needs. For more information, refer to the Google Antigravity documentation.

# Software Composition Analysis (SCA) Rule (Endor Labs via MCP)

This project uses Endor Labs for automated dependency (SCA) scanning, integrated through the MCP server.

## Workflow

Every time a manifest or lockfile (package.json, requirements.txt, go.mod, pom.xml, etc.) is created or modified in any way, immediately do the following prior to performing your next task.

**Important**: Do not proceed after creating or modifying a manifest file without running this first.

- Run `endor-cli-tools` using the `check_dependency_for_vulnerabilities` tool via the MCP server.
- Provide the **ecosystem**, **dependency name**, and **version** always when making this tool call.
- If a vulnerability or error is identified:
  - Upgrade to the suggested safe version, or
  - Replace the dependency with a non-vulnerable alternative.
- Re-run the check using `endor-cli-tools` to confirm the issue is resolved.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.

# Leaked Secrets Detection Rule (Endor Labs via MCP)

This project uses [Endor Labs](https://docs.endorlabs.com/) for automated security scanning, integrated through the MCP server.

## Workflow

Whenever a file is modified in the repository, and before the end of an agent session:

- Run `endor-cli-tools` using the `scan` tool via the MCP server to check for leaked secrets.
- If any secrets or errors are detected:
  - Remove the exposed secret or correct the error immediately.
  - Re-run the scan to verify the secret has been properly removed.
- Save scan results and remediation steps in a security log or as comments for audit purposes.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.
- This scan must use the path of the directory from which the changed files are in. Use absolute paths.

# Static Application Security Testing (SAST) Rule (Endor Labs via MCP)

This project uses [Endor Labs](https://docs.endorlabs.com/) for automated SAST, integrated through the MCP server.

## Workflow

Whenever a file is modified in the repository, and before the end of an agent session:

- Run `endor-cli-tools` using the `scan` tool via the MCP server to perform SAST scans.
- If any vulnerabilities or errors are found:
  - Present the issues to the user.
  - Recommend and apply appropriate fixes (e.g., input sanitization, validation, escaping, secure APIs).
- Save scan results and remediation steps in a security log or as comments for audit purposes.

## Notes
- All scans must be performed using the MCP server integration (`endor-cli-tools`). Do not invoke `endorctl` directly.
- Do not invoke Opengrep directly.
- This scan must use the path of the directory from which the changed files are in. Use absolute paths.

Troubleshooting

Use the following troubleshooting steps to resolve common issues with the Endor Labs MCP server.

MCP server shows disconnected

Run npx --version in your terminal. If the command fails, install Node.js version 18 or later. After installing, restart your IDE or CLI to reload the MCP server configuration.

Browser auth window does not open

Ensure your IDE or CLI can open a browser. Check firewall or security software that might block browser launch. For Enterprise Edition with SSO, verify that ENDOR_MCP_SERVER_AUTH_MODE and ENDOR_MCP_SERVER_AUTH_TENANT are set correctly in your MCP configuration.

npx times out behind a corporate proxy

Install endorctl globally and update your MCP config to call it directly instead of using npx. For more information, see Install endorctl.

Replace the command and args entries with:

"command": "endorctl",
"args": ["ai-tools", "mcp-server"]

Tools return errors (Enterprise)

Verify your namespace is correct and your user has Read-Only permissions in Endor Labs. See Authorization policies for details. Also ensure endorctl is on your PATH if you installed it globally instead of using npx.

MCP server fails to start on Windows

On Windows, ensure the following prerequisites are met:

Node.js is installed
npm global bin directory is in your PATH

Install Node.js

If Node.js is not installed, download and install the LTS version from nodejs.org. During installation, ensure the option to add Node.js to PATH is selected.

Configure the PATH environment variable

After installing Node.js, verify that the npm global bin directory is in your PATH:

Run the following command in the command line.
```
npm config get prefix
```
This returns the npm global directory path, typically C:\Users\<YourUsername>\AppData\Roaming\npm.
Add the npm global directory path to the Path variable under User variables in your system’s environment variables settings.
Restart for the PATH changes to take effect.

Verify the setup

Run the following command in your terminal.

npx --version

If this returns a version number, your Windows setup is complete and the MCP server can use npx to run endorctl.