Mend SAST

Category: SAST
License: Commercial
Suphi Cankurt
AppSec Enthusiast
Updated February 19, 2026
Key Takeaways
  • Agentic SAST via MCP server integrates with Cursor, Claude Code, GitHub Copilot, Windsurf, and Amazon Q to scan AI-generated code before it enters the repository.
  • Supports 25 languages with dual-engine scanning: Gen 1 covers all languages, Gen 2 adds deeper cross-file taint analysis for Java, C#, Python, JS/TS, and C/C++.
  • Three scan profiles (Fast, Balanced, Deep) trade speed for detection depth; covers 70+ CWE types with OWASP, PCI DSS, HIPAA, and MISRA compliance mapping.
  • Formerly WhiteSource (rebranded May 2022); Forrester Strong Performer in SAST Wave Q3 2025. Source code never leaves your environment—scanning runs locally.

Mend SAST is a commercial SAST tool from Mend.io, the company formerly known as WhiteSource. It scans 25 programming languages using taint analysis and ships with an MCP server that plugs directly into AI coding assistants like Cursor, Claude Code, and GitHub Copilot.

Mend SAST security dashboard showing vulnerability analytics across SCA, SAST, and container scans

Mend.io was founded in 2011 in Israel and rebranded from WhiteSource in May 2022. The company has raised roughly $125M in funding, backed by Pitango Growth and M12 (Microsoft’s venture fund).

Forrester named Mend a Strong Performer in their Q3 2025 SAST Wave, with top scores in the innovation and triage criteria.

What is Mend SAST?

Mend SAST uses taint analysis to trace the flow of untrusted data through your code. It tracks three things: where tainted data enters (sources like HTTP parameters and file reads), where it gets cleaned (sanitizers), and where unsanitized data could cause damage (sinks like SQL queries or command execution).

The tool runs two engine generations. Gen 1 covers all 25 languages. Gen 2 adds deeper cross-file analysis for Java, C#, Python, JavaScript/TypeScript, and C/C++, and only Gen 2 offers the three scan profiles: Fast (prioritizes speed), Balanced (optimizes between speed and detection), and Deep (no analysis limits, longest duration). For the remaining languages you get Gen 1 only, without cross-file data flow analysis and without profile selection, so expect shallower results there.

The “Agentic SAST” capability is the main differentiator. As developers use AI coding assistants, Mend’s MCP server scans generated code before it hits the repository.

The MCP server exposes two tools: mend-code-security-assistant for SAST and mend-dependencies-assistant for SCA.

Agentic SAST
The MCP server integrates with Cursor, Windsurf, Claude Code, GitHub Copilot, Amazon Q, and Gemini CLI. It scans AI-generated code for CWEs and newly added dependencies for CVEs, and the agent can iterate up to three times to fix what it finds.

Dual-Engine Scanning
Gen 1 covers 25 languages. Gen 2 adds deeper cross-file data flow analysis for Java, C#, Python, JS/TS, and C/C++. Three scan profiles let you trade speed for depth.

Unified Platform
SAST findings correlate with Mend SCA, DAST, and container security in a single dashboard. Source code never leaves your environment: scanning runs locally, and scan results go to the Mend cloud platform for reporting and policy enforcement.

Key features

  • Languages: 25 (Java, C#, Python, JS/TS, Go, Kotlin, PHP, Ruby, Rust, Swift, C/C++, ABAP, Apex, COBOL, and more)
  • Analysis type: Taint analysis (source → sanitizer → sink tracking)
  • Engine generations: Gen 1 (all languages) and Gen 2 (Java, C#, Python, JS/TS, C/C++)
  • Scan profiles: Fast, Balanced, Deep (Gen 2 only)
  • CWE coverage: 70+ CWE types
  • Scan types: Full, Incremental, Secrets detection
  • Report formats: SARIF, HTML, PDF, JSON, CSV, XML
  • Compliance: OWASP 2017/2021/2025, PCI DSS 3.2/4.0, HIPAA, HITRUST, NIST, SANS, MISRA C/C++
  • CLI command: mend code (replaces legacy mend sast)
  • Timeouts: 480 min per language, 60s–1800s per file

Taint analysis and data flow tracking

Mend SAST data flow analysis showing tainted data paths with file locations and code snippets

Mend traces tainted data from entry points through your codebase. Sources include HTTP request parameters, file reads, command-line arguments, and network services.

Predefined sanitizers are built in, and you can add custom ones for your own validation functions.

Mend SAST risk factors view showing security overview with severity, data flows, and source code

Reachability analysis filters out findings where vulnerable code paths are not actually exercised in your application. This helps separate exploitable issues from theoretical ones.
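To make the source → sanitizer → sink model concrete, here is a small taint tracker added for illustration; it is not Mend's engine or code. It works on a hand-built list of statements rather than real source, and the catalogue of sources, sinks and sanitizers (including the custom sanitize_path validator) is constructed for the example. The point it shows beyond the text is that a sanitizer is only valid for the sinks it was designed for: shlex.quote neutralises a shell-command sink but not a SQL sink, and a custom validator that has not been registered is treated as an ordinary call that propagates taint.

```python
"""Minimal taint tracker modelling source -> sanitizer -> sink flows.

Added illustration only, not Mend's engine. The IR, the sample program and
the source/sanitizer/sink catalogues below are constructed for the example.
"""
from dataclasses import dataclass, field

# Where untrusted data enters the program.
SOURCES = {"request.args.get", "sys.argv", "sys.stdin.read", "socket.recv"}
# Where unsanitised data does damage, and the CWE each sink maps to.
SINKS = {"cursor.execute": "CWE-89", "os.system": "CWE-78", "open": "CWE-22"}
# A sanitizer neutralises taint only for the sinks it was designed for:
# shlex.quote makes a shell argument safe but does nothing for SQL.
PREDEFINED_SANITIZERS = {
    "shlex.quote": {"os.system"},
    "int": {"cursor.execute", "os.system", "open"},
}


@dataclass
class Stmt:
    kind: str            # "call": target = func(*args)   "sink": func(*args)
    target: str = ""
    func: str = ""
    args: tuple = ()


@dataclass
class Taint:
    path: list                                  # data-flow steps, source first
    safe_for: set = field(default_factory=set)  # sinks already neutralised


@dataclass
class Finding:
    cwe: str
    sink: str
    path: list


def analyze(program, custom_sanitizers=None):
    """Single forward pass; returns one Finding per unsanitised source->sink flow."""
    sanitizers = dict(PREDEFINED_SANITIZERS)
    sanitizers.update(custom_sanitizers or {})  # your own validation functions
    taint = {}                                  # var -> Taint; absent means clean
    findings = []
    for line, s in enumerate(program, 1):
        if s.kind == "call":
            if s.func in SOURCES:
                taint[s.target] = Taint([f"line {line}: {s.target} = {s.func}()  [source]"])
                continue
            tainted = [taint[a] for a in s.args if a in taint]
            if not tainted:
                taint.pop(s.target, None)       # overwritten with clean data
                continue
            step = f"line {line}: {s.target} = {s.func}({', '.join(s.args)})"
            if s.func in sanitizers:
                # Still user-controlled, but now safe for the sinks this
                # sanitizer covers, on top of any covered earlier in the flow.
                safe = tainted[0].safe_for | sanitizers[s.func]
                step += "  [sanitizer]"
            else:
                # Unknown callee or concatenation: taint propagates, and a sink
                # stays safe only if every tainted input was already safe for it.
                safe = set.intersection(*(t.safe_for for t in tainted))
            taint[s.target] = Taint(tainted[0].path + [step], safe)
        elif s.kind == "sink":
            for a in s.args:
                t = taint.get(a)
                if t is not None and s.func not in t.safe_for:
                    findings.append(Finding(SINKS[s.func], s.func,
                                            t.path + [f"line {line}: {s.func}({a})  [sink]"]))
    return findings


# Constructed program: a request handler that mishandles one parameter.
PROGRAM = [
    Stmt("call", "user", "request.args.get"),                  # 1: tainted
    Stmt("call", "query", "str.format", ("tmpl", "user")),     # 2: still tainted
    Stmt("sink", func="cursor.execute", args=("query",)),      # 3: CWE-89
    Stmt("call", "quoted", "shlex.quote", ("user",)),          # 4: safe for shell only
    Stmt("sink", func="os.system", args=("quoted",)),          # 5: clean
    Stmt("sink", func="cursor.execute", args=("quoted",)),     # 6: CWE-89, wrong sanitizer
    Stmt("call", "uid", "int", ("user",)),                     # 7: safe everywhere
    Stmt("sink", func="cursor.execute", args=("uid",)),        # 8: clean
    Stmt("call", "path", "sanitize_path", ("user",)),          # 9: custom validator
    Stmt("sink", func="open", args=("path",)),                 # 10: CWE-22 unless registered
]

if __name__ == "__main__":
    for registered in (None, {"sanitize_path": {"open"}}):
        print(f"custom sanitizers: {registered}")
        for f in analyze(PROGRAM, registered):
            print(f"  {f.cwe} via {f.sink}\n    " + "\n    ".join(f.path))
```

Running it with no custom sanitizers reports three flows (lines 3, 6 and 10); registering sanitize_path as a sanitizer for the open sink removes the third, which is exactly the effect of adding a custom sanitizer in a real engine. A real engine also resolves sources and sinks across files and call boundaries, which this single-pass toy does not attempt.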

Finding triage and remediation

Mend SAST finding details view with code findings list and CWE details panel

Each finding includes CWE classification, severity rating, data flow paths, and the exact source code location. The platform tracks remediation status across findings and lets you filter by severity, language, CWE type, or status.

Mend SAST code findings list with remediation status tracking

SAST and DAST correlation

When you run both Mend SAST and DAST against the same application, findings correlate automatically. A static code vulnerability confirmed by dynamic testing gets marked as “Exploitable,” which helps prioritize what to fix first.

Mend SAST and DAST correlation view showing exploitable finding with dynamic evidence

Agentic IDE integration

The MCP server is what sets Mend apart from most SAST tools right now. It works with:

  • Cursor
  • VS Code (via Copilot)
  • Claude Code
  • Windsurf
  • Amazon Q Developer
  • Gemini CLI
  • Gemini Code Assist
  • Antigravity

When an AI agent generates code, the MCP server checks it for security issues and returns remediation guidance. The agent can iterate up to three times to produce secure code.

For dependencies, it checks CVEs but only flags direct dependencies, not transitive ones, so a regular Mend SCA scan is still needed to catch CVEs pulled in transitively.

MCP setup requirement
Organizations must sign an AI feature addendum to their Mend.io contract before using the MCP server. You need an active Mend account with valid user credentials.

For traditional IDE use, Mend offers the Advise Code plugin for JetBrains IDEs (IntelliJ IDEA, PyCharm, WebStorm). VS Code and Visual Studio extensions exist but only cover SCA, not SAST.

Scan types

Three scan modes are available:

  • Full scan — Analyzes the entire codebase. Use this for initial baselines and periodic deep checks.
  • Incremental scan — Only checks changes since the last baseline. Requires a prior full scan with --upload-baseline. Faster for CI/CD pipelines.
  • Secrets detection — Pattern-matching for hardcoded credentials, API keys, and tokens in config files (JSON, YAML, XML, .properties, .config). Covers CWE-798 and CWE-260.
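A small pattern-matching secrets scanner in the spirit of the scan mode above, added here as an illustration and not Mend's implementation. The three config snippets are constructed, and the key-name patterns, placeholder rules and entropy threshold are choices of the example. It shows the two checks a practitioner expects such a scanner to get right: skipping values that are obviously placeholders (${API_KEY}, changeme) so they do not drown real hits, and requiring some entropy for API keys and tokens (CWE-798) while still flagging any literal password in a config file (CWE-260) regardless of how weak it looks.

```python
"""Pattern-matching secrets scanner for config files.

Added illustration, not Mend's secrets-detection engine. The sample files,
key-name patterns, placeholder rules and thresholds are constructed here.
"""
import math
import re
from collections import Counter

# key = value / key: value / "key": "value" across JSON, YAML and .properties
KEY_VALUE = re.compile(
    r"""^\s*["']?(?P<key>[\w.\-]*(?:password|passwd|pwd|secret|api[_\-]?key|token)[\w.\-]*)["']?"""
    r"""\s*[:=]\s*["']?(?P<value>[^"'\s,]+)""",
    re.IGNORECASE,
)
PASSWORD_KEY = re.compile(r"password|passwd|pwd", re.IGNORECASE)
# Values that are references or templates rather than credentials.
PLACEHOLDER = re.compile(
    r"^(?:\$\{[^}]*\}|\$[A-Za-z_]\w*|<[^>]*>|changeme|change_me|xxx+|\*{3,}|your[_\-]?\w*)$",
    re.IGNORECASE,
)


def shannon_entropy(s):
    """Bits per character; random-looking keys score well above plain words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value):
    return value[:3] + "*" * (len(value) - 3)


def scan_config(filename, text, min_len=8, min_entropy=3.0):
    """Return one finding per credential-looking key/value pair in a config file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_VALUE.search(line)
        if not m:
            continue
        key, value = m["key"], m["value"]
        if len(value) < min_len or PLACEHOLDER.match(value):
            continue
        is_password = PASSWORD_KEY.search(key) is not None
        # Tokens and keys must look random; passwords are flagged whatever they look like.
        if not is_password and shannon_entropy(value) < min_entropy:
            continue
        findings.append({
            "file": filename, "line": lineno, "key": key,
            "cwe": "CWE-260" if is_password else "CWE-798",
            "value": mask(value),   # never echo the secret itself into a report
        })
    return findings


def scan_all(files):
    return [f for name, text in files.items() for f in scan_config(name, text)]


# Constructed sample config files; none of these values is a real credential.
SAMPLES = {
    "app.json": (
        '{\n'
        '  "db_password": "Tr0ub4dor&3",\n'
        '  "api_key": "${API_KEY}",\n'
        '  "aws_secret_access_key": "4f9a1c7e2b8d6e0f3a5c9b7d1e2f4a6c"\n'
        '}\n'
    ),
    "config.yaml": (
        "database:\n"
        "  user: app\n"
        "  password: changeme\n"
        "billing:\n"
        "  token: tok_7Hq2mZ9vLp4Rw8Nx3Ky6Jb1Tc5Ds0Fg\n"
    ),
    "app.properties": "jdbc.password=s3cr3tP@ss\nlog.level=INFO\n",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f['file']}:{f['line']} {f['cwe']} {f['key']} = {f['value']}")
```

On the three samples it reports four findings (the JSON password and AWS secret, the YAML token, and the .properties password) and skips both placeholders. Masking the value in the output matters in practice: a scanner that prints the secret it found has just copied it into the CI log.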

Compliance and reporting

Mend SAST project summary showing scan overview with language detection and findings count

Reports map findings to specific compliance frameworks. You can generate reports in SARIF, HTML, PDF, JSON, CSV, or XML format.

Supported standards: OWASP Top 10 (2017, 2021, 2025), PCI DSS (3.2 and 4.0), HIPAA, HITRUST, NIST, CAPEC, SANS Top 25, and MISRA (C:2025, C++:2023).

Mend SAST violation findings table showing project-level policy violations by severity

Vendor benchmark claims
Mend publishes performance claims including “38% better precision,” “48% better recall,” and “46% more accurate AI fixes” versus competitors. These come from Mend’s internal benchmarks. Independent third-party validation is not publicly available.

Integrations

Source Code Management: GitHub, GitLab, Bitbucket, Azure DevOps
CI/CD: GitHub Actions, Azure Pipelines, Bitbucket Pipelines, CircleCI, Jenkins
Issue Tracking: Jira, Azure DevOps, GitHub Issues, Redmine, ServiceNow

Getting started

1. Install the Mend CLI. The CLI is the primary scanning tool. Authenticate with environment variables (MEND_EMAIL, MEND_USER_KEY, MEND_URL) or command-line parameters. MEND_USER_KEY is a credential: keep it in your CI secret store, not in the pipeline definition.
2. Run a full scan. Execute mend code in your project directory. For a specific path, use mend code --dir /path/to/project. Add --secrets-detection to include credential scanning.
3. Set up CI/CD. Add the Mend CLI to your pipeline. GitHub Actions, Azure Pipelines, Bitbucket Pipelines, CircleCI, and Jenkins are all supported. Use --scope to organize findings by org, app, and project. Run the first pipeline scan with --upload-baseline so later incremental scans have a baseline to diff against.
4. Configure agentic SAST. For AI coding assistants, configure the MCP server in your IDE settings. The server exposes mend-code-security-assistant (SAST) and mend-dependencies-assistant (SCA).
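The CLI can emit SARIF (see the report formats under compliance and reporting), which is the format most CI systems and code hosts ingest. The gate below is an added example of consuming such a report in the pipeline set up in step 3; it is not Mend's own tooling. The SARIF document is constructed by hand, and the rule ids, tags and the way severity maps onto SARIF levels are assumptions of the example rather than what Mend actually emits. It fails the job on any unsuppressed error-level result, blocks selected CWEs regardless of level, and honours SARIF suppressions so that findings already accepted in triage do not keep breaking builds.

```python
"""Fail a CI job on a SARIF report.

Added example, not Mend's tooling. The SARIF document is constructed; rule
ids, tags and the severity-to-level mapping are assumptions of the example.
"""
import json
import sys
from collections import Counter


def load_results(sarif_text):
    """Flatten SARIF 2.1.0 results, joining each to its rule's CWE tag."""
    doc = json.loads(sarif_text)
    results = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            tags = rule.get("properties", {}).get("tags", [])
            cwes = [t for t in tags if t.startswith("CWE-")]
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            # A result is suppressed when any suppression on it is accepted
            # (SARIF treats a missing status as accepted).
            suppressed = any(s.get("status", "accepted") == "accepted"
                             for s in res.get("suppressions", []))
            results.append({
                "rule": res.get("ruleId"),
                "level": res.get("level", "warning"),  # SARIF default when absent
                "cwe": cwes[0] if cwes else "unknown",
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "suppressed": suppressed,
            })
    return results


def gate(results, fail_on=("error",), block_cwes=("CWE-89", "CWE-78")):
    """Return (ok, blocking_results, summary). Suppressed results never block."""
    live = [r for r in results if not r["suppressed"]]
    blocking = [r for r in live if r["level"] in fail_on or r["cwe"] in block_cwes]
    summary = Counter((r["level"], r["cwe"]) for r in live)
    return not blocking, blocking, summary


def _result(rule_id, level, text, uri, line, **extra):
    return {"ruleId": rule_id, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}],
            **extra}


# Constructed SARIF document standing in for a real scanner report.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "properties": {"tags": ["security", "CWE-89"]}},
            {"id": "XSS-001", "properties": {"tags": ["security", "CWE-79"]}},
            {"id": "CMDI-001", "properties": {"tags": ["security", "CWE-78"]}},
            {"id": "CRED-001", "properties": {"tags": ["security", "CWE-798"]}},
        ]}},
        "results": [
            _result("SQLI-001", "error", "Tainted data reaches cursor.execute", "app/db.py", 42),
            # accepted in triage: must not block the build
            _result("XSS-001", "warning", "Unescaped output", "web/view.js", 17,
                    suppressions=[{"kind": "inSource"}]),
            _result("CMDI-001", "warning", "Tainted data reaches os.system", "app/jobs.py", 88),
            _result("CRED-001", "note", "Hardcoded token", "config/app.yaml", 5),
        ],
    }],
})

if __name__ == "__main__":
    # Usage: python sarif_gate.py report.sarif   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    ok, blocking, summary = gate(load_results(text))
    for (level, cwe), n in sorted(summary.items()):
        print(f"{level:8} {cwe:8} {n}")
    for r in blocking:
        print(f"BLOCKING {r['rule']} ({r['cwe']}, {r['level']}) at {r['file']}:{r['line']}")
    sys.exit(0 if ok else 1)
```

On the sample it blocks on the SQL injection (error level) and the command injection (only a warning, but a blocked CWE), ignores the suppressed XSS result, and lets the note-level hardcoded token through to be triaged rather than failing the job. Tune fail_on and block_cwes to your own policy; the point is that the gate reads the same SARIF file the code host displays, so developers and the pipeline disagree about nothing.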

When to use Mend SAST

Mend SAST fits teams that use AI coding assistants and want security scanning wired into the code generation loop. The MCP server integration with Cursor, Claude Code, and Copilot is something most SAST tools do not offer yet.

Teams already on Mend SCA get a unified dashboard where first-party code vulnerabilities sit next to third-party dependency issues. The hybrid architecture keeps source code on-premises while using cloud analysis for reporting and policy enforcement.

For teams that want open-source SAST or don’t use AI coding assistants, Semgrep CE or SonarQube are better starting points. If you need a SAST tool that runs entirely in your own infrastructure with no cloud dependency, look at Checkmarx or Fortify.

Best for
Teams using AI coding assistants (Cursor, Claude Code, Copilot, Windsurf) that want real-time SAST on generated code, plus unified first-party and third-party vulnerability management on the Mend platform.


Frequently Asked Questions

What is Mend SAST?
Mend SAST is a commercial static analysis tool from Mend.io (formerly WhiteSource). It supports 25 programming languages using taint analysis that traces data flow from untrusted sources through sanitizers to sinks. The Agentic SAST feature integrates with AI coding tools like Cursor, Claude Code, and GitHub Copilot via an MCP server.
Is Mend SAST free?
No. Mend SAST is commercial software included in the Mend application security platform, which also covers SCA, DAST, and container security. Contact Mend.io for pricing.
What is Agentic SAST?
Agentic SAST is Mend’s approach to scanning AI-generated code. An MCP server connects to agentic IDEs like Cursor, Windsurf, Claude Code, Amazon Q, and Gemini CLI. When an AI agent writes code or adds a dependency, the MCP server checks it for CWEs and CVEs before it enters the repository.
How many languages does Mend SAST support?
Mend SAST supports 25 languages including Java, C#, Python, JavaScript, TypeScript, Go, Kotlin, PHP, Ruby, Rust, Swift, C/C++, ABAP, APEX, COBOL, and others. Gen 2 engines with deeper analysis are available for Java, C#, Python, JavaScript/TypeScript, and C/C++.
What compliance standards does Mend SAST cover?
Mend SAST maps findings to OWASP Top 10 (2017, 2021, 2025), PCI DSS (3.2 and 4.0), HIPAA, HITRUST, NIST, CAPEC, SANS Top 25, and MISRA C/C++ standards. Reports can be generated against each of these frameworks in SARIF, HTML, PDF, JSON, CSV, or XML format.