Snyk MCP Server

Official Snyk MCP server that runs locally via the Snyk CLI, exposing security scans for code, dependencies, IaC, containers, SBOMs, and secrets to AI agents.

Category: Developer Tools. Publisher: Snyk. Auth: OAuth2. Status: active.

Overview

The Snyk MCP server brings Snyk's security scanning into MCP-enabled agentic tools so AI assistants can find and remediate vulnerabilities as part of their normal coding loop. It is distributed through the Snyk CLI (version 1.1296.2 or later) and runs locally on the developer's machine so it can read source files and project manifests directly. The implementation lives in the snyk/studio-mcp repo and the mcp_extension package inside snyk/snyk-ls.

The server exposes Snyk's core scanners as MCP tools: open source SCA (snyk_sca_scan), static code analysis (snyk_code_scan), Infrastructure as Code (snyk_iac_scan), container image scanning (snyk_container_scan), SBOM file scanning (snyk_sbom_scan), and experimental secret detection (snyk_secret_scan). It also includes utility tools for AIBOM generation (snyk_aibom), package health lookups (snyk_package_health_check), folder trust management (snyk_trust), and CLI auth (snyk_auth, snyk_logout, snyk_auth_status, snyk_version).

It is officially supported across Claude Code, Cursor, GitHub Copilot, Continue, Windsurf, JetBrains AI Assistant, Cline, Codex CLI, Gemini CLI, and Qodo. The server is still labeled experimental and supports either stdio or SSE transports. Tool surface area can be tuned with the SNYK_MCP_PROFILE env var (lite, full, or experimental).

Tools

Tool                        Description
snyk_sca_scan               Scan project dependencies (Open Source / SCA) for known vulnerabilities and license issues.
snyk_code_scan              Run Snyk Code static analysis (SAST) against source files in a path.
snyk_iac_scan               Scan Infrastructure as Code files (Terraform, Kubernetes, CloudFormation, ARM, Helm) for misconfigurations.
snyk_container_scan         Scan a container image for OS and application vulnerabilities.
snyk_sbom_scan              Scan an existing SBOM file (CycloneDX / SPDX) for vulnerabilities.
snyk_secret_scan            Experimental secret detection across files.
snyk_aibom                  Generate an AI Bill of Materials (AIBOM) describing AI models, datasets, and dependencies used in a project.
snyk_package_health_check   Return package health and risk signals for a given package.
snyk_trust                  Manage folder trust so Snyk will scan files in a given directory.
snyk_auth                   Authenticate the Snyk CLI with a Snyk account via OAuth.
snyk_logout                 Log the Snyk CLI out of the current account.
snyk_auth_status            Report whether the Snyk CLI is currently authenticated.
snyk_version                Return the installed Snyk CLI version.

Setup Guide

Prerequisites

  • Node.js and npx available on PATH (the server is launched via npx snyk@latest)
  • A free or paid Snyk account
  • Snyk CLI version 1.1296.2 or later (installed automatically by the npx snyk@latest wrapper)
  • The MCP server is currently experimental

Quick install (Claude Code example)

Run the configure command and Snyk will write the MCP entry into your client config:

npx -y snyk@latest mcp configure --tool=claude-cli

Other supported --tool targets include cursor, vscode, windsurf, continue, cline, codex, and gemini.

Manual config (any MCP client)

Add this block to your MCP client config (for example ~/.claude.json, ~/.cursor/mcp.json, or claude_desktop_config.json):

{
  "mcpServers": {
    "Snyk": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "snyk@latest", "mcp", "-t", "stdio"],
      "env": {}
    }
  }
}

To use SSE transport instead, replace the args with ["-y", "snyk@latest", "mcp", "-t", "sse"].

Authentication

After the server is loaded, call the snyk_auth tool from your AI client to run the Snyk OAuth flow in a browser. Verify with snyk_auth_status.

Optional configuration

  • SNYK_MCP_PROFILE: controls which tools are exposed. Values: lite, full (default), or experimental.

{
  "mcpServers": {
    "Snyk": {
      "command": "npx",
      "args": ["-y", "snyk@latest", "mcp", "-t", "stdio"],
      "env": { "SNYK_MCP_PROFILE": "experimental" }
    }
  }
}
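The manual config block above and the SNYK_MCP_PROFILE variant are easy to get subtly wrong by hand (clobbering other servers in the file, a typo in the profile name, or an old CLI). This added helper, which is not part of the Snyk CLI or the studio-mcp project, builds the "Snyk" entry exactly as the page shows it, merges it into an existing client config without touching other servers, and checks a Snyk CLI version string against the 1.1296.2 minimum stated above. The sample config in the main block is constructed for illustration.

```python
import json

MIN_CLI_VERSION = (1, 1296, 2)                # minimum CLI version named on this page
VALID_TRANSPORTS = {"stdio", "sse"}           # transports the server supports
VALID_PROFILES = {"lite", "full", "experimental"}   # accepted SNYK_MCP_PROFILE values


def cli_version_ok(version: str) -> bool:
    """True if a dotted version string such as '1.1296.2' meets MIN_CLI_VERSION.

    Tuple comparison handles a missing patch component correctly:
    '1.1296' is older than '1.1296.2', while '1.1300' is newer.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts >= MIN_CLI_VERSION


def snyk_mcp_entry(transport: str = "stdio", profile=None) -> dict:
    """Build the 'Snyk' mcpServers entry from the manual config section.

    The page shows "type": "stdio" only for the stdio transport, so that key
    is added for stdio and omitted for sse; for sse only the args change.
    """
    if transport not in VALID_TRANSPORTS:
        raise ValueError(f"unsupported transport: {transport!r}")
    env = {}
    if profile is not None:
        if profile not in VALID_PROFILES:
            raise ValueError(f"unknown SNYK_MCP_PROFILE: {profile!r}")
        env["SNYK_MCP_PROFILE"] = profile
    entry = {"command": "npx",
             "args": ["-y", "snyk@latest", "mcp", "-t", transport],
             "env": env}
    if transport == "stdio":
        entry = {"type": "stdio", **entry}
    return entry


def merge_snyk_server(config: dict, transport: str = "stdio", profile=None) -> dict:
    """Add or replace the 'Snyk' server in a client config, leaving other servers intact."""
    servers = config.setdefault("mcpServers", {})
    servers["Snyk"] = snyk_mcp_entry(transport, profile)
    return config


if __name__ == "__main__":
    # Constructed sample: a client config that already has another server.
    existing = {"mcpServers": {"filesystem": {"command": "npx", "args": ["-y", "fs-server"]}}}
    merged = merge_snyk_server(existing, "stdio", "experimental")
    print(json.dumps(merged, indent=2))
    print("CLI 1.1296.2 ok:", cli_version_ok("1.1296.2"))
```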

Smart scan mode

For lower token usage in heavy AI coding sessions, install with smart-apply rules so the agent only scans when needed:

npx -y snyk@latest mcp configure --tool=claude-cli --rule-type=smart-apply

Use Cases
  • Have an AI coding agent scan freshly generated code for vulnerabilities before opening a pull request, then auto-apply the suggested fixes.
  • Run snyk_sca_scan against a repo's dependency manifests to surface vulnerable transitive packages and request upgraded versions.
  • Scan Terraform or Kubernetes manifests with snyk_iac_scan during AI-assisted infrastructure refactors to catch misconfigurations early.
  • Generate an AIBOM with snyk_aibom for compliance reviews of projects that pull in AI models or datasets.
  • Triage a container image with snyk_container_scan from inside the IDE before shipping a new build.

Example Prompts
  • "Run a Snyk Code scan on ./src and fix any high or critical findings in the auth module."
  • "Use snyk_sca_scan on this repo and tell me which direct dependencies I need to bump."
  • "Scan the Terraform under ./infra with Snyk IaC and explain each failing rule."
  • "Check the package health of left-pad on npm and recommend a safer alternative."
  • "Generate an AIBOM for this project and list every external model it depends on."

Pros
  • Official and maintained by Snyk, distributed as part of the Snyk CLI rather than a third-party wrapper.
  • Broad scanner coverage in one server: SCA, SAST, IaC, container, SBOM, secrets, and AIBOM.
  • Works across most major AI coding clients (Claude Code, Cursor, GitHub Copilot, Windsurf, JetBrains AI, etc.) with one-command setup.
  • Runs locally over stdio or SSE, so the MCP transport itself never moves source code off the developer machine.

Limitations
  • Marked experimental; tool names and profiles can change between CLI releases.
  • Requires a Snyk account and CLI auth; advanced scanners (Snyk Code, Container, IaC+) require paid Snyk plans.
  • No hosted/remote version: every developer machine needs Node.js, the Snyk CLI install, and outbound network access to Snyk.

Alternatives