Snyk MCP server
Snyk's official MCP server, built into the Snyk CLI: scan open-source dependencies, code, containers, and IaC for vulnerabilities right where code is written.
The Snyk MCP server is Snyk's official integration, shipped as part of the Snyk CLI, that lets an AI agent run Snyk's developer-security scans directly in an agentic workflow. As an assistant generates or edits code, the agent can scan for vulnerabilities and act on the results without leaving the editor: it runs software composition analysis (SCA) on open-source dependencies and licenses, static application security testing (SAST) on first-party code, container image scans, Infrastructure-as-Code misconfiguration scans, secret detection, and SBOM analysis. It can also produce an AI Bill of Materials for Python projects, check package health, and assess the breakability of a dependency upgrade — turning Snyk into a security guardrail for AI-assisted development.
Because the server is part of the CLI, the canonical install is to run the binary's `mcp` subcommand: `snyk mcp -t stdio` (an SSE transport is also supported). The zero-install path is `npx -y snyk@latest mcp -t stdio`. You need Snyk CLI v1.1298.0 or later. Authentication reuses your existing Snyk CLI login; if you are not yet authenticated, the server triggers a browser-based `snyk_auth` flow, or you can set a `SNYK_TOKEN` environment variable for non-interactive use. The first scan of a folder may require trusting it via the `snyk_trust` tool.
Quick install
Copy-paste configs are provided for all 8 supported clients; the Claude configuration follows.
Add to `~/.claude.json`:

```json
{
  "mcpServers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "snyk@latest",
        "mcp",
        "-t",
        "stdio"
      ],
      "env": {
        "SNYK_TOKEN": "<SNYK_TOKEN>"
      }
    }
  }
}
```

Or register it from the Claude Code CLI:

```shell
claude mcp add snyk -- npx -y snyk@latest mcp -t stdio
```

Available tools
| Tool | Description |
|---|---|
| snyk_sca_scan | Software composition analysis: inspects manifest files to find known vulnerabilities and license-compliance issues in open-source dependencies (uses absolute paths). |
| snyk_code_scan | Static application security testing (SAST): analyzes first-party source code to identify security vulnerabilities. |
| snyk_container_scan | Scans container images for known vulnerabilities in OS packages and application dependencies. |
| snyk_iac_scan | Analyzes Infrastructure-as-Code files (Terraform, Kubernetes, CloudFormation, and more) for security misconfigurations. |
| snyk_sbom_scan | Analyzes an existing SBOM file for known vulnerabilities in its open-source components (components must be identified by PackageURLs). |
| snyk_secret_scan | Scans source code and configuration files to detect hardcoded secrets such as API keys, tokens, and passwords. |
| snyk_aibom | Generates an AI Bill of Materials (AIBOM) for Python projects in CycloneDX v1.6 JSON, identifying AI models and dependencies. |
| snyk_package_health_check | Retrieves package information and health metrics from Snyk's package intelligence API, including vulnerabilities and maintenance status. |
| snyk_breakability_check | Runs a breaking-change assessment for a package-version upgrade. |
| snyk_auth | Authenticates the user with Snyk, typically via a browser login flow, when a tool reports the user is not authenticated. |
| snyk_logout | Logs out of the current Snyk account by clearing the locally stored authentication token. |
| snyk_trust | Trusts a given folder so Snyk is allowed to scan it. |
| snyk_version | Displays the installed Snyk MCP/CLI version for compatibility checks. |
| snyk_send_feedback | Reports the delta of Snyk issues for a run, such as prevented, fixed, or remaining issue counts. |
Required configuration
- `SNYK_TOKEN` (optional): Snyk API token for non-interactive authentication. If it is not set, the `snyk_auth` browser flow or an existing CLI session is used.
What you can do with it
Catch vulnerabilities as code is generated
When an assistant adds a dependency or writes new code, the agent runs snyk_sca_scan and snyk_code_scan on the change, surfaces the vulnerabilities and license issues, and fixes them before the code is committed.
Scan containers and infrastructure-as-code
Before shipping, the agent runs snyk_container_scan on the image and snyk_iac_scan on Terraform or Kubernetes manifests to catch base-image CVEs and misconfigurations, and can generate or analyze an SBOM for the project.
FAQ
- Is it free?
- Yes. The Snyk MCP server is included in the free Snyk CLI, and Snyk offers a free tier with a monthly allowance of tests across SCA, Code, container, and IaC scanning. Higher volumes and team features require a paid Snyk plan.
- Does it support remote/OAuth?
- It runs locally over stdio as part of the Snyk CLI (`snyk mcp -t stdio`), with an SSE transport also available. Rather than OAuth, it reuses your Snyk CLI authentication: it triggers a browser-based `snyk_auth` login on first use, or you can set a `SNYK_TOKEN` environment variable for non-interactive runs.