File Snyk dependency vulnerabilities as ClickUp tasks
A Snyk + ClickUp agent flow
A dependency vulnerability that shows up in a scan log and nowhere else gets read once and forgotten. Tracked as a ClickUp task with an owner and a priority, it actually gets fixed. This recipe makes that conversion automatic. The agent runs snyk_sca_scan against the repo's manifest files, reads the vulnerabilities it returns, and for each new one creates a ClickUp task with create_task: the package and version in the title, the severity mapped to priority, and the CVE plus the suggested upgrade in the description. Snyk scans when the agent asks, so this fires on a cadence, nightly or per merge to main, and the agent dedupes on the vulnerability id so a finding that's already a task isn't filed twice.
The flow
snyk_sca_scan
Software composition analysis: inspects manifest files to find known vulnerabilities and license-compliance issues in open-source dependencies (uses absolute paths).
create_task
Creates a new task in a specific list with name, description, assignees, due date, and priority.
Step by step
- Scan the dependencies
The agent calls snyk_sca_scan with the absolute path to the project. It inspects manifest files (package.json, requirements.txt, go.mod, and so on) and returns the known vulnerabilities and license issues in the dependency tree.
- Dedupe against open tasks
Each finding has a stable vulnerability id and an affected package. Before filing, the agent checks which ids already have an open ClickUp task so a vulnerability that's already tracked is skipped. Only new findings become tasks.
- Create the ClickUp task
For each new vulnerability the agent calls create_task in your security list: title names the package and version, priority is set from severity (critical to urgent, high to high), and the description holds the CVE, the path through the tree, and the fixed-in version.
Tell your agent
Nightly, run snyk_sca_scan on /srv/app, and for each new high or critical vulnerability create a ClickUp task in the Security list with the package and version as the title, severity mapped to priority, and the CVE and fix version in the description.
Setup
This flow needs both servers connected to your agent. Follow each install guide:
Worth knowing
- snyk_sca_scan reads local manifest files by absolute path, so the agent needs a checkout of the repo on the machine it runs from; it does not scan a remote repository URL.
- A single scan can return dozens of findings on a stale lockfile. Filter by severity before filing, or the first run buries the ClickUp list under low-severity transitive noise.
Questions
- Does this catch vulnerabilities in my own code too?
- No: snyk_sca_scan covers only open-source dependencies. For first-party source flaws run snyk_code_scan as well and file those findings into the same list with a different tag.
- What happens when a vulnerability is patched?
- It drops out of the next scan. The agent can compare the current findings against open tasks and close any ClickUp task whose vulnerability id no longer appears, keeping the list aligned with reality.
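The logic between the two tool calls, as an added example that is not part of this recipe and not Snyk's or ClickUp's own code: it covers the three steps above (severity filter, dedupe on the stable vulnerability id, building the create_task payload with severity mapped to priority) and the close-out described in the last answer. It assumes the scan result has already been parsed into the Finding shape below, that the agent records the Snyk id on every task it files so open tasks can be indexed by it, and that ClickUp priorities use the numeric scale 1 = urgent, 2 = high, 3 = normal, 4 = low. All findings, ids and task ids are constructed placeholders.

```python
"""Added example: the dedupe, file and close-out logic an agent runs between
snyk_sca_scan and create_task, on constructed data (not the recipe's code)."""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# ClickUp priority values: 1 = urgent, 2 = high, 3 = normal, 4 = low
# (assumption: the numeric scale used by the ClickUp task API).
SEVERITY_TO_PRIORITY = {"critical": 1, "high": 2, "medium": 3, "low": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # stable Snyk id; this is the dedupe key
    package: str
    version: str
    severity: str
    cve: Optional[str]    # may be None for advisories without a CVE
    path: tuple           # route through the dependency tree
    fixed_in: Optional[str]


# Constructed findings shaped like a parsed snyk_sca_scan result. Ids and
# CVE numbers are placeholders, not real advisories.
SCAN_FINDINGS = [
    Finding("SNYK-EXAMPLE-0001", "lodash", "4.17.15", "high", "CVE-0000-0001",
            ("app@1.0.0", "lodash@4.17.15"), "4.17.21"),
    Finding("SNYK-EXAMPLE-0002", "minimist", "1.2.0", "critical", "CVE-0000-0002",
            ("app@1.0.0", "mkdirp@0.5.1", "minimist@1.2.0"), "1.2.6"),
    Finding("SNYK-EXAMPLE-0003", "debug", "2.6.8", "low", None,
            ("app@1.0.0", "express@4.16.0", "debug@2.6.8"), "2.6.9"),
]

# Constructed view of the open tasks in the Security list: vuln id -> ClickUp
# task id. Assumption: the agent stores the Snyk id in each task it files.
OPEN_TASKS = {"SNYK-EXAMPLE-0001": "task_a", "SNYK-EXAMPLE-0009": "task_b"}


def filter_by_severity(findings, minimum="high"):
    """Drop findings below the threshold so a stale lockfile cannot flood the list."""
    floor = SEVERITY_RANK[minimum]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, -1) >= floor]


def new_findings(findings, open_tasks):
    """Dedupe on the stable vulnerability id, not on package name or CVE."""
    return [f for f in findings if f.vuln_id not in open_tasks]


def build_task(finding, list_id):
    """Shape the create_task call: package@version title, severity mapped to priority."""
    lines = [
        f"Vulnerability: {finding.vuln_id}",
        f"CVE: {finding.cve or 'none assigned'}",
        "Path: " + " > ".join(finding.path),
        f"Fixed in: {finding.fixed_in or 'no fix available'}",
    ]
    return {
        "list_id": list_id,
        "name": f"{finding.package}@{finding.version}: {finding.severity} vulnerability",
        "priority": SEVERITY_TO_PRIORITY[finding.severity],
        "description": "\n".join(lines),
    }


def resolved_tasks(findings, open_tasks):
    """Open tasks whose vuln id no longer appears in the full, unfiltered scan.

    The check runs against all findings, not the severity-filtered subset, so a
    still-present low-severity task is never closed just because it was not filed."""
    still_present = {f.vuln_id for f in findings}
    return [task for vid, task in open_tasks.items() if vid not in still_present]


def plan(findings, open_tasks, list_id="security", minimum="high"):
    """One cycle: returns (create_task payloads to file, task ids to close)."""
    to_create = [build_task(f, list_id)
                 for f in new_findings(filter_by_severity(findings, minimum), open_tasks)]
    to_close = resolved_tasks(findings, open_tasks)
    return to_create, to_close


if __name__ == "__main__":
    creates, closes = plan(SCAN_FINDINGS, OPEN_TASKS)
    for payload in creates:
        print("create_task:", payload["name"], "priority", payload["priority"])
    print("close:", closes)
```

On the constructed data one cycle files a single urgent task for minimist (lodash is skipped because it is already tracked, debug is below the high threshold) and closes task_b, whose id no longer appears in the scan.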