topmcps
Browse MCPs
Snyk (MCP archived)

Snyk (MCP archived)

Archived

Scan code and dependencies for vulnerabilities from an AI coding assistant. Standalone MCP package archived; Snyk itself remains current via its IDE integrations.

Score 73(?)SnykApache-2.080Verified Top MCPs for Security
InstallView on GitHub

Quick answer

What it does

Runs Snyk Open Source, Snyk Code, Snyk Container, and Snyk IaC scans against the current project and returns ranked findings with fix suggestions.

Best for

  • Pre-commit dependency scans
  • Snyk Code (SAST) findings during development
  • Container image vulnerability triage
  • IaC misconfiguration review

Not for

  • Production runtime security
  • Compliance-grade audit trails (use Snyk in CI for that)

Setup recipe

Pick your client, then follow the three steps.

  1. 1

    Install

    claude_desktop_config.json
    {
  "mcpServers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "@snyk/mcp-server"
      ],
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}

    Paste under mcpServers. Fully quit and reopen Claude after editing.

    CLI or .mcp.json
    # export SNYK_TOKEN=your-snyk-api-token
claude mcp add snyk -- npx -y @snyk/mcp-server

    Run from your repo. Commit .mcp.json to share with your team.

    .cursor/mcp.json
    {
  "mcpServers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "@snyk/mcp-server"
      ],
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}

    Global path: ~/.cursor/mcp.json. Reload window after editing.

    .vscode/mcp.json
    {
  "servers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "@snyk/mcp-server"
      ],
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}

    VS Code uses the "servers" key (not "mcpServers").

    ~/.codeium/windsurf/mcp_config.json
    {
  "mcpServers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "@snyk/mcp-server"
      ],
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}

    Open via Cascade → hammer icon → Configure.

    cline_mcp_settings.json
    {
  "mcpServers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "@snyk/mcp-server"
      ],
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}

    Open via the Cline sidebar → MCP Servers → Edit.

    ~/.continue/config.json
    {
  "experimental": {
    "modelContextProtocolServers": [
      {
        "transport": {
          "type": "stdio",
          "command": "npx",
          "args": [
            "-y",
            "@snyk/mcp-server"
          ],
          "env": {
            "SNYK_TOKEN": "${SNYK_TOKEN}"
          }
        }
      }
    ]
  }
}

    Continue uses modelContextProtocolServers with a transport block.

    ~/.codex/config.toml
    # ~/.codex/config.toml
[mcp_servers.snyk]
command = "npx"
args = [
  "-y",
  "@snyk/mcp-server",
]
env = { SNYK_TOKEN = "${SNYK_TOKEN}" }

    Codex uses TOML. Each server is a [mcp_servers.<name>] subtable.

    ~/.config/zed/settings.json
    {
  "context_servers": {
    "snyk": {
      "command": {
        "path": "npx",
        "args": [
          "-y",
          "@snyk/mcp-server"
        ]
      },
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}

    Zed calls them "context_servers". Settings live-reload on save.

    ChatGPT → Apps directory

    Snyk (MCP archived) doesn't ship a hosted HTTPS endpoint today. ChatGPT supports remote MCP servers only — to use this server in ChatGPT you'll need to deploy it to a public HTTPS URL first (e.g. via Cloudflare Workers or Vercel) or wait for an official remote build.

  2. 2

    Set required secrets

    Set SNYK_TOKEN in your shell environment before launching your MCP client.

  3. 3

    Try a minimum working prompt

    Minimum working prompt pending verification. Try any prompt from the MCP’s README once installed.

Tools & permissions

Tools list pending verification. The server exposes tools over MCP; we haven’t yet parsed its capability manifest into this page. Check the GitHub repo for the authoritative list.

Security & scope

Access scope
Network
Sandbox
Snyk API token in env. Source code for Snyk Code scans is uploaded to the Snyk service. OSS scans use the local manifest only. Use the lowest-privilege token your plan supports.
Gotchas
  • Source upload happens for Code scans — review data-residency policy before enabling on sensitive repos.
  • Snyk tokens are long-lived; rotate per the credential-rotation playbook.
  • Free-tier rate limits apply per token; coordinate across the team to avoid surprise throttling.

Agent prompt pack

— copy into Claude, Cursor, or ChatGPT.
Paste into Claude, Cursor, or ChatGPT. Edit the [brackets] before sending.
Recommend the best MCP servers for [task: e.g. security work] in [client: Claude].

Constraints:
- Prefer tools that are [official | open-source | read-only] — pick what matters for my use case.
- Exclude MCPs that require [e.g. a paid plan, OAuth-only flows, remote-only transport].
- Return at most 3 picks, ranked.

For each pick include:
1. One-sentence rationale.
2. The ready-to-paste install snippet for my client.
3. Any required secrets I need to create before installing.

Cross-check the top-mcps.com listing: https://top-mcps.com/top-mcps-for-security
Compare Snyk (MCP archived) against a real alternative. Swap the second MCP in [brackets] if you want a different match.
Compare Snyk (MCP archived) MCP vs [Semgrep MCP] for the following job: [describe the job, e.g. "let an agent create GitHub issues on bug triage"].

Judge them on:
- Setup time and complexity (what a new user hits first).
- Auth model (none / API key / OAuth 2.1) and credential risk.
- Transport (stdio / Streamable HTTP / SSE) and where the server runs.
- Required secrets and the blast radius if they leak.
- Operational risk in an unattended agent loop.
- Which one is "good enough" for a weekend prototype vs. production.

End with one sentence: which should I pick for my scenario, which is: [my scenario].

References:
- https://top-mcps.com/mcp/snyk
- top-mcps.com listing for Semgrep
Asks the agent to install and verify. Works inside Claude Code, Cursor Agent, Codex CLI.
Install the Snyk (MCP archived) MCP server for my [client: Claude] at the default config path for that client.

Use the exact install snippet published at https://top-mcps.com/mcp/snyk (fetch https://top-mcps.com/mcp/snyk.json for the canonical server.json if you can read URLs).

Before finishing:
1. Create the required secrets (SNYK_TOKEN) and put them in the appropriate env block — do not hard-code them.
2. Restart or reload the client so it picks up the new server.
3. Verify the server is connected (green / running state) and at least one tool is listed.
4. If anything fails, read the client's MCP logs and report the exact error — do not silently retry.

Confirm when done and list the tools the server now exposes.

Frequently asked questions

What changed

2 updates tracked.

  1. Refreshed install snippets and fact sheet; verified for 2026.

  2. Initial directory listing.

More Security MCPs

Other tools in the same category worth evaluating.

Sentry
Official

Triage errors, inspect traces, and query events from Sentry.

sentry, errors, monitoring, observability
3 minLow
Cloudflare
Official

Manage Workers, R2 buckets, DNS, and edge policies on Cloudflare.

cloudflare, edge, workers, dns
10 minMedium
1Password
Official

Inject 1Password secrets into an AI agent's tool calls without exposing them in chat.

security, secrets, 1password, vault
8 minLow

Compared with Snyk (MCP archived)

Side-by-side breakdowns for the choices people most often weigh against this MCP.

Snyk (MCP archived)vsSemgrep

Exploring Top MCPs for Security? See all Security MCPs →