# Snyk (MCP archived)

> Scan code and dependencies for vulnerabilities from an AI coding assistant. Standalone MCP package archived; Snyk itself remains current via its IDE integrations.

[Canonical HTML page](https://top-mcps.com/mcp/snyk) · [server.json](https://top-mcps.com/mcp/snyk.json) · [methodology](https://top-mcps.com/about/methodology)

## Install

### Claude Desktop — `claude_desktop_config.json`

Paste under `mcpServers`. Fully quit and reopen Claude after editing.

```json
{
  "mcpServers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "@snyk/mcp-server"
      ],
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}
```

### Claude Code — `CLI or .mcp.json`

Run from your repo. Commit `.mcp.json` to share with your team.

```shell
# export SNYK_TOKEN=your-snyk-api-token
claude mcp add snyk -- npx -y @snyk/mcp-server
```

### Cursor — `.cursor/mcp.json`

Global path: `~/.cursor/mcp.json`. Reload window after editing.

```json
{
  "mcpServers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "@snyk/mcp-server"
      ],
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}
```

### VS Code — `.vscode/mcp.json`

VS Code uses the `servers` key (not `mcpServers`).

```jsonc
{
  "servers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "@snyk/mcp-server"
      ],
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}
```

### Windsurf — `~/.codeium/windsurf/mcp_config.json`

Open via Cascade → hammer icon → Configure.

```json
{
  "mcpServers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "@snyk/mcp-server"
      ],
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}
```

### Cline — `cline_mcp_settings.json`

Open via the Cline sidebar → MCP Servers → Edit.

```json
{
  "mcpServers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "@snyk/mcp-server"
      ],
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}
```

### Continue — `~/.continue/config.json`

Continue uses `modelContextProtocolServers` with a `transport` block.

```json
{
  "experimental": {
    "modelContextProtocolServers": [
      {
        "transport": {
          "type": "stdio",
          "command": "npx",
          "args": [
            "-y",
            "@snyk/mcp-server"
          ],
          "env": {
            "SNYK_TOKEN": "${SNYK_TOKEN}"
          }
        }
      }
    ]
  }
}
```

### Codex CLI — `~/.codex/config.toml`

Codex uses TOML. Each server is a `[mcp_servers.<name>]` subtable.

```toml
# ~/.codex/config.toml
[mcp_servers.snyk]
command = "npx"
args = [
  "-y",
  "@snyk/mcp-server",
]
env = { SNYK_TOKEN = "${SNYK_TOKEN}" }
```

### Zed — `~/.config/zed/settings.json`

Zed calls them `context_servers`. Settings live-reload on save.

```jsonc
{
  "context_servers": {
    "snyk": {
      "command": {
        "path": "npx",
        "args": [
          "-y",
          "@snyk/mcp-server"
        ]
      },
      "env": {
        "SNYK_TOKEN": "${SNYK_TOKEN}"
      }
    }
  }
}
```

### ChatGPT — `ChatGPT → Apps directory`

Snyk (MCP archived) doesn't ship a hosted HTTPS endpoint today. ChatGPT supports remote MCP servers only — to use this server in ChatGPT you'll need to deploy it to a public HTTPS URL first (e.g. via Cloudflare Workers or Vercel) or wait for an official remote build.


## At a glance

- **Maintainer:** Snyk
- **Transport:** stdio
- **Auth model:** API key
- **Required secrets:** SNYK_TOKEN
- **Supported clients:** Claude, Cursor, VS Code, Windsurf, Any MCP-compatible client, Snyk account
- **License:** Apache-2.0
- **Language:** TypeScript
- **Latest version:** latest
- **Last verified:** 2026-05-31
- **GitHub stars:** 80 (fetched 2026-06-02T11:55:52.314Z)
- **Score:** 73/100 (rubric 2026-04 — see https://top-mcps.com/about/methodology)
- **Source:** https://github.com/snyk/snyk-ls

## Security & scope

- **Access scope:** network
- **Sandbox:** Snyk API token in env. Source code for Snyk Code scans is uploaded to the Snyk service. OSS scans use the local manifest only. Use the lowest-privilege token your plan supports.
- **Gotchas:**
  - Source upload happens for Code scans — review data-residency policy before enabling on sensitive repos.
  - Snyk tokens are long-lived; rotate per the credential-rotation playbook.
  - Free-tier rate limits apply per token; coordinate across the team to avoid surprise throttling.
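Because several of the configs above (`.mcp.json`, `.cursor/mcp.json`, `.vscode/mcp.json`) are meant to be committed, the token should reach the server only as an `${SNYK_TOKEN}` reference, never as a pasted value. The following check is an added example, not code from the page or from Snyk: it walks the JSON config shapes shown above (`mcpServers`, `servers`, `context_servers`, and Continue's `experimental.modelContextProtocolServers`; the Codex TOML form is not covered) and flags any env value that is a literal rather than an environment-variable reference. It assumes comment-free JSON input and uses constructed sample configs.

```python
import json
import re

# Only an environment-variable reference such as "${SNYK_TOKEN}" is accepted.
ENV_REF = re.compile(r"^\$\{[A-Z_][A-Z0-9_]*\}$")


def iter_server_envs(config):
    """Yield (server_name, env_dict) for the client config shapes on this page:
    mcpServers (Claude Desktop/Code, Cursor, Windsurf, Cline), servers (VS Code),
    context_servers (Zed) and experimental.modelContextProtocolServers (Continue)."""
    for key in ("mcpServers", "servers", "context_servers"):
        for name, server in config.get(key, {}).items():
            yield name, server.get("env", {})
    entries = config.get("experimental", {}).get("modelContextProtocolServers", [])
    for i, entry in enumerate(entries):
        # Continue nests env inside the transport block.
        yield f"modelContextProtocolServers[{i}]", entry.get("transport", {}).get("env", {})


def find_literal_secrets(config_text):
    """Return [(server, var)] for env values that are not ${VAR} references.
    Assumes plain JSON (no // comments); an empty list means the file is clean."""
    findings = []
    for name, env in iter_server_envs(json.loads(config_text)):
        for var, value in env.items():
            if not (isinstance(value, str) and ENV_REF.match(value)):
                findings.append((name, var))
    return findings


# Constructed samples (hypothetical): a safe Cursor-style config, a safe Continue
# config, and a VS Code-style config with a placeholder token pasted in.
SAFE = ('{"mcpServers": {"snyk": {"command": "npx", "args": ["-y", "@snyk/mcp-server"],'
        ' "env": {"SNYK_TOKEN": "${SNYK_TOKEN}"}}}}')
SAFE_CONTINUE = ('{"experimental": {"modelContextProtocolServers": [{"transport":'
                 ' {"type": "stdio", "command": "npx", "env": {"SNYK_TOKEN": "${SNYK_TOKEN}"}}}]}}')
LEAKED = ('{"servers": {"snyk": {"command": "npx", "args": ["-y", "@snyk/mcp-server"],'
          ' "env": {"SNYK_TOKEN": "PLACEHOLDER-NOT-A-REAL-TOKEN"}}}}')

if __name__ == "__main__":
    for label, text in (("safe", SAFE), ("continue", SAFE_CONTINUE), ("leaked", LEAKED)):
        hits = find_literal_secrets(text)
        print(f"{label}: {'clean' if not hits else 'literal secret in ' + str(hits)}")
```

Wired into a pre-commit hook, a non-empty result blocks the commit so the token never lands in the repository history.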

## Quick answer

**What it does.** Runs Snyk Open Source, Snyk Code, Snyk Container, and Snyk IaC scans against the current project and returns ranked findings with fix suggestions.

**Best for:**
- Pre-commit dependency scans
- Snyk Code (SAST) findings during development
- Container image vulnerability triage
- IaC misconfiguration review
- Fix-suggestion-driven upgrades

**Not for:**
- Production runtime security
- Compliance-grade audit trails (use Snyk in CI for that)
- Teams without a Snyk subscription

## Description

The official Snyk MCP lets an AI coding assistant scan a project for security vulnerabilities — open-source dependencies, code patterns, container images, infrastructure-as-code — and surface the findings inline in the conversation. Built for the "fix it before commit" workflow rather than the periodic CI scan. Note: the standalone @snyk/mcp-server package is archived — Snyk now ships the MCP surface inside its language server (snyk-ls) and IDE integrations rather than as a separate npm package. New installs should use the language-server-bundled MCP via the Snyk extension for VS Code or JetBrains.

## Why it matters

Vulnerabilities are easier to fix when they surface during development, not in a Friday-afternoon CI alert. An MCP puts Snyk in the same place the code is being written.

## Key features

- Snyk Open Source dependency scanning
- Snyk Code SAST
- Container image scanning
- IaC scanning (Terraform, K8s)
- Fix recommendations with PR-ready diffs

## FAQ

### Does it work with free Snyk accounts?

Yes for the Open Source and a limited number of Code scans per month. Heavy use needs a paid plan.

### Will it auto-fix vulnerabilities?

It returns PR-ready diffs but does not commit them. Apply via the agent's normal file-write loop — keeps humans in the review path.

### Does it ship code to Snyk?

Yes — Snyk Code scans are server-side. If you cannot send source off-prem, run the local CLI instead and keep this MCP for OSS-only scans.

### Snyk vs Semgrep?

Snyk gives you SCA + SAST + Container + IaC in one product; Semgrep is SAST-only but open source and self-hostable. Pick by what you need under one roof and what your data-residency constraints are.

## Changelog

- **2026-05-31** — Refreshed install snippets and fact sheet; verified for 2026.
- **2025-05-15** — Initial directory listing.
