
Snyk Security Platform MCP Server

Create a powerful Model Context Protocol (MCP) server for Snyk's comprehensive developer security platform in minutes with our AI Gateway. This guide walks you through setting up vulnerability scanning, code analysis, container security, and infrastructure as code capabilities with seamless API authentication.

About Snyk APIs

Snyk provides a unified developer security platform that helps teams find and fix vulnerabilities in code, dependencies, containers, and infrastructure as code. The Snyk API enables programmatic access to all security scanning capabilities and organizational management features.

Key Capabilities

  • Snyk Open Source: Dependency vulnerability scanning, license compliance, fix recommendations
  • Snyk Code: Static application security testing (SAST), code quality analysis
  • Snyk Container: Container image scanning, base image recommendations, runtime security
  • Snyk IaC: Infrastructure as Code security, cloud misconfigurations, compliance
  • SBOM Generation: Software Bill of Materials in CycloneDX and SPDX formats
  • Reporting: Vulnerability trends, compliance reports, risk analytics
  • Integrations: SCM, CI/CD, IDE plugins, registry integrations
  • Policy Management: Custom security policies, ignore rules, severity thresholds

API Features

  • REST API: Modern versioned API with comprehensive endpoints
  • V1 API: Legacy API for backward compatibility
  • OAuth 2.0: Secure authentication with PKCE support
  • API Tokens: Personal and service account tokens
  • Webhooks: Real-time notifications for security events
  • Rate Limiting: Fair usage policies with burst handling
  • Pagination: Cursor-based pagination for large datasets
  • Multi-org Support: Manage multiple organizations and groups

What You Can Do with Snyk MCP Server

The MCP server transforms Snyk's APIs into a natural language interface, enabling AI agents to:

Vulnerability Management

  • Dependency Scanning

    • "Scan my project for vulnerable dependencies"
    • "Find all critical vulnerabilities in my organization"
    • "Show vulnerabilities with available fixes"
    • "Check if lodash version 4.17.0 has known vulnerabilities"
  • Issue Tracking

    • "List all high severity issues across projects"
    • "Get aggregated issues for this project"
    • "Show ignored vulnerabilities and their reasons"
    • "Find vulnerabilities introduced in last 7 days"
  • Remediation

    • "Get fix recommendations for this vulnerability"
    • "Show upgrade paths for vulnerable packages"
    • "Generate pull request to fix vulnerabilities"
    • "Find alternative packages without vulnerabilities"

Code Security (Snyk Code)

  • SAST Analysis

    • "Analyze code for security vulnerabilities"
    • "Find SQL injection vulnerabilities"
    • "Detect hardcoded secrets in codebase"
    • "Show cross-site scripting risks"
  • Code Quality

    • "Get Snyk Code settings for organization"
    • "Update SAST configuration"
    • "Enable code analysis for project"
    • "Check code security posture"
  • Findings Management

    • "List code vulnerabilities by severity"
    • "Get detailed issue descriptions"
    • "Show affected code locations"
    • "Track remediation progress"

Container Security

  • Image Scanning

    • "Scan container image for vulnerabilities"
    • "Check base image security"
    • "Find outdated packages in container"
    • "Get container vulnerability report"
  • Base Image Recommendations

    • "Recommend secure base image alternatives"
    • "Show upgrade path for base image"
    • "Compare base image security scores"
    • "Find minimal secure base images"
  • Custom Base Images

    • "List custom base images"
    • "Create custom base image configuration"
    • "Update base image settings"
    • "Track base image usage across projects"

Infrastructure as Code (IaC)

  • Configuration Scanning

    • "Scan Terraform files for misconfigurations"
    • "Check Kubernetes manifests for security issues"
    • "Analyze CloudFormation templates"
    • "Find Helm chart vulnerabilities"
  • Cloud Security

    • "Get IaC settings for organization"
    • "Update IaC security policies"
    • "Scan for cloud misconfigurations"
    • "Check compliance with security benchmarks"
  • Policy Enforcement

    • "List IaC security rules"
    • "Configure custom IaC policies"
    • "Set severity thresholds"
    • "Enable drift detection"

Project Management

  • Project Operations

    • "List all projects in organization"
    • "Get project details and settings"
    • "Update project configuration"
    • "Delete inactive projects"
  • Tags & Organization

    • "Add tags to projects"
    • "Remove tags from projects"
    • "Filter projects by attributes"
    • "Group projects by target"
  • Settings Management

    • "Get project security settings"
    • "Configure auto-remediation"
    • "Set pull request test settings"
    • "Manage dependency upgrade preferences"

Organization & Group Management

  • Organizations

    • "List all organizations I have access to"
    • "Get organization details"
    • "Update organization settings"
    • "View organization members"
  • Groups

    • "List groups in my account"
    • "Get organizations in a group"
    • "Manage group memberships"
    • "View group roles"
  • Service Accounts

    • "List organization service accounts"
    • "Create new service account"
    • "Update service account permissions"
    • "Delete service account"

SBOM & Compliance

  • SBOM Generation

    • "Generate SBOM for project"
    • "Export SBOM in CycloneDX format"
    • "Create SPDX software bill of materials"
    • "Get dependency tree"
  • License Compliance

    • "List all licenses in organization"
    • "Find GPL licensed dependencies"
    • "Check license compatibility"
    • "Generate license compliance report"
  • Audit & Reporting

    • "Get audit logs for organization"
    • "View security trends"
    • "Generate vulnerability report"
    • "Track remediation metrics"

Integrations & Webhooks

  • SCM Integrations

    • "List configured integrations"
    • "Add GitHub integration"
    • "Import repository from integration"
    • "Check integration status"
  • Webhooks

    • "List organization webhooks"
    • "Create new webhook"
    • "Test webhook connectivity"
    • "Delete webhook"
  • Package Testing

    • "Test npm package for vulnerabilities"
    • "Scan Maven artifact"
    • "Check Python package security"
    • "Analyze Go module"

Prerequisites

  • Access to Cequence AI Gateway
  • Snyk account (Free, Team, or Enterprise)
  • API token or OAuth 2.0 configuration
  • Organization ID for API operations

Step 1: Configure Snyk API Access

1.1 Create API Token

  1. Log in to Snyk Web UI
  2. Navigate to Account Settings → General
  3. Scroll to Auth Token section
  4. Click Generate or copy existing token
  5. Store token securely (it is tied to your user account and its permissions; prefer a service account for anything automated)

1.2 Create Service Account Token

  1. Go to Organization Settings → Service accounts
  2. Click Create a service account
  3. Configure:
    • Name: "AI Gateway Integration"
    • Role: Select the least-privileged role that covers the operations the MCP server will perform
  4. Save the generated token

1.3 Get Organization ID

  1. Navigate to Organization Settings
  2. Copy the Organization ID from the URL or settings page
  3. Format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

1.4 Create a Snyk App (OAuth 2.0 Client Credentials)

To use OAuth 2.0 authentication, you need to create a Snyk App to obtain your Client ID and Client Secret. Reference: Snyk Apps APIs

Option A: Create Snyk App via API

  1. Get your Organization ID from Organization Settings
  2. Generate an API token (see section 1.1 above)
  3. Create the Snyk App using the REST API:
  curl --request POST \
    --url "https://api.snyk.io/rest/orgs/{org_id}/apps?version=2024-10-15" \
    --header "Authorization: token {your-api-token}" \
    --header "Content-Type: application/vnd.api+json" \
    --data '{
      "data": {
        "type": "app",
        "attributes": {
          "name": "AI Gateway Integration",
          "redirect_uris": ["https://your-callback-url.com/callback"],
          "scopes": [
            "org.read",
            "org.project.read",
            "org.project.write",
            "org.report.read"
          ],
          "context": "tenant"
        }
      }
    }'
  4. Save the response - The response contains your client_id and client_secret:
  {
    "data": {
      "id": "app-uuid",
      "type": "app",
      "attributes": {
        "client_id": "your-client-id",
        "client_secret": "your-client-secret",
        "name": "AI Gateway Integration",
        ...
      }
    }
  }
Warning: The client_secret is only shown once. Store it securely immediately. If lost, you'll need to rotate/regenerate it.

Option B: Create Snyk App via CLI

  1. Install Snyk CLI if not already installed:
  npm install -g snyk
  2. Authenticate with Snyk:
  snyk auth
  3. Create the App:
  snyk apps create \
    --name="AI Gateway Integration" \
    --redirect-uris="https://your-callback-url.com/callback" \
    --scopes="org.read,org.project.read,org.project.write" \
    --org={your-org-id}
  4. Save the credentials from the output

Option C: Service Account with OAuth 2.0 (Enterprise)

For automation and CI/CD, create a Service Account with OAuth 2.0 client credentials:

  1. Navigate to Organization Settings → Service accounts
  2. Click Create a service account
  3. Select OAuth 2.0 client credentials as the authentication method
  4. Configure:
    • Name: "AI Gateway Service Account"
    • Role: Select the least-privileged role that covers the intended operations (e.g., Viewer for read-only queries rather than Org Admin)
  5. Click Create
  6. Copy and store the client_id and client_secret immediately

Using OAuth 2.0 Credentials

Once you have your Client ID and Client Secret, obtain an access token with the client credentials grant:

  curl --request POST \
    --url "https://api.snyk.io/oauth2/token" \
    --header "Content-Type: application/x-www-form-urlencoded" \
    --data "grant_type=client_credentials" \
    --data "client_id={your-client-id}" \
    --data "client_secret={your-client-secret}"

Response:

  {
    "access_token": "eyJhbGciOiJS...",
    "token_type": "bearer",
    "expires_in": 3600
  }

The access token expires after expires_in seconds (one hour here), so refresh it rather than caching it indefinitely, and keep the client_secret out of logs and shell history. Use the access token in API requests with a Bearer header (note that this differs from the "token" scheme used for API tokens):

  curl --header "Authorization: Bearer {access_token}" \
    "https://api.snyk.io/rest/orgs?version=2024-10-15"
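The client-credentials exchange above and the two Authorization header forms this page uses (the "token" scheme for API tokens in Step 7 Option A, "Bearer" for OAuth access tokens) combined into one helper. This is an added example, not Cequence's or Snyk's code. It assumes the token endpoint, header formats and versioned REST URL shown on this page and the regional base URLs from Step 5; the `SnykAuth` name, the 60-second refresh margin and the injectable `transport` callable (so it can be exercised offline with canned responses) are this example's own choices.

```python
"""Snyk REST API auth helper: static API token or OAuth 2.0 client credentials.

Added example, not from the Cequence or Snyk documentation. Assumes:
  - the token endpoint and header formats shown on this page
    (POST {base}/oauth2/token, 'Authorization: token <t>' for API tokens,
    'Authorization: Bearer <t>' for OAuth access tokens);
  - a transport(method, url, headers, body) -> (status, body_bytes) callable,
    injected so the code can be exercised offline with canned responses.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

API_VERSION = "2024-10-15"   # the REST API requires an explicit version parameter
REGION_BASE_URLS = {         # base URLs listed in Step 5 of this page
    "us": "https://api.snyk.io",
    "eu": "https://api.eu.snyk.io",
    "au": "https://api.au.snyk.io",
}
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method, url, headers, body):
    """Real HTTP transport; only used when no fake transport is injected."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


class SnykAuth:
    """Produces the Authorization header for either credential type.

    api_token                 -> 'token <t>' (Step 7, Option A)
    client_id + client_secret -> 'Bearer <access_token>' via client_credentials,
                                 cached and refreshed 60 s before expires_in elapses.
    """

    def __init__(self, base_url, api_token=None, client_id=None, client_secret=None,
                 transport: Transport = urllib_transport, clock=time.monotonic):
        if bool(api_token) == bool(client_id and client_secret):
            raise ValueError("provide either api_token or client_id+client_secret")
        self.base_url = base_url.rstrip("/")
        self._api_token = api_token
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport
        self._clock = clock
        self._access_token = None
        self._expires_at = 0.0
        self.token_fetches = 0   # exposed so callers can see refresh behaviour

    def _fetch_access_token(self):
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        }).encode()
        status, body = self._transport(
            "POST", f"{self.base_url}/oauth2/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            # Do not echo the response body into logs: it may reflect the secret.
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        tok = json.loads(body)
        if tok.get("token_type", "").lower() != "bearer" or not tok.get("access_token"):
            raise RuntimeError("unexpected token response shape")
        self._access_token = tok["access_token"]
        self._expires_at = self._clock() + float(tok.get("expires_in", 3600)) - 60
        self.token_fetches += 1

    def header(self):
        """Authorization header to attach to a request, refreshing OAuth tokens as needed."""
        if self._api_token:
            return {"Authorization": f"token {self._api_token}"}
        if self._access_token is None or self._clock() >= self._expires_at:
            self._fetch_access_token()
        return {"Authorization": f"Bearer {self._access_token}"}

    def get(self, path, **params):
        """GET a REST endpoint (path relative to /rest), always sending the version parameter."""
        params.setdefault("version", API_VERSION)
        url = f"{self.base_url}/rest{path}?{urllib.parse.urlencode(params)}"
        headers = {"Accept": "application/vnd.api+json", **self.header()}
        status, body = self._transport("GET", url, headers, None)
        if status == 401:
            raise PermissionError("401: check the token, region base URL and org ID (see Troubleshooting)")
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {path}")
        return json.loads(body)
```

With real credentials, `SnykAuth(REGION_BASE_URLS["eu"], client_id=..., client_secret=...).get("/orgs")` performs the exchange and the versioned request shown above; the secret never appears in the GET request or in error messages.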

1.5 Available OAuth Scopes

Request only the scopes the integration needs; an MCP server that only queries findings and reports needs the read scopes, not org.project.write or org.integration.edit.

  • org.read: Read organization data and settings
  • org.project.read: Read project information and issues
  • org.project.write: Create, update, delete projects
  • org.report.read: Access vulnerability reports
  • org.test: Run tests on packages and projects
  • org.integration.read: Read integration configurations
  • org.integration.edit: Modify integrations

Step 2-4: Standard Setup

Follow standard steps to access AI Gateway, find Snyk API, and create MCP server.

Step 5: Configure API Endpoints

  1. Base URL: Select your Snyk deployment
    • Multi-tenant US: https://api.snyk.io
    • Multi-tenant EU: https://api.eu.snyk.io
    • Multi-tenant AU: https://api.au.snyk.io
    • Single-tenant: Your custom URL
  2. API Version: 2024-10-15 (or latest)
  3. Click Next

Step 6: MCP Server Configuration

  1. Name: "Snyk Security Platform"
  2. Description: "Developer security scanning and vulnerability management"
  3. Features: Enable required modules
  4. Click Next

Step 7: Configure Authentication

Option A: API Token

  1. Authentication Type: API Key
  2. Header Name: Authorization
  3. Header Value: token {your-api-token}
  4. Test authentication

Option B: OAuth 2.0

  1. Authentication Type: OAuth 2.0 with PKCE
  2. Client ID: Your Snyk App client ID (see Section 1.4)
  3. Client Secret: Your Snyk App client secret
  4. Authorization URL: https://app.snyk.io/oauth2/authorize
  5. Token URL: https://api.snyk.io/oauth2/token
  6. Scopes: Select required scopes from Section 1.5
  7. Test authentication
Tip: For server-to-server integrations (no user interaction), use the Client Credentials flow. For user-facing applications, use Authorization Code with PKCE.

Available Snyk API Operations

Project APIs

  • List Projects

    • Get all projects in organization
    • Filter by name, type, origin
    • Paginate through results
  • Project Details

    • Get project information
    • View project settings
    • Check last test results
  • Project Management

    • Update project attributes
    • Delete projects
    • Manage project tags

Issue APIs

  • Aggregated Issues

    • Get issues by project
    • Filter by severity
    • Include/exclude ignored issues
  • Issue Management

    • Add ignore rules
    • Update ignore reasons
    • Remove ignores

Organization APIs

  • Organization Info

    • List organizations
    • Get organization details
    • Update settings
  • Members & Access

    • List organization members
    • Manage invitations
    • View roles

Integration APIs

  • Integrations

    • List integrations
    • Add new integrations
    • Import from SCM
  • Import Jobs

    • Start imports
    • Check import status
    • View import results

Testing APIs

  • Package Testing

    • Test npm packages
    • Test Maven artifacts
    • Test pip packages
  • SBOM

    • Generate project SBOM
    • Export in multiple formats

Webhook APIs

  • Webhook Management
    • Create webhooks
    • List webhooks
    • Delete webhooks
    • Test webhooks
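A receiver for the webhooks listed above should verify each delivery before acting on it. The following is an added example, not code from this page, Cequence or Snyk. It assumes Snyk's documented webhook signing scheme (HMAC-SHA256 over the raw request body keyed with the secret supplied when the webhook was created, sent as `X-Hub-Signature: sha256=<hex>`); confirm the header name and the payload field names (`newIssues`, `removedIssues`, `issueData.severity`) against the current Snyk webhook docs. The sample delivery is constructed for this example.

```python
"""Verify a Snyk webhook delivery before trusting its contents.

Added example; not from this page or from Snyk. Assumes Snyk's webhook
signing scheme: HMAC-SHA256 over the raw request body with the webhook
secret, delivered as 'X-Hub-Signature: sha256=<hex>'. The payload field
names used below (newIssues, removedIssues, issueData.severity) and the
sample delivery are assumptions/constructed data for this example.
"""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-hub-signature"   # compared case-insensitively


def sign(secret: str, raw_body: bytes) -> str:
    """Signature in the form Snyk sends it; also what a test sender computes."""
    return "sha256=" + hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def signature_ok(secret: str, raw_body: bytes, headers: dict) -> bool:
    """Constant-time check of the header against HMAC over the *raw* bytes."""
    provided = next((v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER), None)
    if not provided or not provided.startswith("sha256="):
        return False
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(provided.strip(), sign(secret, raw_body))


def handle_delivery(secret: str, raw_body: bytes, headers: dict):
    """Return (accepted, summary). Verify first; parse the JSON only afterwards.

    Re-serialising the body (e.g. after a web framework has parsed it) changes
    whitespace and key order and invalidates the signature, so keep the raw bytes.
    """
    if not signature_ok(secret, raw_body, headers):
        return False, {"error": "missing or invalid signature"}
    event = json.loads(raw_body)
    new_issues = event.get("newIssues", [])
    by_severity = {}
    for issue in new_issues:
        sev = issue.get("issueData", {}).get("severity", "unknown")
        by_severity[sev] = by_severity.get(sev, 0) + 1
    return True, {
        "project": event.get("project", {}).get("name"),
        "new_issues": len(new_issues),
        "by_severity": by_severity,
        "removed_issues": len(event.get("removedIssues", [])),
    }


# Constructed sample delivery (not a real Snyk payload). The secret stands in
# for the one you entered when creating the webhook.
SAMPLE_SECRET = "example-webhook-secret"
SAMPLE_BODY = json.dumps({
    "project": {"id": "proj-1", "name": "acme/api:package.json"},
    "org": {"id": "org-1"},
    "newIssues": [
        {"id": "issue-1", "issueData": {"severity": "high"}},
        {"id": "issue-2", "issueData": {"severity": "medium"}},
    ],
    "removedIssues": [{"id": "issue-0"}],
}, separators=(",", ":")).encode()
SAMPLE_HEADERS = {"X-Hub-Signature": sign(SAMPLE_SECRET, SAMPLE_BODY)}
```

Wire `handle_delivery` to the raw request body your framework exposes (for example the bytes before JSON decoding), and reject the request with a 4xx when `accepted` is false; a valid signature tells you the delivery came from whoever holds the webhook secret, which is why that secret should be generated randomly and stored like any other credential.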

Step 8-10: Complete Setup

Configure security settings, choose deployment options, and deploy your server.

Using Your Snyk MCP Server


Natural Language Commands

  • "List all critical vulnerabilities in my organization"
  • "Generate SBOM for my Node.js project"
  • "Test if express@4.17.1 has known vulnerabilities"
  • "Show projects with unresolved security issues"
  • "Get the aggregated issues for project xyz"

Common Use Cases

Vulnerability Assessment

  • Continuous dependency scanning
  • Pre-deployment security checks
  • Third-party library vetting
  • License compliance verification

DevSecOps Integration

  • CI/CD pipeline security gates
  • Pull request security checks
  • Automated fix generation
  • Security policy enforcement

Compliance & Reporting

  • SBOM generation for supply chain
  • Vulnerability trend analysis
  • Audit trail maintenance
  • Executive security dashboards

Multi-Project Management

  • Organization-wide scanning
  • Cross-project vulnerability tracking
  • Centralized policy management
  • Team-based access control

Best Practices

  1. API Usage:

    • Use pagination for large result sets
    • Implement rate limit handling
    • Cache frequently accessed data
    • Use webhooks for real-time updates
  2. Security Operations:

    • Prioritize critical and high severity issues
    • Set up automated scanning schedules
    • Configure notification webhooks
    • Maintain ignore rule documentation
  3. Integration:

    • Use service accounts for automation
    • Implement proper error handling
    • Monitor API usage and quotas
    • Keep API version current

Troubleshooting

Common Issues

  1. Authentication Errors

    • Verify API token is valid and not expired
    • Check organization ID is correct
    • Confirm token has required permissions
    • Ensure correct API base URL for region
  2. Rate Limiting

    • Implement exponential backoff
    • Use pagination efficiently
    • Cache responses where appropriate
    • Monitor rate limit headers
  3. Missing Data

    • Verify project exists and is accessible
    • Check organization membership
    • Confirm API version compatibility
    • Review filter parameters
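The pagination and rate-limit advice in Best Practices and in the Rate Limiting item above, as one piece of working client code. This is an added example, not code from this page, Cequence or Snyk. It assumes the JSON:API response shape of the Snyk REST API (`data` plus `links.next`, where `next` is a path or an absolute URL; both prefixed and unprefixed paths are handled), that a 429 may carry a `Retry-After` header in seconds, and that issue objects expose `attributes.effective_severity_level`; the `transport` callable is injectable so the example runs offline against canned responses.

```python
"""Cursor pagination plus 429 back-off for Snyk REST collection endpoints.

Added example; not code from this page, Cequence, or Snyk. Assumptions:
  - responses are JSON:API documents with `data` and `links.next`, where
    `next` is an absolute URL or a path (with or without the /rest prefix);
  - a 429 may include Retry-After in seconds; when it is absent or not a
    number, back off 1, 2, 4, 8 s plus jitter;
  - issue objects expose attributes.effective_severity_level;
  - transport(method, url, headers) -> (status, headers, body_bytes) is
    injectable so the example runs offline against canned responses.
"""
import json
import random
import time
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "2024-10-15"
RETRYABLE = {429, 500, 502, 503, 504}


def urllib_transport(method, url, headers):
    """Real transport, used only when none is injected."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


def get_with_backoff(transport, url, headers, sleep=time.sleep, max_attempts=5):
    """GET url, retrying rate-limit and 5xx answers; honour Retry-After when present."""
    for attempt in range(max_attempts):
        status, resp_headers, body = transport("GET", url, headers)
        if status == 200:
            return json.loads(body)
        if status not in RETRYABLE:
            raise RuntimeError(f"HTTP {status} for {url}")
        retry_after = {k.lower(): v for k, v in resp_headers.items()}.get("retry-after")
        try:
            delay = float(retry_after)
        except (TypeError, ValueError):   # header absent or an HTTP-date: exponential back-off
            delay = 2 ** attempt + random.random()
        sleep(delay)
    raise RuntimeError(f"gave up after {max_attempts} attempts: {url}")


def iter_collection(base_url, path, auth_header, transport=urllib_transport,
                    sleep=time.sleep, limit=100, **query):
    """Yield every item of a paginated collection by following links.next."""
    base_url = base_url.rstrip("/")
    query = {"version": API_VERSION, "limit": limit, **query}
    url = f"{base_url}/rest{path}?{urllib.parse.urlencode(query)}"
    headers = {"Accept": "application/vnd.api+json", **auth_header}
    seen = set()
    while url:
        if url in seen:   # a server-side cursor bug must not become an infinite loop
            raise RuntimeError("pagination loop: next link repeated")
        seen.add(url)
        page = get_with_backoff(transport, url, headers, sleep=sleep)
        yield from page.get("data", [])
        nxt = (page.get("links") or {}).get("next")
        if not nxt:
            return
        if nxt.startswith("http"):
            url = nxt
        elif nxt.startswith("/rest/"):
            url = base_url + nxt
        else:
            url = f"{base_url}/rest/{nxt.lstrip('/')}"


def severity_counts(base_url, org_id, auth_header, transport=urllib_transport, sleep=time.sleep):
    """Tally an organization's issues by effective severity across all pages."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0, "unknown": 0}
    for issue in iter_collection(base_url, f"/orgs/{org_id}/issues", auth_header,
                                 transport=transport, sleep=sleep):
        level = issue.get("attributes", {}).get("effective_severity_level", "unknown")
        counts[level if level in counts else "unknown"] += 1
    return counts
```

Against a live organization, `severity_counts("https://api.snyk.io", org_id, {"Authorization": "token ..."})` walks every page of the issues collection, pausing for the server's Retry-After when throttled; the loop guard on repeated `next` links is cheap insurance against a misbehaving cursor.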

API Version Considerations

  • REST API requires version parameter (e.g., 2024-10-15)
  • V1 API endpoints don't require version
  • Some features require Enterprise plan
  • Check API documentation for endpoint availability

Getting Help