
Snyk Security Platform MCP server

Snyk is a unified developer security platform helping teams find and fix vulnerabilities in code, dependencies, containers, and infrastructure as code. With this MCP server, AI agents can scan projects, manage vulnerabilities, track remediation progress, generate SBOMs, and enforce security policies through natural language commands.

Setting up an MCP server

This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.

Before you begin

You'll need:

  • Access to AI Gateway with permission to create MCP servers
  • API credentials for the application you're connecting (see the relevant application page for what to collect)

Create an MCP server

Find the API in the catalog

  1. Sign in to AI Gateway and select MCP Servers from the left navigation.
  2. Select New MCP Server.
  3. Search for the application you want to connect, then select it from the catalog.

Configure the server

  1. Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
  2. Enter a Description so your team knows what the server is for.
  3. Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
  4. Toggle Production mode on if this server will be used in a live workflow.
  5. Select Next.

Configure authentication

Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.

Configure security

  1. Set any Rate limits appropriate for your use case and the API's own limits.
  2. Enable Logging if you want AI Gateway to record requests and responses for auditing.
  3. Select Next.

Deploy

Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.


Connect to an AI client

Once your server is deployed, add it to the AI client your team uses. Setup instructions are provided per client; pick the one that matches your environment.

Tips

  • You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
  • If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
  • You can edit a server's name, description, timeout, and security settings after deployment without redeploying.

Authentication

Snyk uses API tokens for programmatic access. Personal tokens are generated from your Snyk account settings; service account tokens are created at the group or organization level and are the better fit for a shared MCP server, because they are not tied to one person and can be given a role limited to what the agent needs (read-only for reporting agents, write only where the workflow requires it). Treat the token like a password: store it in the server's authentication settings, never in prompts or client config files.

  • API Token: Generated from account settings (service account or personal token)
  • Token Header: Authorization: token {your-api-token}
  • API Base: https://api.snyk.io/v1 (legacy v1 API) or https://api.snyk.io/rest (REST API; every REST request must carry a version query parameter, a date string such as ?version=2024-10-15)
  • Regional: EU customers use https://api.eu.snyk.io (same /v1 and /rest path layout)
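The request shape the settings above describe, as an added example (not Snyk's or AI Gateway's code): it builds the URL and headers for a v1 or REST call, routes to the regional host, adds the REST version parameter, and shows how to log the headers without leaking the token. The EU host is the one listed above; the US host is Snyk's default; REST_VERSION is one illustrative value for the date-based version parameter and should be pinned to whatever your integration was tested against.

```python
"""Build authenticated Snyk API requests for the v1 and REST endpoints.

Added example, not code from Snyk or AI Gateway. It constructs the URL and
headers only; nothing is sent. Assumptions: the EU host is the one the page
lists, the US host is Snyk's default, and REST_VERSION is one illustrative
value of the date-based ``version`` query parameter the REST API requires.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

API_HOSTS = {
    "us": "https://api.snyk.io",     # default region
    "eu": "https://api.eu.snyk.io",  # EU customers (from the page)
}
REST_VERSION = "2024-10-15"  # assumed; pin the version you tested against


def build_request(token, path, api="rest", region="us", params=None):
    """Return (url, headers) for a call to ``/{api}/{path}``.

    ``api`` is "v1" for the legacy API or "rest" for the JSON:API endpoints.
    The token goes only in the Authorization header, never in the URL, so it
    does not end up in gateway or proxy access logs.
    """
    if region not in API_HOSTS:
        raise ValueError(f"unknown region {region!r}")
    if api not in ("v1", "rest"):
        raise ValueError(f"api must be 'v1' or 'rest', got {api!r}")
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("token must be a non-empty string without whitespace")

    query = dict(params or {})
    headers = {"Authorization": f"token {token}"}
    if api == "rest":
        # REST calls without a version are rejected; JSON:API media type.
        query.setdefault("version", REST_VERSION)
        headers["Accept"] = "application/vnd.api+json"
    else:
        headers["Accept"] = "application/json"

    url = f"{API_HOSTS[region]}/{api}/{path.strip('/')}"
    if query:
        url += "?" + urlencode(sorted(query.items()))
    return url, headers


def redact(headers):
    """Copy of ``headers`` that is safe to log: only the token's last 4 chars survive."""
    out = dict(headers)
    auth = out.get("Authorization", "")
    if auth.startswith("token "):
        secret = auth[len("token "):]
        out["Authorization"] = "token ****" + secret[-4:]
    return out


def token_leaked_in_url(url, token):
    """True if the token appears anywhere in the URL (path or query string)."""
    parts = urlsplit(url)
    in_query = any(token in v for vals in parse_qs(parts.query).values() for v in vals)
    return token in parts.path or in_query


if __name__ == "__main__":
    tok = "example-token-0000abcd"  # constructed placeholder, not a real credential
    url, hdrs = build_request(tok, "orgs/ORG_ID/projects", api="rest", region="eu")
    print(url)
    print(redact(hdrs))
    print("token in URL:", token_leaked_in_url(url, tok))
```

If AI Gateway's request logging is enabled, the same redaction rule applies to whatever the gateway records: the Authorization header must be masked before it reaches an audit log, or the log becomes a second copy of the credential.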

Available tools

The Snyk MCP server exposes vulnerability scanning, project management, issue tracking, policy enforcement, and reporting APIs.

  • Dependency Scanning: Scan projects for vulnerable dependencies; get fix recommendations; check license compliance
  • Code Analysis (SAST): Analyze source code for security issues; identify code quality problems; provide remediation guidance
  • Container Security: Scan container images; get base image recommendations; monitor image registries; track runtime threats
  • Infrastructure as Code: Scan Terraform, CloudFormation, and Kubernetes configs; identify misconfigurations; track compliance
  • Issues & Projects: Manage vulnerability issues; track remediation progress; organize projects; configure ignore rules
  • Policy Management: Create custom security policies; enforce severity thresholds; manage ignore rules
  • SBOM Generation: Generate a Software Bill of Materials in CycloneDX or SPDX format; export component lists
  • Organization Management: Manage teams; configure org settings; integrate with SCM and CI/CD; track org metrics

Tips

  • Integrate Snyk into CI/CD pipelines for automated scanning, and scan on every commit for quick feedback.
  • Configure severity thresholds to block builds when necessary, and prioritize critical and high-severity issues.
  • Review fix recommendations and apply patches promptly to reduce the exposure window.
  • Regularly update dependencies to reduce the vulnerability window; use Snyk's automated PRs for dependency upgrades, and test in staging before production to validate the changes.
  • Scan base images before use, prefer minimal and regularly updated images, and configure registry integrations for continuous monitoring.
  • Create policies aligned with your security requirements, enforce consistent standards across projects, and review policies quarterly as threats evolve.
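A severity-threshold build gate of the kind the tips above describe, as an added example (not Snyk's code or CLI): it reads one page of issues, drops resolved ones, keeps ignored ones out of the blocking set but reports them so an ignore rule cannot silently hide a finding, and fails closed on an unrecognized severity. SAMPLE_RESPONSE is constructed to resemble a JSON:API page from the REST issues endpoint; the attribute names effective_severity_level, status and ignored are assumptions to verify against the live API before relying on this in CI.

```python
"""Severity gate for CI: fail the build when Snyk reports open issues at or
above a threshold, and account for ignore rules separately.

Added example, not Snyk's code or CLI. SAMPLE_RESPONSE is constructed to
resemble one page from the REST issues endpoint (JSON:API: each item has an
``attributes`` object). The field names effective_severity_level, status and
ignored are assumptions; verify them against the live API before use.
"""
import json

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample: five issues on one project, mixing open, ignored and
# resolved findings so every branch of the gate is exercised.
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {"id": "i-1", "attributes": {"title": "Prototype pollution",
                                     "effective_severity_level": "critical",
                                     "status": "open", "ignored": False}},
        {"id": "i-2", "attributes": {"title": "ReDoS",
                                     "effective_severity_level": "high",
                                     "status": "open", "ignored": True}},
        {"id": "i-3", "attributes": {"title": "Path traversal",
                                     "effective_severity_level": "high",
                                     "status": "open", "ignored": False}},
        {"id": "i-4", "attributes": {"title": "Info leak",
                                     "effective_severity_level": "medium",
                                     "status": "open", "ignored": False}},
        {"id": "i-5", "attributes": {"title": "Old CVE",
                                     "effective_severity_level": "high",
                                     "status": "resolved", "ignored": False}},
    ]
})


def classify(response):
    """Split a page of issues into (open, ignored).

    Resolved issues drop out. Ignored issues never block, but they are returned
    so the report shows what an ignore rule is hiding. An unknown severity
    raises rather than being treated as low: the gate fails closed.
    """
    payload = json.loads(response) if isinstance(response, str) else response
    open_issues, ignored = [], []
    for item in payload.get("data", []):
        attrs = item.get("attributes", {})
        if attrs.get("status") == "resolved":
            continue
        sev = str(attrs.get("effective_severity_level", "")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"issue {item.get('id')}: unknown severity {sev!r}")
        rec = {"id": item.get("id"), "title": attrs.get("title", ""), "severity": sev}
        (ignored if attrs.get("ignored") else open_issues).append(rec)
    return open_issues, ignored


def gate(response, fail_on="high"):
    """Return (passed, report); passed is False if any open, non-ignored
    issue is at or above ``fail_on``. Blocking issues are listed worst first."""
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"fail_on must be one of {sorted(SEVERITY_RANK)}")
    open_issues, ignored = classify(response)
    threshold = SEVERITY_RANK[fail_on]
    blocking = sorted(
        (i for i in open_issues if SEVERITY_RANK[i["severity"]] >= threshold),
        key=lambda i: -SEVERITY_RANK[i["severity"]],
    )
    counts = {s: 0 for s in SEVERITY_RANK}
    for i in open_issues:
        counts[i["severity"]] += 1
    report = {
        "fail_on": fail_on,
        "open_counts": counts,
        "blocking": [i["id"] for i in blocking],
        "ignored": [i["id"] for i in ignored],
    }
    return not blocking, report


if __name__ == "__main__":
    passed, report = gate(SAMPLE_RESPONSE, fail_on="high")
    print("PASS" if passed else "FAIL", json.dumps(report, indent=2))
    raise SystemExit(0 if passed else 1)
```

The live endpoint is paginated, so a real pipeline step has to walk every page (or pass each page through classify and merge) before deciding; gating on the first page alone lets a high-severity issue on page two through. Keep the ignored list in the build output: an ignore rule is a policy decision with an owner and an expiry, not a fix, and the gate should make that visible.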