Provides Snyk security scanning via MCP for repository and project scans using token-based auth and optional org lookup.
This MCP Server enables Snyk security scanning within your Model Context Protocol workflow. It runs as a standalone service that you configure in your environment, so you can scan GitHub/GitLab repositories and Snyk projects through a consistent, CLI-driven interface. With token-based authentication and an optional default organisation wired in, you can run repository and project scans directly from your MCP client.
To scan a repository or a Snyk project, you interact with the MCP server through your MCP client. You can initiate a repository scan using a GitHub or GitLab URL and you can also scan a specific Snyk project by its project ID. The server supports multiple organization ID configuration methods and can verify your token when asked.
Prerequisites you need before starting:
- Node.js and npm installed on your machine
- Access to a terminal where you can edit your MCP settings and run commands
Install and configure the Snyk MCP Server by adding the following MCP configuration snippet to your settings file. This configures the server to run via npx and to pass the required environment variables for authentication and organization lookup.
{
  "mcpServers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "github:sammcj/mcp-snyk"
      ],
      "env": {
        "SNYK_API_KEY": "your_snyk_token",
        "SNYK_ORG_ID": "your_default_org_id"
      }
    }
  }
}
The SNYK_ORG_ID entry is optional and sets a default organisation ID. The server authenticates with the Snyk API key and can derive the organisation ID from one of several sources: if an organisation ID is set in the MCP settings, that value is used first; otherwise the server can obtain it from the Snyk CLI configuration or from an organisation ID supplied as a command argument.
To verify your Snyk token configuration, ask the MCP client to verify token configuration. The verification process will confirm token validity and may display your Snyk user information and CLI-configured organization ID when available.
Scan a repository by providing its GitHub or GitLab URL. For example, you can request a scan of https://github.com/owner/repo to check for security vulnerabilities.
For Snyk projects, request a scan by project ID, for example "Scan Snyk project project-id-here".
The organization ID is resolved in this order: a command argument, then the SNYK_ORG_ID environment variable from the MCP settings, then the Snyk CLI configuration (snyk config get org). To override the configured value for a single scan, include the organization ID in the command.
If you have the Snyk CLI installed, the server can use it to determine your default organization ID and to fall back to CLI configuration when MCP settings are not provided. This makes it easier to share the same organization ID across both CLI and MCP server usage.
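The lookup order above, written out as an added JavaScript example (not code from the mcp-snyk project): an explicit argument wins, then the SNYK_ORG_ID value from the MCP settings, then the Snyk CLI's own config. The CLI lookup is injected as a function so the example runs offline; fakeCliLookup, snykCliLookup, resolveOrgId and checkApiKey are names chosen here, not the server's API.

```javascript
// Resolve the Snyk organisation ID in the order the server documents:
// 1. command argument, 2. SNYK_ORG_ID from the MCP "env" block,
// 3. the Snyk CLI configuration (`snyk config get org`).
function resolveOrgId({ argOrgId, env, cliLookup }) {
  // 1. A per-scan override passed on the command always wins.
  if (typeof argOrgId === 'string' && argOrgId.trim() !== '') {
    return { orgId: argOrgId.trim(), source: 'argument' };
  }
  // 2. The default configured in the MCP settings "env" block.
  const fromEnv = env && env.SNYK_ORG_ID;
  if (typeof fromEnv === 'string' && fromEnv.trim() !== '') {
    return { orgId: fromEnv.trim(), source: 'env' };
  }
  // 3. Fall back to the Snyk CLI configuration when a lookup is available.
  if (typeof cliLookup === 'function') {
    const fromCli = cliLookup();
    if (typeof fromCli === 'string' && fromCli.trim() !== '') {
      return { orgId: fromCli.trim(), source: 'cli' };
    }
  }
  // Nothing configured: the caller should refuse to scan rather than guess.
  return { orgId: null, source: 'none' };
}

// Constructed stand-in for `snyk config get org` (returns a fake ID with the
// trailing newline the real CLI prints) so the example runs without Snyk.
function fakeCliLookup() {
  return 'cli-org-0000\n';
}

// Real lookup: spawn the Snyk CLI if it is installed; empty string if not.
function snykCliLookup() {
  const { spawnSync } = require('child_process');
  const r = spawnSync('snyk', ['config', 'get', 'org'], { encoding: 'utf8' });
  return r.status === 0 ? r.stdout : '';
}

// Check that an API key is actually set and is not the placeholder from the
// configuration snippet, before any scan is attempted.
function checkApiKey(env) {
  const key = env && env.SNYK_API_KEY;
  return typeof key === 'string' && key.trim() !== '' && key !== 'your_snyk_token';
}
```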
The server exposes the following operations:
- Verify token: check that your Snyk API key is valid and retrieve your user info. This confirms the token is functioning before scans.
- Scan repository: trigger a security scan for a repository identified by its GitHub or GitLab URL and report vulnerabilities.
- Scan project: trigger a security scan for a Snyk project by its project ID and return results.
- Resolve organization: determine the target organization ID from command arguments, MCP settings, or the Snyk CLI configuration, in that order.