snyk-security-scanner-mcp
Facilitates repository vulnerability assessment via integration with Snyk's security analysis engine. Supports configuration parameters including the Snyk access credential and default organizational context.
Author: sammcj
Snyk Security Analysis Provider for MCP
This is a dedicated Model Context Protocol (MCP) service instance engineered to interface with the Snyk platform for comprehensive software security auditing.
ATTENTION: THIS MCP SERVICE IS UNDER ACTIVE DEVELOPMENT (ALPHA STAGE) AND IS NOT YET COMPLETE!
Configuration Directives
Modify your Claude desktop configuration file (claude-config.json) as follows:
{
  "mcpServers": {
    "snyk": {
      "command": "npx",
      "args": [
        "-y",
        "github:sammcj/mcp-snyk"
      ],
      "env": {
        "SNYK_API_KEY": "your_snyk_access_token",
        "SNYK_ORG_ID": "your_default_organization_identifier"
      }
    }
  }
}
The SNYK_ORG_ID entry is optional and sets a default organization ID. Keep the file as strict JSON: comments (such as // ...) are not permitted and will break parsing.
Substitute the placeholder with your genuine Snyk API credential. The organization identifier can be specified through several mechanisms:
- Within the MCP configuration, via the SNYK_ORG_ID environment setting (illustrated above).
- Via the Snyk command-line interface (CLI): snyk config set org=your-org-id
- Directly, by supplying the ID as an argument within operational commands.
The server checks these sources in order of precedence (explicit argument first, then the environment variable, then the CLI; see Organizational ID Parameterization below) until it finds a valid organization ID.
Configuration Validation Procedure
To confirm that your Snyk credential is set up correctly, instruct Claude to execute the verify_token function:
Verify my Snyk token configuration
This action validates the credential's status and displays associated Snyk user metadata. If the Snyk CLI is present and configured, it will also report the CLI-configured default organization.
Core Capabilities
- Execution of security audits on repositories sourced via GitHub or GitLab addresses.
- In-depth analysis of Snyk-defined projects.
- Seamless integration with the Claude desktop environment.
- Credential integrity checking.
- Support for multiple methods to specify the organizational identifier.
- Leveraging the Snyk CLI for organizational context resolution.
Operational Instructions
To initiate a security scan on a repository, the request must include either its GitHub or GitLab Uniform Resource Locator (URL):
Scan repository https://github.com/owner/repo for security vulnerabilities
CRITICAL NOTE: The scan_repository function strictly mandates the repository's remote URL (e.g., https://github.com/owner/repo). Do not substitute this with local file system paths; always use the canonical URL from GitHub or GitLab.
For audits concerning existing Snyk projects:
Scan Snyk project project-id-here
Organizational ID Parameterization
The server prioritizes the source for the organization ID based on this hierarchy:
- The ID provided explicitly in the operational command argument.
- The value set in the MCP configuration environment variable (SNYK_ORG_ID).
- The ID retrieved from the Snyk CLI configuration (snyk config get org).
Supply the organization identifier in your command only when you intend to override the value already established in the configuration or the CLI:
Scan repository https://github.com/owner/repo in organisation org-id-here
Snyk CLI Interoperability
If the Snyk CLI utility is installed globally (npm install -g snyk), the server gains the capability to perform the following:
- Retrieve the globally configured default organization ID.
- Serve as a fallback data source for the organization ID when MCP environment settings are absent.
- Display the retrieved CLI configuration details during the token verification output.
This interoperability facilitates maintaining consistency in the organization ID used across both the command-line interface and the MCP service.
