Back to Browse
Free
Server data from the Official MCP Registry
MCP server for Snyk API & Web — DAST scanning, findings management, and vulnerability triage
About
MCP server for Snyk API & Web — DAST scanning, findings management, and vulnerability triage
Security Report
4.2
Use Caution4.2High RiskThe Snyk API & Web MCP server is a well-structured tool for managing security scanning targets. Authentication is properly enforced via API keys loaded from environment variables or config files. However, there are several moderate-severity concerns: credentials can be passed inline in some tool parameters (creating exfiltration risk if logs are captured), the server accepts and forwards user-provided credentials without explicit warnings about secure storage, and there is insufficient validation/sanitization on some user inputs (URLs, field names). Additionally, the tool's broad network access and ability to configure authentication on behalf of users requires careful permission scoping. No malicious patterns or hardcoded secrets were detected. Supply chain analysis found 8 known vulnerabilities in dependencies (1 critical, 3 high severity). Package verification found 1 issue.
4 files analyzed · 17 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
Permissions Required
This plugin requests these system permissions. Most are normal for its category.
What You'll Need
Set these up before or after installing:
Snyk API & Web API key. Create at https://plus.probely.app/api-keysRequired
Environment variable: MCP_SAW_API_KEY
How to Install
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-snyk-saw-mcp": {
"env": {
"MCP_SAW_API_KEY": "your-mcp-saw-api-key-here"
},
"args": [
"snyk-apiweb-mcp"
],
"command": "uvx"
}
}
}Documentation
View on GitHubFrom the project's GitHub README.
Snyk API & Web MCP Server
Connect your AI coding assistant to Snyk API & Web so it can onboard scan targets, configure authentication, run DAST scans, and triage findings — all through natural language.
Built on FastMCP 2.0, works with Cursor, Claude Code, Devin, Windsurf, and any MCP-compatible client.
Naming note: Snyk API & Web was formerly known as Probely. The API endpoints (
api.probely.com), web console (plus.probely.app), and MCP tool names (probely_*) still use the legacy domain and prefix. Environment variables and config sections use the newSAW/sawnaming.
See USER_GUIDE.md for usage, examples, and tool reference.
This repository is closed to public contributions. We appreciate community interest, but we do not accept pull requests, issues, or other contributions from external contributors at this time. If you have found a security issue, please see SECURITY.md.
Requirements
- Python 3.10+
- Snyk API & Web API key
Quick Start
1. Get Your API Key
Go to https://plus.probely.app/api-keys and create an API key.
Important
Use a custom role, limited-scope API key for the Snyk API & Web MCP Server. Create the key only with the permissions required for the intended actions. Do not use a highly privileged or global API key, as this can affect your entire account and its resources.
2. Install
Cursor Marketplace (recommended)
Install directly from the Cursor Marketplace:
- Open Cursor and go to Settings → Plugins
- Search for Snyk API & Web
- Click Install
- Set your API key as an environment variable:
export MCP_SAW_API_KEY="your-api-key"
The plugin installs the MCP server, rules, and skills automatically.
One-command install (any MCP client)
uvx --from git+https://github.com/snyk/saw-mcp.git saw-mcp
Or add to your MCP client configuration:
{
"mcpServers": {
"SAW": {
"command": "uvx",
"args": ["--from", "git+https://github.com/snyk/saw-mcp.git", "saw-mcp"],
"env": {
"MCP_SAW_API_KEY": "your-api-key"
}
}
}
}
Install from release tarball
tar -xzvf SnykAPIWeb-<version>.tgz
cd SnykAPIWeb
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
pip install -r requirements.txt
Download from Releases and replace <version> with the actual version number (e.g., 1.0.0).
Clone from source
git clone https://github.com/snyk/saw-mcp.git
cd saw-mcp
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
pip install -r requirements.txt
3. Store Your API Key
The server reads your API key from (in order of precedence): environment variable MCP_SAW_API_KEY → .env file → config/config.yaml.
Option A: Environment variable (recommended for Marketplace / uvx installs)
export MCP_SAW_API_KEY="your-api-key"
Option B: .env file (recommended for source installs)
Run the setup script (prompts securely, no key in shell history):
./scripts/setup-env.sh
Or pipe from a secret manager: op read 'op://vault/item/key' | ./scripts/setup-env.sh
This writes a .env file in the project root (gitignored). The server loads it automatically at startup.
4. Configure Your IDE
If you installed from the Cursor Marketplace, configuration is automatic. For other clients, add to your MCP client configuration:
{
"mcpServers": {
"SAW": {
"command": "uvx",
"args": ["--from", "git+https://github.com/snyk/saw-mcp.git", "saw-mcp"],
"env": {
"MCP_SAW_API_KEY": "your-api-key"
}
}
}
}
For host-specific setup see the Installation Guides.
- Override the base URL: add
"MCP_SAW_BASE_URL": "https://your-instance-url"to theenvblock. - Use a config file: set
"MCP_SAW_CONFIG_PATH": "/path/to/config.yaml"instead. - Set log level: add
"MCP_SAW_LOG_LEVEL": "DEBUG"(options: DEBUG, INFO, WARNING, ERROR, CRITICAL; default: INFO).
5. Start Using
Ask your AI assistant to:
- "Configure a Snyk API & Web API target from this OpenAPI schema / Swagger document / Postman collection."
- "Configure a Snyk API & Web web target for this authenticated application."
See prompts.md for a full catalog of example prompts — from simple one-liners to complex multi-target workflows.
IDE Integration
Detailed per-host guides live in docs/installation-guides/:
| Host | Guide |
|---|---|
| Cursor | install-cursor.md |
| Windsurf | install-windsurf.md |
| Claude Desktop | install-claude.md |
| Devin / Other IDEs | install-devin.md |
Packaging
bash scripts/package.sh
Creates dist/SnykAPIWeb-<version>.tgz (version from snyk_apiweb/__init__.py).
Development & Testing
Run the Server (standalone)
Running the server directly starts it and waits for an MCP client connection. This is mainly useful for development and debugging:
./venv/bin/python -m snyk_apiweb.server
Development Mode (hot reload)
For active development with automatic reload on file changes:
./scripts/dev.sh
License
This project is licensed under the Apache License 2.0.
Reviews
No reviews yet
Be the first to review this server!
More Security MCP Servers
Toleno
Freeby Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
114
Stars
412
Installs
8.0
Security
4.8
Local
mcp-creator-python
Freeby mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.
-
Stars
57
Installs
10.0
Security
5.0
Local
MarkItDown
Freeby Microsoft · Content & Media
Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption
116.1K
Stars
16
Installs
6.0
Security
5.0
Local