# Snyk MCP

> Snyk MCP Server connects your entire security dashboard directly to your AI client. You can diagnose package vulnerabilities and project issues without leaving your editor. Use tools like `list_issues` or `get_project_details` to query deep CVE reports, audit organizational members, or check billing usage—all via natural language commands.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** code-security, cve-scanning, devsecops, container-security, dependency-analysis, vulnerability-management

## Description

You connect your entire security dashboard straight into your AI client. You don't have to jump between browser tabs or switch contexts just to diagnose package vulnerabilities or project issues; you query your whole organizational vulnerability footprint directly through the Model Context Protocol. 

When you need to understand which applications are running, start with `list_projects`. This tool returns every active application project within an organization. Once you've identified the target projects, drill down with `get_project_details` to retrieve the configuration and metadata for the project you selected.

If you need to find security flaws in your code, run `list_issues`. This generates a comprehensive list of every potential security issue associated with a specified project ID. For the nitty-gritty details on any single finding, use `get_issue_details`. That pulls specific, technical information about one identified vulnerability, giving you exact remediation steps and deep vulnerability specifics.

To map out your company's structure or audit who's on the team, first run `list_organizations` to see all separate organizational units managed by the account. Then, pull a complete roster of users in that organization using `list_organization_members`, which shows every user member, their associated roles, and emails. You can also check what external services are hooked up via `list_integrations`; it lists everything from GitHub to AWS currently connected to your Snyk account.

When you need to handle the operational side of things, you've got tools for usage tracking and billing. Check how much capacity you've used by running `get_usage_stats`, which gives you a clear picture of the organization's current consumption rates against established quotas. For total financial clarity, run `get_billing_info` to retrieve the organization's current billing details and subscription information.

This setup lets your AI client handle all these complex reads using plain language commands. You can list every project, get its specific configuration, generate a full report of security flaws for that project, pull out the remediation steps for any single flaw found, see who works in the organization, check which organizational units exist, confirm what services are integrated, audit your current usage against quotas, and review the entire billing structure—all without touching another tab.

## Tools

### get_billing_info
Retrieves the organization's current billing details and subscription information.

### get_issue_details
Pulls specific, technical information about a single identified security vulnerability.

### get_project_details
Retrieves configuration and metadata for a defined application project within Snyk.

### get_usage_stats
Checks the organization's current consumption rates against established usage quotas.

### list_integrations
Lists every external service (like GitHub or AWS) currently connected to the Snyk account.

### list_issues
Generates a list of all security issues found for a specific project ID.

### list_organization_members
Shows every user member within the Snyk organization, including their roles and associated emails.

### list_organizations
Lists all separate organizational entities that are managed by the account.

### list_projects
Retrieves a list of all active projects available within a specified organization.

## Prompt Examples

**Prompt:** 
```
Check Snyk and summarize all critical security vulnerabilities currently found in the main backend project.
```

**Response:** 
```
I scanned 'Core Backend' (ID: `a1b2c3`) using the `list_issues` action path. You have **2 Critical Issues** flagged:

1. **Arbitrary File Write via Archive Extraction (Zip Slip)** - Found in `adm-zip@0.4.11` 
2. **Prototype Pollution** - Found in `lodash@4.17.15`

Would you like me to inspect 'Prototype Pollution' using `get_issue_details` to view the recommended fix paths?
```

**Prompt:** 
```
Display our organization's current integration links on Snyk. What are we attached to?
```

**Response:** 
```
Triggering the `list_integrations` routine... 
Your organization (`org_123_abc`) has 3 active pipelines feeding into Snyk:
- **GitHub Enterprise** (Source Control)
- **AWS ECR** (Container Registry)
- **Slack** (Alert Hook Notification)

All connections appear functional on the organizational tier.
```

**Prompt:** 
```
Draw a markdown table checking the team member roles in the DevOps organization.
```

**Response:** 
```
I've pulled the organizational data through `list_organization_members` for the **DevOps Core** tenant:

| Member Name | Associated Email | Snyk Role |
| --- | --- | --- |
| Alex Mercer | a.mercer@company.co | `Admin` |
| Sarah Chen | s.chen@company.co | `Collaborator` |
| Marc Johnson | m.johnson@company.co | `Viewer` |

Total count: 3 members mapped directly.
```

## Capabilities

### Identify Project Structures
Run `list_projects` to see all application projects in an organization, followed by `get_project_details` for specific project configurations.

### Pinpoint Code Flaws
List potential security issues via `list_issues`, then use `get_issue_details` to read the remediation steps and vulnerability specifics.

### Audit Team Members
Get a list of all users in an organization using `list_organization_members` or see which organizational units exist with `list_organizations`.

### Check API Status and Usage
See what services are connected via `list_integrations`, and check how much capacity you've used by running `get_usage_stats` or checking billing limits with `get_billing_info`.

## Use Cases

### Emergency Dependency Check
A developer finds a container build failing. Instead of running local scanners or searching the UI for the faulty dependency version, they prompt their agent: 'List issues in Core Backend.' The agent runs `list_issues`, immediately showing two critical flaws. They then call `get_issue_details` to read the recommended patch versions and fix it right away.

### Org Structure Audit
A sysadmin needs to know who has admin access in the global division before a major policy change. They prompt: 'List all organizations, then list members for each.' The agent runs `list_organizations` and follows up with `list_organization_members`, providing an instant, auditable roster.

### Pre-Merge Security Gate
Before merging a PR, the DevSecOps engineer needs to check whether any new dependencies introduce high risk. They prompt: 'What are the critical issues for this project?' The agent runs `list_issues`, filtering out minor warnings and focusing only on the actionable CVEs they need in order to approve the merge.
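The gate described in this scenario (and the remediation lookup from the Emergency Dependency Check above) can be expressed as a small policy run over the findings the agent obtains from `list_issues`. The block below is an added example, not code from this listing or from Snyk: it assumes each finding carries `id`, `title`, `severity`, `package`, `version` and `fixed_in` fields (an assumption for the example, not Snyk's documented schema), and uses a constructed sample list, with illustrative version numbers, in place of a live tool call so it runs offline. It fails closed on any severity it does not recognise, and collapses several findings on one package into a single upgrade target.

```python
"""Pre-merge security gate over `list_issues` output.

Added example for the Pre-Merge Security Gate scenario; it is not code from
the Snyk MCP listing or from Snyk. In practice the issue list would come from
the agent calling the `list_issues` tool for the project; here a constructed
sample stands in so the gate runs offline. The record shape (id, title,
severity, package, version, fixed_in) and the version numbers are assumptions
for this example, not Snyk's documented schema or advisory data.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the assumed shape; mirrors the listing's 'Core Backend'
# response plus two extra findings to exercise the gate's branches.
SAMPLE_LIST_ISSUES = [
    {"id": "issue-1", "title": "Arbitrary File Write via Archive Extraction (Zip Slip)",
     "severity": "critical", "package": "adm-zip", "version": "0.4.11", "fixed_in": ["0.5.10"]},
    {"id": "issue-2", "title": "Prototype Pollution",
     "severity": "critical", "package": "lodash", "version": "4.17.15", "fixed_in": ["4.17.21"]},
    {"id": "issue-3", "title": "Prototype Pollution (second variant)",
     "severity": "high", "package": "lodash", "version": "4.17.15", "fixed_in": ["4.17.19"]},
    {"id": "issue-4", "title": "Regular Expression Denial of Service",
     "severity": "medium", "package": "example-util", "version": "1.2.3", "fixed_in": []},
]


@dataclass(frozen=True)
class Issue:
    id: str
    title: str
    severity: str
    package: str
    version: str
    fixed_in: tuple[str, ...]  # empty when no fixed version is listed


def parse_issues(raw):
    """Normalise raw tool output; fail closed on a severity the gate does not know."""
    issues = []
    for rec in raw:
        sev = str(rec.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"{rec.get('id')}: unknown severity {sev!r}; refusing to gate")
        issues.append(Issue(rec["id"], rec["title"], sev, rec["package"],
                            rec["version"], tuple(rec.get("fixed_in") or ())))
    return issues


def gate(issues, threshold="high"):
    """Split findings into blocking (>= threshold) and advisory; passed iff nothing blocks."""
    floor = SEVERITY_RANK[threshold]
    blocking = [i for i in issues if SEVERITY_RANK[i.severity] >= floor]
    advisory = [i for i in issues if SEVERITY_RANK[i.severity] < floor]
    return not blocking, blocking, advisory


def _version_key(v):
    # Assumes plain dotted numeric versions (1.2.3); sufficient for the sample.
    return tuple(int(p) for p in v.split("."))


def upgrade_targets(blocking):
    """One upgrade target per package: the highest fixed version among its blocking issues.

    A package where any blocking issue lists no fix maps to None, so the reviewer
    knows an upgrade alone will not clear the gate.
    """
    targets = {}
    for i in blocking:
        if not i.fixed_in:
            targets[i.package] = None
            continue
        best = max(i.fixed_in, key=_version_key)
        current = targets.get(i.package, "0")
        if current is not None and _version_key(best) > _version_key(current):
            targets[i.package] = best
    return targets


def report(issues, threshold="high"):
    """Human-readable gate verdict, blocking findings first, then upgrade targets."""
    passed, blocking, advisory = gate(issues, threshold)
    lines = [f"gate {'PASSED' if passed else 'FAILED'} at threshold {threshold}: "
             f"{len(blocking)} blocking, {len(advisory)} advisory"]
    for i in sorted(blocking, key=lambda x: (-SEVERITY_RANK[x.severity], x.package)):
        lines.append(f"  [{i.severity.upper()}] {i.package}@{i.version}: {i.title} (id {i.id})")
    for pkg, target in sorted(upgrade_targets(blocking).items()):
        lines.append(f"  upgrade {pkg} -> {target}" if target
                     else f"  {pkg}: no fixed version listed, needs manual review")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_issues(SAMPLE_LIST_ISSUES)))
```

Raising the threshold to `critical` reproduces the scenario's prompt exactly (only the two critical findings block); lowering it to `medium` surfaces the finding with no fixed version, which the report marks for manual review rather than silently passing.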

### Billing Review
The team lead needs to confirm if their API usage is spiking due to a new integration. They prompt: 'Check our current usage stats and billing limits.' The agent runs `get_usage_stats` and `get_billing_info`, giving them hard numbers on capacity used.

## Benefits

- Audit the full scope of a build failure. Instead of guessing, run `list_issues` to see every flagged dependency flaw in one prompt. Then use `get_issue_details` to get the exact fix path for that specific vulnerability.
- Stop losing time switching tabs. Use `get_project_details` and `list_projects` to grab project IDs and configs right from your agent's output, eliminating manual data hunting between services.
- Maintain compliance visibility easily. Need to know who has admin rights? Run `list_organization_members` to get a clean table of every user role in the entire company structure.
- Stay within budget. Check your limits instantly. Use `get_usage_stats` or `get_billing_info` to confirm you won't blow past your API quota before deploying a major feature set.
- See who owns what. Use `list_integrations` to audit which external systems are hooked up—GitHub, AWS ECR, Slack—and ensure they're still active and necessary.

## How It Works

The bottom line is, instead of navigating the Snyk UI, you just talk to your AI client and get security reports back instantly.

1. Subscribe to this AI integration server and provide your Snyk API token.
2. Tell your agent what you need. For example, 'List all critical vulnerabilities in the Core Backend project.'
3. The agent uses the appropriate tool (like `list_issues`) to gather data and returns a summarized report directly into your chat or IDE.

## Frequently Asked Questions

**How do I check specific vulnerabilities using get_issue_details?**
You must first run `list_issues` to identify the target vulnerability. Then, prompt your agent with the issue ID and ask it to use `get_issue_details`. This retrieves the full technical details and recommended remediation steps for that exact flaw.

**Can I check my company's billing limits using get_billing_info?**
Yes. Just tell your agent to call `get_billing_info`. It pulls the latest financial data, showing current usage against subscription tiers so you know if you risk hitting a paywall.

**What is the difference between list_projects and get_project_details?**
`list_projects` gives you a directory—a quick list of all projects in an organization. You use `get_project_details` when you need deep, specific metadata or configuration details about one project by its ID.

**Do I need to manually run list_organization_members?**
No. Just ask your agent: 'List all organization members.' It handles the `list_organization_members` call and formats the output into a clean, readable table for you.

**How do I use `list_organizations` to see all the client accounts under my umbrella?**
It provides a list of every organization container linked to your Snyk account. This lets you audit your full scope and manage security settings across different business units before drilling into specific projects.

**Can I use `get_usage_stats` to check my current scan capacity or quota limits?**
Yes, this tool retrieves real-time usage statistics. You can see how many scans you've run and what your remaining API credits are, which is key for planning large audits.

**What does running `list_integrations` tell me about my current setup?**
It shows a direct list of all external services connected to Snyk. You can verify if your GitHub or AWS connections are active and feeding data into the security dashboard.

**When I run `get_project_details`, what specific data points about the project are returned?**
This tool delivers deep metadata for one project. You get details like its creation date, ownership, and associated primary repository name—all necessary context before running vulnerability checks.

**Can the AI give me the code fix for a Snyk security vulnerability?**
Yes! The bot uses `get_issue_details` to read Snyk's extensive remediation context natively. Because it operates inside your IDE (like Cursor), it seamlessly merges Snyk's advisory with your actual local file context to write a highly secure patch immediately.

**How do I find my organization ID if I only know my project name?**
You don't need to manually hunt for it. Simply tell your AI agent: 'Find my React Frontend project and list its issues'. The AI will autonomously query `list_organizations`, isolate the correct ID, run `list_projects` under it, find the matching name, and then execute the issue retrieval.

**Is it safe to expose my project vulnerabilities to an AI?**
Yes. Vinkius operates transparently: your Snyk API token is isolated, and requests route directly from your local MCP client to Snyk's API endpoints. No CVE finding is retained or inspected in cloud databases you don't control.