# Continue + Snyk MCP: Security Scanning & Patching

Workshop-in-a-box for learning to use the Snyk MCP server with Continue.

A guide to integrating Snyk's security scanning capabilities directly into your development workflow using Continue, an open-source AI coding assistant.
```text
┌─────────────────────────────────────────────────────────────────┐
│ Your Development Environment                                    │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   ┌──────────────────────────┐      ┌────────────────────┐      │
│   │ Continue IDE             │      │ Your Project /     │      │
│   │ (VS Code / JetBrains)    │      │ PyGoat             │      │
│   │                          │      │ (code to scan)     │      │
│   │ ┌────────────────────┐   │      └────────────────────┘      │
│   │ │ Agent Chat Panel   │   │                                  │
│   │ │ (MCP enabled)      │   │                                  │
│   │ └─────────┬──────────┘   │                                  │
│   │           │              │                                  │
│   │    "Scan project"        │                                  │
│   └───────────┼──────────────┘                                  │
│               │                                                 │
│               │ Calls MCP Tools                                 │
│               ▼                                                 │
│   ┌──────────────────────────────────────────────┐              │
│   │ Snyk MCP Server (.continue/mcpServers/)      │              │
│   │ (Bridge between Continue and Snyk CLI)       │              │
│   └──────────────┬───────────────────────────────┘              │
│                  │                                              │
│                  │ Invokes                                      │
│                  │                                              │
│                  ▼                                              │
│   ┌──────────────────────────┐                                  │
│   │ Snyk CLI                 │                                  │
│   │ (snyk mcp -t stdio)      │                                  │
│   │                          │                                  │
│   │ Requires: snyk auth      │                                  │
│   │ (API token stored)       │                                  │
│   └──────────────┬───────────┘                                  │
│                  │                                              │
│                  │ Scans                                        │
│                  │                                              │
│                  └──────────► Project Files (line by line)      │
│                                                                 │
│   ┌──────────────────────────────────────────────────────────┐  │
│   │ Vulnerability Detection Results                          │  │
│   ├──────────────────────────────────────────────────────────┤  │
│   │ • SQL Injection (high)      • Hardcoded Secrets          │  │
│   │ • XSS Vulnerabilities       • Weak Cryptography          │  │
│   │ • Path Traversal            • Insecure Defaults          │  │
│   └─────────────┬────────────────────────────────────────────┘  │
│                 │                                               │
│                 │ Returns via MCP                               │
│                 │                                               │
│                 ▼                                               │
│   ┌──────────────────────────────────────────────────────────┐  │
│   │ Continue Agent (LLM)                                     │  │
│   ├──────────────────────────────────────────────────────────┤  │
│   │ • Summarizes findings by severity                        │  │
│   │ • Suggests fixes (parameterized queries, input val.)     │  │
│   │ • Applies patches to code                                │  │
│   │ • Re-scans to verify fix                                 │  │
│   └──────────────────────────────────────────────────────────┘  │
│                                                                 │
│   ┌──────────────────────────────────────────────────────────┐  │
│   │ Results in Continue Chat                                 │  │
│   │ ✓ Vulnerability fixed and verified                       │  │
│   └──────────────────────────────────────────────────────────┘  │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```

**Data Flow:** You ask Continue → MCP calls Snyk CLI → Scans code → Returns findings → Continue LLM analyzes → Suggests/applies fixes → Re-scans to verify
## Why Continue?

Continue is fundamentally different from closed-source AI coding assistants:

- **Open Source & Transparent:** See exactly what happens with your code; no vendor lock-in
- **Model Agnostic:** Choose your own LLM (OpenAI, Anthropic, local Ollama, etc.)
- **Privacy-First:** Run completely offline with local models if preferred
- **IDE Native:** Works as a lightweight VS Code or JetBrains extension (not a fork or replacement)
- **Extensible:** Build custom commands, context sources, and tools
## Quick Start

### 1. Install Continue

- **VS Code:** Install from the Visual Studio Marketplace
- **JetBrains:** Install from the plugin repository (IntelliJ IDEA, PyCharm, WebStorm)
- **Terminal:** Install the Continue CLI with `npm i -g @continuedev/cli`

### 2. Configure Your Model

After installation, click the agent selector dropdown and choose your preferred provider:

- **Cloud:** OpenAI, Anthropic (Claude), OpenRouter
- **Local:** Ollama, ggml
- **Custom:** Any compatible API endpoint

### 3. Install Snyk CLI

```bash
# Install via npm
npm install -g snyk

# Or download from https://docs.snyk.io/developer-tools/snyk-cli/install-or-update-the-snyk-cli
```

Authenticate with your Snyk account (this stores the API token the MCP server will use):

```bash
snyk auth
```
## Adding the Snyk MCP Server

### Via the Continue UI

1. Click the Continue icon on your sidebar
2. Select "Configure tools" at the top of the chat input
3. Click the "+" icon next to "MCP Servers"
4. This creates a new `.continue/mcpServers/new-mcp-server.yaml` file

### Manual Configuration of the YAML file

You can rename that created file to `.continue/mcpServers/snyk-mcp.yaml` (in your project root). It should contain one of the following:

Using `npx` (always latest version):

```yaml
name: Snyk Security Scanner
version: 0.0.1
schema: v1
mcpServers:
  - name: Snyk
    command: npx
    args:
      - "-y"
      - "snyk@latest"
      - "mcp"
      - "-t"
      - "stdio"
    env: {}
```

Using a local Snyk installation:

```yaml
name: Snyk Security Scanner
version: 0.0.1
schema: v1
mcpServers:
  - name: Snyk
    command: /path/to/snyk # from `which snyk` on Linux, for example
    args:
      - "mcp"
      - "-t"
      - "stdio"
    env: {}
```
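The two configurations above are easy to get subtly wrong (a `command` that is not on `PATH`, or `snyk mcp` started without the `stdio` transport that Continue needs), and the `npx ... snyk@latest` variant resolves a fresh package on every launch, which is worth knowing from a supply-chain standpoint. The following pre-flight check is an added example, not part of the workshop or of Continue's own tooling; it operates on the config after it has been loaded into a dict (for example with PyYAML's `yaml.safe_load()`), and the `SNYK_MCP_CONFIG` dict is a constructed copy of the `npx` configuration above. The `path_lookup` parameter is an assumption of this example so the check can be tested without `npx` installed.

```python
import os
import shutil
from typing import Callable, Optional

# Constructed example: the npx configuration above, as it looks once loaded from YAML.
SNYK_MCP_CONFIG = {
    "name": "Snyk Security Scanner",
    "version": "0.0.1",
    "schema": "v1",
    "mcpServers": [
        {
            "name": "Snyk",
            "command": "npx",
            "args": ["-y", "snyk@latest", "mcp", "-t", "stdio"],
            "env": {},
        },
    ],
}


def _uses_stdio(args: list) -> bool:
    """True when the args contain the pair '-t stdio' (the transport Continue talks over)."""
    return any(args[i] == "-t" and args[i + 1] == "stdio" for i in range(len(args) - 1))


def check_mcp_config(
    config: dict,
    path_lookup: Callable[[str], Optional[str]] = shutil.which,
) -> dict:
    """Validate a loaded Continue MCP server config.

    Returns {"errors": [...], "warnings": [...]}; an empty "errors" list means the
    server should start. path_lookup resolves bare command names (default: shutil.which).
    """
    errors, warnings = [], []

    for key in ("name", "version", "schema"):
        if key not in config:
            errors.append(f"missing top-level key '{key}'")

    servers = config.get("mcpServers")
    if not isinstance(servers, list) or not servers:
        errors.append("'mcpServers' must be a non-empty list")
        return {"errors": errors, "warnings": warnings}

    for i, srv in enumerate(servers):
        label = srv.get("name") or f"server #{i}"
        cmd = srv.get("command")
        args = srv.get("args") or []

        if not cmd:
            errors.append(f"{label}: no 'command'")
            continue
        if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
            errors.append(f"{label}: 'args' must be a list of strings")
            continue

        # A path-like command must exist as a file; a bare name must resolve on PATH.
        if os.path.sep in cmd:
            resolved = os.path.isfile(cmd)
        else:
            resolved = path_lookup(cmd) is not None
        if not resolved:
            errors.append(f"{label}: command '{cmd}' not found")

        # Continue launches the server as a subprocess and speaks MCP over its stdin/stdout.
        if "mcp" in args and not _uses_stdio(args):
            errors.append(f"{label}: 'snyk mcp' must be started with '-t stdio' for Continue")

        # An unpinned '@latest' is fetched from the npm registry at every launch.
        if cmd == "npx" and any(a.endswith("@latest") for a in args):
            warnings.append(
                f"{label}: unpinned package via npx; pin a version for reproducible scans"
            )

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_mcp_config(SNYK_MCP_CONFIG)
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1]}: {msg}")
```

Run it against your own file by loading the YAML first and passing the resulting dict; the local-installation variant with a placeholder `/path/to/snyk` fails the file-exists check until the real path is filled in, which is exactly the failure you want to see before Continue tries to start the server.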
## Testing with PyGoat

This workshop references adeyosemanputra's deliberately vulnerable test application for learning and demonstration purposes.

### Clone PyGoat

Clone the intentionally vulnerable Django application into a subdirectory:

```bash
git clone https://github.com/adeyosemanputra/pygoat.git
```

### What is PyGoat?

PyGoat is an OWASP Project educational application designed to teach security vulnerabilities. It contains well-documented vulnerabilities across different severity levels, including:

- SQL injection
- Path traversal
- Code injection
- Command injection
- Hardcoded secrets
- Deserialization flaws
- XXE injection
- And more

This makes it perfect for testing your security scanning and remediation workflow without affecting production code.
## Using Continue to Scan & Patch Vulnerabilities

### Enable Agent Mode

MCP tools are only available in Agent Mode. Click the agent selector dropdown and ensure it's active.

### Scan Your Project

In the Continue chat (Agent Mode), ask:

```text
Please run a Snyk code scan on the current project.
```

Continue will:

- Execute the scan using Snyk MCP tools
- Categorize findings by severity (Critical, High, Medium, Low)
- Highlight vulnerability types (SQL injection, XSS, hardcoded secrets, etc.)
- Show file paths and line numbers

### Fix a Vulnerability

Provide specific vulnerability details to Continue:

```text
The scan found a High severity SQL Injection vulnerability at:
Path: introduction/views.py, line 871
Issue: Unsanitized input from an HTTP parameter flows into
a raw SQL query.
Can you fix this vulnerability and then re-scan to verify it's fixed?
```

Continue's agent will:

- Read and understand the vulnerable code
- Apply a fix (typically using parameterized queries, input validation, etc.)
- Automatically re-scan to verify the vulnerability is resolved
- Show a before/after comparison
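To make the before/after comparison concrete, here is an added example of the kind of change the agent applies for the finding described above ("unsanitized input from an HTTP parameter flows into a raw SQL query"). It is not PyGoat's code and not the patch Continue produces; it is a constructed, self-contained Python snippet using an in-memory SQLite table so the two versions can be run side by side. `lookup_vulnerable` is the pattern Snyk Code flags (request input formatted into the SQL text), and `lookup_fixed` is the parameterized form. In a Django view the same fix is passing the parameters as the second argument to `cursor.execute(sql, params)` instead of building the string yourself.

```python
import sqlite3


def seed_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """BEFORE: the HTTP parameter becomes part of the SQL text.

    The database cannot tell data from query, so a value containing a quote
    changes the WHERE clause instead of being compared as a string.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, username: str) -> list:
    """AFTER: the query text is constant; the value travels as a bound parameter.

    Whatever the input contains, it is only ever compared against the column.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both versions on the same input and return the row counts for comparison."""
    conn = seed_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, username)),
        "fixed": len(lookup_fixed(conn, username)),
    }


if __name__ == "__main__":
    # A legitimate lookup behaves the same in both versions...
    print("alice:", compare("alice"))
    # ...but a value that closes the quote makes the raw query match every row,
    # which is the behaviour the scanner's finding is warning about.
    print("quote-containing input:", compare("' OR '1'='1"))
```

The re-scan step in the workflow confirms that Snyk no longer reports the line; the row-count comparison here is the behavioural check you would add as a regression test alongside that fix.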
## Global vs. Project-Specific Configuration

### Workspace-Based Configuration (`.continue/mcpServers/`)

- Project-specific MCP servers
- Only active within that workspace
- Great for project-specific tools

### Global Configuration (`~/.continue/config.yaml`)

- MCP servers available across all projects
- Perfect for tools like Snyk you want everywhere
- Define them under the `mcpServers` block

### MCP Configuration Migration

If you're migrating from Cursor, Cline, or Claude Desktop, copy their JSON MCP configs directly into `.continue/mcpServers/` and Continue will auto-detect them.
## Continue CLI (Terminal Usage)

For developers who work primarily in the terminal:

```bash
# Install globally
npm i -g @continuedev/cli

# Launch interactive mode
cn

# Resume previous conversation
cn --resume

# Use specific configuration
cn --config ~/.continue/config.yaml
```

Use the same `@` and `/` syntax as the IDE extension for file context and slash commands. The CLI also supports headless mode for CI/CD automation.
## What Makes This Workflow Powerful

- **Shift Left on Security:** Catch vulnerabilities during development, not in code review
- **AI-Assisted Fixes:** LLMs handle routine, well-understood patches (SQL injection, XSS, hardcoded secrets)
- **Human Focus:** Developers can focus on novel security challenges requiring architectural thinking
- **No Vendor Lock-In:** Switch models, hosts, or tools based on your needs
- **Fully Extensible:** Build custom MCP servers or slash commands as needed

## Next Steps

As MCP adoption grows, Continue agents could:

- Generate security tests to prevent regressions
- Automatically update documentation for security fixes
- Create detailed tickets for manual review of complex issues
- Integrate with CI/CD pipelines for pre-merge security feedback
- Run automated security sweeps via CLI in scheduled jobs

## Resources

- Continue Docs: https://docs.continue.dev
- Snyk Docs: https://docs.snyk.io
- MCP Protocol: https://modelcontextprotocol.io
- Workshop Repository: https://github.com/chipper-teapot/continue-snyk-mcp