Connects your AI assistant to Snyk API & Web (formerly Probely) for running DAST scans and triaging vulnerabilities through natural language. You can onboard API targets from OpenAPI specs or Postman collections, configure authentication for web apps, kick off scans, and manage findings without touching the web console. Built on FastMCP 2.0 with tools prefixed `probely_*` for backward compatibility. Requires a scoped API key from the Snyk API & Web platform. Reach for this when you want security testing integrated into your coding workflow, whether you're spinning up new targets or investigating scan results alongside your code.

Connect your AI coding assistant to Snyk API & Web so it can onboard scan targets, configure authentication, run DAST scans, and triage findings — all through natural language.
Built on FastMCP 2.0, works with Cursor, Claude Code, Devin, and any MCP-compatible client.
Naming note: Snyk API & Web was formerly known as Probely. The API endpoints (
api.probely.com), web console (plus.probely.app), and MCP tool names (probely_*) still use the legacy domain and prefix. Environment variables and config sections use the newSAW/sawnaming.
See USER_GUIDE.md for usage, examples, and tool reference.
This repository is closed to public contributions. We appreciate community interest, but we do not accept pull requests, issues, or other contributions from external contributors at this time. If you have found a security issue, please see SECURITY.md.
playwright-cli; optional if using Playwright MCP instead)Go to https://plus.probely.app/api-keys and create an API key.
Important
Use a custom role, limited-scope API key for the Snyk API & Web MCP Server. Create the key only with the permissions required for the intended actions. Do not use a highly privileged or global API key, as this can affect your entire account and its resources.
Install directly from the Cursor Marketplace:
export MCP_SAW_API_KEY="your-api-key"
The plugin installs the MCP server, rules, and skills automatically.
Install directly from Devin's MCP Marketplace:
No manual configuration needed — Devin handles the setup automatically.
uvx --from git+https://github.com/snyk/saw-mcp.git saw-mcp
Or add to your MCP client configuration:
{
"mcpServers": {
"SAW": {
"command": "uvx",
"args": ["--from", "git+https://github.com/snyk/saw-mcp.git", "saw-mcp"],
"env": {
"MCP_SAW_API_KEY": "your-api-key"
}
}
}
}
Install from release tarball
tar -xzvf SnykAPIWeb-<version>.tgz
cd SnykAPIWeb
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
pip install -r requirements.txt
Download from Releases and replace <version> with the actual version number (e.g., 1.0.0).
Clone from source
git clone https://github.com/snyk/saw-mcp.git
cd saw-mcp
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
pip install -r requirements.txt
The server reads your API key from (in order of precedence): environment variable MCP_SAW_API_KEY → .env file → config/config.yaml.
Option A: Environment variable (recommended for Marketplace / uvx installs)
export MCP_SAW_API_KEY="your-api-key"
Option B: .env file (recommended for source installs)
Run the setup script (prompts securely, no key in shell history):
./scripts/setup-env.sh
Or pipe from a secret manager: op read 'op://vault/item/key' | ./scripts/setup-env.sh
This writes a .env file in the project root (gitignored). The server loads it automatically at startup.
Option C: Secret reference (avoids storing the key in plaintext anywhere)
MCP_SAW_API_KEY and the config api_key field also accept a reference that is resolved at runtime, so the literal key never sits in a file:
export MCP_SAW_API_KEY="op://vault/saw-mcp/api-key" # resolved via the 1Password CLI (`op`)
export MCP_SAW_API_KEY="env:MY_SAW_KEY" # read from another environment variable
Avoid committing a plaintext key.
config/config.yamlis gitignored, and a plaintext key read from it logs a warning at startup.
Web target onboarding records login sequences in a real browser. Preferred for coding agents: playwright-cli via Shell:
npm install -g @playwright/cli@latest
playwright-cli install-browser chromium
Or run ./scripts/setup-playwright.sh from a cloned repo.
Alternative: install Playwright MCP as a second MCP server (better for MCP-only clients without Shell). See Web target prerequisites.
If you installed from the Cursor or Devin marketplace, configuration is automatic. For other clients, add to your MCP client configuration:
{
"mcpServers": {
"SAW": {
"command": "uvx",
"args": ["--from", "git+https://github.com/snyk/saw-mcp.git", "saw-mcp"],
"env": {
"MCP_SAW_API_KEY": "your-api-key"
}
}
}
}
For host-specific setup see the Installation Guides.
"MCP_SAW_BASE_URL": "https://your-instance-url" to the env block."MCP_SAW_CONFIG_PATH": "/path/to/config.yaml" instead."MCP_SAW_LOG_LEVEL": "DEBUG" (options: DEBUG, INFO, WARNING, ERROR, CRITICAL; default: INFO).Ask your AI assistant to:
See prompts.md for a full catalog of example prompts — from simple one-liners to complex multi-target workflows.
The SAW MCP server talks to the Snyk API & Web platform — it does not include a browser. To onboard web targets with login sequences, the AI needs browser automation via one of:
| Path | Best for | Setup |
|---|---|---|
playwright-cli (preferred) | Cursor, Devin, Claude Code, Cloud Agents with Shell | npm install -g @playwright/cli@latest && playwright-cli install-browser chromium |
| Playwright MCP (fallback) | MCP-only clients without Shell (e.g. Claude Desktop) | Add Playwright MCP to your IDE's MCP config |
Workflow:
playwright-cli or Playwright MCP).Without browser automation, the AI falls back to form login (probely_configure_form_login) — simple single-page login only; no multi-step flows or 2FA.
See the Cursor installation guide for setup details.
Detailed per-host guides live in docs/installation-guides/:
| Host | Guide |
|---|---|
| Cursor | install-cursor.md |
| Claude Desktop | install-claude.md |
| Devin / Other IDEs | install-devin.md |
bash scripts/package.sh
Creates dist/SnykAPIWeb-<version>.tgz (version from snyk_apiweb/__init__.py).
Running the server directly starts it and waits for an MCP client connection. This is mainly useful for development and debugging:
./venv/bin/python -m snyk_apiweb.server
For active development with automatic reload on file changes:
./scripts/dev.sh
This project is licensed under the Apache License 2.0.
MCP_SAW_API_KEY*secretSnyk API & Web API key. Create at https://plus.probely.app/api-keys
ray0907/git-mcp-server
cyanheads/git-mcp-server
io.github.b1ff/atlassian-dc-mcp-bitbucket
io.github.b1ff/atlassian-dc-mcp-jira
com.mcparmory/atlassian-jira
sirlordt/vscode-terminal-mcp