Summary
Connects your AI assistant to Snyk API & Web (formerly Probely) for running DAST scans and triaging vulnerabilities through natural language. You can onboard API targets from OpenAPI specs or Postman collections, configure authentication for web apps, kick off scans, and manage findings without touching the web console. Built on FastMCP 2.0 with tools prefixed `probely_*` for backward compatibility. Requires a scoped API key from the Snyk API & Web platform. Reach for this when you want security testing integrated into your coding workflow, whether you're spinning up new targets or investigating scan results alongside your code.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
Snyk API & Web MCP Server
Connect your AI coding assistant to Snyk API & Web so it can onboard scan targets, configure authentication, run DAST scans, and triage findings — all through natural language.
Built on FastMCP 2.0, works with Cursor, Claude Code, Devin, and any MCP-compatible client.
Naming note: Snyk API & Web was formerly known as Probely. The API endpoints (
api.probely.com), web console (plus.probely.app), and MCP tool names (probely_*) still use the legacy domain and prefix. Environment variables and config sections use the newSAW/sawnaming.
See USER_GUIDE.md for usage, examples, and tool reference.
This repository is closed to public contributions. We appreciate community interest, but we do not accept pull requests, issues, or other contributions from external contributors at this time. If you have found a security issue, please see SECURITY.md.
Requirements
- Python 3.10+
- Snyk API & Web API key
- Playwright MCP (Node.js 18+) — required for web target onboarding with login sequences; see Web target prerequisites
Quick Start
1. Get Your API Key
Go to https://plus.probely.app/api-keys and create an API key.
Important
Use a custom role, limited-scope API key for the Snyk API & Web MCP Server. Create the key only with the permissions required for the intended actions. Do not use a highly privileged or global API key, as this can affect your entire account and its resources.
2. Install
Cursor Marketplace (recommended for Cursor users)
Install directly from the Cursor Marketplace:
- Open the Snyk API & Web plugin page and click Install, or go to Settings → Plugins and search for Snyk API & Web
- Set your API key as an environment variable before launching Cursor:
export MCP_SAW_API_KEY="your-api-key"
The plugin installs the MCP server, rules, and skills automatically.
Devin MCP Marketplace (Devin users)
Install directly from Devin's MCP Marketplace:
- Open Devin and go to Settings → Configuration.
- Under MCP servers, click Open MCP Marketplace.
- Search for Snyk API & Web and click Install.
- When prompted, enter your API key.
No manual configuration needed — Devin handles the setup automatically.
One-command install (any MCP client)
uvx --from git+https://github.com/snyk/saw-mcp.git saw-mcp
Or add to your MCP client configuration:
{
"mcpServers": {
"SAW": {
"command": "uvx",
"args": ["--from", "git+https://github.com/snyk/saw-mcp.git", "saw-mcp"],
"env": {
"MCP_SAW_API_KEY": "your-api-key"
}
}
}
}
Alternative installation methods
Install from release tarball
tar -xzvf SnykAPIWeb-<version>.tgz
cd SnykAPIWeb
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
pip install -r requirements.txt
Download from Releases and replace <version> with the actual version number (e.g., 1.0.0).
Clone from source
git clone https://github.com/snyk/saw-mcp.git
cd saw-mcp
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
pip install -r requirements.txt
3. Store Your API Key
The server reads your API key from (in order of precedence): environment variable MCP_SAW_API_KEY → .env file → config/config.yaml.
Option A: Environment variable (recommended for Marketplace / uvx installs)
export MCP_SAW_API_KEY="your-api-key"
Option B: .env file (recommended for source installs)
Run the setup script (prompts securely, no key in shell history):
./scripts/setup-env.sh
Or pipe from a secret manager: op read 'op://vault/item/key' | ./scripts/setup-env.sh
This writes a .env file in the project root (gitignored). The server loads it automatically at startup.
4. Configure Your IDE
If you installed from the Cursor or Devin marketplace, configuration is automatic. For other clients, add to your MCP client configuration:
{
"mcpServers": {
"SAW": {
"command": "uvx",
"args": ["--from", "git+https://github.com/snyk/saw-mcp.git", "saw-mcp"],
"env": {
"MCP_SAW_API_KEY": "your-api-key"
}
}
}
}
For host-specific setup see the Installation Guides.
Additional configuration options
- Override the base URL: add
"MCP_SAW_BASE_URL": "https://your-instance-url"to theenvblock. - Use a config file: set
"MCP_SAW_CONFIG_PATH": "/path/to/config.yaml"instead. - Set log level: add
"MCP_SAW_LOG_LEVEL": "DEBUG"(options: DEBUG, INFO, WARNING, ERROR, CRITICAL; default: INFO).
5. Start Using
Ask your AI assistant to:
- "Configure a Snyk API & Web API target from this OpenAPI schema / Swagger document / Postman collection."
- "Configure a Snyk API & Web web target for this authenticated application."
See prompts.md for a full catalog of example prompts — from simple one-liners to complex multi-target workflows.
Web target prerequisites
The SAW MCP server talks to the Snyk API & Web platform — it does not include a browser. To onboard web targets with login sequences, the AI also needs Playwright MCP installed alongside SAW:
- Install Playwright MCP in your IDE (Node.js 18+ required).
- Use a natural-language prompt with the target URL and credentials — for example: "Add target example.com with credentials user@example.com / password123".
- The AI uses Playwright to navigate the app, inspect the login form, and record selectors, then uses SAW MCP tools to create the target and upload the sequence in the Probely sequence-recorder format.
Without Playwright MCP, the AI cannot record a login flow and may produce an incorrect sequence JSON. In that case it falls back to form login (probely_configure_form_login), which works for simple login pages but not multi-step flows or 2FA.
See the Cursor installation guide for setup details.
IDE Integration
Detailed per-host guides live in docs/installation-guides/:
| Host | Guide |
|---|---|
| Cursor | install-cursor.md |
| Claude Desktop | install-claude.md |
| Devin / Other IDEs | install-devin.md |
Packaging
bash scripts/package.sh
Creates dist/SnykAPIWeb-<version>.tgz (version from snyk_apiweb/__init__.py).
Development & Testing
Run the Server (standalone)
Running the server directly starts it and waits for an MCP client connection. This is mainly useful for development and debugging:
./venv/bin/python -m snyk_apiweb.server
Development Mode (hot reload)
For active development with automatic reload on file changes:
./scripts/dev.sh
License
This project is licensed under the Apache License 2.0.
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →Configuration
MCP_SAW_API_KEY*secretSnyk API & Web API key. Create at https://plus.probely.app/api-keys
Categories
Registryactive
Packagesnyk-apiweb-mcp
TransportSTDIO
AuthRequired
UpdatedApr 27, 2026
