# Cursor guide

You can access Snyk Studio, including Snyk's MCP server, in Cursor to secure code generated with agentic workflows through an LLM. This can be achieved in several ways. For most users, we recommend accessing Snyk Studio using the Snyk Security extension.

## Recommended: Access Snyk Studio using the Snyk Security Extension

* Click [this link](cursor:extension/snyk-security.snyk-vulnerability-scanner) to open up the Snyk Security extension directly
* Click `Install`

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-a5f5fce274efabcf816a4ba4fe2826e67935e64e%2FScreenshot%202025-10-13%20at%202.19.30%E2%80%AFPM.png?alt=media" alt=""><figcaption></figcaption></figure>

### Enable Secure At Inception

Once installation completes, a modal window appears prompting you to opt in to Snyk Studio's "Secure at Inception." Opting in automatically configures the necessary rules to scan any new AI-generated code. Additional variations are available within the plugin's Settings page.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2FuyRq1XLuYRBV3XLoWucI%2Fimage.png?alt=media&#x26;token=020a0f7a-579e-4ed1-be3d-78c0942eb1de" alt=""><figcaption></figcaption></figure>

Choosing **Yes** activates `Auto Configure Snyk Mcp Server` and sets the `Secure at Inception: Execution Frequency` to **On Code Generation**. These settings handle the configuration of the Snyk MCP Server and the creation of the `snyk_rules.mdc` file within the directory.

#### Updating the Secure at Inception setting

Users who previously installed the VS Code IDE extensions and did not enable Secure at Inception using the modal window can enable it afterwards through the IDE extension settings. Users can also update the Secure at Inception settings, or disable them by setting the `Execution Frequency` to "Manual."

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-b92d55dfd3d75b4abfe73b97b026a5f3af225ca0%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### Authenticate

Once you've made a selection regarding Secure at Inception, you will be asked to authenticate. You can authenticate at two points in this process:

* Immediately after plugin install
* Prior to your first Snyk code scan

As part of the authentication flow, you'll be asked to either sign up or sign in on the Snyk website. A browser window will open.

For new users, select the preferred sign up method and agree to the terms on the next screen. Once you've successfully authenticated, you'll be instructed to return to your IDE.

To use Snyk Studio, specifically Snyk's SAST scanning capabilities, you must [enable Snyk Code](https://docs.snyk.io/implementation-and-setup/enterprise-implementation-guide/create-a-template-organization/connect-your-development-tools#enable-snyk-code). Snyk Code analyzes your code for vulnerabilities and temporarily clones the repository and/or uploads your code. Cloned or uploaded code is cached according to Snyk's [data retention policy](https://docs.snyk.io/snyk-data-and-governance/how-snyk-handles-your-data). With the Snyk Free Plan, Snyk Code offers unlimited scans for open source projects, and limited tests for 1st-party code.

For existing users, select the log-in method associated with your account. If you don't already have access to Snyk Code, your LLM prompts you to enable it prior to your first scan. You can also [enable it directly in Snyk's Settings](https://docs.snyk.io/implementation-and-setup/enterprise-implementation-guide/create-a-template-organization/connect-your-development-tools#enable-snyk-code).

If you are enabling Snyk Code for the first time, you must import or re-import existing projects in order to properly scan them.

### Run Snyk Studio

Once authenticated, Snyk Studio should be triggered whenever new code is generated by the LLM. If Snyk Studio is not enabled, restart your IDE and try generating code again.

Free users are limited to a set number of scans. If you reach the allotment, we recommend [reaching out to sales](https://snyk.io/contact-us/) to unlock additional thresholds.

## Alternative: Install Snyk Studio Directly

#### Install using the Cursor Link

Click [this link](cursor://anysphere.cursor-deeplink/mcp/install?name=snyk\&config=eyJjb21tYW5kIjoibnB4IC15IHNueWtAbGF0ZXN0IG1jcCAtdCBzdGRpbyJ9) to directly add the Snyk MCP Server to Cursor. Confirm the installation by clicking `Install` in the Cursor settings.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-db59208bd5b30e094fa86ae3a36121e69e016b8c%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

#### Install using the Cursor MCP Directory

Search the [Cursor MCP Directory](https://cursor.com/docs/context/mcp/directory) for `Snyk`. Then install by clicking the `Add to Cursor` button. Confirm the installation by clicking `Install` in the Cursor settings.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2F2oWeHGlhqTmZOgwbksk8%2Fimage.png?alt=media&#x26;token=3ddcbf8f-3ed4-4a15-ae55-9ff4728c138e" alt=""><figcaption></figcaption></figure>

#### Install manually

Install the Snyk MCP Server using the method that best suits your operating system and local development environment. The Snyk MCP Server can be installed and run via `npx` or via the Snyk CLI.

Navigate to Cursor **Settings** > **Tools & Integrations** > **Add Custom MCP.**

To install and run using `npx`:

```json5
{
  "mcpServers": {
    "Snyk": {
      "command": "npx -y snyk@latest mcp -t stdio",
      "env": {}
    }
  }
}
```

To install and run using the Snyk CLI:

```json5
{
  "mcpServers": {
    "Snyk": {
      "command": "/abosolute/path/to/snyk"
      "args": ["mcp", "-t", "stdio"],
      "env": {}
    }
  }
}
```
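
The install link under "Install using the Cursor Link" carries its server definition base64-encoded in the `config` query parameter. The following Python script is an added example, not Snyk's or Cursor's code: it decodes such a link so the command it registers can be reviewed before you click `Install` and compared with the manual configurations above. The function names `decode_mcp_install_link` and `launch_argv` are hypothetical.

```python
import base64
import json
import shlex
from urllib.parse import parse_qs, urlsplit

# Install link from this page, with the Markdown escape before "&" removed.
SNYK_LINK = (
    "cursor://anysphere.cursor-deeplink/mcp/install?name=snyk"
    "&config=eyJjb21tYW5kIjoibnB4IC15IHNueWtAbGF0ZXN0IG1jcCAtdCBzdGRpbyJ9"
)


def decode_mcp_install_link(link):
    """Return (server_name, config_dict) carried by a Cursor MCP install link.

    Raises ValueError when the link is not an MCP install link or its
    config parameter is not base64-encoded JSON.
    """
    parts = urlsplit(link)
    if parts.scheme != "cursor" or not parts.path.endswith("/mcp/install"):
        raise ValueError("not a Cursor MCP install link")
    query = parse_qs(parts.query)
    if "name" not in query or "config" not in query:
        raise ValueError("link lacks a name or config parameter")
    # parse_qs turns "+" into a space; restore it, then re-pad the base64.
    raw = query["config"][0].replace(" ", "+")
    raw += "=" * (-len(raw) % 4)
    config = json.loads(base64.urlsafe_b64decode(raw).decode("utf-8"))
    if not isinstance(config, dict) or "command" not in config:
        raise ValueError("config is not a server definition with a command")
    return query["name"][0], config


def launch_argv(config):
    """Flatten a server definition into one argv list for review.

    Covers both forms shown on this page: a single command string, or a
    command plus an "args" array.
    """
    return shlex.split(config["command"]) + list(config.get("args", []))


if __name__ == "__main__":
    name, config = decode_mcp_install_link(SNYK_LINK)
    print(name, launch_argv(config))
```

For the link on this page, the decoded definition is the same `npx` command shown in the first manual configuration.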

## Setting up the Snyk MCP Server

As a one-time setup, you may need to authenticate and trust the current Project directory. If required, the agentic workflow will likely manage this automatically.

These workflows are mostly executed automatically by the underlying model and the agentic code assistant; you will need to approve them using a browser confirmation dialog.

If you need to authenticate and trust the current directory, then proceed and complete the process.

## Examples

### Scanning for security vulnerabilities

In the chat, you can tag specific files or functions and ask Cursor to scan your code so that it can be deployed safely to production:

{% code title="prompt" overflow="wrap" %}

```
Scan this directory for code security & dependency vulnerabilities and security issues
```

{% endcode %}

Cursor indicates that this request is related to security vulnerability scanning and calls the Snyk MCP Server for various scans.

Cursor then gathers all the security scanning results, both code (SAST) and dependencies (SCA). Based on the recommendations and contextual information provided by the Snyk MCP Server, it can propose code changes that address some or all of the security vulnerabilities that were found.

### "Secure at inception" rules

To practice [Secure at Inception](https://docs.snyk.io/discover-snyk/getting-started/glossary#secure-at-inception), Snyk recommends adopting rules that align the LLM for secure code generation and workflows.

The following is a suggested instruction for [Cursor rules](https://docs.cursor.com/en/context/rules). Append it to the rules file at `.cursor/rules`:

{% code title=".cursor/rules" overflow="wrap" %}

```
---
alwaysApply: true
always_on: true
trigger: always_on
applyTo: "**"
description: Snyk Security At Inception
---

# Project security best practices

- Always run **snyk_code_scan** tool for new first party code that is generated in a Snyk-supported language.
- If any security issues are found based on newly introduced or modified code or dependencies, attempt to fix the issues using the results context from **Snyk**.
- Rescan the code after fixing the issues to ensure that the issues were fixed and that there are no newly introduced issues.
- Repeat this process until no new issues are found.
```

{% endcode %}
