# GitHub Copilot guide

You can access Snyk Studio, including Snyk's MCP server, in VS Code to secure code generated through agentic workflows in Copilot. This can be achieved in several ways. For most users, we recommend accessing Snyk Studio using the Snyk Security plugin.

## Recommended: Access Snyk Studio using the Snyk Security Plugin

* Click [this link](cursor:extension/snyk-security.snyk-vulnerability-scanner) to open up the Snyk Security plugin directly
* Click `Install`

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-a5f5fce274efabcf816a4ba4fe2826e67935e64e%2FScreenshot%202025-10-13%20at%202.19.30%E2%80%AFPM.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

### Enable Secure At Inception

Once installation completes, a modal window will appear prompting you to opt in to Snyk Studio's "Secure at Inception." This will automatically configure the rules needed to scan any newly AI-generated code. Additional variations are available within the plugin's Settings page.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-b85571b98c97d6dcd5a22ebdbde6c603ac490608%2Fimage.png?alt=media" alt="" width="215"><figcaption></figcaption></figure>

Choosing yes will activate `Auto Configure Snyk Mcp Server` and set the `Secure at Inception: Execution Frequency` to "On Code Generation." These settings will handle the configuration of the Snyk MCP and the creation of the `snyk_rules.mdc` file within the directory.

#### Updating Secure at Inception settings

Users who previously installed the VS Code IDE extension and did not enable Secure at Inception via the modal window can enable it later via the IDE extension settings. Users can also update the Secure at Inception settings, or disable them by setting the `Execution Frequency` to "Manual."

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-bdaddbe7eca2d271817c3b07d6c903c572e1d3e6%2Fimage.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

### Authenticate

Making a selection on Execution Frequency triggers an authentication request. You can authenticate at two points in this process:

* Immediately after plugin install
* Before your first Snyk code scan

As part of the authentication flow, you will be asked to either sign up or sign in on the Snyk website. A browser window will open.

For new users, select the preferred sign up method and agree to the terms on the next screen. On successful authentication, you will be instructed to return to your IDE.

{% hint style="info" %}
To use Snyk Studio, specifically Snyk's SAST scanning capabilities, you'll need to enable [Snyk Code](https://docs.snyk.io/scan-with-snyk/snyk-code). Snyk Code analyzes your code for vulnerabilities and temporarily clones the repository and/or uploads your code. Cloned or uploaded code is cached according to our [data retention policy](https://docs.snyk.io/snyk-data-and-governance/how-snyk-handles-your-data). With the Snyk Free Plan, Snyk Code offers unlimited scans for open source projects, and limited tests for 1st-party code. [More details on plans](https://snyk.io/plans/)
{% endhint %}

For existing users, select the log-in method associated with your account. If you do not have access to Snyk Code, the LLM will prompt you to enable it prior to your first scan. You can also [enable it directly in Snyk's Settings](https://docs.snyk.io/implementation-and-setup/enterprise-implementation-guide/create-a-template-organization/connect-your-development-tools#enable-snyk-code).

{% hint style="warning" %}
If you are enabling Snyk Code for the first time, you must import or re-import existing projects in order to properly scan them.
{% endhint %}

### Run Snyk Studio

On authentication, Snyk Studio should be triggered whenever new code is generated by the LLM. If Snyk Studio is not enabled, restart your IDE and try generating code again.

{% hint style="info" %}
Free users are limited to a set number of scans. If you reach the allotment, Snyk recommends [reaching out to sales](https://snyk.io/contact-us/) to unlock additional thresholds.
{% endhint %}

## Alternate: Install Snyk Studio Directly

### Prerequisites

* [Install the code assistant extension](#install-github-copilot)
* [Install the Snyk CLI](https://docs.snyk.io/developer-tools/snyk-cli/install-the-snyk-cli)
* [Install the Snyk MCP](#install-the-snyk-mcp-server-in-github-copilot)

### Install GitHub Copilot

Add the GitHub Copilot extension to VS Code. For more details, see the official [Setup GitHub Copilot on VS Code guide](https://code.visualstudio.com/docs/copilot/setup).

### Install the Snyk MCP Server in GitHub Copilot

Install the Snyk MCP Server using the method that best suits your operating system and local development environment.

#### Install using the Snyk extension (preferred)

Install the extension using one of the following methods:

* View the Snyk Security extension for VS Code from the [marketplace](https://marketplace.visualstudio.com/items?itemName=snyk-security.snyk-vulnerability-scanner) and install it.
* Open the **Extensions: Install Extensions** side-pane, search for Snyk Security and install it.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-1bb919521dc9292f2094fe3f57be581871efdf36%2Fimage%20(332).png?alt=media" alt=""><figcaption></figcaption></figure>

VS Code automatically detects the Snyk MCP Server, but it needs to be explicitly enabled.

Enable the Snyk MCP Server using one of the following methods:

* Open the Command Palette by pressing **CMD + SHIFT + P** on macOS or **CTRL + SHIFT + P** on Windows, choose **MCP: List Servers**, then find Snyk MCP Server in the list and enable all of its tools.
* In the GitHub Copilot chat box, click the **Tools** icon.

![](https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-834be1ec78b4aa655f6990176321615ecfd063e2%2Fimage%20(336).png?alt=media)

You can see a list of all MCP Servers and their tools. Locate Snyk in the list and enable all of its tools:

![](https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-35af73595b7cec1ca5b9887e6d2d17afbbd0ea4a%2Fimage.png?alt=media)

#### Install with Node.js and `npx`

Create or edit the MCP configuration file `.vscode/mcp.json` in the root directory of your Project.

If you have the Node.js `npx` executable installed in your environment, add the following JSON snippet to the file:

```json5
{
  "servers": {
    "Snyk": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "snyk@latest", "mcp", "-t", "stdio"],
      "env": {}
    }
  }
}
```

#### Install with pre-installed Snyk CLI

Create or edit the MCP configuration file `.vscode/mcp.json` in the root directory of your Project.

If you have the Snyk CLI installed and accessible on your system path, include the following JSON snippet in the file. You might need to specify the full path to the Snyk CLI executable:

```json5
{
  "servers": {
    "Snyk": {
      "type": "stdio",
      "command": "/absolute/path/to/snyk",
      "args": ["mcp", "-t", "stdio"],
      "env": {}
    }
  }
}
```

If the `snyk` command is not available, add it by following the instructions on the [Installing or updating the Snyk CLI](https://docs.snyk.io/developer-tools/snyk-cli/install-the-snyk-cli) page.
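The two `.vscode/mcp.json` variants above differ only in the `Snyk` server entry. The following script is an added example (not Snyk's or VS Code's own tooling) that creates or updates that file without overwriting other servers already configured in it: it uses the Snyk CLI found on `PATH` when one exists and falls back to the `npx` form otherwise. It assumes the file contains plain JSON (no comments) and the `servers` layout shown above; `SERVER_NAME` and the function names are this example's own.

```python
"""Create or update .vscode/mcp.json with the Snyk MCP server entry.

Added example, not Snyk's own tooling. Assumes the {"servers": {...}} layout
used in this guide and that the file holds plain JSON without comments.
"""
import json
import shutil
from pathlib import Path
from typing import Optional

SERVER_NAME = "Snyk"  # key used in this guide's snippets


def snyk_server_entry(snyk_path: Optional[str]) -> dict:
    """Build the server entry: a pre-installed CLI if a path is known, else npx."""
    if snyk_path:
        return {"type": "stdio", "command": snyk_path,
                "args": ["mcp", "-t", "stdio"], "env": {}}
    return {"type": "stdio", "command": "npx",
            "args": ["-y", "snyk@latest", "mcp", "-t", "stdio"], "env": {}}


def merge_snyk_server(existing: dict, snyk_path: Optional[str]) -> dict:
    """Return a copy of `existing` with the Snyk entry set; other servers survive."""
    merged = json.loads(json.dumps(existing)) if existing else {}
    servers = merged.setdefault("servers", {})
    if not isinstance(servers, dict):
        raise ValueError('"servers" in mcp.json must be a JSON object')
    servers[SERVER_NAME] = snyk_server_entry(snyk_path)
    return merged


def write_mcp_config(project_root: Path, snyk_path: Optional[str] = None) -> Path:
    """Create or update <project_root>/.vscode/mcp.json and return its path.

    When `snyk_path` is not given, the CLI is looked up on PATH; if it is not
    found the npx variant is written instead.
    """
    config_path = project_root / ".vscode" / "mcp.json"
    existing = {}
    if config_path.exists():
        existing = json.loads(config_path.read_text(encoding="utf-8"))
    if snyk_path is None:
        snyk_path = shutil.which("snyk")  # None when the CLI is not on PATH
    config_path.parent.mkdir(parents=True, exist_ok=True)
    config_path.write_text(
        json.dumps(merge_snyk_server(existing, snyk_path), indent=2) + "\n",
        encoding="utf-8",
    )
    return config_path


if __name__ == "__main__":
    print("wrote", write_mcp_config(Path.cwd()))
```

Run it from the Project root; re-running is safe because the `Snyk` entry is simply replaced while any other server entries are left untouched.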

The following example shows a Snyk MCP Server that was successfully configured and started.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-bb0163c3fc737c5e3c93d9bd309394343390c43d%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

For additional MCP configuration options on VS Code and troubleshooting, consult the official [VS Code MCP server documentation](https://code.visualstudio.com/docs/copilot/chat/mcp-servers).

## Setting up the Snyk MCP Server

As a one-time setup, you may need to authenticate and trust the Project directory. If required, the agentic workflow will likely manage this automatically.

These steps are mostly executed automatically by the underlying model and the agentic code assistant, and you will need to approve them in a browser confirmation dialog. The process should look similar to this:

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-c6c1f581c1288d1ee511a3078e070e6d53fcd7a9%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

If you need to authenticate and trust the current directory, then proceed and complete the process.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-d569a38228d9a58122005f12f2a006d05262fcc2%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Examples

### Scanning for security vulnerabilities

In the chat, you can tag specific files or functions and ask Copilot to scan your code so that it can be deployed safely to production:

{% code title="prompt" overflow="wrap" %}

```
Scan this directory for code security & dependency vulnerabilities and security issues
```

{% endcode %}

Copilot indicates that this request is related to security vulnerability scanning and calls the Snyk MCP Server for various scans.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-795ec40e7db25ad7485da7b35c3c283fe39713f1%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Copilot then gathers all the security scanning results, both code (SAST) and dependencies (SCA). Based on the recommendations and contextual information provided by the Snyk MCP Server, it can propose code changes that address some or all of the vulnerabilities that were found:

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-3034232ce2d5f6d99ee08bcb4dcf04dc97a7d0d1%2Fimage%20(339).png?alt=media" alt=""><figcaption></figcaption></figure>

### "Secure at inception" rules

To practice [Secure at Inception](https://docs.snyk.io/discover-snyk/getting-started/glossary#secure-at-inception), Snyk recommends adopting rules that align the LLM for secure code generation and workflows.

The following is a suggested instruction for [GitHub Copilot custom instructions](https://docs.github.com/en/copilot/how-tos/configure-custom-instructions/add-repository-instructions). Append the following contents to the rules file at `.github/copilot-instructions.md`:

{% code title=".github/copilot-instructions.md" overflow="wrap" %}

```
---
alwaysApply: true
always_on: true
trigger: always_on
applyTo: "**"
description: Snyk Security At Inception
---

# Project security best practices

- Always run **snyk_code_scan** tool for new first party code that is generated in a Snyk-supported language.
- If any security issues are found based on newly introduced or modified code or dependencies, attempt to fix the issues using the results context from **Snyk**.
- Rescan the code after fixing the issues to ensure that the issues were fixed and that there are no newly introduced issues.
- Repeat this process until no new issues are found.
```

{% endcode %}
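The rules file above starts with YAML front matter, which is only honoured at the top of a Markdown file. The following script is an added example (not Snyk's or GitHub's own tooling) that installs the rules into `.github/copilot-instructions.md` idempotently: it writes the front matter and rules when the file does not exist yet, appends only the rules section to an existing file, and does nothing when the section is already present. The constants and function names are this example's own; the rule text is taken verbatim from the snippet above.

```python
"""Install the Secure at Inception rules into .github/copilot-instructions.md.

Added example, not Snyk's own tooling. Assumption: YAML front matter is only
honoured at the top of the file, so it is written only when creating the file.
"""
from pathlib import Path
from typing import Optional, Tuple

FRONT_MATTER = """---
alwaysApply: true
always_on: true
trigger: always_on
applyTo: "**"
description: Snyk Security At Inception
---
"""

RULES_BODY = """# Project security best practices

- Always run **snyk_code_scan** tool for new first party code that is generated in a Snyk-supported language.
- If any security issues are found based on newly introduced or modified code or dependencies, attempt to fix the issues using the results context from **Snyk**.
- Rescan the code after fixing the issues to ensure that the issues were fixed and that there are no newly introduced issues.
- Repeat this process until no new issues are found.
"""

# Heading used to detect whether the rules are already installed.
RULES_MARKER = "# Project security best practices"


def merge_rules(existing: Optional[str]) -> Tuple[str, bool]:
    """Return (new contents, changed). `existing` is None when the file is absent."""
    if existing is None:
        return FRONT_MATTER + "\n" + RULES_BODY, True
    if RULES_MARKER in existing:
        return existing, False  # already installed; leave the file alone
    separator = "" if existing.endswith("\n") else "\n"
    return existing + separator + "\n" + RULES_BODY, True


def install_rules(project_root: Path) -> bool:
    """Create or extend <project_root>/.github/copilot-instructions.md.

    Returns True when the file was written, False when it already had the rules.
    """
    path = project_root / ".github" / "copilot-instructions.md"
    current = path.read_text(encoding="utf-8") if path.exists() else None
    new_text, changed = merge_rules(current)
    if changed:
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(new_text, encoding="utf-8")
    return changed


if __name__ == "__main__":
    print("rules installed" if install_rules(Path.cwd()) else "rules already present")
```

Because detection is keyed on the section heading, running the script in a repository that already carries the rules is a no-op, which keeps the instructions file from accumulating duplicate sections over repeated setup runs.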
