Windsurf guide
Access Snyk Studio, including Snyk's MCP server, in Windsurf to secure code generated with agentic workflows through an LLM. This can be achieved by using the Snyk Security plugin or installing Snyk Studio directly. For most users, we recommend accessing Snyk Studio using the Snyk Security plugin.
Recommended: Access Snyk Studio using the Snyk Security Plugin
Open the Snyk Security plugin in Visual Studio Code
Click Install

Enable "Secure At Inception"
Once installation completes, a modal will appear prompting you to opt in to Snyk Studio's "Secure at Inception." This will automatically configure the necessary rules to scan any new AI-generated code. Additional variations are available within the plugin's Settings page.

Authenticate
If you are enabling Snyk Code for the first time, you must import existing projects in order to properly scan them.
Once you've made a selection regarding "Secure at Inception", you need to authenticate. You can authenticate at two points in this process:
Immediately after plugin install
Prior to your first Snyk code scan
As part of the authentication flow, you'll be asked to either sign up or sign in on the Snyk website. A browser window will open.
For new users, select the preferred sign up method and agree to the terms on the next screen. Once you've successfully authenticated, you'll be instructed to return to your IDE.
For existing users, select the log-in method associated with your account. If you don't already have access to Snyk Code, your LLM will prompt you to enable it prior to your first scan. You can also enable it directly in Snyk's Settings.
Run Snyk Studio
Once authenticated, Snyk Studio should be triggered whenever new code is generated by the LLM. If Snyk Studio is not enabled, restart your IDE and try generating code again.
Please note: Free users are limited to a set number of scans. If you reach the allotment, we recommend reaching out to sales to unlock additional thresholds.
Alternate: Install Snyk Studio Directly
Prerequisites
Install Windsurf
Install Windsurf to your local machine from the Windsurf website.
Install the Snyk MCP Server in Windsurf
Install the official Snyk MCP Server using the Windsurf MCP Marketplace.

If the snyk command is not available, add it by following the instructions on the Installing or updating the Snyk CLI page.


The following example shows a Snyk MCP Server that was successfully configured and started.

Setting up the Snyk MCP Server
As a one-time setup, you may need to authenticate and trust the current Project directory. If required, the agentic workflow will manage this automatically.
These workflows are automatically executed by the underlying model and the agentic code assistant, and you will need to approve them in the Windsurf chat window.
Examples
Scanning for security vulnerabilities
In the chat, you can tag specific files or functions and ask Windsurf to scan your code so that it can be safely deployed to production:
Scan this directory for code security & dependency vulnerabilities and security issues
Windsurf indicates that this request is related to security vulnerability scanning and calls the Snyk MCP Server for various scans.

Windsurf is then able to gather all the security scanning results, both code (SAST) and dependencies (SCA), and based on recommendations and contextual information provided by the Snyk MCP Server, it is now able to provide code changes that address some or all of the security vulnerabilities that were found.
"Secure at inception" rules
To practice Secure at Inception, Snyk recommends adopting rules that align the LLM for secure code generation and workflows.
The following is a suggested instruction for Windsurf rules. Append the following contents to the rules file at global_rules.md:
---
alwaysApply: true
always_on: true
trigger: always_on
applyTo: "**"
description: Snyk Security At Inception
---
# Project security best practices
- Always run **snyk_code_scan** tool for new first party code that is generated in a Snyk-supported language.
- If any security issues are found based on newly introduced or modified code or dependencies, attempt to fix the issues using the results context from **Snyk**.
- Rescan the code after fixing the issues to ensure that the issues were fixed and that there are no newly introduced issues.
- Repeat this process until no new issues are found.
Troubleshooting - Install Snyk MCP Server
The Snyk MCP Server should be installed via the Windsurf MCP Marketplace. If you need to install the Snyk MCP Server manually then follow one of the options below.
Install with Node.js and npx
Create or edit the MCP configuration file mcp_config.json. This file can be accessed by navigating to the Windsurf Settings > Manage MCPs > View raw config.
If you have the Node.js npx executable installed in your environment, add the following JSON snippet to mcp_config.json:
{
  "mcpServers": {
    "Snyk": {
      "command": "npx",
      "args": ["-y", "snyk@latest", "mcp", "-t", "stdio"],
      "env": {}
    }
  }
}

Install with pre-installed Snyk CLI
If you have the Snyk CLI installed and accessible on your system path, include the following JSON snippet in mcp_config.json. Specify the full path to the Snyk CLI executable:
{
  "mcpServers": {
    "Snyk": {
      "command": "/absolute/path/to/snyk",
      "args": ["mcp", "-t", "stdio"],
      "env": {}
    }
  }
}
If the snyk command is not available, add it by following the instructions on the Installing or updating the Snyk CLI page.
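A review check for the "Snyk" entry of mcp_config.json, covering both manual install variants above. This is an added example, not part of Snyk's documentation or tooling: the function name audit_snyk_mcp, the finding labels and both sample configs are constructed here, and treating snyk@latest as a finding is this example's own policy choice.

```python
import json
import os

# Constructed sample: the page's npx snippet plus a hypothetical token in "env".
SAMPLE_NPX = json.loads("""
{"mcpServers": {"Snyk": {"command": "npx",
  "args": ["-y", "snyk@latest", "mcp", "-t", "stdio"],
  "env": {"SNYK_TOKEN": "constructed-example-value"}}}}
""")
# Constructed sample: the pre-installed CLI variant, but with a relative command.
SAMPLE_CLI = {"mcpServers": {"Snyk": {"command": "snyk",
                                      "args": ["mcp", "-t", "stdio"], "env": {}}}}


def audit_snyk_mcp(config):
    """Return a list of findings for the "Snyk" entry of an mcp_config.json dict."""
    entry = config.get("mcpServers", {}).get("Snyk")
    if not isinstance(entry, dict):
        return ["missing: no mcpServers.Snyk entry"]
    findings = []
    command, args = entry.get("command", ""), list(entry.get("args", []))
    if os.path.basename(command) == "npx":
        # The first non-flag argument is the package spec npx fetches and runs.
        spec = next((a for a in args if not a.startswith("-")), "")
        version = spec.rpartition("@")[2] if "@" in spec[1:] else ""
        if version in ("", "latest"):
            findings.append("unpinned: %r follows the newest release at launch" % spec)
        args = args[args.index(spec) + 1:] if spec else args
    elif not os.path.isabs(command):
        # The page asks for the full path to the Snyk executable.
        findings.append("relative-command: %r is resolved through PATH" % command)
    # Both snippets on the page end in: mcp -t stdio
    if args[:1] != ["mcp"]:
        findings.append("args: expected the 'mcp' subcommand")
    if "-t" not in args or args[args.index("-t") + 1:][:1] != ["stdio"]:
        findings.append("args: expected '-t stdio' transport")
    for key, value in entry.get("env", {}).items():
        if "TOKEN" in key.upper() and value:
            findings.append("secret-in-config: env.%s holds a plaintext value" % key)
    return findings


if __name__ == "__main__":
    for name, cfg in (("npx", SAMPLE_NPX), ("cli", SAMPLE_CLI)):
        print(name, audit_snyk_mcp(cfg))
```

To check a real file, load it with json.load and pass the resulting dict to audit_snyk_mcp; an empty list means the entry matches the page's snippet shape with a pinned package or absolute command.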