What You'll Build

An automated security scanning system that uses Continue’s AI agent with Snyk MCP to identify vulnerabilities in code, dependencies, infrastructure, and containers - all through simple natural language prompts

Prerequisites

Before starting, ensure you have:
Step 1: Connect Snyk MCP via Continue Hub

Visit the Snyk MCP on Continue Hub and click Install to add it to your Continue account. This will add Snyk MCP to your agent’s available tools. The Hub listing automatically configures the MCP command:
npx -y snyk@latest mcp -t stdio
Alternative installation methods:
  1. Quick CLI install: cn -p --mcp snyk/snyk-mcp
  2. Manual configuration: Add the MCP to your ~/.continue/config.json under the mcpServers section
Once installed, Snyk MCP tools become available to your Continue agent for all prompts.
The MCP will request authentication and folder trust permissions when first used. This is handled automatically by the Continue agent.
Step 2: Add Secure-at-Inception Rules

Install the Snyk Secure-at-Inception rules from the Hub to enable automatic security scanning. How to add rules to your agent:
  1. Visit the rules link above and click Install
  2. The rules will be added to your agent configuration automatically
  3. Rules apply globally to all your Continue sessions
These rules configure your agent to:
  • Run SAST scans on newly generated or modified code
  • Check dependencies when adding or updating packages
  • Auto-fix issues using Snyk’s recommendations, then rescan
Step 3: Authenticate with Snyk

Use this prompt with your Continue agent to set up authentication:
Check Snyk auth status. If not authenticated, authenticate me and confirm my org context.
Or use the Continue CLI:
cn -p "Check Snyk auth status. If not authenticated, authenticate me and confirm my org context."
A browser window will open for Snyk login. After authenticating, approve the request to trust your project folder when prompted.

Security Scanning Recipes

Now you can use natural language prompts to run comprehensive security scans. The Continue agent automatically calls the appropriate Snyk MCP tools.
Where to run these workflows:
  • IDE Extensions: Use Continue in VS Code, JetBrains, or other supported IDEs
  • Terminal (TUI mode): Run cn to enter interactive mode, then type your prompts
  • CLI (headless mode): Use cn -p "your prompt" for one-off commands
Test in Plan Mode First: Before running security scans that might make changes, test your prompts in plan mode (see the Plan Mode Guide; press Shift+Tab to switch modes in TUI/IDE). This shows you what the agent will do without executing it. For example: "Run a Snyk Code scan and fix the top 3 issues"

Code Vulnerability Scanning (SAST)

Static Application Security Testing

Scan your source code for security vulnerabilities and code quality issues. Example prompt:
Run a Snyk Code scan on this repo with severity threshold medium.
Summarize issues with file:line. Propose minimal diffs for the top 3
and rerun to verify.
Using Continue CLI:
cn -p "Run a Snyk Code scan on this repo with severity threshold medium. Summarize issues with file:line. Propose minimal diffs for the top 3 and rerun to verify."

Dependency Scanning (SCA)

Software Composition Analysis

Check open source dependencies for known vulnerabilities. Example prompt:
Run Snyk Open Source on this repo (include dev deps).
Summarize vulnerable paths and propose a minimal-risk upgrade plan.
Re-test after the plan (dry run).
Using Continue CLI:
cn -p "Run Snyk Open Source on this repo (include dev deps). Summarize vulnerable paths and propose a minimal-risk upgrade plan. Re-test after the plan (dry run)."

Infrastructure as Code (IaC)

IaC Security

Scan Terraform, CloudFormation, and Kubernetes configs for misconfigurations. Example prompt:
Scan ./infra with Snyk IaC. Report high/critical misconfigs
with exact files/lines. Provide code changes and re-scan to confirm.
Using Continue CLI:
cn -p "Scan ./infra with Snyk IaC. Report high/critical misconfigs with exact files/lines. Provide code changes and re-scan to confirm."

Container Scanning

Container Security

Analyze Docker images for vulnerabilities in base images and packages. Example prompt:
Scan image my-api:latest. Exclude base image vulns.
Print dependency tree. Recommend a safer base image or upgrades.
Re-test after the change (dry run).
Using Continue CLI:
cn -p "Scan image my-api:latest. Exclude base image vulns. Print dependency tree. Recommend a safer base image or upgrades. Re-test after the change (dry run)."

Pull Request Scanning

Changed Files Only

Focus scanning on modified files to catch issues before merging. Example prompt:
Scan only files changed since origin/main with Snyk Code.
Block if new high issues would be introduced. Show deltas.
Using Continue CLI:
cn -p "Scan only files changed since origin/main with Snyk Code. Block if new high issues would be introduced. Show deltas."
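The prompt above leaves it to the agent to work out which files changed. As an added example (not part of the Continue or Snyk documentation), this bash script computes the changed-file list deterministically with git and hands the agent an explicit list, skipping the scan when nothing scannable changed; it assumes the cn CLI from this guide is on PATH and that the branch has origin/main as its merge base.

```shell
#!/usr/bin/env bash
# Added example: feed the PR-scan prompt an explicit file list instead of
# relying on the agent to interpret "changed since origin/main".
set -euo pipefail

# changed_files [BASE_REF] -> paths added/copied/modified/renamed relative to
# the merge base with BASE_REF (default origin/main). Deleted files are
# excluded: there is nothing left on disk to scan.
changed_files() {
  git diff --name-only --diff-filter=ACMR "${1:-origin/main}...HEAD"
}

# build_scan_prompt FILE... -> the prompt text handed to `cn -p`.
# One path per line so file:line findings map back unambiguously.
# Returns 1 when no files are given so the caller can skip the scan.
build_scan_prompt() {
  [ "$#" -gt 0 ] || return 1
  printf 'Scan only these files with Snyk Code (changed in this pull request):\n'
  printf '  - %s\n' "$@"
  printf 'Block if new high issues would be introduced. Show deltas.\n'
}

# run_pr_scan [BASE_REF]: wire the two together for CI or local use.
run_pr_scan() {
  local base="${1:-origin/main}"
  local -a files=()
  local f
  # Read paths line by line so names containing spaces survive intact.
  while IFS= read -r f; do
    [ -n "$f" ] && files+=("$f")
  done < <(changed_files "$base")

  if [ "${#files[@]}" -eq 0 ]; then
    echo "No scannable changes since $base; skipping Snyk Code scan."
    return 0
  fi
  cn -p "$(build_scan_prompt "${files[@]}")"
}
```

Call `run_pr_scan` from a CI step (or `run_pr_scan origin/release` for a different base) in place of the free-form prompt.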

Security Learning

Snyk Learn Integration

Access security education resources based on identified vulnerabilities (CWE). Example prompt:
Open Snyk Learn lessons related to the top CWE(s) from this scan.
Using Continue CLI:
cn -p "Open Snyk Learn lessons related to the top CWE(s) from this scan."

Continuous Security with GitHub Actions

This example demonstrates a Continuous AI workflow where security scanning runs automatically in your CI/CD pipeline using Continue CLI in headless mode (cn -p) with Snyk MCP.

Add GitHub Secrets

Navigate to Repository Settings → Secrets and variables → Actions and add:

Create Workflow File

Create .github/workflows/snyk-security.yml in your repository:
name: Security Scanning with Snyk MCP

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: "0 8 * * *" # Daily at 8 AM UTC

jobs:
  security-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "18"

      - name: Install Continue CLI
        run: |
          npm install -g @continuedev/cli
          echo "✅ Continue CLI installed"

      - name: Authenticate Continue CLI
        run: |
          cn auth login --api-key "${{ secrets.CONTINUE_API_KEY }}"
          echo "✅ Continue CLI authenticated"

      - name: Run Security Scans
        run: |
          echo "🔍 Running code vulnerability scan..."
          cn -p "Run Snyk Code scan with severity high on this repo.
                 Fail if any high issues are present."

          echo "📦 Checking dependencies..."
          cn -p "Run Snyk Open Source on this repo.
                 Fail on fixable high issues."

      - name: Generate Security Report
        if: always()
        run: |
          cn -p "Generate a markdown security report summarizing:
                 - Total vulnerabilities by severity
                 - Top 3 critical issues (if any)
                 - Recommended next steps
                 Save to security-report.md"

      - name: Upload Security Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-report-${{ github.run_number }}
          path: security-report.md
          retention-days: 30
The Snyk MCP authentication is handled through Continue Hub. No need to manage Snyk tokens directly in CI - the agent manages authentication.

Security Guardrails

Implement automated security policies using Continue’s rule system. See the Rules deep dive for authoring tips.
Coming Soon: These security guardrail prompts will be available as pre-configured rules on the Continue Hub for easy installation.

Pre-commit Scanning

"Always run Snyk Code before committing newly
generated code; refuse to proceed if high
issues remain."

Dependency Safety

"When adding/updating a dependency, run Snyk Open Source, choose the
lowest-risk upgrade, and re-test."

Container Hardening

"Before building containers, scan base images and recommend
security-hardened alternatives."

IaC Compliance

"Scan all Terraform changes for compliance
violations before applying infrastructure."
Enable the Secure-at-Inception rules from the Hub to automatically apply these guardrails to all code generation and modifications.

Troubleshooting

Authentication Issues

"Check Snyk auth status and current org. If not authenticated,
help me authenticate. Then run a quick Code scan on ./
with severity medium and print one example issue."

Fix Validation

"Propose minimal diffs only in affected files,
then rerun the same Snyk scan to confirm resolution."

Connection Problems

Verification Steps:
  • Snyk MCP is installed via Continue Hub
  • Secure-at-Inception rules are enabled
  • Authentication completed successfully
  • Project folder has been trusted

What You’ve Built

After completing this guide, you have a complete AI-powered security system that:
  ✅ Uses natural language — Simple prompts instead of complex CLI commands
  ✅ Fixes automatically — AI suggests and validates security fixes
  ✅ Runs continuously — Automated scanning in CI/CD pipelines
  ✅ Enforces guardrails — Security rules prevent vulnerable code from shipping

Continuous AI

Your security workflow now operates at Level 2 Continuous AI - AI handles routine security scanning and remediation with human oversight through review and approval of fixes.

Next Steps

  1. Run your first scan - Try the SAST prompt on your current project
  2. Review findings - Analyze the security report and implement fixes
  3. Set up CI pipeline - Add the GitHub Actions workflow to your repo
  4. Customize rules - Add project-specific security policies
  5. Monitor trends - Track vulnerability reduction over time

Additional Resources