What You'll Build

An automated security scanning system that uses Continue’s AI agent with Snyk MCP to identify vulnerabilities in code, dependencies, infrastructure, and containers - all through simple natural language prompts

Prerequisites

Before starting, ensure you have: For all options, first:
1

Install Continue CLI

npm i -g @continuedev/cli
2

Add Your Project to Snyk

  1. Sign up for a Snyk account at snyk.io
  2. Create a new project in Snyk by importing your code repository (Git provider or manual upload)
To use agents in headless mode, you need a Continue API key.

Snyk Continuous AI Workflow Options

🚀 Fastest Path to Success

Skip the manual setup and use our pre-built Snyk Continuous AI agent that includes the Snyk MCP and optimized security scanning workflows for more consistent results.
After ensuring you meet the Prerequisites above, you have two paths to get started:
To use the pre-built agent, you need either:
  • Continue CLI Pro Plan with the models add-on, OR
  • Your own API keys added to Continue Hub secrets (same as manual setup)
The agent will automatically detect and use your configuration along with the pre-configured Snyk MCP for security scanning operations.

Security Scanning Recipes

Now you can use natural language prompts to run comprehensive security scans. The Continue agent automatically calls the appropriate Snyk MCP tools.
You can add prompts to your agent’s configuration for easy access in future sessions. Go to your agent in the Continue Hub, click Edit, and add prompts under the Prompts section.
Where to run these workflows:
  • IDE Extensions: Use Continue in VS Code, JetBrains, or other supported IDEs
  • Terminal (TUI mode): Run cn to enter interactive mode, then type your prompts
  • CLI (headless mode): Use cn -p "your prompt" for headless commands
Test in Plan Mode First: Before running security scans that might make changes, test your prompts in plan mode (see the Plan Mode Guide; press Shift+Tab to switch modes in TUI/IDE). This shows you what the agent will do without executing it. For example: "Run a Snyk Code scan and fix the top 3 issues"

Code Vulnerability Scanning (SAST)

Static Application Security Testing

Scan your source code for security vulnerabilities and code quality issues.TUI Mode Prompt:
Run a Snyk Code scan on this repo with severity threshold medium.
Summarize issues with file:line. Propose minimal diffs for the top 3
and rerun to verify.
Headless Mode Prompt:
cn -p "Run a Snyk Code scan on this repo with severity threshold medium. Summarize issues with file:line. Propose minimal diffs for the top 3 and rerun to verify."

Dependency Scanning (SCA)

Software Composition Analysis

Check open source dependencies for known vulnerabilities.TUI Mode Prompt:
Run Snyk Open Source on this repo (include dev deps).
Summarize vulnerable paths and propose a minimal-risk upgrade plan.
Re-test after the plan (dry run).
Headless Mode Prompt:
cn -p "Run Snyk Open Source on this repo (include dev deps). Summarize vulnerable paths and propose a minimal-risk upgrade plan. Re-test after the plan (dry run)."

Infrastructure as Code (IaC)

IaC Security

Scan Terraform, CloudFormation, and Kubernetes configs for misconfigurations.TUI Mode Prompt:
Scan ./infra with Snyk IaC. Report high/critical misconfigs
with exact files/lines. Provide code changes and re-scan to confirm.
Headless Mode Prompt:
cn -p "Scan ./infra with Snyk IaC. Report high/critical misconfigs with exact files/lines. Provide code changes and re-scan to confirm."

Container Scanning

Container Security

Analyze Docker images for vulnerabilities in base images and packages.TUI Mode Prompt:
Scan image my-api:latest. Exclude base image vulns.
Print dependency tree. Recommend a safer base image or upgrades.
Re-test after the change (dry run).
Headless Mode Prompt:
cn -p "Scan image my-api:latest. Exclude base image vulns. Print dependency tree. Recommend a safer base image or upgrades. Re-test after the change (dry run)."

Pull Request Scanning

Changed Files Only

Focus scanning on modified files to catch issues before merging.TUI Mode Prompt:
Scan only files changed since origin/main with Snyk Code.
Block if new high issues would be introduced. Show deltas.
Headless Mode Prompt:
cn -p "Scan only files changed since origin/main with Snyk Code. Block if new high issues would be introduced. Show deltas."

Security Learning

Snyk Learn Integration

Access security education resources based on identified vulnerabilities (CWE).TUI Mode Prompt:
Open Snyk Learn lessons related to the top CWE(s) from this scan.
Headless Mode Prompt:
cn -p "Open Snyk Learn lessons related to the top CWE(s) from this scan."

Continuous Security with GitHub Actions

This example demonstrates a Continuous AI workflow where security scanning runs automatically in your CI/CD pipeline Headless Mode Prompt in headless mode (cn -p) with Snyk MCP.

Add GitHub Secrets

Navigate to Repository Settings → Secrets and variables → Actions and add:

Create Workflow File

Create .github/workflows/snyk-security.yml in your repository: 
name: Security Scanning with Snyk MCP

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: "0 8 * * *" # Daily at 8 AM UTC

jobs:
  security-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "18"

      - name: Install Continue CLI
        run: |
          npm install -g @continuedev/cli
          echo "✅ Continue CLI installed"

      - name: Authenticate Continue CLI
        env:
          CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }}
        run: |
          cn auth login --api-key "$CONTINUE_API_KEY"
          echo "✅ Continue CLI authenticated"

      - name: Run Security Scans
        run: |
          echo "🔍 Running code vulnerability scan..."
          cn -p "Run Snyk Code scan with severity high on this repo.
                 Fail if any high issues are present."

          echo "📦 Checking dependencies..."
          cn -p "Run Snyk Open Source on this repo.
                 Fail on fixable high issues."

      - name: Generate Security Report
        if: always()
        run: |
          cn -p "Generate a markdown security report summarizing:
                 - Total vulnerabilities by severity
                 - Top 3 critical issues (if any)
                 - Recommended next steps
                 Save to security-report.md"

      - name: Upload Security Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-report-${{ github.run_number }}
          path: security-report.md
          retention-days: 30
The Snyk MCP authentication is handled through Continue Hub. No need to manage Snyk tokens directly in CI - the agent manages authentication.

Security Guardrails

Implement automated security policies using Continue’s rule system. See the Rules deep dive for authoring tips.
Coming Soon: These security guardrail prompts will be available as pre-configured rules on the Continue Hub for easy installation.

Pre-commit Scanning

"Always run Snyk Code before committing newly
generated code; refuse to proceed if high
issues remain."

Dependency Safety

"When adding/updating a dependency, run Snyk Open Source, choose the
lowest-risk upgrade, and re-test."

Container Hardening

"Before building containers, scan base images and recommend
security-hardened alternatives."

IaC Compliance

"Scan all Terraform changes for compliance
violations before applying infrastructure."
Enable the Secure-at-Inception rules from the Hub to automatically apply these guardrails to all code generation and modifications.

Troubleshooting

Authentication Issues

"Check Snyk auth status and current org. If not authenticated,
help me authenticate. Then run a quick Code scan on ./
with severity medium and print one example issue."

Fix Validation

"Propose minimal diffs only in affected files,
then rerun the same Snyk scan to confirm resolution."

Connection Problems

Verification Steps: - Snyk MCP is installed via Continue Hub - Secure-at-Inception rules are enabled - Authentication completed successfully - Project folder has been trusted

What You’ve Built

After completing this guide, you have a complete AI-powered security system that: ✅ Uses natural language — Simple prompts instead of complex CLI commands ✅ Fixes automatically — AI suggests and validates security fixes ✅ Runs continuously — Automated scanning in CI/CD pipelines ✅ Enforces guardrails — Security rules prevent vulnerable code from shipping

Continuous AI

Your security workflow now operates at Level 2 Continuous AI - AI handles routine security scanning and remediation with human oversight through review and approval of fixes.

Next Steps

  1. Run your first scan - Try the SAST prompt on your current project
  2. Review findings - Analyze the security report and implement fixes
  3. Set up CI pipeline - Add the GitHub Actions workflow to your repo
  4. Customize rules - Add project-specific security policies
  5. Monitor trends - Track vulnerability reduction over time

Additional Resources

Snyk Documentation

Complete Snyk platform documentation

Continue Hub

Explore more MCP integrations and agents

Security Best Practices

Learn about secure coding practices

MCP Concepts

Understanding MCP architecture