Skip to main content

What You'll Build

An automated security scanning system that uses Gobi’s AI agent with Snyk MCP to identify vulnerabilities in code, dependencies, infrastructure, and containers - all through simple natural language prompts

Prerequisites

Before starting, ensure you have: For all options, first:
1

Install Gobi CLI

npm i -g @gourmanddev/cli
2

Add Your Project to Snyk

  1. Sign up for a Snyk account at snyk.io
  2. Create a new project in Snyk by importing your code repository (Git provider or manual upload)
  3. Install and authenticate the Snyk CLI locally: 
    npm install -g snyk
snyk auth
    This will open your browser to authenticate with your Snyk account.
Important: The Snyk MCP requires the Snyk CLI to be authenticated locally. Run snyk auth to authenticate before using the Gobi agent with Snyk MCP.
To use agents in headless mode, you need a Gobi API key.

Snyk Continuous AI Workflow Options

🚀 Fastest Path to Success

Skip the manual setup and use our pre-built Snyk Continuous AI agent that includes the Snyk MCP and optimized security scanning workflows for more consistent results.
After ensuring you meet the Prerequisites above, you have two paths to get started:
To use the pre-built agent, you need either:
  • Gobi CLI Pro Plan with the models add-on, OR
  • Your own API keys added to Gobi Hub secrets (same as manual setup)
The agent will automatically detect and use your configuration along with the pre-configured Snyk MCP for security scanning operations.

Security Scanning Recipes

Now you can use natural language prompts to run comprehensive security scans. The Gobi agent automatically calls the appropriate Snyk MCP tools.
You can add prompts to your agent’s configuration for easy access in future sessions. Go to your agent in the Gobi Hub, click Edit, and add prompts under the Prompts section.
Where to run these workflows:
  • IDE Extensions: Use Gobi in VS Code, JetBrains, or other supported IDEs
  • Terminal (TUI mode): Run cn to enter interactive mode, then type your prompts
  • CLI (headless mode): Use cn -p "your prompt" --auto for headless commands
Test in Plan Mode First: Before running security scans that might make changes, test your prompts in plan mode (see the Plan Mode Guide; press Shift+Tab to switch modes in TUI/IDE). This shows you what the agent will do without executing it. For example: "Run a Snyk Code scan and fix the top 3 issues"

Code Vulnerability Scanning (SAST)

Static Application Security Testing

Scan your source code for security vulnerabilities and code quality issues.TUI Mode Prompt:
Run a Snyk Code scan on this repo with severity threshold medium.
Summarize issues with file:line. Propose minimal diffs for the top 3
and rerun to verify.
Headless Mode Prompt:
cn -p "Run a Snyk Code scan on this repo with severity threshold medium. Summarize issues with file:line. Propose minimal diffs for the top 3 and rerun to verify." --auto

Dependency Scanning (SCA)

Software Composition Analysis

Check open source dependencies for known vulnerabilities.TUI Mode Prompt:
Run Snyk Open Source on this repo (include dev deps).
Summarize vulnerable paths and propose a minimal-risk upgrade plan.
Re-test after the plan (dry run).
Headless Mode Prompt:
cn -p "Run Snyk Open Source on this repo (include dev deps). Summarize vulnerable paths and propose a minimal-risk upgrade plan. Re-test after the plan (dry run)." --auto

Infrastructure as Code (IaC)

IaC Security

Scan Terraform, CloudFormation, and Kubernetes configs for misconfigurations.TUI Mode Prompt:
Scan ./infra with Snyk IaC. Report high/critical misconfigs
with exact files/lines. Provide code changes and re-scan to confirm.
Headless Mode Prompt:
cn -p "Scan ./infra with Snyk IaC. Report high/critical misconfigs with exact files/lines. Provide code changes and re-scan to confirm." --auto

Container Scanning

Container Security

Analyze Docker images for vulnerabilities in base images and packages.TUI Mode Prompt:
Scan image my-api:latest. Exclude base image vulns.
Print dependency tree. Recommend a safer base image or upgrades.
Re-test after the change (dry run).
Headless Mode Prompt:
cn -p "Scan image my-api:latest. Exclude base image vulns. Print dependency tree. Recommend a safer base image or upgrades. Re-test after the change (dry run)." --auto

Pull Request Scanning

Changed Files Only

Focus scanning on modified files to catch issues before merging.TUI Mode Prompt:
Scan only files changed since origin/main with Snyk Code.
Block if new high issues would be introduced. Show deltas.
Headless Mode Prompt:
cn -p "Scan only files changed since origin/main with Snyk Code. Block if new high issues would be introduced. Show deltas." --auto

Security Learning

Snyk Learn Integration

Access security education resources based on identified vulnerabilities (CWE).TUI Mode Prompt:
Open Snyk Learn lessons related to the top CWE(s) from this scan.
Headless Mode Prompt:
cn -p "Open Snyk Learn lessons related to the top CWE(s) from this scan." --auto

Continuous Security with GitHub Actions

This example demonstrates a Continuous AI workflow where security scanning runs automatically on pull requests, generates AI-powered mitigation suggestions, and posts them as PR comments.
About the —auto flag: The --auto flag enables tools to run continuously without manual confirmation. This is essential for headless mode where the agent needs to execute multiple tools automatically to complete tasks like security scanning, vulnerability analysis, and fix validation.

Add GitHub Secrets

Navigate to Repository Settings → Secrets and variables → Actions and add:

Create Workflow File

Create .github/workflows/snyk-security.yml in your repository: 
name: Snyk Security Scanning

on:
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Fetch all history for git diff

      - name: Get Changed Files
        id: changed-files
        run: |
          echo "📝 Getting changed files since main branch..."
          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | tr '\n' ' ')
          echo "changed_files=$CHANGED_FILES" >> $GITHUB_OUTPUT
          echo "Changed files: $CHANGED_FILES"

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'

      - name: Install Snyk CLI
        run: |
          npm install -g snyk
          echo "✅ Snyk CLI installed"

      - name: Install Gobi CLI
        run: |
          npm install -g @gourmanddev/cli
          echo "✅ Gobi CLI installed"

      - name: Validate Secrets
        run: |
          if [ -z "${{ secrets.SNYK_TOKEN }}" ]; then
            echo "❌ Error: SNYK_TOKEN secret is not set"
            exit 1
          fi
          if [ -z "${{ secrets.GOBI_API_KEY }}" ]; then
            echo "⚠️ Warning: GOBI_API_KEY not set - AI mitigation suggestions will be skipped"
          fi
          echo "✅ Required secrets validated"

      - name: Authenticate Snyk
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          snyk auth "$SNYK_TOKEN"
          echo "✅ Snyk authenticated"

      - name: Run Security Scans
        id: security-scan
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          CHANGED_FILES: ${{ steps.changed-files.outputs.changed_files }}
        run: |
          SCAN_FAILED=0

          if [ -n "$CHANGED_FILES" ]; then
            echo "🔍 Running targeted scan on changed files..."
            echo "Changed files: $CHANGED_FILES"
            FILE_ARGS=""
            for file in $CHANGED_FILES; do
              if [[ "$file" =~ \.(js|jsx|ts|tsx|py|java|go|rb)$ ]]; then
                FILE_ARGS="$FILE_ARGS --file=$file"
              fi
            done

            if [ -n "$FILE_ARGS" ]; then
              echo "🔍 Running Snyk Code scan on changed files..."
              snyk code test $FILE_ARGS --severity-threshold=high --json > snyk-code-results.json || {
                echo "❌ Snyk Code found high severity issues in changed files"
                SCAN_FAILED=1
              }
            else
              echo "⚠️ No scannable code files changed, skipping Snyk Code scan"
              echo '{"runs": [{"results": []}]}' > snyk-code-results.json
            fi
          else
            echo "⚠️ No changed files detected, creating empty results"
            echo '{"runs": [{"results": []}]}' > snyk-code-results.json
          fi

          echo "📦 Checking dependencies..."
          snyk test --severity-threshold=high --json > snyk-oss-results.json || {
            echo "❌ Snyk Open Source found high severity issues"
            SCAN_FAILED=1
          }

          if [ $SCAN_FAILED -eq 1 ]; then
            echo "scan_status=failed" >> $GITHUB_OUTPUT
            echo "⚠️ Scans completed with issues - continuing to generate mitigation suggestions"
          else
            echo "scan_status=passed" >> $GITHUB_OUTPUT
            echo "✅ All security scans passed"
          fi

      - name: Generate AI Mitigation Suggestions
        if: always() && steps.security-scan.outputs.scan_status == 'failed'
        continue-on-error: true
        env:
          GOBI_API_KEY: ${{ secrets.GOBI_API_KEY }}
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          echo "🤖 Generating AI-powered mitigation suggestions..."

          # Create a summary of findings for Gobi CLI
          FINDINGS_SUMMARY=$(cat snyk-code-results.json snyk-oss-results.json | jq -r '
            if .runs then
              .runs[0].results[] | "Code Issue: \(.message.text) in \(.locations[0].physicalLocation.artifactLocation.uri) (Severity: \(.level))"
            elif .vulnerabilities then
              .vulnerabilities[] | "Dependency Issue: \(.title) in \(.packageName)@\(.version) (Severity: \(.severity))"
            else
              empty
            end
          ' | head -20)

          if [ -n "$FINDINGS_SUMMARY" ]; then
            echo "📋 Security findings to analyze:"
            echo "$FINDINGS_SUMMARY"
            echo ""

            # Use Gobi CLI to generate mitigation suggestions
            PROMPT="Analyze these Snyk security findings and provide specific, actionable mitigation steps for each issue. Focus on: 1) Root cause, 2) Immediate fix, 3) Long-term prevention. Findings: $FINDINGS_SUMMARY. Provide clear, prioritized recommendations."

            cn --config gourmand/snyk-continuous-ai -p "$PROMPT" --auto > mitigation-suggestions.md || {
              echo "⚠️ Warning: Could not generate AI suggestions"
              exit 0
            }

            if [ -f mitigation-suggestions.md ]; then
              echo "✅ AI mitigation suggestions generated"
              echo ""
              echo "--- Mitigation Suggestions ---"
              cat mitigation-suggestions.md
            fi
          else
            echo "⚠️ No findings to analyze"
          fi

      - name: Post Mitigation Summary to PR
        if: steps.security-scan.outputs.scan_status == 'failed' && hashFiles('mitigation-suggestions.md') != ''
        continue-on-error: true
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          if [ -f mitigation-suggestions.md ]; then
            echo "💬 Posting mitigation summary to PR..."

            # Create PR comment with mitigation suggestions
            cat > pr-comment.md <<'EOF'
          ## 🛡️ Snyk Mitigation Summary

          Snyk has identified security issues in this PR. Here are AI-generated mitigation recommendations:

          EOF

            cat mitigation-suggestions.md >> pr-comment.md

            cat >> pr-comment.md <<EOF

          ---
          **Scan Details:**
          - 📊 Full report available in workflow artifacts
          - 🔍 Review the [workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for complete details
          - 🤖 Generated with Gobi CLI + Snyk

          _This is an automated security analysis. Please review and address the findings before merging._
          EOF

            gh pr comment ${{ github.event.pull_request.number }} --body-file pr-comment.md

            echo "✅ Mitigation summary posted to PR"
          else
            echo "⚠️ No mitigation suggestions file found"
          fi

      - name: Generate Security Report
        if: always()
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          echo "📊 Generating security report..."
          {
            echo "# Security Scan Report"
            echo ""
            echo "**Date:** $(date -u +"%Y-%m-%d %H:%M:%S UTC")"
            echo "**Branch:** ${{ github.ref_name }}"
            echo "**Commit:** ${{ github.sha }}"
            echo "**Status:** ${{ steps.security-scan.outputs.scan_status }}"
            echo ""

            echo "## Snyk Code Scan Results"
            if [ -f snyk-code-results.json ]; then
              jq -r '.runs[0].results[] | "- **\(.level | ascii_upcase)**: \(.message.text) in \(.locations[0].physicalLocation.artifactLocation.uri)"' snyk-code-results.json || echo "No code issues found"
            else
              echo "No scan results available"
            fi
            echo ""

            echo "## Snyk Open Source Scan Results"
            if [ -f snyk-oss-results.json ]; then
              jq -r '.vulnerabilities[] | "- **\(.severity | ascii_upcase)**: \(.title) (\(.packageName)@\(.version))"' snyk-oss-results.json || echo "No dependency issues found"
            else
              echo "No scan results available"
            fi
            echo ""

            if [ -f mitigation-suggestions.md ]; then
              echo "## AI-Powered Mitigation Suggestions"
              echo ""
              cat mitigation-suggestions.md
            fi
          } > scan-results.md

          if [ -f scan-results.md ]; then
            echo "✅ Security report generated successfully"
            cat scan-results.md
          else
            echo "⚠️ Warning: scan-results.md was not created"
          fi

      - name: Upload Security Report
        if: always()
        continue-on-error: true
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-results
          path: |
            scan-results.md
            snyk-code-results.json
            snyk-oss-results.json
            mitigation-suggestions.md
          if-no-files-found: warn

      - name: Fail if Security Issues Found
        if: steps.security-scan.outputs.scan_status == 'failed'
        run: |
          echo "❌ Security scan failed - high severity issues found"
          echo "📋 Review the security report artifact for details and mitigation suggestions"
          exit 1
About SNYK_TOKEN: The workflow uses the SNYK_TOKEN in two ways:
  1. Direct Snyk CLI authentication - Authenticates the Snyk CLI for running scans
  2. Gobi CLI access - Available as an environment variable when Gobi generates AI mitigation suggestions
The cn agent automatically uses the SNYK_TOKEN when needed for Snyk MCP operations.
This workflow demonstrates several advanced features:
  • Changed Files Detection: Only scans files modified in the PR
  • AI Mitigation: Uses Gobi CLI to generate actionable mitigation steps
  • PR Comments: Automatically posts mitigation suggestions as PR comments
  • Comprehensive Reporting: Generates detailed security reports with artifacts

Security Guardrails

Implement automated security policies using Gobi’s rule system. See the Rules deep dive for authoring tips.
Coming Soon: These security guardrail prompts will be available as pre-configured rules on the Gobi Hub for easy installation.

Pre-commit Scanning

"Always run Snyk Code before committing newly
generated code; refuse to proceed if high
issues remain."

Dependency Safety

"When adding/updating a dependency, run Snyk Open Source, choose the
lowest-risk upgrade, and re-test."

Container Hardening

"Before building containers, scan base images and recommend
security-hardened alternatives."

IaC Compliance

"Scan all Terraform changes for compliance
violations before applying infrastructure."
Enable the Secure-at-Inception rules from the Hub to automatically apply these guardrails to all code generation and modifications.

Troubleshooting

Authentication Issues

"Check Snyk auth status and current org. If not authenticated,
help me authenticate. Then run a quick Code scan on ./
with severity medium and print one example issue."

Fix Validation

"Propose minimal diffs only in affected files,
then rerun the same Snyk scan to confirm resolution."

Connection Problems

Verification Steps: - Snyk MCP is installed via Gobi Hub - Secure-at-Inception rules are enabled - Authentication completed successfully - Project folder has been trusted

What You’ve Built

After completing this guide, you have a complete AI-powered security system that:
  • ✅ Uses natural language — Simple prompts instead of complex CLI commands
  • ✅ Fixes automatically — AI suggests and validates security fixes
  • ✅ Runs continuously — Automated scanning in CI/CD pipelines
  • ✅ Enforces guardrails — Security rules prevent vulnerable code from shipping

Continuous AI

Your security workflow now operates at Level 2 Continuous AI - AI handles routine security scanning and remediation with human oversight through review and approval of fixes.

Next Steps

  1. Run your first scan - Try the SAST prompt on your current project
  2. Review findings - Analyze the security report and implement fixes
  3. Set up CI pipeline - Add the GitHub Actions workflow to your repo
  4. Customize rules - Add project-specific security policies
  5. Monitor trends - Track vulnerability reduction over time

Additional Resources

Snyk Documentation

Complete Snyk platform documentation

Gobi Hub

Explore more MCP integrations and agents

Security Best Practices

Learn about secure coding practices

MCP Concepts

Understanding MCP architecture