Documentation Search MCP Server

snyk_scan_library

Scan libraries for security vulnerabilities using Snyk analysis. Identify risks, check licenses, and get remediation guidance for packages in ecosystems like npm, PyPI, or Maven.

Instructions

Scan a library using Snyk for comprehensive security analysis.

Args:
    library_name: Name of the library to scan
    version: Version of the library (default: "latest")
    ecosystem: Package ecosystem ("pypi", "npm", "maven", etc.)

Returns:
    Detailed security report from Snyk including vulnerabilities, licenses, and remediation advice

Input Schema

TableJSON Schema

Name	Required	Default
`library_name`	Yes
`version`	No	latest
`ecosystem`	No	pypi

Implementation Reference

src/documentation_search_enhanced/main.py:1779-1864 (handler)

The primary handler function for the 'snyk_scan_library' MCP tool. Registers the tool via @mcp.tool(), handles input parameters, performs Snyk connection test and package scan, formats the security report with vulnerabilities, licenses, and recommendations.

@mcp.tool()
async def snyk_scan_library(
    library_name: str, version: str = "latest", ecosystem: str = "pypi"
):
    """
    Scan a library using Snyk for comprehensive security analysis.

    Args:
        library_name: Name of the library to scan
        version: Version of the library (default: "latest")
        ecosystem: Package ecosystem ("pypi", "npm", "maven", etc.)

    Returns:
        Detailed security report from Snyk including vulnerabilities, licenses, and remediation advice
    """
    from .snyk_integration import snyk_integration

    try:
        # Test connection first
        connection_test = await snyk_integration.test_connection()
        if connection_test["status"] != "connected":
            return {
                "error": "Snyk integration not configured",
                "details": connection_test.get("error", "Unknown error"),
                "setup_instructions": [
                    "1. Sign up for Snyk account at https://snyk.io",
                    "2. Get API token from your Snyk account settings",
                    "3. Set SNYK_API_KEY environment variable",
                    "4. Optionally set SNYK_ORG_ID for organization-specific scans",
                ],
            }

        # Perform the scan
        package_info = await snyk_integration.scan_package(
            library_name, version, ecosystem
        )

        return {
            "library": library_name,
            "version": version,
            "ecosystem": ecosystem,
            "scan_timestamp": datetime.now().isoformat(),
            "vulnerability_summary": {
                "total": len(package_info.vulnerabilities),
                "critical": package_info.severity_counts.get("critical", 0),
                "high": package_info.severity_counts.get("high", 0),
                "medium": package_info.severity_counts.get("medium", 0),
                "low": package_info.severity_counts.get("low", 0),
            },
            "vulnerabilities": [
                {
                    "id": vuln.id,
                    "title": vuln.title,
                    "severity": vuln.severity.value,
                    "cvss_score": vuln.cvss_score,
                    "cve": vuln.cve,
                    "is_patchable": vuln.is_patchable,
                    "upgrade_path": vuln.upgrade_path[:3] if vuln.upgrade_path else [],
                    "snyk_url": f"https://snyk.io/vuln/{vuln.id}",
                }
                for vuln in package_info.vulnerabilities[:10]  # Limit to top 10
            ],
            "license_info": [
                {
                    "name": license.name,
                    "type": license.type,
                    "spdx_id": license.spdx_id,
                    "is_deprecated": license.is_deprecated,
                }
                for license in package_info.licenses
            ],
            "recommendations": [
                "🔍 Review all critical and high severity vulnerabilities",
                "📦 Update to latest secure version if available",
                "⚖️ Ensure license compliance with your organization's policies",
                "🔄 Set up continuous monitoring for this package",
            ],
        }

    except Exception as e:
        return {
            "error": f"Snyk scan failed: {str(e)}",
            "library": library_name,
            "version": version,
        }

src/documentation_search_enhanced/snyk_integration.py:162-248 (helper)

Core helper method that executes the Snyk API scan for a specific package/version/ecosystem, handles caching, creates mock manifest payloads, parses responses, and returns structured SnykPackageInfo.

async def scan_package(
    self, package_name: str, version: str, ecosystem: str = "pypi"
) -> SnykPackageInfo:
    """Scan a single package for vulnerabilities"""
    cache_key = f"package_{ecosystem}_{package_name}_{version}"

    if self._is_cached(cache_key):
        return self.cache[cache_key]["data"]

    ecosystem_map = {
        "pypi": "pip",
        "npm": "npm",
        "maven": "maven",
        "gradle": "gradle",
        "nuget": "nuget",
    }

    snyk_ecosystem = ecosystem_map.get(ecosystem.lower(), "pip")

    try:
        async with httpx.AsyncClient(timeout=self.timeout) as client:
            # Test endpoint for vulnerabilities
            test_payload = {
                "encoding": "plain",
                "files": {
                    (
                        "requirements.txt"
                        if snyk_ecosystem == "pip"
                        else "package.json"
                    ): {
                        "contents": (
                            f"{package_name}=={version}"
                            if snyk_ecosystem == "pip"
                            else json.dumps(
                                {"dependencies": {package_name: version}}
                            )
                        )
                    }
                },
            }

            response = await client.post(
                f"{self.base_url}/v1/test/{snyk_ecosystem}",
                headers=self._get_headers(),
                json=test_payload,
            )

            if response.status_code == 200:
                data = response.json()
                package_info = self._parse_package_scan_result(
                    data, package_name, version, ecosystem
                )

                # Cache the result
                self._cache_result(cache_key, package_info)

                return package_info
            else:
                # Return empty result for failed scans
                return SnykPackageInfo(
                    name=package_name,
                    version=version,
                    ecosystem=ecosystem,
                    vulnerabilities=[],
                    licenses=[],
                    severity_counts={
                        "critical": 0,
                        "high": 0,
                        "medium": 0,
                        "low": 0,
                    },
                    dependency_paths=[],
                    is_direct_dependency=True,
                )

    except Exception as e:
        print(f"Snyk scan error for {package_name}: {e}", file=sys.stderr)
        return SnykPackageInfo(
            name=package_name,
            version=version,
            ecosystem=ecosystem,
            vulnerabilities=[],
            licenses=[],
            severity_counts={"critical": 0, "high": 0, "medium": 0, "low": 0},
            dependency_paths=[],
            is_direct_dependency=True,
        )

src/documentation_search_enhanced/snyk_integration.py:577-577 (helper)
Global singleton instance of SnykIntegration used by the tool handler.
```
snyk_integration = SnykIntegration()
```
src/documentation_search_enhanced/main.py:1779-1779 (registration)
MCP tool registration decorator for snyk_scan_library.
```
@mcp.tool()
```

src/documentation_search_enhanced/main.py:1781-1793 (schema)

Tool schema defined by function signature and docstring describing inputs (library_name, version, ecosystem) and output format.

    library_name: str, version: str = "latest", ecosystem: str = "pypi"
):
    """
    Scan a library using Snyk for comprehensive security analysis.

    Args:
        library_name: Name of the library to scan
        version: Version of the library (default: "latest")
        ecosystem: Package ecosystem ("pypi", "npm", "maven", etc.)

    Returns:
        Detailed security report from Snyk including vulnerabilities, licenses, and remediation advice
    """

Tool Definition Quality

B3.2/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden. It mentions 'comprehensive security analysis' and details about the return value, but lacks critical behavioral information such as whether this is a read-only operation, potential rate limits, authentication requirements, or what happens if the library isn't found. The description doesn't contradict annotations (none provided).

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured and front-loaded with the core purpose, followed by clear sections for Args and Returns. Every sentence adds value without redundancy, and it's appropriately sized for a tool with three parameters and no annotations.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity (security scanning tool), lack of annotations, and no output schema, the description is moderately complete. It covers the purpose, parameters, and return value, but gaps remain in behavioral transparency and usage guidelines. For a tool with potential side effects or constraints, more context would be beneficial.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, so the description must compensate. It adds meaningful semantics for all three parameters: 'library_name' as the name to scan, 'version' with its default, and 'ecosystem' with examples. This goes beyond the schema's basic titles and types, though it could provide more detail on ecosystem options or version format.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose as 'Scan a library using Snyk for comprehensive security analysis,' which includes a specific verb ('Scan') and resource ('a library'). It distinguishes from some siblings like 'snyk_license_check' or 'scan_project_dependencies' by focusing on library scanning, but doesn't explicitly differentiate from 'scan_library_vulnerabilities' or 'snyk_scan_project' in the description text.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives. It doesn't mention sibling tools like 'scan_library_vulnerabilities' or 'snyk_scan_project' for comparison, nor does it specify prerequisites or exclusions. Usage is implied only by the tool's name and description.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/gemini2026/documentation-search-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server