Qodo Helps Secure Software with Snyk


AI-powered coding is at the fingertips of developers, but it takes good model foundations, context, and targeted agentic training to produce high-quality code. Qodo Gen enables that and doubles down on the commitment to create secure software by partnering with Snyk to bring its code security scanning to developers worldwide using Model Context Protocol (MCP) tools.
Developers working in SMBs or enterprises are often held responsible for their products across a long list of concerns, from deployment to code quality, performance, and application security. Even more so, when developers rely on AI to produce code they are naturally responsible for the GenAI code suggestions they accept and for the code from agentic workflows that ships to production. How can developers ensure code security when using AI-powered coding tools?
Code Security Concerns
Developers often lack the security expertise to understand the nuances and intricacies of insecure coding patterns, yet those same flawed lines of code may lead to security vulnerabilities.
Following is an insecure code snippet taken from an open source project found vulnerable:
```javascript
getPasswordPolicy(params) {
  // params.token is used as-is in the MongoDB selector, without checking that it is a string
  const user = Users.findOne({ 'services.password.reset.token': params.token });
  if (!user && !Meteor.userId()) {
    throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'getPasswordPolicy' });
  }
  return passwordPolicy.getPasswordPolicy();
}
```
Looking at this code, developers often obsess on the business logic, code style and clean code conventions but overlook the security aspects.
The above code snippet is vulnerable to NoSQL injection. Worse, because it is part of the password reset functionality, this vulnerability is reachable by anonymous users: exploiting it requires no logged-in session and no admin privileges.
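One way to harden the method above is to refuse anything that is not a plain string before it reaches the database query. The following is an added example, not code from the original post or from the project it quotes; `users`, `findOne` and the returned policy are constructed stand-ins for Meteor's `Users` collection and `passwordPolicy` so the snippet runs offline, and `isLoggedIn` replaces `Meteor.userId()`.

```javascript
// Constructed sample data: one user with a pending password reset, one without.
const users = [
  { _id: 'u1', services: { password: { reset: { token: 'abc123' } } } },
  { _id: 'u2', services: { password: {} } },
];

// Minimal stand-in for Users.findOne({ 'services.password.reset.token': value }).
// Only literal equality on a dotted path is implemented here; a real MongoDB driver
// would also interpret an object in the value position as a query with operators,
// which is why the type check below matters.
function findOne(selector) {
  const [path, expected] = Object.entries(selector)[0];
  const valueAt = (doc) => path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), doc);
  return users.find((u) => valueAt(u) === expected);
}

// Hardened validation (assumed constraint): a reset token must be a non-empty string.
// Objects, arrays, numbers, null and undefined are all rejected.
// In a Meteor project, check(params.token, String) from the 'check' package does this.
function isValidToken(token) {
  return typeof token === 'string' && token.length > 0;
}

// Hardened variant of the quoted getPasswordPolicy(): validate first, query second.
function getPasswordPolicySafe(params, isLoggedIn = false) {
  if (!isValidToken(params.token)) {
    throw new Error('error-invalid-params: token must be a non-empty string');
  }
  const user = findOne({ 'services.password.reset.token': params.token });
  if (!user && !isLoggedIn) {
    throw new Error('error-invalid-user');
  }
  return { minLength: 8 }; // constructed stand-in for passwordPolicy.getPasswordPolicy()
}
```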
How do you make sure to find such security issues?
GenAI Code Security Concerns
Whether the vulnerable code is written by a GenAI coding tool or by developers, the problem remains the same, but detecting vulnerable code suggestions from AI-powered coding tools at the speed they generate code is even more challenging.
Securing software at the speed of MCP
Qodo Gen integrates with MCP servers to help developers bring contextual information into Qodo's agentic workflows, and that includes code security scanning with the Snyk CLI MCP Server.
If you are already a Snyk user you can get started right away, otherwise follow these instructions to install Snyk and create an account.
Once you have the Snyk CLI running locally, go to the Qodo Gen extension in your IDE and follow the extension UI instructions to connect more tools. You'll then see a list of tools. Click "Add new MCP" and enter the following JSON payload:
```json
{
  "snyk-appsec": {
    "command": "snyk",
    "args": ["mcp", "-t", "stdio", "--experimental"],
    "env": {
      "SNYK_TOKEN": "optionally, if you have a Snyk token to use you can provide it here"
    }
  }
}
```
When you save the Snyk CLI MCP Server configuration for Qodo Gen, you'll be presented with a list of custom MCPs that extend Qodo Gen's out-of-the-box list of tools (fetch a URL, git, web search and a handful of other MCP Servers).
Snyk CLI MCP Server will list the supported MCP Server tools, among them the ability to scan dependencies and scan code for security issues in either:
Now, I can use the agentic coding workflow in Qodo Gen to ask it about security vulnerabilities in my code:
Qodo Gen will investigate the tools available to it from the installed MCP Servers, find Snyk, and invoke it to scan the code in the index.js file.
Qodo Gen further improves on Snyk's findings and suggests fixes. Because Snyk code scanning provides contextual information about each vulnerability, the insecure lines of code and vulnerability metadata, Qodo Gen can build on this information to suggest how to fix each finding.
Another important security practice is to keep your third-party open source dependencies up to date and at versions that are not found to be vulnerable. This is another capability that the Snyk CLI MCP Server helps uncover:
Upon invoking the third-party dependency scanning, Snyk will provide contextual information for critical and lower-severity findings of vulnerable npm dependencies in the project (Python, Java, Ruby, Golang and other ecosystems are also supported).
Given these findings, Qodo Gen can then summarize them and automate dependency upgrades.
Unlocking Developer Productivity
Snyk and application security is just one example. Qodo Gen unlocks productivity at the speed of AI by enabling developers to bring in their favorite MCP Servers and infuse them into their agentic workflows. Qodo Gen builds upon these to enhance AI-powered coding thanks to its contextual and fine-tuned models, which are mission-guided on generating high-quality code and draw contextual information from your own repository's coding style and past commits.