If you need an introduction to MCP, here is the Get Started article of the protocol.

Setup

MCP download & build

MCP setup is independent of our extension (which you can download and install here).
To use the Symbiotic Security MCP, you first need to install our CLI and build the MCP from source.
1. Install our CLI

Download and install our CLI using the command below.
The installer will automatically select the correct version for your environment.
  curl -sSL https://github.com/SymbioticSec/cli/releases/latest/download/install.sh | bash
  # Put the CLI on your PATH for this shell; add the same line to your shell profile to keep it
  export PATH="$HOME/.local/bin:$PATH"
2. Clone our MCP repository

Clone the official Symbiotic Security MCP repository:
  git clone https://github.com/SymbioticSec/mcp.git
3. Install and build the MCP

Navigate into the repository and build the MCP:
  cd mcp
  npm install
  npm run build
4. Retrieve the index.js filepath

After the build completes, a build directory will be created.
Locate the full path to build/index.js — you will need it to configure the MCP in your IDE.
You can retrieve it using the command realpath build/index.js in the MCP repository.

Installation in your IDE

To use the MCP inside your IDE, you must declare it in your MCP settings. You will need:
  1. The full filepath of the index.js file we retrieved during the build of the MCP
  2. Your Symbiotic personal access token that you can create and retrieve here
Once you have these, configure the MCP using the examples below:
{
  "servers": {
    "symbiotic-security": {
      "command": "node",
      "args": ["path_of_the_index.js_file"],
      "env": {
        "SYMBIOTIC_API_TOKEN": "your_token_here"
      }
    }
  }
}
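
A pre-flight check for the settings entry above, written for this page as an added example (it is not part of the Symbiotic Security MCP or CLI). It assumes your IDE reads the settings as strict JSON; checkMcpConfig, its messages, and the sample path and token are hypothetical.

```javascript
// Added example: validate an MCP settings entry for the Symbiotic Security server.
// checkMcpConfig is a hypothetical helper, not part of the Symbiotic MCP or CLI.
// pathExists is an optional callback, e.g. require("node:fs").existsSync.
function checkMcpConfig(text, pathExists) {
  const problems = [];
  let cfg;
  try {
    cfg = JSON.parse(text); // strict JSON: a trailing comma is rejected here
  } catch (err) {
    return ["settings are not valid JSON: " + err.message];
  }
  const server = cfg && cfg.servers && cfg.servers["symbiotic-security"];
  if (!server) return ['no "symbiotic-security" entry under "servers"'];
  if (server.command !== "node") problems.push('"command" should be "node"');

  // The server script must be the absolute path printed by `realpath build/index.js`.
  const script = Array.isArray(server.args) ? server.args[0] : undefined;
  const isAbsolute = typeof script === "string" &&
    (script.startsWith("/") || /^[A-Za-z]:[\\/]/.test(script));
  if (!isAbsolute) {
    problems.push('"args" must hold the absolute path of build/index.js');
  } else if (!script.endsWith("index.js")) {
    problems.push('"args" should point at build/index.js');
  } else if (pathExists && !pathExists(script)) {
    problems.push("index.js not found at " + script);
  }

  // The token must be set and must not be the template placeholder.
  const token = server.env && server.env.SYMBIOTIC_API_TOKEN;
  if (typeof token !== "string" || token.trim() === "") {
    problems.push("SYMBIOTIC_API_TOKEN is missing");
  } else if (token === "your_token_here") {
    problems.push("SYMBIOTIC_API_TOKEN still holds the placeholder value");
  }
  return problems;
}

// Constructed sample: the template with its placeholders left in.
const SAMPLE_TEMPLATE = JSON.stringify({ servers: { "symbiotic-security": {
  command: "node",
  args: ["path_of_the_index.js_file"],
  env: { SYMBIOTIC_API_TOKEN: "your_token_here" },
} } });
// Constructed sample: filled in with a made-up path and token.
const SAMPLE_FILLED = SAMPLE_TEMPLATE
  .replace("path_of_the_index.js_file", "/home/dev/mcp/build/index.js")
  .replace("your_token_here", "example-token-not-real");

console.log(checkMcpConfig(SAMPLE_TEMPLATE), checkMcpConfig(SAMPLE_FILLED, () => true));
```

An empty result means the entry is structurally ready; the token sits in this file in plain text, so keep the settings file out of version control.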

Usage

Once configured, you can use the MCP directly from your IDE’s chat interface by asking it to perform a security scan on a file. If you want your chat agent to automatically scan every piece of AI-generated code, we recommend adding the following MCP usage rule:
ALWAYS use symbiotic-security MCP with the security_scan_files tool EACH time you generate code to scan for security vulnerabilities and remediate issues found.

ALWAYS try to fix issues found by the scanner.