Snyk scans your MCP servers by running them. Here is what that means.
Snyk's agent-scan tool for MCP servers operates by executing them to retrieve tool descriptions, a process that raises security concerns when scanning untrusted configurations or in CI/CD pipelines. This method involves connecting to the server and transmitting data to Invariant Labs' API, which could be problematic for data residency and compliance. An alternative, Bawbel, offers static analysis by reading configuration files and manifests without executing any code, making it suitable for pre-deployment checks and air-gapped environments, though it cannot detect runtime-specific behaviors. AI
IMPACT Highlights security trade-offs in AI agent development tools, impacting how developers manage supply chain risks.