Snyk/snyk-ls

Snyk Language Server

    Server Summary

    • Real-time security diagnostics

    • Code analysis

    • Vulnerability scanning for open source dependencies

    • Infrastructure as code scanning

    • Code quality and security issue identification

    • Actionable insights and automated fixes

    • Authentication and progress reporting

    • Trusted folder management

Snyk Language Server (Snyk-LS)

Supported features

The language server follows the Language Server Protocol and integrates with Snyk Open Source, Snyk Infrastructure as Code and Snyk Code. For the first two it uses the Snyk CLI as a data provider; for Snyk Code it connects directly to the Snyk Code API.

Right now the language server supports the following actions:

  • Send diagnostics to client on opening a document if it's part of the current set of folders.
  • Starting a folder scan on startup and sending diagnostics.
  • Starting a workspace scan of all folders on command.
  • Cache diagnostics until saving or triggering a new workspace scan.
  • Invalidate caches on saving a document and retrieve saved document diagnostics anew.
  • Provides range calculation to correctly highlight Snyk Open Source issues in their file.
  • Provides formatted hovers with diagnostic details and follow-up links
  • Progress reporting to the client for background jobs
  • Notifications & Log messages to the client
  • Authentication when needed, using OAuth2 or Token authentication and opening a webpage if necessary
  • Copying the authentication URL to clipboard if there are problems opening a webpage
  • Automatic download of the Snyk CLI to XDG_DATA_HOME if none is found or configured
  • Selective activation of products according to settings transmitted
  • Scanning errors are reported as diagnostics to the Language Server Client
  • Code Lenses to navigate the Snyk Code dataflow from within the editor
  • Code Actions for in-editor commands, like opening a browser, doing a quickfix or opening a Snyk Learn lesson for the found diagnostic

Implemented operations

Language Server Protocol support

Requests

  • initialize
  • exit
  • textDocument/codeAction
  • textDocument/codeLens
  • textDocument/didClose
  • textDocument/didSave
  • textDocument/hover
  • textDocument/inlineValue
  • shutdown
  • workspace/didChangeWorkspaceFolders
  • workspace/didChangeConfiguration
  • workspace/executeCommand
  • window/workDoneProgress/create (from server -> client)
  • window/showMessageRequest
  • window/showDocument

Notifications

  • $/progress

  • $/cancelRequest

  • textDocument/publishDiagnostics

    • params: types.PublishDiagnosticsParams
    • example: Snyk Open Source
    {
      "uri": "file:///path/to/file",
      "diagnostics": [
        {
          "range": {
            "start": { "line": 1, "character": 0 },
            "end": { "line": 2, "character": 0 }
          },
          "severity": 1,
          "code": "S100",
          "source": "Snyk",
          "message": "Message",
          "tags": ["security"],
          "data": {
            "id": "123",
            "issueType": "vulnerability",
            "packageName": "packageName",
            "packageVersion": "packageVersion",
            "issue": "issue",
            "additionalData": {
              "ruleId": "ruleId",
              "identifiers": {
                "cwe": ["cwe"],
                "cve": ["cve"]
              },
              "description": "description",
              "language": "language",
              "packageManager": "packageManager",
              "packageName": "packageName"
            }
          }
        }
      ]
    }
    
    • example: Snyk Code
    {
      "uri": "file:///path/to/file",
      "diagnostics": [
        {
          "range": {
            "start": { "line": 1, "character": 0 },
            "end": { "line": 2, "character": 0 }
          },
          "severity": 1,
          "code": "S100",
          "source": "Snyk",
          "message": "Message",
          "tags": ["security"],
          "data": {
            "id": "123",
            "filePath": "filePath",
            "range": {
              "start": { "line": 1, "character": 0 },
              "end": { "line": 2, "character": 0 }
            },
            "additionalData": {
              "message": "message",
              "rule": "rule",
              "ruleId": "ruleId",
              "dataFlow": [
                {
                  "filePath": "filePath",
                  "range": {
                    "start": { "line": 1, "character": 0 },
                    "end": { "line": 2, "character": 0 }
                  }
                }
              ],
              "cwe": "cwe",
              "isSecurityType": true
            }
          }
        }
      ]
    }
    
  • window/logMessage

  • window/showMessage
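
The two textDocument/publishDiagnostics examples above carry different "data" shapes. The Go code below is an added example, not part of snyk-ls: it tells the two shapes apart on the client side and collects the CWE and CVE identifiers for triage. The type names, classify and the sample payload are assumptions; "cwe" is accepted as a list as well as the string shown above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Keys follow the two examples above; type and function names are hypothetical.
type diagnostic struct {
	Data struct {
		ID, IssueType, PackageName, FilePath string

		AdditionalData struct {
			Identifiers struct{ CWE, CVE []string } // Snyk Open Source shape
			CWE         json.RawMessage             // Snyk Code shape
		}
	}
}
type finding struct {
	Product, ID, Target string // Product is "oss" or "code", inferred from the shape
	CWEs, CVEs          []string
}
func classify(params []byte) (out []finding, err error) {
	var p struct{ Diagnostics []diagnostic }
	if err = json.Unmarshal(params, &p); err != nil {
		return nil, err
	}
	for _, d := range p.Diagnostics {
		a, f := d.Data.AdditionalData, finding{ID: d.Data.ID}
		switch {
		case d.Data.IssueType != "":
			f.Product, f.Target = "oss", d.Data.PackageName
			f.CWEs, f.CVEs = a.Identifiers.CWE, a.Identifiers.CVE
		case d.Data.FilePath != "":
			f.Product, f.Target = "code", d.Data.FilePath
			var one string // "cwe" is a string in the example; a list is accepted too
			if json.Unmarshal(a.CWE, &f.CWEs) != nil && json.Unmarshal(a.CWE, &one) == nil {
				f.CWEs = []string{one}
			}
		default:
			return nil, fmt.Errorf("diagnostic %q: unrecognised data shape", d.Data.ID)
		}
		out = append(out, f)
	}
	return out, nil
}

const sample = `{"diagnostics":[{"data":{"id":"2","filePath":"a.go","additionalData":{"cwe":"CWE-0"}}},
 {"data":{"id":"1","issueType":"vulnerability","packageName":"pkg","additionalData":{"identifiers":{"cwe":["CWE-0"],"cve":["CVE-0000-0000"]}}}}]}` // constructed, placeholder values
func main() { fmt.Println(classify([]byte(sample))) }
```

A diagnostic whose "data" matches neither shape is returned as an error rather than being silently dropped, so a change in the payload format shows up in the client instead of hiding findings.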

Custom additions to Language Server Protocol (server -> client)

  • SDKs callback to retrieve configured SDKs from the client

    • method: workspace/snyk.sdks
    • params: types.WorkspaceFolder
    • example:
    [{
      "type": "java", // or python or go
      "path": "/path/to/sdk" // JAVA_HOME for java, GOROOT for Go, Python executable for Python
    }]
    
  • Folder Config Notification

    • method: $/snyk.folderConfigs
    • params: types.FolderConfigsParam
    • example:
    {
        "folderConfigs":
        [
          {
            "folderPath": "the/folder/path",
            "baseBranch": "the-base-branch", // e.g. main
            "localBranches": [ "branch1", "branch2" ]
          }
        ]
    }
    
  • Custom Publish Diagnostics Notification

    • method: $/snyk.publishDiagnostics316
    • params: types.PublishDiagnosticsParams
    • note: alias for textDocument/publishDiagnostics
  • MCP Server URL Notification to publish the listening address. The server listens for POST requests on /messages and for SSE subscriptions on /sse. An example can be found in the mcp package in the smoke test.

    • method: $/snyk.mcpServerURL
    • params: types.McpServerURLParams
    • example:
    {
      "url": "https://127.0.0.1:7595"
    }
    
  • Authentication Notification

    • method: $/snyk.hasAuthenticated
    • params: types.AuthenticationParams
    • example:
    {
      "token": "the snyk token", // this can be an oauth2.Token string or a legacy token
      "apiUrl": "https://api.snyk.io"
    }
    
  • CLI Path Notification

    • method: $/snyk.isAvailableCli
    • params: types.SnykIsAvailableCli
    • example:
    {
      "cliPath": "/a/path/to/cli-executable"
    }
    
  • Trusted Folder Notification

    • method: $/snyk.addTrustedFolders
    • params: types.SnykTrustedFoldersParams
    • example:
    {
      "trustedFolders": ["/a/path/to/trust"]
    }
    
  • Scan Notification

    • method: $/snyk.scan
    • params: types.ScanParams
    • example: Successful scan
    {
      "status": "success", // possible values: "error", "inProgress", "success"
      "product": "code", // possible values: "code", "oss", "iac"
      "folderPath": "/a/path/to/folder"
    }
    
    • example: Failed scan with errors
    {
      "status": "error",
      "product": "code",
      "folderPath": "/a/path/to/folder",
      "errorMessage": "An error occurred",
      "cliError": {
        "code": "CLI_ERROR_CODE",
        "message": "An error occurred"
      }
    }
    
  • Summary Panel Status Notification

    • method: $/snyk.scanSummary
    • params: types.ScanSummary
    • example:
    {
      "scanSummary": "