
🚀 Detect vulnerabilities at light speed with AI assistance! In-editor scanning with the Snyk MCP Server and Google Code Assist


Confirming that your open-source dependencies carry no known security vulnerabilities is an essential step in modern software development. By combining the Snyk MCP Server with Google Code Assist, you can now run AI-assisted vulnerability scans quickly, right inside your development environment.

To the Snyk documentation

🧰 Prerequisites

Before you start, you need the following:

  • VS Code installed (other MCP clients such as Cursor, Windsurf, Kiro, the CLI, Cline, Roo and Kilo Code also work)
    This walkthrough uses Google Code Assist, so a VS Code-based editor is recommended.
  • A Google account to use with Google Code Assist and Snyk

⚙️ Setup steps

1. Install Google Code Assist in VS Code

Open the VS Code Marketplace and search for the Google Code Assist extension, or click the Extensions icon in VS Code and search for Google Code Assist.
Click Install and, once setup has finished, reload the editor.

2. Add the configuration file

Create the following configuration file inside your repository.

mkdir .gemini
touch .gemini/settings.json

settings.json

{
  "mcpServers": {
    "Snyk": {
      "command": "npx",
      "args": ["-y", "snyk@latest", "mcp", "-t", "stdio"],
      "env": {}
    }
  }
}

This file is what lets Google Code Assist work with your project context and with external tools such as the Snyk MCP Server.
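Because this file is committed to the repository and starts a CLI via npx on every developer's machine, it is worth a quick sanity check before it lands. The script below is an added example, not part of the original post or of Snyk's tooling: it loads a settings object of the shape shown above, reports any npx package spec left at @latest (each run then fetches whatever build is newest at that moment, so pinning is a deliberate choice rather than an accident), and reports env entries whose key looks like a credential (the Snyk CLI reads its token from SNYK_TOKEN, which should be set in the shell or via snyk auth, not in a repository file). The second server entry, its version number and its token value are constructed to show what the checks catch.

```python
"""Lint a .gemini/settings.json MCP configuration before committing it.

Added example (not from the original post or from Snyk). Checks:
  * npx package specs pinned to "latest" (unreviewed CLI build on each run)
  * env entries that look like credentials stored in a repository file
"""
import json
import re
from pathlib import Path
from typing import Dict, List

# Keys that usually carry secrets (SNYK_TOKEN is the Snyk CLI's real token variable).
SENSITIVE_KEY = re.compile(r"(TOKEN|SECRET|PASSWORD|API_?KEY)", re.IGNORECASE)
# An npm package spec such as "snyk@latest", "snyk@1.0.0" or "@scope/pkg@2.1.0".
PKG_SPEC = re.compile(r"^(?P<name>@?[\w.-]+(?:/[\w.-]+)?)@(?P<version>[^@\s]+)$")


def lint_mcp_settings(settings: Dict) -> List[str]:
    """Return human-readable warnings for a parsed settings object."""
    warnings: List[str] = []
    servers = settings.get("mcpServers", {})
    if not servers:
        return ["no mcpServers configured"]
    for name, spec in servers.items():
        if spec.get("command") == "npx":
            for arg in spec.get("args", []):
                m = PKG_SPEC.match(arg)
                if m and m.group("version") in ("latest", "*"):
                    warnings.append(
                        f"{name}: '{arg}' is unpinned; pin an exact version so "
                        f"every developer runs the same reviewed CLI build"
                    )
        for key, value in spec.get("env", {}).items():
            if SENSITIVE_KEY.search(key) and value:
                warnings.append(
                    f"{name}: env var {key} carries a value inside a repository "
                    f"file; keep credentials out of .gemini/settings.json"
                )
    return warnings


def lint_file(path: str) -> List[str]:
    """Convenience wrapper: lint the JSON file at `path`."""
    return lint_mcp_settings(json.loads(Path(path).read_text(encoding="utf-8")))


# Constructed sample: the first entry mirrors the settings.json in the post,
# the second is hypothetical (version and token value are made up).
SAMPLE_SETTINGS = {
    "mcpServers": {
        "Snyk": {
            "command": "npx",
            "args": ["-y", "snyk@latest", "mcp", "-t", "stdio"],
            "env": {},
        },
        "SnykPinned": {
            "command": "npx",
            "args": ["-y", "snyk@1.0.0", "mcp", "-t", "stdio"],  # hypothetical pin
            "env": {"SNYK_TOKEN": "example-not-a-real-token"},  # constructed value
        },
    }
}

if __name__ == "__main__":
    for warning in lint_mcp_settings(SAMPLE_SETTINGS):
        print("WARN", warning)
```

Run it against the real file with lint_file(".gemini/settings.json") from a pre-commit hook; an empty list means nothing to flag.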

3. Run the vulnerability scan

Open the Google Code Assist panel in VS Code and enter the following prompt:

Tell me about any vulnerabilities found in my open source dependencies for this project

You will then be asked to approve use of the Snyk MCP server.

The result of running the same prompt against https://github.com/forem/forem is shown below.

Result

I found 48 vulnerabilities in your open source dependencies. Here is a summary of the findings:

Severity	Count
Critical	1
High	19
Medium	13
Low	4
Here is a list of the vulnerabilities found:

Package	Version	Severity	Title	Remediation
actioncable	7.0.8.7	medium	Information Exposure	Upgrade to rails@7.1.0
activerecord	7.0.8.7	medium	Improper Neutralization	Upgrade to active_record_union@1.4.0
activestorage	7.0.8.7	critical	Arbitrary Command Injection	Upgrade to rails@7.1.5.2
cgi	0.3.6	medium	Allocation of Resources Without Limits or Throttling	Upgrade to cgi@0.3.7
cgi	0.3.6	medium	Regular Expression Denial of Service (ReDoS)	Upgrade to cgi@0.3.7
net-imap	0.4.10	high	Memory Allocation with Excessive Size Value	Upgrade to ahoy_email@2.3.0
net-imap	0.4.10	high	Denial of Service (DoS)	Upgrade to ahoy_email@2.3.0
nokogiri	1.16.5-x86_64-linux	high	Stack-based Buffer Overflow	Upgrade to nokogiri@1.18.9
nokogiri	1.16.5-x86_64-linux	high	Expired Pointer Dereference	Upgrade to nokogiri@1.18.9
nokogiri	1.16.5-x86_64-linux	high	Expired Pointer Dereference	Upgrade to nokogiri@1.18.9
nokogiri	1.16.5-x86_64-linux	low	Stack-based Buffer Overflow	Upgrade to nokogiri@1.18.9
nokogiri	1.16.5-x86_64-linux	high	Out-of-bounds Read	Upgrade to nokogiri@1.18.9
nokogiri	1.16.5-x86_64-linux	low	Cross-site Scripting (XSS)	Upgrade to nokogiri@1.16.8
nokogiri	1.16.5-x86_64-linux	high	Stack-based Buffer Overflow	Upgrade to nokogiri@1.18.3
nokogiri	1.16.5-x86_64-linux	high	Use After Free	Upgrade to nokogiri@1.18.3
nokogiri	1.16.5-x86_64-linux	medium	Use After Free	Upgrade to nokogiri@1.18.4
nokogiri	1.16.5-x86_64-linux	medium	Use After Free	Upgrade to nokogiri@1.18.4
nokogiri	1.16.5-x86_64-linux	low	Buffer Under-read	Upgrade to nokogiri@1.18.8
rack	2.2.10	high	Allocation of Resources Without Limits or Throttling	No remediation advice available
rack	2.2.10	low	Race Condition	No remediation advice available
rack	2.2.10	medium	Web Cache Poisoning	No remediation advice available
rack	2.2.10	high	Allocation of Resources Without Limits or Throttling	No remediation advice available
rack	2.2.10	high	Allocation of Resources Without Limits or Throttling	No remediation advice available
rack	2.2.10	high	Allocation of Resources Without Limits or Throttling	No remediation advice available
rack	2.2.10	high	Allocation of Resources Without Limits or Throttling	No remediation advice available
rack	2.2.10	medium	Information Exposure	No remediation advice available
rack	2.2.10	high	Allocation of Resources Without Limits or Throttling	No remediation advice available
rack	2.2.10	high	Improper Output Neutralization for Logs	No remediation advice available
rack	2.2.10	medium	Improper Output Neutralization for Logs	No remediation advice available
rack	2.2.10	high	Relative Path Traversal	No remediation advice available
ransack	3.2.1	high	Insecure Defaults	Upgrade to ransack@4.0.0
rexml	3.4.0	medium	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')	Upgrade to rubocop@1.63.5
thor	1.3.1	high	OS Command Injection	Upgrade to bundler-audit@0.9.2
uri	0.13.0	medium	Improper Removal of Sensitive Information Before Storage or Transfer	No remediation advice available
uri	0.13.0	low	Improper Removal of Sensitive Information Before Storage or Transfer	No remediation advice available
@babel/helpers	7.23.6	medium	Regular Expression Denial of Service (ReDoS)	Your dependencies are out of date, otherwise you would be using a newer @babel/helpers than @babel/helpers@7.23.6. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
@babel/runtime	7.20.13	medium	Regular Expression Denial of Service (ReDoS)	Your dependencies are out of date, otherwise you would be using a newer @babel/runtime than @babel/runtime@7.20.13. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
brace-expansion	2.0.1	low	Regular Expression Denial of Service (ReDoS)	Your dependencies are out of date, otherwise you would be using a newer brace-expansion than brace-expansion@2.0.1. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
braces	3.0.2	high	Excessive Platform Resource Consumption within a Loop	Your dependencies are out of date, otherwise you would be using a newer braces than braces@3.0.2. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
cross-spawn	7.0.3	high	Regular Expression Denial of Service (ReDoS)	Your dependencies are out of date, otherwise you would be using a newer cross-spawn than cross-spawn@7.0.3. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
inflight	1.0.6	medium	Missing Release of Resource after Effective Lifetime	Upgrade to canvas@3.0.0
ip	2.0.0	high	Server-side Request Forgery (SSRF)	Your dependencies are out of date, otherwise you would be using a newer ip than ip@2.0.0. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
ip	2.0.0	high	Server-side Request Forgery (SSRF)	Your dependencies are out of date, otherwise you would be using a newer ip than ip@2.0.0. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
ip	2.0.0	high	Server-side Request Forgery (SSRF)	Your dependencies are out of date, otherwise you would be using a newer ip than ip@2.0.0. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem.
ip	2.0.0	medium	Server-Side Request Forgery (SSRF)	Your dependencies are out of date, otherwise you would be using a newer ip than ip@2.0.0. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
micromatch	4.0.5	medium	Inefficient Regular Expression Complexity	Your dependencies are out of date, otherwise you would be using a newer micromatch than micromatch@4.0.5. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
nanoid	3.3.7	medium	Improper Input Validation	Your dependencies are out of date, otherwise you would be using a newer nanoid than nanoid@3.3.7. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
tar	6.2.0	medium	Uncontrolled Resource Consumption ('Resource Exhaustion')	Your dependencies are out of date, otherwise you would be using a newer tar than tar@6.2.0. Try relocking your lockfile or deleting node_modules and reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
I can also open a Snyk learn lesson for some of these vulnerabilities. Would you like me to open a lesson for any of the vulnerabilities?
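The assistant's answer is a starting point rather than a finished triage: the summary above adds up to 37 findings while the table lists 48 rows, and the same package appears many times with different upgrade targets. The script below is an added example, not code from the original post or from Snyk. It parses rows in the tab-separated shape the assistant printed (Package, Version, Severity, Title, Remediation), recomputes the severity counts from the rows themselves, collapses every "Upgrade to pkg@version" line to the single highest version per target package (one upgrade that covers all findings pointing at it), lists packages with no remediation advice, and applies a simple policy gate. The sample rows are a subset copied from the table above; the policy threshold is an assumption.

```python
"""Triage a Snyk findings table returned through the MCP server.

Added example, not from the original post or from Snyk.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_ORDER = ("critical", "high", "medium", "low")
UPGRADE_RE = re.compile(r"Upgrade to (?P<pkg>\S+)@(?P<ver>[0-9][\w.-]*)$")


@dataclass
class Finding:
    package: str
    version: str
    severity: str
    title: str
    remediation: str

    def upgrade_target(self) -> Optional[Tuple[str, str]]:
        """(target package, version) from 'Upgrade to pkg@ver', else None."""
        m = UPGRADE_RE.search(self.remediation)
        return (m.group("pkg"), m.group("ver")) if m else None


def parse_findings(text: str) -> List[Finding]:
    """Parse tab-separated rows; the header row and malformed rows are skipped."""
    findings = []
    for line in text.strip().splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) != 5 or cols[0] == "Package":
            continue
        findings.append(Finding(*cols))
    return findings


def version_key(ver: str) -> Tuple[int, ...]:
    """Numeric comparison key; platform suffixes like '-x86_64-linux' are dropped."""
    core = ver.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    c = Counter(f.severity.lower() for f in findings)
    return {s: c.get(s, 0) for s in SEVERITY_ORDER}


def upgrade_plan(findings: List[Finding]) -> Dict[str, str]:
    """Highest recommended version per target package (one upgrade covers all)."""
    best: Dict[str, str] = {}
    for f in findings:
        target = f.upgrade_target()
        if target is None:
            continue
        pkg, ver = target
        if pkg not in best or version_key(ver) > version_key(best[pkg]):
            best[pkg] = ver
    return best


def unremediated(findings: List[Finding]) -> List[str]:
    """Distinct package@version entries with no upgrade advice, in first-seen order."""
    seen: List[str] = []
    for f in findings:
        if f.upgrade_target() is None and f"{f.package}@{f.version}" not in seen:
            seen.append(f"{f.package}@{f.version}")
    return seen


def gate(findings: List[Finding], fail_on=("critical", "high")) -> bool:
    """True when no finding is at a severity listed in fail_on (assumed policy)."""
    counts = severity_counts(findings)
    return all(counts[s] == 0 for s in fail_on)


# Constructed sample: a subset of the rows from the assistant's table above.
SAMPLE = """Package\tVersion\tSeverity\tTitle\tRemediation
actioncable\t7.0.8.7\tmedium\tInformation Exposure\tUpgrade to rails@7.1.0
activestorage\t7.0.8.7\tcritical\tArbitrary Command Injection\tUpgrade to rails@7.1.5.2
cgi\t0.3.6\tmedium\tAllocation of Resources Without Limits or Throttling\tUpgrade to cgi@0.3.7
nokogiri\t1.16.5-x86_64-linux\thigh\tStack-based Buffer Overflow\tUpgrade to nokogiri@1.18.9
nokogiri\t1.16.5-x86_64-linux\tlow\tCross-site Scripting (XSS)\tUpgrade to nokogiri@1.16.8
nokogiri\t1.16.5-x86_64-linux\tmedium\tUse After Free\tUpgrade to nokogiri@1.18.4
rack\t2.2.10\thigh\tRelative Path Traversal\tNo remediation advice available
"""

if __name__ == "__main__":
    fs = parse_findings(SAMPLE)
    print("counts:", severity_counts(fs))
    print("upgrade plan:", upgrade_plan(fs))
    print("no remediation:", unremediated(fs))
    print("gate passed:", gate(fs))
```

Pasting the full 48-row table into SAMPLE gives the corrected counts for the forem scan; the rack rows, which carry no upgrade advice, then surface in unremediated() as the set that needs a manual decision.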
