Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Adding MCP Servers to Kiro: Brave Search & Snyk Setup

Snyk
07/15/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


Let me show you. All right, within Qiro, you have a couple of different options in order to get MCP servers set up. First of all, we're going to try bringing up the command palette, which is Control-Shift-P or Command-Shift-P if you're on macOS. You're going to search for MCP. What that'll do is it'll bring you to the mcp.json configuration file. Now, one thing to note is in the bottom right-hand corner, you may get this notification indicating the MCP is currently disabled. To start using that, you need to enable it. So, we open up the settings, and what's interesting here is that at the user level, I do indeed have it enabled, but at the workspace level, it is disabled. So, I need to go and enable that, save it, and we're good to go. So, now that we're here, we have the config, and again, keep in mind that there is a user config for mcp.json and a workspace config for mcp.json. This allows you to have tight control over what MCP servers are enabled for each individual project versus at a more global user level. Now, I mentioned there's a couple different ways you can add MCP servers. One of the other ways you can add them is via the Kiro icon over on the activity bar here on the left-hand side for me. You click on that, and down here, you would see the option to enable MCP servers again as well if you wanted to go that way to enable them. Once here, you would click on the little edit icon to open MCP config, and that, again, is yet another way you can get to the MCP configuration for both the workspace and the user configuration. All right, so let's set up our first MCP server. One, there's one that came with Kiro, at least at the time of this recording, that's called Fetch, and that's disabled by default, so we can set that to false so that it is enabled now, or we could have, once it's done connecting here, from the Kiro view under the MCP servers section, you can right-click disable, disable, or enable all tools. Specifically, what this is going to do is it's going to fetch a URL from the internet and optionally extracts its contents as markdown if we wanted to do that, so that's fair, but let's add one that requires a little bit more setup, that's a little bit more feature-rich than just fetching URLs. Let's use Brave Search. So for this, I'm going to do it as a workspace config, and I'm going to give it the name of the MCP server that I want, and we're going to call it Web Search here. We're going to use the command npx, and we're going to pass in some arguments. We're going to tell it to use the Brave Search MCP server package from NPM, and the transport protocol we're going to use is standard input output, stdio, and then you're going to enter in the environment variable, Brave API key, and put in your API key. How do you get a Brave... How do you get a Brave Search API key? You need to head to brave.com slash search slash API, and sign up for a new account there. Once you're signed up, you have to choose a subscription that, like you see here under the pricing mechanism, there's free, base, and pro. You can go with free, you get one query per second, or up to 2,000 queries per month. The one caveat to that is you have to enter in a credit card even for the free tier, unfortunately, but once you do that, you're all set and you won't get charged for anything, you can start using the free level of the Brave Search API. Then once you have an account and you're signed into that account, you're going to head on over from your dashboard, you're going to click on API keys. In this page, you'll see nothing so far, but you can click on add API key, give it a name, and make sure you choose the free subscription, click add, and then you'll see that show up here. You're going to copy this value and save it for later to put into the MCP configuration in Qrote. Just to make sure it's fully clear, you're going to put it in here in place of this your API key text. You're going to paste your API key from the Brave Search API dashboard into this value here and save it. Once you save that and have an API key stored in the environment variable, you'll see this pop up, this web search MCP server. It'll spin for a few seconds to connect to the Brave Search API under your account and enable all the tools associated with that MCP server. Again, if we wanted to, we could disable the whole entire MCP server, disable all the tools, or just enable all tools from right clicking on it. For each individual, we can click on, if you click on this, this is something I learned the hard way. If you click on any individual tool, it will automatically toggle enabling and disabling that particular tool on you. So now let's go ahead and test it out. I'm going to come on over to the Qrote chat view. I'm going to choose vibe for now. We don't need a spec. I'm going to make sure autopilot is turned off here because I just want to chat with Qrote for now. So I'm going to ask it, tell me about the array.reduce function from MDN documentation. Maybe I want to learn more about that without having to search it up myself and find the right resources. Then it's going to prompt me to call that MCP tool, Brave Web Search. So I'm going to allow it to do that. It wants to go fetch. It wants to make another fetch call. And now we can see based on the MDN documentation, here's what you need to know about array.reduce. And it gives me all the information directly in the context of my development tool, rather than me having to switch context to another browser and search for these details, find the right search results that are relevant to what I'm looking for. I can learn more about this type of JavaScript reduce function on my arrays that I might be using and how to correctly use it in my code. All right. So that completes setting up the Brave Search API MCP server in Qrote. Let's add another MCP server in this case, one that will help us determine the security of our code and our open source dependencies. And that is the Snyk MCP server. To do this, we're going to open up the MCP config file in Qrote. And oh no, look here, my API key. You can see it. Go ahead and try it out. See if it works. Spoiler alert, it doesn't work. So what we need to do now is just like any other JSON file, we're going to follow the proper JSON syntax. We're going to add another property in here. We're going to call this one Snyk. And then we're going to start setting up the configuration for this. Very similar to the web search one, we're going to say the command for this is going to be npx. And then we're going to pass in some arguments to that, or brackets. All right. So we're going to use hyphen y to say yes to any prompts that are going on there. We're going to say Snyk at latest package. Then we're going to tell the Snyk command to use the MCP server from Snyk. And we're going to tell it what protocol to use, which is hyphen t, short for that. We're going to use the standard input output again, stdio. And that should set everything up nicely for us. And then we don't have any environment variables that we need to use for this one in particular. But as you can see, as soon as I save that, this started spinning and it's starting to connect to that Snyk MCP server. So I'll give it a few seconds here and it'll be ready and enabled for us. And there we go. Now we can see that that has 12 tools set up for it. Snyk AI Bomb, Snyk Auth, and all these other tools associated with the Snyk MCP server. So now let's go ahead and use it. I have a project opened up from a past video, which you can check out the link in the description below, where we generated a note-taking application using Qiro's spec-driven development. So let's use the Snyk MCP server to evaluate the security of this project. So we have a new session here with Qiro, choosing the vibe option and autopilot off again. And I'm going to ask it, please tell me about any security issues in my open source dependencies for this project. So we should see Qiro is going to start thinking and it wants to leverage Snyk here. We saw Qiro was thinking there, wants to scan my project security vulnerabilities in my open source dependencies using Snyk. So it's nice that it recognized that. Let me first get the absolute path of your project and then run a security scan with it. So we have the absolute path and now it wants to call the MCP tool, the SCA scan. All right. So that failed because I'm running on Windows and it sent in a path that's based on Unix, I think. So we're going to let it get the location this way. Finally got to a point where it's going to set up a proper path string for Snyk SCA here on Windows, that is. Now we need to trust that folder. So we're going to run Snyk trust for that folder. We're going to let that run, which prompted me on another monitor here in another browser that I'm signed into with my Snyk account. I'm going to say trust path on that. Click OK. Now it wants to run the security scan and it passed. Great news. Your project has no known security vulnerabilities and it's open source dependency Snyk scan completed successfully. I found zero issues. That's awesome to see. So great news. It finished doing this Snyk SCA scan and found that there are zero security issues in my open source dependencies. That's fantastic to see. And now I want to ask it about the code. Are there any security issues in the code? So let's run a scan of that as well. So in this case, it's recognizing that it needs to do a different security scan. In this case, a Snyk code scan. So I'm going to let it be trusted to do that. All right. And rather quickly, it came back with the results of that scan. And unfortunately, we have some security issues that we need to look into. We have a critical issue, hard-coded non-cryptographic secret, two issues of that, a medium severity issues. We have nine of those information exposure, cross-site request forgery problems and allocation of resources without limits. In addition to that, we have insecure JWT verification to issues and a couple of, well, not a couple, a bunch of low severity issues here. But one thing to note here is that the good news is most issues are in test files, which is expected. And in those situations, we can actually tell Snyk to ignore test files. By default, Snyk doesn't know that it can ignore those test files necessarily. So it assumes it is code that could be run in production and therefore alerts us to that, at least on our first initial scan of this project like this. There we have it. We have details on our security of our open source dependencies and the code that was written in this project. We can use Kiro's AI capabilities to address those security issues even further if we'd like. That's how you get set up adding MCP servers in Kiro. Now that was just two MCP servers that we demonstrated here, but I'm curious, what MCP servers are you finding to be most useful for you and your projects? Let me know in the comments below. On that note, that does it for this video. If you got value out of it, be sure to like it down below and share it with somebody who could put it to use. And if you made it this far, subscribe to the channel so you don't miss out on upcoming videos. Thanks for watching and happy safe coding, everyone.

TL;DR

  • MCP servers in Kiro can be configured at both user and workspace levels through the mcp.json file, accessed via command palette or the Kiro activity bar, with separate enable/disable controls for the feature and individual tools.
  • The Brave Search MCP server integration requires a free API key from Brave (2,000 queries/month limit) and enables in-IDE web searches, demonstrated by retrieving MDN documentation for JavaScript functions without context switching.
  • The Snyk MCP server provides security scanning capabilities for both open-source dependencies and application code, identifying vulnerabilities ranging from hard-coded secrets to CSRF issues, with 12 available security tools.
  • Both MCP servers use npx for execution with stdio transport protocol, but differ in authentication requirements: Brave uses environment variables for API keys while Snyk uses browser-based OAuth flow with folder trust permissions.

Configuring MCP Servers in Kiro

This tutorial demonstrates how to integrate Model Context Protocol (MCP) servers into Amazon Kiro, an AI-powered development environment. The video covers two primary methods for accessing MCP configuration: using the command palette (Control-Shift-P or Command-Shift-P on macOS) to open the mcp.json file, or navigating through the Kiro activity bar icon. A critical setup step involves enabling MCP at both the user and workspace levels, as the feature may be disabled by default. The configuration system supports both user-level and workspace-level settings, allowing developers to maintain different MCP server configurations for individual projects versus global preferences. The demonstration walks through enabling the built-in Fetch MCP server and then proceeds to more complex integrations requiring API keys and environment variables.

Integrating Brave Search and Snyk MCP Servers

The tutorial provides detailed setup instructions for two production MCP servers. The Brave Search integration requires obtaining an API key from brave.com/search/api, where developers can sign up for a free tier offering 2,000 queries per month at one query per second. The configuration uses npx to run the Brave Search MCP server package with stdio transport protocol and requires the API key as an environment variable. The Snyk MCP server setup follows a similar pattern but doesn't require environment variables, instead using the Snyk CLI authentication flow. The demonstration shows practical usage of both servers: Brave Search retrieves MDN documentation for JavaScript's array.reduce function directly within the IDE, while Snyk performs security scans on open-source dependencies and application code. The Snyk scan identifies multiple security issues including hard-coded secrets, CSRF vulnerabilities, and insecure JWT verification, though many issues are flagged in test files that could be excluded from future scans.

Chapters

0:00 - Introduction
0:13 - Accessing MCP Configuration
2:00 - Brave Search MCP Setup
4:30 - Testing Brave Search Integration
5:18 - Snyk MCP Server Configuration
7:08 - Running Snyk Security Scans
8:28 - Reviewing Scan Results
9:56 - Conclusion

Key Quotes

0:58 "This allows you to have tight control over what MCP servers are enabled for each individual project versus at a more global user level."
4:58 "And it gives me all the information directly in the context of my development tool, rather than me having to switch context to another browser and search for these details, find the right search results that are relevant to what I'm looking for."
8:24 "Great news. Your project has no known security vulnerabilities and it's open source dependency Snyk scan completed successfully. I found zero issues."
9:00 "We have a critical issue, hard-coded non-cryptographic secret, two issues of that, a medium severity issues. We have nine of those information exposure, cross-site request forgery problems and allocation of resources without limits."

FAQ

What are the differences between user-level and workspace-level MCP configurations in Kiro?

User-level MCP configurations apply globally across all projects, while workspace-level configurations are specific to individual projects. This allows developers to enable certain MCP servers (like security scanning tools) only for production codebases while keeping them disabled for experimental or personal projects. Both configuration files use the same mcp.json format and can be managed independently.

Does the Brave Search API free tier require a credit card, and what are the usage limits?

Yes, the Brave Search API free tier requires a credit card for signup, though no charges are incurred for free tier usage. The free tier provides 2,000 queries per month with a rate limit of one query per second. This is sufficient for individual developer use cases like documentation lookups and research within the IDE.


Categories:
  • » Cybersecurity » Application Security
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Application Security
  • DevSecOps
  • How-To
  • Technical Deep Dive
  • AI & Machine Learning
  • MCP Server Integration
  • AI-Powered Development Tools
  • Security Scanning
  • API Configuration
  • Developer Workflow Optimization
  • Static Application Security Testing
  • IDE Extensions
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Adding MCP Servers to Kiro: Brave Search & Snyk Setup

              XStreaminars (watch here)

              • Jul
                28

                Illumio + Netskope: Zero Trust in the Age of AI Autonomy

                07/28/202601:00 PM ET
                • Jul
                  29

                  Ask Your Cloud Anything: Unlocking Governance Silos in your Environments

                  07/29/202601:00 PM ET
                  More events

                  Industry Events (watch there)

                  • Jul
                    22

                    Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                    07/22/202601:00 PM ET
                    • Aug
                      19

                      Becoming Agent Ready: Insights from Cyera's Expertise

                      08/19/202612:00 PM ET
                      More events

                      Upcoming Webinar Calendar

                      • 07/21/2026
                        04:00 AM
                        07/21/2026
                        Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                        https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
                      • 07/22/2026
                        06:30 AM
                        07/22/2026
                        Insights and Strategies for Effective Data Privacy and Protection
                        https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
                      • 07/22/2026
                        01:00 PM
                        07/22/2026
                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                        https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
                      • 07/28/2026
                        01:00 PM
                        07/28/2026
                        Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                        https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
                      • 07/29/2026
                        04:00 AM
                        07/29/2026
                        Real-Time Strategies for Safeguarding Against Prompt Injections
                        https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
                      • 07/29/2026
                        01:00 PM
                        07/29/2026
                        Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                        https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
                      • 08/19/2026
                        12:00 PM
                        08/19/2026
                        Becoming Agent Ready: Insights from Cyera's Expertise
                        https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
                      • 09/02/2026
                        12:00 PM
                        09/02/2026
                        Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                        https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
                      • 09/30/2026
                        04:00 AM
                        09/30/2026
                        AI Command Center: Optimizing Visibility and Control in Your Operations
                        https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/
                      Truth in IT
                      • Sponsor
                      • About Us
                      • Terms of Service
                      • Privacy Policy
                      • Contact Us
                      • Preference Management
                      Desktop version
                      Standard version