Transcript
Let me show you. All right, within Qiro, you have a couple of different options in order to get MCP servers set up. First of all, we're going to try bringing up the command palette, which is Control-Shift-P or Command-Shift-P if you're on macOS. You're going to search for MCP. What that'll do is it'll bring you to the mcp.json configuration file. Now, one thing to note is in the bottom right-hand corner, you may get this notification indicating the MCP is currently disabled. To start using that, you need to enable it. So, we open up the settings, and what's interesting here is that at the user level, I do indeed have it enabled, but at the workspace level, it is disabled. So, I need to go and enable that, save it, and we're good to go. So, now that we're here, we have the config, and again, keep in mind that there is a user config for mcp.json and a workspace config for mcp.json. This allows you to have tight control over what MCP servers are enabled for each individual project versus at a more global user level. Now, I mentioned there's a couple different ways you can add MCP servers. One of the other ways you can add them is via the Kiro icon over on the activity bar here on the left-hand side for me. You click on that, and down here, you would see the option to enable MCP servers again as well if you wanted to go that way to enable them. Once here, you would click on the little edit icon to open MCP config, and that, again, is yet another way you can get to the MCP configuration for both the workspace and the user configuration. All right, so let's set up our first MCP server. One, there's one that came with Kiro, at least at the time of this recording, that's called Fetch, and that's disabled by default, so we can set that to false so that it is enabled now, or we could have, once it's done connecting here, from the Kiro view under the MCP servers section, you can right-click disable, disable, or enable all tools. Specifically, what this is going to do is it's going to fetch a URL from the internet and optionally extracts its contents as markdown if we wanted to do that, so that's fair, but let's add one that requires a little bit more setup, that's a little bit more feature-rich than just fetching URLs. Let's use Brave Search. So for this, I'm going to do it as a workspace config, and I'm going to give it the name of the MCP server that I want, and we're going to call it Web Search here. We're going to use the command npx, and we're going to pass in some arguments. We're going to tell it to use the Brave Search MCP server package from NPM, and the transport protocol we're going to use is standard input output, stdio, and then you're going to enter in the environment variable, Brave API key, and put in your API key. How do you get a Brave... How do you get a Brave Search API key? You need to head to brave.com slash search slash API, and sign up for a new account there. Once you're signed up, you have to choose a subscription that, like you see here under the pricing mechanism, there's free, base, and pro. You can go with free, you get one query per second, or up to 2,000 queries per month. The one caveat to that is you have to enter in a credit card even for the free tier, unfortunately, but once you do that, you're all set and you won't get charged for anything, you can start using the free level of the Brave Search API. Then once you have an account and you're signed into that account, you're going to head on over from your dashboard, you're going to click on API keys. In this page, you'll see nothing so far, but you can click on add API key, give it a name, and make sure you choose the free subscription, click add, and then you'll see that show up here. You're going to copy this value and save it for later to put into the MCP configuration in Qrote. Just to make sure it's fully clear, you're going to put it in here in place of this your API key text. You're going to paste your API key from the Brave Search API dashboard into this value here and save it. Once you save that and have an API key stored in the environment variable, you'll see this pop up, this web search MCP server. It'll spin for a few seconds to connect to the Brave Search API under your account and enable all the tools associated with that MCP server. Again, if we wanted to, we could disable the whole entire MCP server, disable all the tools, or just enable all tools from right clicking on it. For each individual, we can click on, if you click on this, this is something I learned the hard way. If you click on any individual tool, it will automatically toggle enabling and disabling that particular tool on you. So now let's go ahead and test it out. I'm going to come on over to the Qrote chat view. I'm going to choose vibe for now. We don't need a spec. I'm going to make sure autopilot is turned off here because I just want to chat with Qrote for now. So I'm going to ask it, tell me about the array.reduce function from MDN documentation. Maybe I want to learn more about that without having to search it up myself and find the right resources. Then it's going to prompt me to call that MCP tool, Brave Web Search. So I'm going to allow it to do that. It wants to go fetch. It wants to make another fetch call. And now we can see based on the MDN documentation, here's what you need to know about array.reduce. And it gives me all the information directly in the context of my development tool, rather than me having to switch context to another browser and search for these details, find the right search results that are relevant to what I'm looking for. I can learn more about this type of JavaScript reduce function on my arrays that I might be using and how to correctly use it in my code. All right. So that completes setting up the Brave Search API MCP server in Qrote. Let's add another MCP server in this case, one that will help us determine the security of our code and our open source dependencies. And that is the Snyk MCP server. To do this, we're going to open up the MCP config file in Qrote. And oh no, look here, my API key. You can see it. Go ahead and try it out. See if it works. Spoiler alert, it doesn't work. So what we need to do now is just like any other JSON file, we're going to follow the proper JSON syntax. We're going to add another property in here. We're going to call this one Snyk. And then we're going to start setting up the configuration for this. Very similar to the web search one, we're going to say the command for this is going to be npx. And then we're going to pass in some arguments to that, or brackets. All right. So we're going to use hyphen y to say yes to any prompts that are going on there. We're going to say Snyk at latest package. Then we're going to tell the Snyk command to use the MCP server from Snyk. And we're going to tell it what protocol to use, which is hyphen t, short for that. We're going to use the standard input output again, stdio. And that should set everything up nicely for us. And then we don't have any environment variables that we need to use for this one in particular. But as you can see, as soon as I save that, this started spinning and it's starting to connect to that Snyk MCP server. So I'll give it a few seconds here and it'll be ready and enabled for us. And there we go. Now we can see that that has 12 tools set up for it. Snyk AI Bomb, Snyk Auth, and all these other tools associated with the Snyk MCP server. So now let's go ahead and use it. I have a project opened up from a past video, which you can check out the link in the description below, where we generated a note-taking application using Qiro's spec-driven development. So let's use the Snyk MCP server to evaluate the security of this project. So we have a new session here with Qiro, choosing the vibe option and autopilot off again. And I'm going to ask it, please tell me about any security issues in my open source dependencies for this project. So we should see Qiro is going to start thinking and it wants to leverage Snyk here. We saw Qiro was thinking there, wants to scan my project security vulnerabilities in my open source dependencies using Snyk. So it's nice that it recognized that. Let me first get the absolute path of your project and then run a security scan with it. So we have the absolute path and now it wants to call the MCP tool, the SCA scan. All right. So that failed because I'm running on Windows and it sent in a path that's based on Unix, I think. So we're going to let it get the location this way. Finally got to a point where it's going to set up a proper path string for Snyk SCA here on Windows, that is. Now we need to trust that folder. So we're going to run Snyk trust for that folder. We're going to let that run, which prompted me on another monitor here in another browser that I'm signed into with my Snyk account. I'm going to say trust path on that. Click OK. Now it wants to run the security scan and it passed. Great news. Your project has no known security vulnerabilities and it's open source dependency Snyk scan completed successfully. I found zero issues. That's awesome to see. So great news. It finished doing this Snyk SCA scan and found that there are zero security issues in my open source dependencies. That's fantastic to see. And now I want to ask it about the code. Are there any security issues in the code? So let's run a scan of that as well. So in this case, it's recognizing that it needs to do a different security scan. In this case, a Snyk code scan. So I'm going to let it be trusted to do that. All right. And rather quickly, it came back with the results of that scan. And unfortunately, we have some security issues that we need to look into. We have a critical issue, hard-coded non-cryptographic secret, two issues of that, a medium severity issues. We have nine of those information exposure, cross-site request forgery problems and allocation of resources without limits. In addition to that, we have insecure JWT verification to issues and a couple of, well, not a couple, a bunch of low severity issues here. But one thing to note here is that the good news is most issues are in test files, which is expected. And in those situations, we can actually tell Snyk to ignore test files. By default, Snyk doesn't know that it can ignore those test files necessarily. So it assumes it is code that could be run in production and therefore alerts us to that, at least on our first initial scan of this project like this. There we have it. We have details on our security of our open source dependencies and the code that was written in this project. We can use Kiro's AI capabilities to address those security issues even further if we'd like. That's how you get set up adding MCP servers in Kiro. Now that was just two MCP servers that we demonstrated here, but I'm curious, what MCP servers are you finding to be most useful for you and your projects? Let me know in the comments below. On that note, that does it for this video. If you got value out of it, be sure to like it down below and share it with somebody who could put it to use. And if you made it this far, subscribe to the channel so you don't miss out on upcoming videos. Thanks for watching and happy safe coding, everyone.