Snyk is a developer-first security tool that performs vulnerability scanning for dependencies in various programming languages and platforms. It integrates with the development workflow to detect, prioritize, and fix vulnerabilities in open-source dependencies and containers. Snyk also provides license compliance and security policy enforcement features.
Vulnerability Scanning
Scans the project's dependencies for known vulnerabilities. This command is run in the terminal within the project's directory.
snyk testMonitoring Project
Takes a snapshot of the current state of the project's dependencies and monitors them for newly disclosed vulnerabilities over time. This command is also run in the terminal within the project's directory.
snyk monitorFixing Vulnerabilities
Guides the user through the process of fixing detected vulnerabilities interactively. This command is executed in the terminal and may offer upgrade or patch options for the issues found.
snyk wizardContainer Vulnerability Management
Scans container images for vulnerabilities. Replace <image_name> with the name of the container image you want to test.
snyk container test <image_name>Infrastructure as Code (IaC) Analysis
Analyzes Infrastructure as Code files to find security issues and misconfigurations. This command is used in the terminal where the IaC files are located.
snyk iac testBuilt into the npm CLI, npm-audit provides a similar vulnerability scanning feature for npm packages. It automatically reviews the project's dependencies for known security issues but is limited to the npm ecosystem and does not offer the same breadth of language and platform support as Snyk.
Note: Snyk is currently only available for private beta testing. If you're not a part of the private beta and want to be, please email us.
Snyk will help you reduce the security risk introduced by the use of third party dependencies. It informs you of known vulnerabilities in the packages used in your projects, helps you fix those issues, and alerts you when new vulnerabilities are disclosed.
Snyk is easy to integrate into your Continuous Integration system, where you can patch individually chosen vulnerabilities and warn or err on new ones. If you own an open source project and have a vulnerable downstream dependency, snyk can ensure the vulnerability is patched as part of your app/package installation process.
Snyk is currently only available for Node.js projects. More language will be supported in the future.
The Snyk CLI tool is installed via npm. From your terminal, simply run the following command:
npm install -g snyk
You now have snyk installed as a command line utility, and are ready to auth and use Snyk.
During the private beta, you will need to authenticate with snyk before being able to use any of it's features. Once public, it's likely test and protect will be available without the need to auth.
Authentication requires you to have a GitHub account, but does not require access to your repositories - we simply use Github to spare you managing another set of credentials. Run snyk auth and follow the on screen instructions.
If you are authenticating on a remote machine (that doesn't have access to open a browser to GitHub) you can use your API key from https://snyk.io and authenticate directly on the command line using snyk auth <key>.
Once authenticated, you can use the following commands:
snyk testsnyk protectsnyk monitor# example uses
snyk test
snyk test ionic@1.6.5
snyk test lodash
Using snyk test without an argument will test the current working directory and walk the local dependencies and installed versions. It will then give you a report on whether there are any known vulnerabilities in those dependencies and suggest any remediation you can take. Since snyk test looks at the locally installed modules, it needs to run after npm install, and will seamlessly work with shrinkwrap, npm enterprise or any other custom installation logic you have.
The test command also accepts a package and version as an optional argument. If you wanted to test a module you don't have locally, you can snyk test module[@semver-range].
If snyk test found vulnerabilities, the process with exit with a non-zero exit code. Our recommendation is that you add snyk test to your CI tests, failing the tests (and build) if a known vulnerability is found. Note that snyk test can ignore vulnerabilities specified in the .snyk file, as explained in the protect section.
Snyk's protect functionality allows you to patch vulnerabilities that can't be remediated through an upgrade (not yet available in this stage of the private beta, but coming soon).
Running snyk protect without parameters will follow the instructions specified in the .snyk configuration file. To generate the initial .snyk file, start by running protect in interactive mode by typing snyk protect --interactive.This will prompt you asking what to do about each vulnerability, giving you the following options:
Upgrade - if upgrading a direct dependency can fix the current vulnerability, snyk protect can automatically modify your Package.json file to use the newer version.Ignore - If you believe this vulnerability does not apply to you, or if the dependent module in question never runs on a production system, you can choose to ignore the vulnerability. By default, we will ignore the vulnerability for 30 days, to avoid easily hiding a true issue. If you want to ignore it permanently, you can edit the generated .snyk file.Patch - We maintain a growing database of patches that can fix a vulnerability by locally modifying the releant dependency files. If there's no available upgrade, or if you cannot upgrade due to functional reasons (e.g. it's a major breaking change), you should patch. If you patched at least one known vulnerability, snyk protect --interactive will also add snyk protect (no parameters) to your Package.json post-install step. Note: patch is not yet enabled in the private beta, it will be soon. In the meantime, patch will be replaced with a short ignore.Once you generated the .snyk file, add it to your source code repository, and add snyk protect to your CI process. snyk protect should run after npm install (and any other installation steps), so all the modules are in place and can be patched, but before snyk test, so that new (and not ignored) vulnerabilities will still fail the test.
With test and protect, you should be well setup to address currently known vulnerabilities. However, new vulnerabilities are constantly disclosed, which is where monitor comes in.
Just before you deploy, run snyk monitor in your project directory. This will post a snapshot of your full dependency tree to Snyk's servers, where they will be stored. Those dependencies will be tracked for newly discolsed vulnerabilities, and we will alert you if a new vulnerability related to those dependencies is disclosed.
# example uses
cd ~/dev/acme-project
snyk monitor
# a snyk.io monitor response URL is returned
While we use multiple sources to determine vulnerabilities, the primary (current) source is the Node Security project.
FAQs
snyk library and cli utility
The npm package snyk receives a total of 177,929 weekly downloads. As such, snyk popularity was classified as popular.
We found that snyk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.
Security News
vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.