Snyk is a developer-first security tool that performs vulnerability scanning for dependencies in various programming languages and platforms. It integrates with the development workflow to detect, prioritize, and fix vulnerabilities in open-source dependencies and containers. Snyk also provides license compliance and security policy enforcement features.
Vulnerability Scanning
Scans the project's dependencies for known vulnerabilities. This command is run in the terminal within the project's directory.
snyk testMonitoring Project
Takes a snapshot of the current state of the project's dependencies and monitors them for newly disclosed vulnerabilities over time. This command is also run in the terminal within the project's directory.
snyk monitorFixing Vulnerabilities
Guides the user through the process of fixing detected vulnerabilities interactively. This command is executed in the terminal and may offer upgrade or patch options for the issues found.
snyk wizardContainer Vulnerability Management
Scans container images for vulnerabilities. Replace <image_name> with the name of the container image you want to test.
snyk container test <image_name>Infrastructure as Code (IaC) Analysis
Analyzes Infrastructure as Code files to find security issues and misconfigurations. This command is used in the terminal where the IaC files are located.
snyk iac testBuilt into the npm CLI, npm-audit provides a similar vulnerability scanning feature for npm packages. It automatically reviews the project's dependencies for known security issues but is limited to the npm ecosystem and does not offer the same breadth of language and platform support as Snyk.
Snyk helps you find and fix known vulnerabilities in your Node.js dependencies, both ad hoc and as part of your CI (Build) system.
Note: Snyk is currently in beta. Email us your feedback.
Snyk is installed via npm. Run these commands to install it for local use:
npm install -g snyk
Once installed, you can perform a quick test on a public package, for instance:
snyk test ionic@1.6.5
As you can see, Snyk found and reported several vulnerabilities in the package. For each issue found, Snyk provides the severity of the issue, a link to a detailed description, the path through which the vulnerable module got into your system, and guidance on how to fix the problem.
$ snyk test
✗ Vulnerability found on gm@1.13.3
Info: https://dev.snyk.io/vuln/npm:gm:20151026
From: snyk-demo-app@latest > gm@1.13.3
Upgrade direct dependency gm@1.13.3 to gm@1.21.1
✗ Vulnerability found on qs@0.6.6
Info: https://dev.snyk.io/vuln/npm:qs:20140806
From: snyk-demo-app@latest > webdriverio@2.4.5 > request@2.34.0 > qs@0.6.6
Upgrade direct dependency webdriverio@2.4.5 to webdriverio@3.0.1 (triggers upgrades to request@2.40.0 > qs@1.0.0)
✗ Vulnerability found on qs@0.4.2
Info: https://dev.snyk.io/vuln/npm:qs:20140806-1
From: snyk-demo-app@latest > cucumber@0.3.0 > connect@2.3.2 > qs@0.4.2
No direct dependency upgrade can address this issue.
Run `snyk wizard` to explore remediation options
In the next sections we'll explain how to run the same test on your own projects.
Some Snyk commands require authentication. We use GitHub for authentication, but do not require access to your repositories, only your email address. You can authenticate by browsing to the Snyk website, clicking "Sign Up", and pasting in the lines from your dashboard, which look roughly like this:
snyk auth <your key>
Alternatively, you can simply run snyk auth in your terminal and it'll guide you through this process. Once authenticated, you can proceed to run Snyk's wizard.
Snyk's wizard walks you through finding and fixing the known vulnerabilities in your project. It leverages the separate test, protect and monitor actions, supported by an interactive workflow. To run the wizard, simply navigate to your project folder and run snyk wizard like so:
cd ~/projects/
snyk wizard
The wizard goes through multiple phases.
First, it takes stock of which dependencies are locally installed, queries the snyk service for related known vulnerabilities, and asks you how you want to address each vulnerability that was found. As you answer the questions, the wizard will create a Snyk policy file, stored in a file named .snyk, which will guide future Snyk commands.
Here are the possible remediation steps for each vulnerability:
package.json file to use the newer version and run npm update to apply the changes.snyk protect, as shown below..snyk file. If neither a patch nor an upgrade are available, you can choose to ignore the issue for now, and we'll notify you when a new patch or upgrade is available.$ snyk wizard
Snyk's wizard will:
* Enumerate your local dependencies and query Snyk's servers for vulnerabilities
* Guide you through fixing found vulnerabilities
* Create a .snyk policy file to guide snyk commands such as test and protect
* Remember your dependencies to alert you when new vulnerabilities are disclosed
Loading dependencies...
Querying vulnerabilities database...
Tested 228 dependencies for known vulnerabilities, found 5 vulnerabilities.
? High severity vulnerability found in gm@1.13.3
- info: https://dev.snyk.io/vuln/npm:gm:20151026
- from: snyk-demo-app@latest > gm@1.13.3 Upgrade
? Medium severity vulnerability found in qs@0.6.6
- info: https://dev.snyk.io/vuln/npm:qs:20140806
- from: snyk-demo-app@latest > webdriverio@2.4.5 > request@2.34.0 > qs@0.6.6
Upgrade to webdriverio@3.0.1
❯ Patch (modifies files locally, updates policy for `snyk protect` runs)
Set to ignore for 30 days (updates policy)
Skip
Once all the issues are addressed, snyk wizard will optionally integrate some tests and protection steps into your package.json file.
It can add snyk test to the test script, which will query your local dependencies for vulnerabilities and err if found (except those you chose to ignore). In addition, if you chose to patch an issue, the wizard will also optionally add snyk protect to your project as a post-install step. This is helpful if you publish this module, as it will repeatedly patch the issues specified in .snyk every time a module is installed.
Once you've gone through all the issues, the wizard will create the .snyk file, modify package.json and run npm update to apply the changes. Lastly, the wizard will take a snapshot of your current dependencies (similar to running snyk monitor), so we can inform you of newly disclosed vulnerabilities in them, or when a previously unavailable patch or upgrade path are created.
.snyk file to your repository.snyk wizard --ignore-policy.wizard and test ignore devDependencies. To test those, add the --dev flag.To only test your project for known vulnerabilities, browse to your project's folder and run snyk test:
cd ~/projects/myproj/
snyk test
snyk test takes stock of all the local dependencies and queries the snyk service for related known vulnerabilities. It displays the found issues along with additional information, and suggests remediation steps. Since snyk test looks at the locally installed modules, it needs to run after npm install, and will seamlessly work with shrinkwrap, npm enterprise or any other custom installation logic you have.
snyk test can also get a folder name as an argument, which is especially handy if you want to test multiple projects. For instance, the following command tests all the projects under a certain folder for known vulnerabilities:
cd ~/projects/
snyk test *
Lastly, you can also use snyk test to scrutinize a public package before installing it, to see if it has known vulnerabilities or not. Using the package name will test the latest version of that package, and you can also provide a specific version or range using snyk test module[@semver-range].
snyk test lodash
snyk test ionic@1.6.5
To address the issues snyk test found, run snyk wizard.
The protect command applies the patches specified in your .snyk file to the local file system. You should only run snyk protect after you've created a .snyk file and installed your local dependencies (e.g. by running npm install).
Since running protect is the way to repeatedly apply patches, you should run it every time you reinstall your modules. Common integration points would be your CI/build system, your deployment system, and adding it as a post-install step in your package.json file (necessary if you consume this module via npm).
With test and protect, you're well set up to address currently known vulnerabilities. However, new vulnerabilities are constantly disclosed - which is where monitor comes in.
cd ~/projects/myproject/
snyk monitor
Just before you deploy, run snyk monitor in your project directory. This will take a snapshot of your current dependencies, so we can notify you about newly disclosed vulnerabilities in them, or when a previously unavailable patch or upgrade path are created. If you take multiple snapshots of the same application, we will only alert you to new information about the latest one.
$ snyk monitor
Captured a snapshot of this project's dependencies. Explore this snapshot at https://app.snyk.io/monitor/1a53f19a-f64f-44ab-b122-74ce82c1c34b
Notifications about newly disclosed vulnerabilities related to these dependencies will be emailed to you.
To continuously avoid known vulnerabilities in your dependencies, integrate Snyk into your continuous integration (a.k.a. build) system. Here are the steps required to to so:
snyk to your project's dependencies (npm install -S snyk), and commit the modified package.json file..snyk file you generated was added to your source control (git add .snyk).npm install steps in your CI, run snyk protect to apply any necessary patches.snyk test to identify on any known vulnerabilities not already ignored or patched. If such vulnerabilities were found, snyk test will return a non-zero value to fail the test.While we use multiple sources to determine vulnerabilities, the primary (current) source is the Node Security project.
FAQs
snyk library and cli utility
The npm package snyk receives a total of 415,563 weekly downloads. As such, snyk popularity was classified as popular.
We found that snyk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Ransomware negotiators share how modern cybercriminals operate like corporations, using specialized teams, negotiation tactics, and reputation management.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.