Security News
ESLint is Now Language-Agnostic: Linting JSON, Markdown, and Beyond
ESLint has added JSON and Markdown linting support with new officially-supported plugins, expanding its versatility beyond JavaScript.
Snyk is a developer-first security tool that performs vulnerability scanning for dependencies in various programming languages and platforms. It integrates with the development workflow to detect, prioritize, and fix vulnerabilities in open-source dependencies and containers. Snyk also provides license compliance and security policy enforcement features.
Vulnerability Scanning
Scans the project's dependencies for known vulnerabilities. This command is run in the terminal within the project's directory.
snyk test
Monitoring Project
Takes a snapshot of the current state of the project's dependencies and monitors them for newly disclosed vulnerabilities over time. This command is also run in the terminal within the project's directory.
snyk monitor
Fixing Vulnerabilities
Guides the user through the process of fixing detected vulnerabilities interactively. This command is executed in the terminal and may offer upgrade or patch options for the issues found.
snyk wizard
Container Vulnerability Management
Scans container images for vulnerabilities. Replace <image_name> with the name of the container image you want to test.
snyk container test <image_name>
Infrastructure as Code (IaC) Analysis
Analyzes Infrastructure as Code files to find security issues and misconfigurations. This command is used in the terminal where the IaC files are located.
snyk iac test
Built into the npm CLI, npm-audit provides a similar vulnerability scanning feature for npm packages. It automatically reviews the project's dependencies for known security issues but is limited to the npm ecosystem and does not offer the same breadth of language and platform support as Snyk.
Snyk scans and monitors your projects for security vulnerabilities.
Snyk is a developer-first cloud-native security tool. It covers multiple areas of application security:
Learn more about what Snyk can do and sign up for a free account ยป
Snyk CLI brings the functionality of Snyk into your development workflow. It can be run locally or in your CI/CD pipeline to scan your projects for security issues.
Snyk supports many languages and tools, including Java, .NET, JavaScript, Python, Golang, PHP, C/C++, Ruby, Scala and more. See our Language Support documentation.
CLI also supports Docker scanning and Terraform, k8s and other Infrastructure as Code files scanning.
Snyk CLI can be installed through multiple channels.
Snyk CLI is available as an npm package. If you have Node.js installed locally, you can install it by running:
npm install snyk@latest -g
or if you are using Yarn:
yarn global add snyk
Use GitHub Releases to download a standalone executable of Snyk CLI for your platform.
We also provide these standalone executables on our official CDN. See the release.json
file for the download links:
https://static.snyk.io/cli/latest/release.json
# Or for specific version or platform
https://static.snyk.io/cli/v1.666.0/release.json
https://static.snyk.io/cli/latest/snyk-macos
For example, to download and run the latest Snyk CLI on macOS, you could run:
curl https://static.snyk.io/cli/latest/snyk-macos -o snyk
chmod +x ./snyk
mv ./snyk /usr/local/bin/
You can also use these direct links to download the executables:
Drawback of this method is, that you will have to manually keep the Snyk CLI up to date.
Install Snyk CLI from Snyk tap with Homebrew by running:
brew tap snyk/tap
brew install snyk
Install Snyk CLI from our Snyk bucket with Scoop on Windows:
scoop bucket add snyk https://github.com/snyk/scoop-snyk
scoop install snyk
Snyk CLI can also be run from a Docker image. Snyk offers multiple Docker images under snyk/snyk-cli and snyk/snyk (snyk/images on GitHub for more details).
These images wrap the Snyk CLI and depending on the Tag come with a relevant tooling for different projects. For example scanning a Gradle project with snyk/snyk-cli:
docker run -it
-e "SNYK_TOKEN=<TOKEN>"
-e "USER_ID=1234"
-v "<PROJECT_DIRECTORY>:/project"
-v "/home/user/.gradle:/home/node/.gradle"
snyk/snyk-cli:gradle-5.4 test --org=my-org-name
Snyk also offers many integrations into developer tooling. These integrations will install and manage the Snyk CLI for you. For example:
Once you installed the Snyk CLI, you can verify it's working by running
snyk --version
Snyk CLI depends on Snyk.io APIs. Connect your Snyk CLI with Snyk.io by running:
snyk auth
If you are already in a folder with a supported project, start by running:
snyk test
Or scan a Docker image by its tag with Snyk Container:
snyk container test ubuntu:18.04
Or a k8s file:
snyk iac test /path/to/kubernetes_file.yaml
Snyk can also monitor your project periodically and alert you for new vulnerabilities. The snyk monitor
is similar to snyk test
and can be used to create a project on the Snyk website that will be continuously monitored for new vulnerabilities.
> snyk monitor
Monitoring /project (project-name)...
Explore this snapshot at https://app.snyk.io/org/my-org/project/29361c2c-9005-4692-8df4-88f1c040fa7c/history/e1c994b3-de5d-482b-9281-eab4236c851e
Notifications about newly disclosed issues related to these dependencies will be emailed to you.
Snyk is really powerful when you are continuously scanning and monitoring your projects for vulnerabilities.
Use one of our integrations to stay secure.
You can authorize Snyk CLI in your CI/CD programatically:
# Using a SNYK_TOKEN envvar (preferred)
SNYK_TOKEN=<SNYK_API_TOKEN> snyk test
# Or using a Snyk auth command
snyk auth <SNYK_API_TOKEN>
snyk test
Here are some flags that you might find useful:
--severity-threshold=low|medium|high|critical
Only report vulnerabilities of provided level or higher.
--json
Prints results in JSON format.
--all-projects
Auto-detect all projects in working directory
See all the available commands and options by running --help
:
snyk --help
# or get help for a specific command like
snyk iac --help
snyk code --help
We recommend reaching out via the support@snyk.io email whenever you need help with Snyk CLI or Snyk in general.
GitHub Issues on any Snyk project are not actively monitored by Snyk support.
This project is open source but we don't encourage outside contributors. You may look into design decisions in the Snyk CLI.
This repository is a monorepo, also covering other projects and tools:
For any security issues or concerns, please see SECURITY.md file in this repository.
Made with ๐ by Snyk
FAQs
snyk library and cli utility
The npm package snyk receives a total of 374,560 weekly downloads. As such, snyk popularity was classified as popular.
We found that snyk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago.ย It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
ESLint has added JSON and Markdown linting support with new officially-supported plugins, expanding its versatility beyond JavaScript.
Security News
Members Hub is conducting large-scale campaigns to artificially boost Discord server metrics, undermining community trust and platform integrity.
Security News
NIST has failed to meet its self-imposed deadline of clearing the NVD's backlog by the end of the fiscal year. Meanwhile, CVE's awaiting analysis have increased by 33% since June.