Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Snyk is a developer-first security tool that performs vulnerability scanning for dependencies in various programming languages and platforms. It integrates with the development workflow to detect, prioritize, and fix vulnerabilities in open-source dependencies and containers. Snyk also provides license compliance and security policy enforcement features.
Vulnerability Scanning
Scans the project's dependencies for known vulnerabilities. This command is run in the terminal within the project's directory.
snyk test
Monitoring Project
Takes a snapshot of the current state of the project's dependencies and monitors them for newly disclosed vulnerabilities over time. This command is also run in the terminal within the project's directory.
snyk monitor
Fixing Vulnerabilities
Guides the user through the process of fixing detected vulnerabilities interactively. This command is executed in the terminal and may offer upgrade or patch options for the issues found.
snyk wizard
Container Vulnerability Management
Scans container images for vulnerabilities. Replace <image_name> with the name of the container image you want to test.
snyk container test <image_name>
Infrastructure as Code (IaC) Analysis
Analyzes Infrastructure as Code files to find security issues and misconfigurations. This command is used in the terminal where the IaC files are located.
snyk iac test
Built into the npm CLI, npm-audit provides a similar vulnerability scanning feature for npm packages. It automatically reviews the project's dependencies for known security issues but is limited to the npm ecosystem and does not offer the same breadth of language and platform support as Snyk.
Snyk is a developer-first, cloud-native security tool to scan and monitor your software development projects for security vulnerabilities. Snyk scans multiple content types for security issues:
Learn more about what Snyk can do and sign up for a free account.
The Snyk CLI brings the functionality of Snyk into your development workflow. You can run the CLI locally from the command line or in an IDE. You can also run the CLI in your CI/CD pipeline. The following shows an example of Snyk CLI test command output.
Snyk CLI test command output
Snyk CLI scanning supports many languages and tools. For detailed information, see the following:
This page explains how to install, authenticate, and start scanning using the CLI. Snyk also has an onboarding wizard to guide you through these steps. For a demonstration, view Starting with Snyk: an overview of the CLI onboarding flow.
To use the CLI, you must install it and authenticate your machine. See Install or update the Snyk CLI and Authenticate the CLI with your account. You can refer to the release notes for a summary of changes in each release. Before scanning your code, review the Code execution warning for Snyk CLI.
Note: Before you can use the CLI for Open Source scanning, you must install your package manager. The needed third-party tools, such as Gradle or Maven, must be in the PATH
.
You can use the CLI in your IDE or CI/CD environment. For details, see Install as part of a Snyk integration.
After authenticating, you can test your installation. For a quick test, run snyk --help
.
Alternatively, you can perform a quick test on a public npm package, for example snyk test ionic
.
Look at the test
command report in your terminal. The report shows the vulnerabilities Snyk found in the package. For each issue found, Snyk reports the severity of the issue, provides a link to a detailed description, reports the path through which the vulnerable module got into your system, and provides guidance on how to fix the problem.
Note: Before using the Snyk CLI to test your Open Source Project for vulnerabilities, with limited exceptions, you must build your Project. For details, see Open Source Projects that must be built before testing.
In addition, depending on the language of your open-source Project, you may need to set up your language environment before using the Snyk CLI. For details, refer to Supported languages, frameworks, and feature availability overview.
After you have installed the CLI and authenticated your machine, to scan an open-source Project, use cd /my/project/
to change the current directory toa
folder containing a supported package manifest file, such as package.json
, pom.xml
, or composer.lock
. Then run snyk test
. All vulnerabilities identified are listed, including their path and fix guidance.
To scan your source code run snyk code test
.
You can scan a Docker image by its tag running, for example: snyk container test ubuntu:18.04
.
To scan a Kubernetes (K8s) file run the following:
snyk iac test /path/to/kubernetes_file.yaml
For details about using the Snyk CLI to scan each content type, see the following:
test
and monitor
commandsSnyk can monitor your Open Source or Container integrated SCM Project periodically and alert you to new vulnerabilities. To set up your Project to be monitored, run snyk monitor
or snyk container monitor
.
This creates a snapshot of your current dependencies so Snyk can regularly scan your code. Snyk can then alert you about newly disclosed vulnerabilities as they are introduced or when a previously unavailable patch or upgrade path is created. The following code shows an example of the output of the snyk monitor
command.
> snyk monitor
Monitoring /project (project-name)...
Explore this snapshot at
https://app.snyk.io/org/my-org/project/29361c2c-9005-4692
-8df4-88f1c040fa7c/history/e1c994b3-de5d-482b-9281-eab4236c851e
Notifications about newly disclosed issues related to these
dependencies will be emailed to you.
You can log in to your Snyk account and navigate to the Projects page to find the latest snapshot and scan results:
Snyk monitor snapshot and scan results
For more information, see Monitor your Projects at regular intervals.
Snyk allows unlimited tests for public repositories. If you are on the Free plan, you have a limited number of tests per month. Paid plans have unlimited tests on private and public repositories. If you are on the Free plan and notice that your test count is quickly being used, even with public repositories, you can remedy this by telling Snyk the public url of the repository that is being scanned by the Snyk CLI. This ensures that Snyk does not count a public repository towards the test limits.
If you run out of tests on an open-source Project, follow these steps:
snyk monitor
.Run snyk help
or see the CLI commands and options summary.
See the course Introduction to the Snyk CLI for a quick video training session.
Snyk also provides a cheat sheet (blog post) and a video tutorial.
In particular, see the information about the following options that you may find useful:
--severity-threshold=low|medium|high|critical
: Report only vulnerabilities of the specified level or higher.--json
: Print results in JSON format.--all-projects
: Auto-detect all Projects in the working directory.For detailed information about the CLI, see the CLI docs.
Submit a ticket to Snyk support whenever you need help with the Snyk CLI or Snyk in general. Note that Snyk support does not actively monitor GitHub Issues on any Snyk development project.
For any security issues or concerns, see the SECURITY.md file in the GitHub repository.
Effective July 22, 2024, Snyk CLI will no longer accept external contributions.
Due to the CLI's extensive usage and intricate nature, even minor modifications can have unforeseen consequences. Since introducing release channels to our code in April 2024, our focus has been on stabilizing releases. We believe this open-source, closed-contribution model best serves this goal.
In the spirit of transparency to Snyk customers and CLI users, we will continue to working in public. However, going forward, we are closed to contributions.
We appreciate and extend our gratitude to the Snyk community.
FAQs
snyk library and cli utility
We found that snyk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.