snyk/cli

Snyk CLI scans and monitors your projects for security vulnerabilities.
Introduction to Snyk and the Snyk CLI

Snyk is a developer-first, cloud-native security tool to scan and monitor your software development projects for security vulnerabilities. Snyk scans multiple content types for security issues:

  • Snyk Open Source: Find and automatically fix open-source vulnerabilities
  • Snyk Code: Find and fix vulnerabilities in your application code in real time
  • Snyk Container: Find and fix vulnerabilities in container images and Kubernetes applications
  • Snyk IaC: Find and fix insecure configurations in Terraform and Kubernetes code

Learn more about what Snyk can do and sign up for a free account.

The Snyk CLI brings the functionality of Snyk into your development workflow. You can run the CLI locally from the command line or in an IDE. You can also run the CLI in your CI/CD pipeline. The following shows an example of Snyk CLI test command output.

(Image: Snyk CLI test command output example)

Snyk CLI scanning supports many languages and tools. For detailed information, see the following:

This page explains how to install, authenticate, and start scanning using the CLI. Snyk also has an onboarding wizard to guide you through these steps. For a demonstration, view Starting with Snyk: an overview of the CLI onboarding flow.

Install the Snyk CLI and authenticate your machine

To use the CLI, you must install it and authenticate your machine. See Install or update the Snyk CLI and Authenticate the CLI with your account. You can refer to the release notes for a summary of changes in each release. Before scanning your code, review the Code execution warning for Snyk CLI.

Note: Before you can use the CLI for Open Source scanning, you must install your package manager. The needed third-party tools, such as Gradle or Maven, must be in the PATH.

You can also install the CLI in your IDE or CI/CD environment. For details, see the IDE and CI/CD documentation for instructions for each integration.

Test your installation

After authenticating, you can test your installation. For a quick test, run snyk --help.

Alternatively, you can perform a quick test on a public npm package, for example snyk test ionic.

Look at the test command report in your terminal. The report shows the vulnerabilities Snyk found in the package. For each issue found, Snyk reports the severity of the issue, provides a link to a detailed description, reports the path through which the vulnerable module got into your system, and provides guidance on how to fix the problem.

Scan your development Project

Note: Before using the Snyk CLI to test your Open Source Project for vulnerabilities, with limited exceptions, you must build your Project. For details, see Open Source Projects that must be built before testing.

In addition, depending on the language of your open-source Project, you may need to set up your language environment before using the Snyk CLI. For details, refer to Supported languages, package managers, and frameworks.

After you have installed the CLI and authenticated your machine, to scan an open-source Project, use cd /my/project/ to change the current directory to a folder containing a supported package manifest file, such as package.json, pom.xml, or composer.lock. Then run snyk test. All vulnerabilities identified are listed, including their path and fix guidance.

To scan your source code, run snyk code test.

You can scan a Docker image by its tag by running, for example: snyk container test ubuntu:18.04.

To scan a Kubernetes (K8s) file, run the following:
snyk iac test /path/to/kubernetes_file.yaml
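The steps above pick a different Snyk CLI command depending on what is in the directory: snyk test needs a supported manifest, snyk code test works on the source tree, and snyk iac test takes a Kubernetes file. The following shell wrapper is an added example, not part of the snyk/cli README or the CLI itself: it inspects a directory, plans which of those scans apply, and only then runs them. The CLI commands are the ones named on this page; the helper names (find_manifests, find_k8s_files, plan_scans, run_scans) and the "top-level kind: key means Kubernetes" heuristic are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the snyk/cli README): decide which Snyk CLI
# scans apply to a directory before running them. Assumes the CLI is
# installed, authenticated and on PATH, as described above.

# Manifests named on the page as examples of what `snyk test` needs.
MANIFESTS="package.json pom.xml composer.lock"

# Print the Open Source manifests found directly in $1, one per line.
find_manifests() {
  dir=$1
  for m in $MANIFESTS; do
    [ -f "$dir/$m" ] && printf '%s\n' "$m"
  done
  return 0
}

# Print YAML files in $1 that look like Kubernetes resources, i.e. that
# carry a top-level "kind:" key. This heuristic is the example's own.
find_k8s_files() {
  dir=$1
  for f in "$dir"/*.yaml "$dir"/*.yml; do
    [ -f "$f" ] || continue
    if grep -q '^kind:' "$f"; then
      printf '%s\n' "$f"
    fi
  done
  return 0
}

# Emit the scan plan for $1 as "<type> <argument>" lines:
#   opensource <dir>  -> (cd <dir> && snyk test)
#   code <dir>        -> (cd <dir> && snyk code test)
#   iac <file>        -> snyk iac test <file>
plan_scans() {
  dir=$1
  if [ -n "$(find_manifests "$dir")" ]; then
    printf 'opensource %s\n' "$dir"
  fi
  printf 'code %s\n' "$dir"
  find_k8s_files "$dir" | while IFS= read -r f; do
    printf 'iac %s\n' "$f"
  done
}

# Execute the plan. Each snyk command exits non-zero when it reports
# issues, so the wrapper's status reflects the worst result. The plan is
# fed through a here-document rather than a pipe so that rc survives
# (a piped while loop would run in a subshell in POSIX sh).
run_scans() {
  dir=$1
  rc=0
  while read -r kind target; do
    [ -n "$kind" ] || continue
    case $kind in
      opensource) (cd "$target" && snyk test) || rc=1 ;;
      code)       (cd "$target" && snyk code test) || rc=1 ;;
      iac)        snyk iac test "$target" || rc=1 ;;
    esac
  done <<EOF
$(plan_scans "$dir")
EOF
  return $rc
}

# Usage: ./scan.sh /my/project
if [ $# -gt 0 ]; then
  run_scans "$1"
fi
```

Running plan_scans on its own is a cheap dry run: it shows which commands would be issued without spending any of the test quota discussed later on this page.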

For details about using the Snyk CLI to scan each content type, see the following:

Monitor your Open Source or Container Project

Snyk can monitor your Open Source or Container integrated SCM Project periodically and alert you to new vulnerabilities. To set up your Project to be monitored, run snyk monitor or snyk container monitor.

This creates a snapshot of your current dependencies so Snyk can regularly scan your code. Snyk can then alert you about newly disclosed vulnerabilities as they are introduced or when a previously unavailable patch or upgrade path is created. The following code shows an example of the output of the snyk monitor command.

> snyk monitor
Monitoring /project (project-name)...

Explore this snapshot at https://app.snyk.io/org/my-org/project/29361c2c-9005-4692-8df4-88f1c040fa7c/history/e1c994b3-de5d-482b-9281-eab4236c851e

Notifications about newly disclosed issues related to these dependencies will be emailed to you.

You can log in to your Snyk account and navigate to the Projects page to find the latest snapshot and scan results:

(Image: Snyk monitor snapshot and scan results)

For more information, see Monitor your Projects at regular intervals.

Running out of tests

Snyk allows unlimited tests for public repositories. If you are on the Free plan, you have a limited number of tests per month. Paid plans have unlimited tests on private and public repositories. If you are on the Free plan and notice that your test count is quickly being used, even with public repositories, you can remedy this by telling Snyk the public URL of the repository that is being scanned by the Snyk CLI. This ensures that Snyk does not count a public repository towards the test limits.

If you run out of tests on an open-source Project, follow these steps:

  • Run snyk monitor.
  • Open the Snyk UI and navigate to the settings of the Project.
  • Enter the URL of your open-source repository in Git remote URL.

Additional information about the Snyk CLI

Run snyk help or see the CLI commands and options summary.

See the course Introduction to the Snyk CLI for a quick video training session.

Snyk also provides a cheat sheet (blog post).

In particular, see the information about the following options that you may find useful:

  • --severity-threshold=low|medium|high|critical: Report only vulnerabilities of the specified level or higher.
  • --json: Print results in JSON format.
  • --all-projects: Auto-detect all Projects in the working directory.
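The --json and --severity-threshold options are what a CI job normally combines: run the scan once, keep the machine-readable report, and decide pass/fail from it. The script below is an added example, not code from the snyk/cli README or the CLI. It summarises a snyk test --json report by severity and fails when anything at or above a chosen level is present. The report layout it parses (a top-level "vulnerabilities" array whose entries carry "id", "severity", "packageName" and a "from" path) is an assumption to check against your CLI version; SAMPLE_REPORT is constructed for this example and contains no real Snyk output, and the helper names (severity_rank, count_severity, count_at_or_above, gate) are the example's own.

```shell
#!/bin/sh
# Added example (not from the snyk/cli README): summarise a
# `snyk test --json` report by severity and gate a CI job on it.
# The JSON shape below is assumed; SAMPLE_REPORT is constructed.

SAMPLE_REPORT=$(cat <<'EOF'
{
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-1", "severity": "high", "packageName": "left-pad-demo",
     "from": ["demo-app@1.0.0", "left-pad-demo@0.1.0"]},
    {"id": "EXAMPLE-VULN-2", "severity": "medium", "packageName": "yaml-demo",
     "from": ["demo-app@1.0.0", "config-demo@2.0.0", "yaml-demo@3.0.0"]},
    {"id": "EXAMPLE-VULN-3", "severity": "low", "packageName": "yaml-demo",
     "from": ["demo-app@1.0.0", "yaml-demo@3.0.0"]}
  ],
  "ok": false
}
EOF
)

# Map a severity name to a rank so thresholds can be compared; the
# order is the one --severity-threshold uses (low < medium < high < critical).
severity_rank() {
  case $1 in
    low) echo 1 ;;
    medium) echo 2 ;;
    high) echo 3 ;;
    critical) echo 4 ;;
    *) echo 0 ;;
  esac
}

# Count issues of exactly severity $1 in the report read from stdin.
# A plain grep is enough for flat "severity" keys; use jq if you need
# to walk the "from" paths.
count_severity() {
  grep -o "\"severity\": *\"$1\"" | wc -l | tr -d ' '
}

# Count issues at or above severity $1 in the report read from stdin.
count_at_or_above() {
  report=$(cat)
  threshold=$(severity_rank "$1")
  total=0
  for s in low medium high critical; do
    if [ "$(severity_rank "$s")" -ge "$threshold" ]; then
      n=$(printf '%s\n' "$report" | count_severity "$s")
      total=$((total + n))
    fi
  done
  echo "$total"
}

# Return 0 when the report on stdin has nothing at or above $1, else 1.
gate() {
  n=$(count_at_or_above "$1")
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n issue(s) at severity $1 or higher" >&2
    return 1
  fi
  echo "PASS: no issues at severity $1 or higher"
  return 0
}

# Live use (needs an installed, authenticated CLI):
#   snyk test --json --severity-threshold=medium > snyk.json
#   gate medium < snyk.json
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_REPORT" | gate high || true
```

Passing the same level to --severity-threshold and to gate keeps the report small, while a lower threshold on the CLI side and a higher one in gate lets you archive the full finding list but fail the build only on the serious ones.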

For detailed information about the CLI, see the CLI docs.

Getting support for the Snyk CLI

Use the resources on the Snyk support page to find help for using the Snyk CLI or Snyk in general. Note that Snyk support does not actively monitor GitHub Issues on any Snyk development project.

Snyk CLI is closed to contributions

Effective July 22, 2024, Snyk CLI no longer accepts external contributions.

Due to the CLI's extensive usage and intricate nature, even minor modifications can have unforeseen consequences. Since introducing release channels to the CLI code in April 2024, Snyk's focus has been on stabilizing releases. Snyk believes this open-source, closed-contribution model best serves this goal.

In the spirit of transparency to Snyk customers and CLI users, Snyk will continue working in public. However, going forward, Snyk CLI is closed to contributions.

Snyk appreciates and extends gratitude to the Snyk community.

Security

For any security issues or concerns, see the SECURITY.md file in the GitHub repository.