Advanced failing of builds in Snyk CLI
The Snyk CLI provides the following options for failing your builds:
--severity-threshold=low|medium|high
Only report vulnerabilities of the provided level or higher.
--fail-on=all|upgradable|patchable
Only fail when there are vulnerabilities that can be fixed:
--fail-on=all fails when there is at least one vulnerability that can be either upgraded or patched.
--fail-on=upgradable fails when there is at least one vulnerability that can be upgraded.
--fail-on=patchable fails when there is at least one vulnerability that can be patched. If vulnerabilities do not have a fix and this option is being used, tests will pass.
The Snyk CLI on its own does not currently support failing tests on more complex use cases natively. Here are some ways to achieve more complex pass/fail criteria.

Combining security policies with --severity-threshold

Security policies provide the capability to change a vulnerability's severity if it matches specific criteria when a project is tested against an organization using that policy. You could, for example, change the severity of a vulnerability from high to low; if you then run snyk test with the CLI using --severity-threshold=medium|high, this previously high-severity vulnerability will no longer fail the build.
Security policies do not have all attributes available for criteria matching. Refer to the security policy configuration for what is available, as more attributes will be added over time.
Here is an example of a snyk test, using --severity-threshold=high, running against a default organization with no policy applied to it.
Here is an example of a snyk test, using --severity-threshold=high, running against an organization with a policy that downgrades this particular vulnerability's severity to low.
Since we lowered the severity of the original vulnerability with the policy, it no longer breaches the severity threshold of high, resulting in a passing test.

Companion tools

The rest of this article discusses use cases for snyk-delta and snyk-filter, which are open source companion tools for the Snyk CLI.
snyk-delta finds the delta of vulnerabilities between the current test and a previously monitored snapshot.
It is available from npmjs.org and may be pulled into your CI/CD pipeline using:
npm install -g snyk-delta
snyk-filter provides user-defined pass/fail criteria based on any available data in the snyk test JSON output.
It is available from npmjs.org and may be pulled into your CI/CD pipeline using:
npm install -g snyk-filter

Fail current build only if new vulnerabilities are being introduced

Inline mode

snyk test --json --print-deps | snyk-delta
Optionally point to a specific baseline snapshot by specifying organization and project coordinates:
snyk test --json --print-deps | snyk-delta --baselineOrg xxx --baselineProject xxx

Standalone

snyk-delta --baselineOrg xxx --baselineProject xxx --currentOrg xxx --currentProject xxx
Refer to the snyk-delta project on GitHub for more information.

Fail build for CVSS score higher than ...

snyk test --json | snyk-filter -f /path/to/example-cvss-9-or-above.yml

Custom criteria and filtering

snyk-filter can utilize any combination of criteria available in the snyk test JSON output.
You may also have different criteria for display from what will fail the build. This allows you to do things like display all vulnerabilities in the test output while failing only on some specific criteria.
Examples are provided in the snyk-filter project on GitHub; refer to that project for more information.
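To make the pass/fail criteria above concrete, here is an added example (not Snyk's code, and not snyk-filter or snyk-delta) of a small gate over the snyk test JSON output that combines the severity threshold, the --fail-on fixability rule, a CVSS floor and a snyk-delta-style baseline of already-known ids. It assumes the vulnerabilities array carries the fields id, severity, cvssScore, isUpgradable and isPatchable; the sample report is constructed for illustration.

```python
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `snyk test --json` output (assumed
# field names: id, severity, cvssScore, isUpgradable, isPatchable).
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "severity": "high", "cvssScore": 9.8,
         "isUpgradable": True, "isPatchable": False},
        {"id": "SNYK-EXAMPLE-2", "severity": "medium", "cvssScore": 5.3,
         "isUpgradable": False, "isPatchable": True},
        {"id": "SNYK-EXAMPLE-3", "severity": "high", "cvssScore": 7.5,
         "isUpgradable": False, "isPatchable": False},
    ],
})


def failing_vulns(report_json, severity_threshold="low", fail_on=None,
                  min_cvss=0.0, baseline_ids=()):
    """Return the ids of vulnerabilities that should fail the build.

    severity_threshold and fail_on mirror the CLI flags (fail_on=None means
    any finding fails, as when --fail-on is not given); min_cvss adds the
    "CVSS score higher than ..." rule and baseline_ids the snyk-delta idea
    of ignoring findings already present in a monitored snapshot."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[severity_threshold]
    baseline = set(baseline_ids)
    failing = []
    for v in report.get("vulnerabilities", []):
        if v["id"] in baseline:                  # already known: not new
            continue
        if SEVERITY_RANK[v["severity"]] < threshold:
            continue
        if v.get("cvssScore", 0.0) < min_cvss:
            continue
        if fail_on == "upgradable":
            fixable = v.get("isUpgradable", False)
        elif fail_on == "patchable":
            fixable = v.get("isPatchable", False)
        elif fail_on == "all":
            fixable = v.get("isUpgradable", False) or v.get("isPatchable", False)
        else:
            fixable = True                       # no --fail-on: any finding fails
        if fixable:                              # unfixable findings pass the gate
            failing.append(v["id"])
    return failing
```

In a pipeline you would feed it the real report, e.g. `failing_vulns(sys.stdin.read(), "high", "all")` on the output of `snyk test --json`, and exit non-zero when the returned list is non-empty.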