Automatic fixing with snyk fix
This feature is currently in beta. We would appreciate any feedback you might have - contact us at [email protected].
While using the snyk test command, actionable fixes for supported ecosystems appear in the scan results.
snyk fix is a new CLI command that aims to automatically apply the recommended updates for supported ecosystems.
Please ensure you use the latest version of the CLI (v1.715.0 or later) to use snyk fix.
Here is example output of running snyk test, showing the upgrades it recommends:

```
Tested 78 dependencies for known issues, found 34 issues, 145 vulnerable paths.

Issues to fix by upgrading dependencies:

  Upgrade [email protected] to [email protected] to fix
  ✗ HTTP Header Injection [High Severity][https://app.snyk.io/vuln/SNYK-PYTHON-DJANGO-1290072] in [email protected]
    introduced by [email protected] and 13 other path(s)
  ✗ Directory Traversal (new) [High Severity][https://app.snyk.io/vuln/SNYK-PYTHON-DJANGO-1298665] in [email protected]
    introduced by [email protected] and 13 other path(s)
  ✗ Insecure Permissions [High Severity][https://app.snyk.io/vuln/SNYK-PYTHON-DJANGO-609368] in [email protected]
    introduced by [email protected] and 13 other path(s)
  ✗ Insecure Permissions [High Severity][https://app.snyk.io/vuln/SNYK-PYTHON-DJANGO-609369] in [email protected]
    introduced by [email protected] and 13 other path(s)

Organization:      libs
Package manager:   poetry
Target file:       lib/poetry.lock
Project name:      libs-develop
Open source:       no
Project path:      lib
Licenses:          enabled
```
Here is the example output of running snyk fix:

```
► Running `snyk test` for /Users/lili/www/snyk/python-fix/packages/poetry/test/system/workspaces/with-pins
✔ Looking for supported Python items
✔ Processed 1 pyproject.toml items
✔ Done

Successful fixes: ../python-fix/packages/poetry/test/system/workspaces/with-pins/poetry.lock
  ✔ Upgraded django from 2.2.13 to 2.2.18
  ✔ Upgraded jinja2 from 2.11.2 to 2.11.3

Summary:
  1 items were successfully fixed
  10 issues: 4 High | 3 Medium | 3 Low
  10 issues are fixable
  10 issues were successfully fixed
```
  • Only successful test results are forwarded into snyk fix.
  • Test results for unsupported ecosystems are skipped.

Enabling snyk fix

To enable snyk fix during the beta period, click on Settings > Snyk Preview, then enable the snyk fix feature and click Save changes.
snyk fix supports all the snyk test CLI parameters.
Additional parameters:
  • --quiet - suppresses all output to the command line
  • --dry-run - runs almost all the logic and displays the output, but does not make the final changes to the relevant files. Use this to preview the changes
  • --sequential - installs each dependency update separately, one by one (the default is to install in bulk). This is much slower, but it increases the number of successful updates by letting some fail while the rest continue
Support is available for the following.

Python

  • Pip projects with requirements.txt files (or custom-named files, for example prod.txt)
  • Pipenv projects with Pipfile & Pipfile.lock files
  • Poetry projects with pyproject.toml & poetry.lock files

Usage examples

  • snyk fix --file=requirements.txt
  • snyk fix --file=base.txt --package-manager=pip
  • snyk fix --all-projects

Requirements with `-r` directives

Where the requirements.txt looks like this, both base.txt and requirements.txt will be updated if needed:

```
-r base.txt # this means grab all the dependencies from here
django===1.6.1
```

Direct dependency upgrades (dependencies stated in the manifest)

Applied in the relevant files. All referenced files are found and updated.

Pins (transitive dependencies that are pulled in via direct dependencies)

Pins are applied in the manifest file that was tested.
If multiple files are tested but are related (for example, one requires the other), we start applying changes to the files higher up in the directory structure.
We detect previously fixed files and skip applying fixes to them again.

Projects which use constraints.txt

Constraints files are requirements files that only control which version of a dependency is installed, not whether it is installed or not. Their syntax and contents are nearly identical to requirements files. There is one key difference: including a package in a constraints file does not trigger installation of the package. More info at: User Guide - pip documentation v21.0.1

Direct dependency upgrades (dependencies stated in the manifest)

Applied in the relevant files. All referenced files are found and updated.

Pins (transitive dependencies that are pulled in via direct dependencies)

All transitive dependencies are pinned in the constraints.txt file if it is referenced via a -c directive in the requirements manifest file.
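The `-r` traversal described under "Requirements with `-r` directives" and the placement rules above (direct upgrades rewritten where the dependency is declared, transitive pins written to the `-c` constraints file when one is referenced, otherwise to the tested manifest) as an added Python model; this is not Snyk's code, and the in-memory manifests, the `UPGRADES` list and the helper names `referenced_files`, `set_version` and `plan_fix` are constructed for illustration.

```python
import re
FILES = {  # constructed in-memory manifests for `snyk fix --file=requirements.txt`
    "requirements.txt": "-r base.txt # grab all the dependencies from here\n"
                        "-c constraints.txt\ndjango===1.6.1\n",
    "base.txt": "jinja2==2.11.2\n",
    "constraints.txt": "urllib3==1.25.8\n",
}
# (package, recommended version, transitive?) as a test would report them (also constructed).
UPGRADES = [("django", "2.2.18", False), ("jinja2", "2.11.3", False),
            ("urllib3", "1.26.5", True)]  # urllib3 is only reachable through a direct dep
SPEC_RE = re.compile(r"^(\s*([A-Za-z0-9_.-]+)\s*={2,3}\s*)([^\s#]+)")

def referenced_files(files, manifest):
    """Follow -r (recursively) and -c directives; return (requirement files, constraints files)."""
    reqs, cons, todo = [], [], [manifest]
    while todo:
        name = todo.pop(0)
        if name in reqs or name not in files:
            continue
        reqs.append(name)
        for line in files[name].splitlines():
            tok = line.split("#", 1)[0].split()
            if len(tok) == 2 and tok[0] == "-r":
                todo.append(tok[1])
            elif len(tok) == 2 and tok[0] == "-c" and tok[1] in files:
                cons.append(tok[1])
    return reqs, cons

def set_version(text, pkg, version, add_if_missing=False):
    """Rewrite pkg's pinned version where it is declared; optionally append a pin if absent."""
    out, found = [], False
    for line in text.splitlines(keepends=True):
        m = SPEC_RE.match(line)
        if m and m.group(2).lower() == pkg.lower():
            line, found = m.group(1) + version + line[m.end():], True
        out.append(line)
    if add_if_missing and not found:
        out.append(f"{pkg}=={version}\n")
    return "".join(out)

def plan_fix(files, manifest, upgrades):
    """Return {file: new content} for every referenced file that would change."""
    reqs, cons = referenced_files(files, manifest)
    work = {n: files[n] for n in reqs + cons}
    for pkg, version, transitive in upgrades:
        if transitive:   # pin in constraints.txt when one is referenced via -c, else in the manifest
            target = cons[0] if cons else manifest
            work[target] = set_version(work[target], pkg, version, add_if_missing=True)
        else:            # direct dependency: rewrite wherever it is declared (-r files included)
            for name in reqs:
                work[name] = set_version(work[name], pkg, version)
    return {n: c for n, c in work.items() if c != files[n]}
```

Files already at the recommended version produce no entry, which mirrors skipping previously fixed files.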

Python (pipenv)

Snyk delegates to `pipenv` directly to update dependencies to the specified recommended versions. All `pipenv` environment variables and behaviours are preserved as much as possible.

Python (poetry)

Snyk delegates to `poetry` directly to update dependencies to the specified recommended versions. All `poetry` environment variables and behaviours are preserved as much as possible.

Troubleshooting

Run in debug mode to get more information on any errors.

```
DEBUG=*snyk* snyk fix
```

This provides a very verbose output that can help diagnose issues or can be sent to Snyk for debugging.