Manage vulnerability results with the Snyk CLI wizard
Snyk’s wizard walks you through finding and fixing the known vulnerabilities in your project.
Only Node.js is supported at this time.
The wizard combines the separate test, protect and monitor actions in one interactive workflow.
To run the wizard:
  1. Navigate to your project folder
  2. Run snyk wizard
If a yarn.lock file is detected in your folder, the wizard asks you whether to treat the project as a Yarn project (the default answer), or as an npm project.
The wizard goes through multiple phases. First, it takes stock of which dependencies are locally installed, queries the Snyk service for related known vulnerabilities, and asks you how you want to address each vulnerability that was found. As you answer the questions, the wizard creates a Snyk policy file, stored in a file named .snyk, which guides future Snyk commands.
Here are the possible fix steps for each vulnerability:
  • Upgrade - If upgrading a direct dependency can fix the current vulnerability, the wizard can automatically modify your package.json file to use the newer version, and uses npm or yarn to apply the change.
  • Patch - Sometimes there is no direct upgrade that addresses the vulnerability, or there is one but you can't take it for functional reasons (e.g. it is a major breaking change). For such cases, the wizard lets you patch the issue, using patches the Snyk team creates and maintains. This option makes the minimal modifications to your locally installed module files needed to fix the vulnerability. It also updates the policy so that the patch is re-applied whenever snyk protect runs, as shown below.
  • Ignore - If you believe this vulnerability is not exploitable in your project, you can set the Snyk policy to ignore it. By default the ignore lasts 30 days, so that a real issue cannot be hidden indefinitely by accident. If you want to ignore it permanently, use the snyk ignore command or edit the generated .snyk file by hand. If neither a patch nor an upgrade is available, you can choose to ignore the issue for now, and we'll notify you when a patch or upgrade becomes available.
If more than one vulnerability is introduced via the same module, then the wizard groups them. You can upgrade, patch or ignore all of them; or if you want to see more details, you can review each vulnerability separately.
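What the wizard writes, as an added example in JavaScript (not Snyk's own code): it builds the policy object that the .snyk YAML deserializes to, renders it as the file text, and then applies it the way a later snyk test run does, including the expiry of a 30-day ignore. The vulnerability ids, dependency paths, reason text, dates and the version string are constructed placeholders, not real Snyk advisories; the '*' wildcard path is the one real policy feature assumed beyond what the page describes.

```javascript
// Added example, not Snyk's own code: the structure of the .snyk policy that
// the wizard writes, and how a later `snyk test` applies it. Vulnerability ids,
// dependency paths, reasons and dates are constructed placeholders.
'use strict';

const DAY_MS = 24 * 60 * 60 * 1000;

// Build a policy object with the shape the .snyk YAML deserializes to. Both
// sections are keyed by vulnerability id, then by the dependency path
// ('root > dep > subdep') through which it is introduced. Ignores carry an
// expiry (30 days by default); patches record when they were applied.
function buildPolicy(now, { ignores = [], patches = [] } = {}) {
  const policy = { version: 'v1.13.5', ignore: {}, patch: {} }; // version string assumed
  for (const { id, path, reason = 'None given', days = 30 } of ignores) {
    const expires = new Date(now.getTime() + days * DAY_MS).toISOString();
    (policy.ignore[id] = policy.ignore[id] || []).push({ [path]: { reason, expires } });
  }
  for (const { id, path } of patches) {
    (policy.patch[id] = policy.patch[id] || []).push({ [path]: { patched: now.toISOString() } });
  }
  return policy;
}

// Serialize the policy as the YAML text stored in .snyk.
function renderSnykYaml(policy) {
  const lines = [
    '# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.',
    `version: ${policy.version}`,
  ];
  for (const section of ['ignore', 'patch']) {
    const ids = Object.keys(policy[section]);
    lines.push(ids.length ? `${section}:` : `${section}: {}`);
    for (const id of ids) {
      lines.push(`  '${id}':`);
      for (const entry of policy[section][id]) {
        for (const [path, fields] of Object.entries(entry)) {
          lines.push(`    - '${path}':`);
          for (const [key, value] of Object.entries(fields)) {
            lines.push(`        ${key}: '${value}'`);
          }
        }
      }
    }
  }
  return lines.join('\n') + '\n';
}

// Mimic how a test run consults the policy: a finding is suppressed when its
// id + path is patched, or ignored with an expiry still in the future. An
// expired ignore counts as absent, which is why a 30-day ignore resurfaces the
// issue once the window closes. A path of '*' matches any path (assumed).
function applyPolicy(policy, vulns, now) {
  const ruleFor = (entries, path) => {
    for (const entry of entries) {
      if (entry[path] !== undefined) return entry[path];
      if (entry['*'] !== undefined) return entry['*'];
    }
    return undefined;
  };
  return vulns.filter((v) => {
    const patched = ruleFor(policy.patch[v.id] || [], v.path) !== undefined;
    const ignore = ruleFor(policy.ignore[v.id] || [], v.path);
    const ignored = ignore !== undefined && new Date(ignore.expires) > now;
    return !patched && !ignored;
  });
}

// Constructed sample of what a test run might report for one project.
const SAMPLE_VULNS = [
  { id: 'npm:example-pkg:20180101', path: 'app > example-pkg', title: 'ReDoS (constructed)' },
  { id: 'npm:other-pkg:20180202', path: 'app > framework > other-pkg', title: 'Prototype pollution (constructed)' },
  { id: 'npm:third-pkg:20180303', path: 'app > third-pkg', title: 'Path traversal (constructed)' },
];

// The answers given to the wizard: ignore the first, patch the second, leave the third.
const WIZARD_RUN = new Date('2024-01-01T00:00:00.000Z');
const POLICY = buildPolicy(WIZARD_RUN, {
  ignores: [{ id: 'npm:example-pkg:20180101', path: 'app > example-pkg', reason: 'Input is never user controlled' }],
  patches: [{ id: 'npm:other-pkg:20180202', path: 'app > framework > other-pkg' }],
});

// Ids that would still fail `snyk test` on a given day.
function stillFailing(now) {
  return applyPolicy(POLICY, SAMPLE_VULNS, now).map((v) => v.id);
}

console.log(renderSnykYaml(POLICY));
console.log('failing on wizard day:', stillFailing(WIZARD_RUN));
console.log('failing 31 days later:', stillFailing(new Date(WIZARD_RUN.getTime() + 31 * DAY_MS)));
```

On the day the wizard runs only the third finding fails; 31 days later the ignored one is back as well, while the patched one stays suppressed. That is the behaviour to plan for when an ignore is meant to be temporary: either fix the issue within the window, or deliberately extend the expiry with snyk ignore rather than letting the build break by surprise.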
Snyk's wizard will:
  • Enumerate your local dependencies and query Snyk's servers for vulnerabilities
  • Guide you through fixing found vulnerabilities
  • Create a .snyk policy file to guide snyk commands such as test and protect
  • Remember your dependencies to alert you when new vulnerabilities are disclosed
Example output:
Loading dependencies...
Querying vulnerabilities database...
Tested 446 dependencies for known vulnerabilities, found 8 vulnerabilities, 20 vulnerable paths.
? High severity vuln found in [email protected], introduced via [email protected]
- desc: ReDoS via long string of semicolons
- info:
? 6 vulnerabilities introduced via [email protected]
- info:
Remediation options (Use arrow keys)
❯ Re-install [email protected] (triggers upgrade to [email protected], [email protected])
Review vulnerabilities separately
Set to ignore for 30 days (updates policy)
Once all the issues are addressed, snyk wizard will optionally integrate some test and protection steps into your package.json file:
1) It can add snyk test to the test script, which checks your local dependencies for known vulnerabilities and exits with a non-zero status if any are found (except those you chose to ignore).
2) If you chose to patch an issue, the wizard will optionally add snyk protect to your project as an install-time step. This is helpful if you publish this module, as it re-applies the patches specified in .snyk every time the module is installed.
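The package.json wiring described in 1) and 2) above, as an added example (not the wizard's own code): the function applies the same edits idempotently, so running it a second time does not prepend snyk test twice. The script names snyk-protect and prepublish mirror what the wizard wrote; the "snyk": true marker and the handling of a pre-existing prepublish script are assumptions.

```javascript
// Added example, not the wizard's own code: apply the package.json edits the
// wizard offers. Script names mirror the wizard's output; the `snyk: true`
// marker and the merge with an existing prepublish script are assumptions.
'use strict';

const TEST_PREFIX = 'snyk test && ';
const PROTECT_HOOK = 'npm run snyk-protect';

function integrateSnykScripts(pkg, { protect = false } = {}) {
  const out = JSON.parse(JSON.stringify(pkg)); // never mutate the caller's object
  out.scripts = out.scripts || {};

  // 1) Gate the test script on `snyk test`, which exits non-zero when a
  //    vulnerability not covered by .snyk is found. Skip if already wired.
  const test = out.scripts.test || '';
  if (test !== 'snyk test' && !test.startsWith(TEST_PREFIX)) {
    out.scripts.test = test ? TEST_PREFIX + test : 'snyk test';
  }

  // 2) Only when a patch was chosen: re-apply .snyk patches at install time.
  if (protect) {
    out.scripts['snyk-protect'] = 'snyk protect';
    const hook = out.scripts.prepublish || '';
    if (!hook.includes(PROTECT_HOOK)) {
      out.scripts.prepublish = hook ? `${PROTECT_HOOK} && ${hook}` : PROTECT_HOOK;
    }
    out.snyk = true; // marker the wizard wrote alongside the hook (assumed)
  }
  return out;
}

// Constructed before/after for a project that already has a test runner.
const BEFORE = { name: 'demo-app', version: '1.0.0', scripts: { test: 'mocha' } };
const AFTER = integrateSnykScripts(BEFORE, { protect: true });
console.log(JSON.stringify(AFTER, null, 2));
```

Two caveats a maintainer should weigh before accepting step 2): the hook has to be able to run snyk wherever the module is installed, so snyk ends up as a regular dependency of the published package rather than a devDependency; and on npm 5 and later a plain npm install no longer runs prepublish, so prepare is the hook to use if the patches must be applied on local installs as well.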
Lastly, the wizard creates the .snyk file, modifies package.json and uses npm or yarn to apply the changes. To monitor your project for new vulnerabilities, the wizard takes a snapshot of your current dependencies (similar to running snyk monitor). You can see all the snapshots for a project on the Snyk website. We'll notify you via email if you're affected by newly disclosed vulnerabilities in them, or when a patch or upgrade path that was previously unavailable becomes available.
A few things to note:
  • The wizard doesn't perform any git (or other source control) actions, so be sure to add the .snyk file to your repository; without it, snyk test on another machine or in CI will not know about your ignores and patches.
  • Subsequent runs of the wizard will not show items previously ignored. To start afresh, run snyk wizard --ignore-policy.
  • By default, both wizard and test ignore devDependencies. To test those, add the --dev flag.