snyk - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies

snyk [COMMAND] [SUBCOMMAND] [OPTIONS] [PACKAGE] [-- COMPILER_OPTIONS]

  $ snyk auth
  $ snyk test
  $ snyk monitor

snyk container --help (available in Advanced Snyk Container CLI usage).

  auth [API_TOKEN]
      Authenticate Snyk CLI with a Snyk account
  test
      Test local project for vulnerabilities
  monitor
      Snapshot and continuously monitor your project
  container
      Test container images for vulnerabilities. See snyk container --help for full instructions.
  iac
      Find security issues in your Infrastructure as Code files. See snyk iac --help for full instructions.
  code
      Find security issues using static code analysis. See snyk code --help for full instructions.
  config
      Manage Snyk CLI configuration
  protect
      Applies the patches specified in your .snyk file to the local file system
      .snyk policy for a package.
      .snyk policy to ignore stated issues
  wizard
      Configure your policy file to update, auto patch, and ignore vulnerabilities. Snyk wizard updates your

snyk container --help. For advanced usage, we offer language and context-specific flags, listed further down this document.

  --all-projects
      (only in test and monitor commands) Auto-detect all projects in the working directory
  --detection-depth=DEPTH
      (only in test and monitor commands) Use with --all-projects or --yarn-workspaces to indicate how many subdirectories to search. DEPTH must be a number. Default: 4 (the current working directory and 3 sub-directories)
  --exclude=DIRECTORY[,DIRECTORY]...
      (only in test and monitor commands) Can be used with --all-projects and --yarn-workspaces to indicate sub-directories to exclude. Directories must be comma-separated. If used with --detection-depth, exclude ignores directories at any level deep.
      (only in test and monitor commands) Prune dependency trees, removing duplicate sub-dependencies. Will still find all vulnerabilities, but potentially not all of the vulnerable paths.
      (only in test and monitor commands) Print the dependency tree before sending it for analysis.
  --remote-repo-url=URL
      Set or override the remote URL for the repository that you would like to monitor.
  --dev
      Include devDependencies. Default: scan only production dependencies
  --org=ORG_NAME
      Specify the ORG_NAME to run Snyk commands tied to a specific organization. This will influence where new projects are created after running the monitor command, the availability of some features, and private test limits. If you have multiple organizations, you can set a default from the CLI using:
        $ snyk config set org=ORG_NAME
      To override the default, use the --org=ORG_NAME argument. Default: uses the ORG_NAME that is set as default in your Account settings
  --file=FILE
      Sets a package file. When testing locally or monitoring a project, you can specify the file that Snyk should inspect for package information. When omitted, Snyk will try to detect the appropriate file for your project.
  --ignore-policy
      Ignores all set policies: the current policy in the .snyk file, Org level ignores and the project policy on snyk.io.
  --trust-policies
      Applies and uses ignore rules from your dependencies' Snyk policies; otherwise ignore policies are only shown as a suggestion.
  --show-vulnerable-paths=none|some|all
      Display the dependency paths from the top-level dependencies down to the vulnerable packages. Doesn't affect output when using JSON (--json) output. Default: some (a few example paths shown). false is an alias for none.
  --project-name=PROJECT_NAME
      Specify a custom Snyk project name.
      (only in monitor command) A reference to separate this project from other scans of the same project. For example, a branch name or version. Projects using the same reference can be used for grouping.
  --project-environment=ENVIRONMENT[,ENVIRONMENT]...
      (only in monitor command) Set the project environment to one or more values (comma-separated). To clear the project environment set --project-environment=. Allowed values: frontend, backend, internal, external, mobile, saas, onprem, hosted, distributed
  --project-lifecycle=LIFECYCLE[,LIFECYCLE]...
      (only in monitor command) Set the project lifecycle to one or more values (comma-separated). To clear the project lifecycle set --project-lifecycle=. Allowed values: production, development, sandbox
  --project-business-criticality=BUSINESS_CRITICALITY[,BUSINESS_CRITICALITY]...
      (only in monitor command) Set the project business criticality to one or more values (comma-separated). To clear the project business criticality set --project-business-criticality=. Allowed values: critical, high, medium, low
  --project-tags=TAG[,TAG]...
      (only in monitor command) Set the project tags to one or more values (comma-separated key value pairs with an "=" separator), e.g. --project-tags=department=finance,team=alpha. To clear the project tags set --project-tags=
  --policy-path=PATH_TO_POLICY_FILE
      Manually pass a path to a Snyk policy file.
  --json
      Prints result in JSON format.
      (only in test command) Save test output in JSON format directly to the specified file, regardless of whether or not you use the --json option. This is especially useful if you want to display the human-readable test output via stdout and at the same time save the JSON format output to a file.
  --severity-threshold=low|medium|high|critical
      Only report vulnerabilities of the provided level or higher.
  --fail-on=all|upgradable|patchable
      Only fail when there are vulnerabilities that can be fixed.
      (only in protect command) Don't apply updates or patches during
  -- [COMPILER_OPTIONS]
      Pass extra arguments directly to Gradle or Maven. E.g.
        $ snyk test -- --build-cache
  || true
      Sets the exit code of the scan to 0. Can be used to continue with a CI/CD pipeline even when there are vulnerabilities.
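The three exit-code controls above (--severity-threshold, --fail-on and the `|| true` idiom) are easy to combine badly: `|| true` hides every failure, while --fail-on silently drops findings that have no fix yet. The following is an added example, not part of the Snyk CLI or its documentation: a small CI gate that reads a saved `snyk test --json` report and reproduces the threshold and fail-on filtering in the pipeline itself, so the job can log the findings it is deliberately tolerating and still return a deliberate exit code. The report shape (`vulnerabilities`, `severity`, `isUpgradable`, `isPatchable`, `from`, `id`, `title`) and the sample findings are assumptions constructed for the example; the vulnerability IDs are placeholders.

```python
"""CI gate over a saved `snyk test --json` report (added example, not Snyk's own code).

Reproduces the page's --severity-threshold and --fail-on semantics on the JSON
report so a pipeline can decide its own exit code instead of masking every
failure with `|| true`.  Field names below are assumed, not taken from the page.
"""
import json
import sys

# Ordering used by --severity-threshold: keep findings at the level or above.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report in the assumed shape of `snyk test --json` output.
# Package names and vulnerability IDs are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "title": "Prototype Pollution",
         "severity": "high", "isUpgradable": True, "isPatchable": False,
         "from": ["my-app@1.0.0", "example-util@1.2.3"]},
        {"id": "SNYK-EXAMPLE-0002", "title": "Regular Expression DoS",
         "severity": "medium", "isUpgradable": False, "isPatchable": True,
         "from": ["my-app@1.0.0", "example-web@4.0.0", "example-qs@6.5.1"]},
        {"id": "SNYK-EXAMPLE-0003", "title": "Information Exposure",
         "severity": "low", "isUpgradable": False, "isPatchable": False,
         "from": ["my-app@1.0.0", "example-debug@2.6.8"]},
    ],
})


def at_or_above(vulns, threshold):
    """--severity-threshold: keep only findings of `threshold` or higher."""
    floor = SEVERITY_RANK[threshold]
    return [v for v in vulns if SEVERITY_RANK[v["severity"]] >= floor]


def fixable(vulns, fail_on):
    """--fail-on: None fails on every finding (CLI default); 'all' fails only on
    findings that can be upgraded or patched; 'upgradable'/'patchable' narrow
    that to one fix type.  Findings without a fix are dropped, not hidden forever:
    the caller can still log them."""
    if fail_on is None:
        return list(vulns)
    if fail_on == "all":
        return [v for v in vulns if v.get("isUpgradable") or v.get("isPatchable")]
    if fail_on == "upgradable":
        return [v for v in vulns if v.get("isUpgradable")]
    if fail_on == "patchable":
        return [v for v in vulns if v.get("isPatchable")]
    raise ValueError(f"unknown --fail-on value: {fail_on}")


def gate(report_text, threshold="low", fail_on=None):
    """Return (exit_code, failing_findings).  Exit 1 mirrors the CLI's non-zero
    exit on findings; 0 means nothing crossed the configured bar."""
    report = json.loads(report_text)
    vulns = report.get("vulnerabilities", [])
    failing = fixable(at_or_above(vulns, threshold), fail_on)
    return (1 if failing else 0), failing


def summarize(vulns):
    """One line per finding, with the dependency path (the `from` chain) so the
    reader sees which top-level dependency pulls the vulnerable package in."""
    return [
        f"[{v['severity']}] {v['id']} {v['title']} via {' > '.join(v.get('from', []))}"
        for v in vulns
    ]


if __name__ == "__main__":
    # Usage: python snyk_gate.py snyk.json medium upgradable
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "low"
    fail_on = sys.argv[3] if len(sys.argv) > 3 else None
    code, failing = gate(text, threshold, fail_on)
    print("\n".join(summarize(failing)) or "no findings cross the configured bar")
    sys.exit(code)
```

Run the CLI as `snyk test --json > snyk.json || true` (or with the file-output option described above), then let this script decide the job's result; that way the findings below the bar are still written to the log rather than discarded by the shell.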
  --scan-all-unmanaged
      Auto-detects maven jar, war, and aar files in a given directory.
  --scan-unmanaged
      Auto-detects maven jar, war, and aar files in a given directory, and individual testing can be done with
      (only in test and monitor commands) Analyze your source code to find which vulnerable functions and packages are called.
  --reachable-timeout=TIMEOUT
      The amount of time (in seconds) to wait for Snyk to gather reachability data. If it takes longer than TIMEOUT, Reachable Vulnerabilities are not reported. This does not affect regular test or monitor output. Default: 300 (5 minutes).
  --gradle-sub-project=NAME
      For Gradle "multi-project" configurations, test a specific sub-project.
  --all-sub-projects
      For "multi-project" configurations, test all sub-projects.
  --configuration-matching=CONFIGURATION_REGEX
      Resolve dependencies using only configuration(s) that match the provided Java regular expression, e.g.
  --configuration-attributes=ATTRIBUTE[,ATTRIBUTE]...
      Select certain values of configuration attributes to resolve the dependencies. E.g.
  --assets-project-name
      When monitoring a .NET project using NuGet PackageReference, use the project name in project.assets.json, if found.
  --packages-folder
      Custom path to packages folder
  --strict-out-of-sync=true|false
      Control testing out of sync lockfiles.
  --strict-out-of-sync=true|false
      Control testing out of sync lockfiles. Default: true
  --yarn-workspaces
      (only in test and monitor commands) Detect and scan yarn workspaces. You can specify how many sub-directories to search using --detection-depth and exclude directories using --exclude.
  --strict-out-of-sync=true|false
      Control testing out of sync lockfiles.
  --command=COMMAND
      Indicate which specific Python command to use based on the Python version. The default is python, which executes your system's default Python version. Run 'python -V' to find out what version it is. If you are using multiple Python versions, use this parameter to specify the correct Python command for execution. Default: python
  --skip-unresolved=true|false
      Allow skipping packages that are not found in the environment.
  --insecure
      Ignore unknown certificate authorities.
  -d
      Output debug logs.
  -q
      Silence all output.
  [COMMAND] --help, --help [COMMAND], -h
      Prints a help text. You may specify a COMMAND to get more details.

  $ snyk auth MY_API_TOKEN
  Test a project in current folder for known vulnerabilities:
  $ snyk test
  Test a specific dependency for vulnerabilities:
  $ snyk test [email protected]

snyk container --help for more details and examples:
snyk iac --help for more details and examples:

  SNYK_API
      Sets API host to use for Snyk requests. Useful for on-premise instances and configuring proxies.
  SNYK_CFG_<KEY>
      Allows you to override any key that's also available as