Scan a cloud environment

Snyk automatically runs a scan when a cloud environment is created. After that, Snyk scans the environment once every 24 hours. You can also manually trigger a new scan at any time by using the Snyk API.

Using jq

If you have jq installed, you can execute a single command to retrieve the first environment ID from the Snyk API Create scan endpoint to trigger the scan manually and then manually scan the environment:

SNYK_ORG_ID="YOUR-ORGANIZATION-ID" && \
SNYK_API_TOKEN="YOUR-API-TOKEN" && \
SNYK_ENV_ID=$(curl -s -X GET \
  "https://api.snyk.io/rest/orgs/${SNYK_ORG_ID}/cloud/environments?version=2022-12-21~beta&kind=aws,azure,google" \
  -H "Authorization: token ${SNYK_API_TOKEN}" | jq -r '.data[0].id') && \
curl -X POST \
"https://api.snyk.io/rest/orgs/${SNYK_ORG_ID}/cloud/scans?version=2022-12-21~beta" \
-H "Authorization: token ${SNYK_API_TOKEN}" \
-H "Content-Type:application/vnd.api+json"  -d "{
  \"data\": {
    \"relationships\": {
      \"environment\": {
        \"data\": {
          \"id\": \"${SNYK_ENV_ID}\",
          \"type\": \"environment\"
        }
      }
    },
    \"type\": \"resource\"
  }
}"

Because jq -r '.data[0].id returns the ID of the first environment shown in the Snyk API List environments output, this technique is especially useful if your Organization has a single environment. You can also change the 0 to another number to scan a different environment; for example, jq -r '.data[1].id will return the ID of the second environment in the output.

Without jq

If you so not have jq installed, you can send a request to the Snyk API to return all your environment IDs, look for the ID of the environment you want to scan, and send another request to manually trigger the scan.

Find the environment ID

First, find the ID of the Cloud environment you want to scan. Send a request to the /cloud/environments endpoint in the following format:

In the output, look for the data.id property. In the shortened example that follows, the ID is 3b7ccff9-8900-4e54-0000-1234abcd1234:

Trigger the scan

To manually trigger a scan, send a request to the /cloud/scans endpoint in the following format:

Note: This example uses curl, but you can use any API client, such as Postman or HTTPie.

Understand the API response

Snyk returns a JSON document containing details about the new scan, for example:

The following are some key attributes from the API response:

• data.id: Scan ID

• data.attributes.status: Scan status

Check scan status

To check the status of a scan, retrieve the details of the environment being scanned. Send a request to the /cloud/environments endpoint in the following format:

Snyk returns a JSON document containing environment details. Look for the data.attributes.status value to find the scan status. In the shortened example that follows, the status is success:

Scan status values are as follows:

• queued: Scan is about to start

• in_progress: Scan is in progress

• success: Scan is completed

• error: Scan errored; wait a moment and try scanning again

View all scans for an Organization

To view all scans for an Organization, send an API request to the List scans endpoint in the following format:

Snyk returns a JSON document containing details about all scans, for example: