Snyk pipe parameters and values (Bitbucket Cloud)

Configure the Snyk pipe

Configure the following Snyk pipe as part of a pipeline YAML file in order to include vulnerability scanning as part of your CI/CD workflow:

- pipe: snyk/snyk-scan:1.0.0
    // variables go here

Snyk pipe variables

For information on how these variables are used, see the Snyk pipe examples.



SNYK_TOKEN (required)

Enter the Snyk API token, which you can retrieve from your Snyk Account settings.

Snyk recommends that you encrypt the token. You can add it as a predefined variable in a separate part of the Bitbucket pipes directory:

  1. From the build directory, navigate to Add a new Repository value, name the parameter SNYK_TOKEN, and enter your Snyk API token as the value.

  2. From the pipeline YAML file that you are building, enter $SNYK_TOKEN as the value for the SNYK_TOKEN parameter in the Snyk pipe.

See the Bitbucket documentation for more information about predefined variables.

LANGUAGE (required)

Configure the package manager of the app, for example, Node, Maven, Ruby, Composer, or Docker).

See Dockerhub for a full list of possible tags.

Note: When you are using LANGUAGE with SNYK_BASE_IMAGE, this field refers to your base image tag.

IMAGE_NAME (conditionally required)

For Docker LANGUAGE only, configure the image name for which to perform a Docker scan. Required if LANGUAGE=docker


Supply your own custom image if you do not wish to use Snyk Images.

Default: snyk/snyk. Note: LANGUAGE will refer to your base image tag; ensure the tag is valid


Create a Code Insight report with Snyk test results. Default: false.


Use if you want to create only a Code Insights report from previously generated snyk test --json output.


Do not fail the build if vulnerabilities are found.

Default: false. The build will fail when vulnerabilities are found.


Records a snapshot of the Project for the Snyk UI and then continues monitoring the Project after the build is run. See Monitor in the glossary.

If the test succeeds, this records a snapshot of the dependencies in the Snyk Web UI and allows you to see the state of your deployed code, have it monitored, and receive alerts when new vulnerabilities are found in the code.

Default: false. The Project is not monitored after the initial scan.


Reports issues equal to or higher than the configured level. Possible values: low, med, high, critical

Default: low. All vulnerabilities are reported.


Configures the Organization from your Snyk account with which to associate the repository.

Default: none. The default repository configured in your Snyk account is used.


The folder in which the Project resides.

Default: ./ .


The target manifest file, for example package.json, equivalent to --file= in the CLI.

For Docker, enter the Dockerfile as the value.

Default: none.


Extra arguments to be passed to the Snyk CLI. Use the parameters and arguments as described in the CLI commands and options summary.

Default: none.


Turn on extra debug information.

Default: false


Specify the Snyk API endpoint, for example, Default:

Last updated

More information

Snyk privacy policy

© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.