SupportAPI docsProduct updatesSign up for free
Search…
Snyk User Documentation
Introducing Snyk
Getting started
Snyk CLI
Getting started with the CLI
How to find vulnerabilities using the CLI
CLI reference
Test for vulnerabilities
Fix vulnerabilities from the CLI
Secure your projects in the long term
CLI commands help
Install or update the Snyk CLI
Authenticate the CLI with your account
Configure the Snyk CLI
Create a Snyk App using the Snyk CLI
Snyk API
Snyk for IDEs
Snyk Apps
Snyk Integrations
SNYK PRODUCTS
Snyk Open Source
Snyk Code
Snyk Container
Snyk Infrastructure as Code
USING SNYK
Snyk Broker
User and group management
Fixing and prioritizing issues
Reports
More Snyk Tools
SNYK INFO
Disclosing vulnerabilities
How Snyk handles your data
SNYK TUTORIALS
Getting Started
Amazon Web Services
Atlassian
CircleCI
Docker
Dynatrace
GCP
GitHub
Microsoft Azure
Oracle Cloud Infrastructure
Red Hat
SpringOne
Powered By GitBook
CLI reference

Usage

snyk [COMMAND] [SUBCOMMAND] [OPTIONS] [PACKAGE] [CONTEXT-SPECIFIC-OPTIONS]

Description

The Snyk CLI is a build-time tool to find and fix known vulnerabilities in your projects. For a more detailed description of Snyk CLI and Snyk, see Snyk CLI. For an introduction on how to use the Snyk CLI, see Getting started with the CLI.

Available CLI commands

To learn more about each Snyk CLI command, use the --help option, for example, snyk auth --help or snyk container --help. Each command in this list is linked to the corresponding help page in these docs.
Note: Lists of all the options for Snyk CLI commands are on this page. The options are explained in detail in the help for each command.

​snyk auth​

Authenticate Snyk CLI with a Snyk account.

​snyk test​

Test a project for open source vulnerabilities and license issues.

​snyk monitor​

Snapshot and continuously monitor a project for open source vulnerabilities and license issues.

​snyk container​

Test container images for vulnerabilities.

​snyk iac​

The snyk iac subcommands find and report security issues in Infrastructure as Code files; detect, track, and alert on infrastructure drift and unmanaged resources; manages ignores in the .snyk policy file.

​snyk iac describe​

Detect, track, and alert on infrastructure drift and unmanaged resources.
Generate exclude policy rules to be used by snyk iac describe.

​snyk iac test​

Test for any known security issue.

​snyk code​

Find security issues using static code analysis.

​snyk log4shell​

Find Log4Shell vulnerability.

​snyk config​

Manage Snyk CLI configuration.

​snyk policy​

Display the .snyk policy for a package.

​snyk ignore​

Modify the .snyk policy to ignore stated issues.

New CLI commands

​snyk fix​

Apply the recommended updates for supported ecosystems automatically.

​snyk apps​

Create a Snyk App using the Snyk CLI.

Subcommands of CLI commands

The following is a list of the sub-commands for Snyk CLI commands. Each sub-command is followed by the command(s) to which the sub-command applies. The commands are linked to their help docs. For details concerning each sub-command, see the help docs.
test: subcommand of code and container​
monitor: subcommand of container​
get <KEY>: subcommand of config​
set <KEY>=<VALUE>: subcommand of config​
unset <KEY>: subcommand of config​
clear: subcommand of config​

Exit codes

Possible exit codes and their meaning:
0: success, no vulnerabilities found 1: action_needed, vulnerabilities found 2: failure, try to re-run command 3: failure, no supported projects

Configure the Snyk CLI

You can use environment variables to configure the Snyk CLI and also set variables to configure the Snyk CLI to connect with the Snyk API. See Configure the Snyk CLI.

Debug

Use -d option to output the debug logs.

Options for multiple commands

Lists of the options for Snyk CLI commands follow. Each option is followed by the command(s) to which the option applies. The commands are linked to their help docs. For details concerning each option, see the help docs.
--all-projects: test, monitor​
--detection-depth=<DEPTH>: test, monitor, iac test​
--exclude=<GLOB>[,<GLOB>]...>: test, monitor​
--prune-repeated-subdependencies, -p: test, monitor​
--print-deps: test, monitor, container​
--remote-repo-url=<URL>: test, monitor​
--dev: test, monitor​
--org=<ORG_ID>: test, monitor, iac test, iac describe​
--file=<FILE>: test, monitor​
--package-manager=<PACKAGE_MANAGER_NAME>: test, monitor​
--ignore-policy: test, monitor, iac test, iac describe​
--trust-policies test, monitor​
--show-vulnerable-paths=<none|some|all> test​
--project-name=<PROJECT_NAME>: test, monitor, container​
--target-reference=<TARGET_REFERENCE>: test, monitor, iac test​
--policy-path=<PATH_TO_POLICY_FILE>: test, monitor, container, iac test, iac describe, ignore​
--json-file-output=<OUTPUT_FILE_PATH>: test, code, container, iac test​
--sarif: test, container, iac test​
--sarif-file-output=<OUTPUT_FILE_PATH>: test, container, iac test​
--severity-threshold=<low|medium|high|critical>: test, code, container, iac test​
--fail-on=<all|upgradable|patchable>: test​
--project-environment=<ENVIRONMENT>[,<ENVIRONMENT>]...>: monitor, container, iac test​
--project-lifecycle=<LIFECYCLE>[,<LIFECYCLE>]...>: monitor, container, iac test​
--project-business-criticality=<BUSINESS_CRITICALITY>[,<BUSINESS_CRITICALITY>]...>: monitor, container, iac test​
--project-tags=<TAG>[,<TAG>]...>: monitor, container, iac test​
--tags=<TAG>[,<TAG>]...>: monitor, container​

snyk container command options

--app-vulns: container​
--nested-jars-depth: container​
--exclude-base-image-vulns: container​
--platform=<PLATFORM>: container​
--username=<CONTAINER_REGISTRY_USERNAME>: container​
--password=<CONTAINER_REGISTRY_PASSWORD>: container​

snyk iac test command options

--report: iac test​
--scan=<TERRAFORM_PLAN_SCAN_MODE>: iac test​
--rules=<PATH_TO_CUSTOM_RULES_BUNDLE>: iac test​
--var-file=<PATH_TO_VARIABLE_FILE>: iac test​

snyk iac describe command options

--from=<STATE>[,<STATE>...]: iac describe​
--to=<PROVIDER+TYPE>: iac describe​
--service=<SERVICE>[,<SERVICE]...>: iac describe​
--all: iac describe​
--only-managed: iac describe​
--only-unmanaged: iac describe​
--quiet: iac describe​
--filter: iac describe​
--html: iac describe​
--fetch-tfstate-headers: iac describe​
--tfc-token: iac describe​
--tfc-endpoint: iac describe​
--tf-provider-version: iac describe​
--strict: iac describe​
--deep: iac describe​
--driftignore: iac describe​
--tf-lockfile: iac describe​
--config-dir: iac describe​

snyk iac gen-driftignore command options

--input: iac gen-driftignore​
--output=<OUTPUT_FILE_PATH>: iac gen-driftignore​
--exclude-changed: iac gen-driftignore​
--exclude-missing: iac gen-driftignore​
--exclude-unmanaged: iac gen-driftignore​

snyk ignore command options

--id=<ISSUE_ID>: ignore​
--expiry=<EXPIRY>: ignore​
--reason=<REASON>: ignore​
--path=<PATH_TO_RESOURCE>: ignore​

Debug

-d: all​

Options for Maven projects

--scan-all-unmanaged: test, monitor​
--reachable: test, monitor​
--reachable-timeout=<TIMEOUT>: test, monitor​

Options for Gradle projects

--sub-project=<NAME>, --gradle-sub-project=<NAME>: test, monitor​
--all-sub-projects: test, monitor​
--configuration-matching=<CONFIGURATION_REGEX>: test, monitor​
--configuration-attributes=<ATTRIBUTE>[,<ATTRIBUTE>]...: test, monitor​
--reachable: test, monitor​
--reachable-timeout=<TIMEOUT>: test, monitor​
--init-script=<FILE: test, monitor​

Options for .Net and NuGet projects

--assets-project-name: test, monitor​
--packages-folder: test, monitor`
--project-name-prefix=<PREFIX_STRING>: test, monitor​
--project-name-prefix=my-group/: test, monitor​

Options for npm projects

--strict-out-of-sync=true|false: test, monitor​

Options for Yarn projects

--strict-out-of-sync=true|false: test, monitor​
--yarn-workspaces: test, monitor​

Options for CocoaPods projects

--strict-out-of-sync=true|false: test, monitor​

Options for Python projects

--command=<COMMAND>: test, monitor​
--skip-unresolved=true|false: test, monitor​

Options for Go projects

Currently the following options are not supported:
--fail-on=<all|upgradable|patchable>: test​

Options for scanning using --unmanaged

--org=<ORG_ID>: test, monitor​
--json: test, monitor​
--json-file-output=<OUTPUT_FILE_PATH>: test, monitor​
--target-reference=<TARGET_REFERENCE>: monitor​
--target-dir: test, monitor​
--max-depth: test, monitor​
--project-name=c-project: monitor​
​
​

-- [<CONTEXT-SPECIFIC_OPTIONS>]

These options are used with the snyk test and snyk monitor commands. See the help docs for snyk test and snyk monitor for details.
Previous
How to find vulnerabilities using the CLI
Next
Test for vulnerabilities
Last modified 8d ago
Export as PDF
Copy link
Edit on GitHub
Contents
Usage
Description
Available CLI commands
snyk auth
snyk test
snyk monitor
snyk container
snyk iac
snyk iac describe
snyk iac update-exclude-policy
snyk iac test
snyk code
snyk log4shell
snyk config
snyk policy
snyk ignore
New CLI commands
snyk fix
snyk apps
Subcommands of CLI commands
Exit codes
Configure the Snyk CLI
Debug
Options for multiple commands
snyk container command options
snyk iac test command options
snyk iac describe command options
snyk iac gen-driftignore command options
snyk ignore command options
Debug
Options for Maven projects
Options for Gradle projects
Options for .Net and NuGet projects
Options for npm projects
Options for Yarn projects
Options for CocoaPods projects
Options for Python projects
Options for Go projects
Options for scanning using --unmanaged
-- [<CONTEXT-SPECIFIC_OPTIONS>]