CLI commands and options summary
Note: This page only summarizes the CLI commands and the options for each command. Be sure to use the links in this summary to look at the help for the command you are using for details. (The help in the docs is the same as the help in the CLI.)

Usage

snyk [COMMAND] [SUBCOMMAND] [OPTIONS] [PACKAGE] [CONTEXT-SPECIFIC-OPTIONS]

Description

The Snyk CLI is a build-time tool to find and fix known vulnerabilities in your projects. For a more detailed description of Snyk CLI and Snyk, see Snyk CLI. For an introduction on how to use the Snyk CLI, see Getting started with the CLI.

Available CLI commands

To learn more about each Snyk CLI command, use the --help option, for example, snyk auth --help or snyk container --help. Each command in this list is linked to the corresponding help page in these docs.
Note: Lists of all the options for Snyk CLI commands are on this page. The options are explained in detail in the help for each command.

snyk auth

Authenticate Snyk CLI with a Snyk account.

snyk test

Test a project for open source vulnerabilities and license issues.
Snapshot and continuously monitor a project for open source vulnerabilities and license issues.
Test container images for vulnerabilities.

snyk iac

The snyk iac subcommands find and report security issues in Infrastructure as Code files; detect, track, and alert on infrastructure drift and unmanaged resources; manages ignores in the .snyk policy file.
Detect, track, and alert on infrastructure drift and unmanaged resources.
Generate exclude policy rules to be used by snyk iac describe.
Test for any known security issue.

snyk code

Find security issues using static code analysis.
Find Log4Shell vulnerability.
Manage Snyk CLI configuration.
Display the .snyk policy for a package.
Modify the .snyk policy to ignore stated issues.

New CLI commands

snyk fix

Apply the recommended updates for supported ecosystems automatically.

snyk apps

Create a Snyk App using the Snyk CLI.

Subcommands of CLI commands

The following is a list of the sub-commands for Snyk CLI commands. Each sub-command is followed by the command(s) to which the sub-command applies. The commands are linked to their help docs. For details concerning each sub-command, see the help docs.
test: subcommand of code and container
monitor: subcommand of container
get <KEY>: subcommand of config
set <KEY>=<VALUE>: subcommand of config
unset <KEY>: subcommand of config
clear: subcommand of config
0: success, no vulnerabilities found 1: action_needed, vulnerabilities found 2: failure, try to re-run command 3: failure, no supported projects

Configure the Snyk CLI

You can use environment variables to configure the Snyk CLI and also set variables to configure the Snyk CLI to connect with the Snyk API. See Configure the Snyk CLI.

Debug

Use -d option to output the debug logs for any command.

Options for multiple commands

Lists of the options for Snyk CLI commands follow. Each option is followed by the command(s) to which the option applies. The commands are linked to their help docs. For details concerning each option, see the help docs.
--all-projects: test, monitor
--fail-fast: test, monitor
--detection-depth=<DEPTH>: test, monitor, iac test
--exclude=<NAME>[,<NAME>]...>: test, monitor
--prune-repeated-subdependencies, -p: test, monitor
--print-deps: test, monitor, container
--remote-repo-url=<URL>: test, monitor, iac test
--dev: test, monitor
--file=<FILE>: test, monitor
--package-manager=<PACKAGE_MANAGER_NAME>: test, monitor
--ignore-policy: test, monitor, iac test, iac describe
--trust-policies test, monitor
--show-vulnerable-paths=<none|some|all> test
--project-name=<PROJECT_NAME>: test, monitor, container
--target-reference=<TARGET_REFERENCE>: test, monitor, iac test``
--policy-path=<PATH_TO_POLICY_FILE>: test, monitor, container, iac test, iac describe, ignore
--json-file-output=<OUTPUT_FILE_PATH>: test, code, container, iac test
--sarif: test, code, container, iac test
--sarif-file-output=<OUTPUT_FILE_PATH>: test, code, container, iac test
--severity-threshold=<low|medium|high|critical>: test, code, container, iac test
--fail-on=<all|upgradable|patchable>: container (patchable does not apply, test
--project-environment=<ENVIRONMENT>[,<ENVIRONMENT>]...>: monitor, container, iac test
--project-lifecycle=<LIFECYCLE>[,<LIFECYCLE>]...>: monitor, container, iac test
--project-business-criticality=<BUSINESS_CRITICALITY>[,<BUSINESS_CRITICALITY>]...>: monitor, container, iac test
--project-tags=<TAG>[,<TAG>]...>: monitor, container, iac test
--tags=<TAG>[,<TAG>]...>: monitor, container

snyk container command options

--app-vulns: container
--nested-jars-depth: container
--exclude-base-image-vulns: container
--platform=<PLATFORM>: container
--username=<CONTAINER_REGISTRY_USERNAME>: container
--password=<CONTAINER_REGISTRY_PASSWORD>: container

snyk iac test command options

--report: iac test
--scan=<TERRAFORM_PLAN_SCAN_MODE>: iac test
--target-name=<TARGET_NAME>: iac test
--rules=<PATH_TO_CUSTOM_RULES_BUNDLE>: iac test
--var-file=<PATH_TO_VARIABLE_FILE>: iac test

snyk iac describe command options

--from=<STATE>[,<STATE>...]: iac describe
--to=<PROVIDER+TYPE>: iac describe
--service=<SERVICE>[,<SERVICE]...>: iac describe
--all: iac describe
--only-managed: iac describe
--only-unmanaged: iac describe
--quiet: iac describe
--filter: iac describe
--html: iac describe
--fetch-tfstate-headers: iac describe
--tfc-token: iac describe
--tfc-endpoint: iac describe
--tf-provider-version: iac describe
--strict: iac describe
--deep: iac describe
--driftignore: iac describe
--tf-lockfile: iac describe
--config-dir: iac describe

snyk iac gen-driftignore command options

--output=<OUTPUT_FILE_PATH>: iac gen-driftignore
--exclude-changed: iac gen-driftignore
--exclude-missing: iac gen-driftignore
--exclude-unmanaged: iac gen-driftignore

snyk ignore command options

--id=<ISSUE_ID>: ignore
--expiry=<EXPIRY>: ignore
--reason=<REASON>: ignore
--path=<PATH_TO_RESOURCE>: ignore

Option for Maven projects

--scan-all-unmanaged: test, monitor

Options for Gradle projects

--sub-project=<NAME>, --gradle-sub-project=<NAME>: test, monitor
--all-sub-projects: test, monitor
--configuration-matching=<CONFIGURATION_REGEX>: test, monitor
--configuration-attributes=<ATTRIBUTE>[,<ATTRIBUTE>]...: test, monitor
--init-script=<FILE: test, monitor

Options for .Net and NuGet projects

--assets-project-name: test, monitor
--packages-folder: test, monitor
--project-name-prefix=<PREFIX_STRING>: test, monitor
--project-name-prefix=my-group/: test, monitor

Options for npm projects

--strict-out-of-sync=true|false: test, monitor

Options for Yarn projects

--strict-out-of-sync=true|false: test, monitor
--yarn-workspaces: test, monitor

Options for CocoaPods projects

--strict-out-of-sync=true|false: test, monitor

Options for Python projects

--command=<COMMAND>: test, monitor
--skip-unresolved=true|false: test, monitor

Options for Go projects

Currently the following options are not supported:
--fail-on=<all|upgradable|patchable>: test

Options for scanning using --unmanaged

--org=<ORG_ID>: test, monitor
--json: test, monitor
--json-file-output=<OUTPUT_FILE_PATH>: test
--remote-repo-url=<URL>: test
--severity-threshold=<low|medium|high|critical>: test
--target-reference=<TARGET_REFERENCE>: test, monitor
--target-dir: test, monitor
--max-depth: test, monitor
--print-dep-paths: test, monitor
--project-name=c-project: monitor

-- [<CONTEXT-SPECIFIC_OPTIONS>]

These options are used with the snyk test and snyk monitor commands. See the help docs for snyk test and snyk monitor for details.