Getting started with the Snyk CLI
The Snyk CLI brings the functionality of Snyk into your development workflow. You can run the CLI locally from the command line or in an IDE. You can also run the CLI in your CI/CD pipeline. The following shows an example of Snyk CLI test command output.
Snyk CLI test command output
This page explains how to install, authenticate, and start scanning using the CLI. Snyk also has an onboarding wizard to guide you through these steps. For a demonstration, view Starting with Snyk: an overview of the CLI onboarding flow.
Note: Before you can use the CLI for Open Source scanning, you must install your package manager. The needed third-party tools, such as Gradle or Maven, must be in the
After authenticating, you can test your installation. For a quick test, run
Alternatively, you can perform a quick test on a public npm package, for example:
snyk test ionic
Look at the test command report in your terminal. The report shows the vulnerabilities Snyk found in the package. For each issue found, Snyk reports the severity, provides a link to a detailed description, shows the dependency path through which the vulnerable module got into your Project, and provides guidance on how to fix the problem.
Note: Before using the Snyk CLI to test your Open Source Project for vulnerabilities, with limited exceptions, you must build your Project. For details, see Which Projects must be built before testing with CLI?
In addition, depending on the language of your open-source Project, you may need to set up your language environment before using the Snyk CLI. For details, refer to Supported languages, frameworks, and feature availability overview.
After you have installed the CLI and authenticated your machine, to scan an open-source Project, change the current directory to a folder containing a supported package manifest file, such as composer.lock, and then run snyk test:
cd /my/project/
snyk test
All vulnerabilities identified are listed, including their path and fix guidance.
To scan your source code, run:
snyk code test
You can scan a Docker image by its tag, for example:
snyk container test ubuntu:18.04
To scan a Kubernetes (K8s) file, run:
snyk iac test /path/to/kubernetes_file.yaml
For details about using the Snyk CLI to scan each content type, see the following:
Snyk can periodically monitor your Open Source or Container Project and alert you to new vulnerabilities. To set up your Project to be monitored, run snyk monitor (for Open Source Projects) or snyk container monitor (for container images).
This creates a snapshot of your current dependencies so Snyk can rescan them regularly. Snyk can then alert you about newly disclosed vulnerabilities as they are introduced, or when a previously unavailable patch or upgrade path becomes available. The following shows example output of snyk monitor:
> snyk monitor
Monitoring /project (project-name)...
Explore this snapshot at
Notifications about newly disclosed issues related to these
dependencies will be emailed to you.
Snyk monitor snapshot and scan results
Snyk allows unlimited tests for public repositories. On the Free plan you have a limited number of tests per month; paid plans have unlimited tests on private and public repositories. If you are on the Free plan and notice that your test count is being used up quickly even for public repositories, tell Snyk the public URL of the repository that the CLI is scanning. Snyk then does not count that public repository towards the test limit.
If you run out of tests on an open-source Project, follow these steps:
- Open the Snyk UI and navigate to the settings of the Project.
- Enter the URL of your open-source repository in the Git remote URL field.
Among the CLI options, the following are particularly useful:
--severity-threshold=low|medium|high|critical: Report only vulnerabilities of the specified level or higher.
--json: Print results in JSON format.
--all-projects: Auto-detect all Projects in the working directory.
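The following shell script is an added example, not code from the Snyk documentation or the Snyk CLI project. It ties together the scanning procedure above, the monitor step and the options just listed into a build gate that a CI job can run. It assumes the CLI is on PATH and the Project is already built, that the API token is supplied through the SNYK_TOKEN environment variable, and that snyk test uses its documented exit codes (0 no issues, 1 issues found, 2 CLI failure, 3 no supported Projects). The report file name snyk-report.json, the SNYK_SEVERITY, SNYK_REPORT, SNYK_MONITOR and SNYK_GATE_RUN switches, and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Snyk docs or the Snyk CLI project): a CI gate around
# `snyk test` and `snyk monitor` using --all-projects, --severity-threshold and a
# JSON report file.
# Assumptions (this example's own): the CLI is on PATH, the Project is built, the
# token comes from SNYK_TOKEN, and `snyk test` exits with its documented codes:
#   0 = no issues, 1 = issues found, 2 = CLI failure, 3 = no supported Projects.

SEVERITY="${SNYK_SEVERITY:-high}"          # lowest severity that fails the build
REPORT="${SNYK_REPORT:-snyk-report.json}"  # JSON output kept as a CI artifact

# Accept only the values --severity-threshold understands.
valid_threshold() {
  case "$1" in
    low|medium|high|critical) return 0 ;;
    *) return 1 ;;
  esac
}

# Translate a `snyk test` exit code into a verdict word.
snyk_verdict() {
  case "$1" in
    0) echo clean ;;
    1) echo vulnerable ;;
    2) echo error ;;
    3) echo no-projects ;;
    *) echo unknown ;;   # e.g. 127 when the CLI is not installed at all
  esac
}

# Scan the directory given as $1. Returns 0 to pass the build, 1 when issues at or
# above the threshold were found, and 2 for anything else: a broken or missing scan
# must never be mistaken for a clean one.
snyk_gate() {
  dir="${1:-.}"
  if ! valid_threshold "$SEVERITY"; then
    echo "invalid SNYK_SEVERITY '$SEVERITY' (use low|medium|high|critical)" >&2
    return 2
  fi
  rc=0
  # cd into the Project as the page describes; --json-file-output keeps the
  # human-readable report on the terminal and writes the JSON beside it.
  (cd "$dir" && snyk test --all-projects --severity-threshold="$SEVERITY" \
      --json-file-output="$REPORT") || rc=$?
  verdict=$(snyk_verdict "$rc")
  echo "snyk test: $verdict (exit $rc, threshold=$SEVERITY, report=$dir/$REPORT)"
  case "$verdict" in
    clean) return 0 ;;
    vulnerable) return 1 ;;
    *) return 2 ;;
  esac
}

# Record a snapshot so Snyk re-checks these dependencies as new advisories appear.
snyk_snapshot() {
  (cd "${1:-.}" && snyk monitor --all-projects)
}

main() {
  dir="${1:-.}"
  if [ -z "${SNYK_TOKEN:-}" ]; then
    echo "SNYK_TOKEN is not set; export it in CI (locally, run 'snyk auth' instead)" >&2
    exit 2
  fi
  rc=0
  snyk_gate "$dir" || rc=$?
  # Snapshot only builds that passed, and only when the pipeline asks for it
  # (for example on the default branch), so a failed scan is never recorded as clean.
  if [ "$rc" -eq 0 ] && [ "${SNYK_MONITOR:-0}" = 1 ]; then
    snyk_snapshot "$dir" || rc=2
  fi
  exit "$rc"
}

# Run only when explicitly asked, so the functions can also be sourced by other scripts.
if [ "${SNYK_GATE_RUN:-0}" = 1 ]; then
  main "$@"
fi
```

Run it from the pipeline as SNYK_GATE_RUN=1 SNYK_SEVERITY=high SNYK_MONITOR=1 sh snyk-gate.sh /my/project/. The point of the verdict mapping is that exit codes 2 and 3 fail the build rather than pass it: a missing package manager or an unbuilt Project (see the notes above) then surfaces as a pipeline error instead of a false clean result.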
The Snyk CLI project is open-source, but Snyk does not encourage outside contributors.