snyk-delta

This tool provides the means to get the delta between two Snyk snapshots. This is especially useful when you are running CLI-based scans, such as in your local environment, githooks, and so on.

snyk-delta compares snapshots to provide details about:

  • New vulnerabilities not found in the baseline snapshot

  • New license issues not found in the baseline snapshot

  • Dependency delta between the two snapshots:

    • Direct dependencies added and removed

    • Indirect dependencies added and removed

    • Flag path(s) carrying new vulnerabilities

Prerequisites

  • Snyk Enterprise plan (requires the Snyk API)

  • Your Project must be monitored

Installation

npm i -g snyk-delta

or

Download a binary of your choice from the release page

Usage

You can use this tool inline or as a standalone command.

Inline operations

Use snyk test --json --print-deps | snyk-delta

  • You may point to a specific snapshot by specifying org+project coordinates: snyk test --json --print-deps | snyk-delta --baselineOrg xxx --baselineProject xxx

  • Use --setPassIfNoBaseline if used with snyk-prevent_commit_status and the Project is not monitored. This prevents snyk-prevent_commit_status from failing. setPassIfNoBaseline defaults to false: snyk test --json --print-deps | snyk-delta --baselineOrg xxx --baselineProject xxx --setPassIfNoBaseline true

The --baselineProject value is expected to be a UUID, not a name. Check the Snyk Web UI or API to retrieve those UUIDs.

Standalone operations

Use snyk-delta --baselineOrg xxx --baselineProject xxx --currentOrg xxx --currentProject xxx --setPassIfNoBaseline false

Usage as module

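import { readFileSync } from 'fs'
import { getDelta } from 'snyk-delta'

// Output of `snyk test --json --print-deps`, saved to a file beforehand (the file name is only an example)
const jsonResultsFromSnykTest = readFileSync('snyk-test-output.json', 'utf8')

const result = await getDelta(jsonResultsFromSnykTest);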

The result is a number:

  • 0: no new issue

  • 1: new issue(s) or when using StrictMode and the unmonitored Project has issues (See more details in StrictMode.)

  • 2: for errors like invalid auth

Details for issues will be listed on stdout.
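A git hook wrapper around the inline pipeline, as an added example that is not part of the snyk-delta project. It assumes the CLI exits with the same 0/1/2 values listed above for the module result; SNYK_BIN, SNYK_DELTA_BIN and DELTA_ON_ERROR are hypothetical variables of this example, not snyk-delta options.

```sh
#!/bin/sh
# Added example: gate a commit or push on snyk-delta's result.
# SNYK_BIN, SNYK_DELTA_BIN and DELTA_ON_ERROR are hypothetical knobs of this
# example (they also let the commands be swapped out for testing).
SNYK_BIN="${SNYK_BIN:-snyk}"
SNYK_DELTA_BIN="${SNYK_DELTA_BIN:-snyk-delta}"

# delta_gate [snyk-delta args...]
# Returns 0 to allow the operation, 1 for new issues, 2 for a tool error.
delta_gate() {
  rc=0
  # Do not enable `set -o pipefail` around this pipeline: `snyk test` exits 1
  # whenever it finds any vulnerability, including ones already present in
  # the baseline. Without pipefail the status is snyk-delta's own exit code.
  "$SNYK_BIN" test --json --print-deps | "$SNYK_DELTA_BIN" "$@" || rc=$?

  case "$rc" in
    0) echo "snyk-delta: no new issues" >&2
       return 0 ;;
    1) echo "snyk-delta: new issue(s) compared to the baseline, blocking" >&2
       return 1 ;;
    *) # 2 = errors such as invalid auth; any other status (for example 127,
       # command not found) is handled the same way.
       echo "snyk-delta: scan did not complete (exit $rc)" >&2
       if [ "${DELTA_ON_ERROR:-block}" = "allow" ]; then
         echo "snyk-delta: DELTA_ON_ERROR=allow, continuing unscanned" >&2
         return 0
       fi
       return 2 ;;
  esac
}

# Example call from a hook, after sourcing this file:
#   delta_gate --baselineOrg xxx --baselineProject xxx || exit 1
```

The default treats a scan error as a block, so an expired token cannot silently turn the hook into a pass.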

Help for snyk-delta

Use -h to display help.

StrictMode

When snyk-delta compares test results, it tries to find the same Project monitored on the Snyk platform. If no monitored Project is found, snyk-delta returns all the issues found by the CLI scan, essentially acting as a pass-through.

The return code is 0 if there are no issues, 1 if issues are found.

Caution

Usage as a module requires a list of issues coming from the Snyk CLI. snyk-delta is not compatible with data coming straight from Snyk APIs.

all-projects

snyk-delta does not support the --all-projects option, but you can try using snyk_delta_all_projects.sh as a workaround until it does.

Troubleshooting for snyk-delta

If you have trouble, you can try the following:

  • Run the snyk test -d step first and ensure it works.

  • If you are using the delta allprojects script, try removing it and testing the Projects individually.

  • If no baseline is found, ensure there is an existing monitored Project first, and check the .git metadata if you are trying to match against an SCM-monitored Project.

If you need help, contact Snyk Support.
