snyk-delta
This tool provides the means to get the delta between two Snyk snapshots. This is especially useful when you are running CLI-based scans, such as in your local environment, githooks, and so on.
snyk-delta compares snapshots to provide details about:
New vulnerabilities not found in the baseline snapshot
New license issues not found in the baseline snapshot
Dependency delta between the two snapshots:
Direct dependencies added and removed
Indirect dependencies added and removed
Flag path(s) carrying new vulnerabilities
Prerequisites
Snyk Enterprise plan (requires the Snyk API)
Your Project to be monitored
Installation
npm i -g snyk-delta
or
Download a binary of your choice from the release page
Usage
You can use this tool inline or as a standalone command.
Inline operations
Use snyk test --json --print-deps | snyk-delta
You may point to a specific snapshot by specifying org+project coordinates:
snyk test --json --print-deps | snyk-delta --baselineOrg xxx --baselineProject xxx
Use --setPassIfNoBaseline if used with snyk-prevent_commit_status and the Project is not monitored. This prevents snyk-prevent_commit_status from failing. setPassIfNoBaseline defaults to false.
snyk test --json --print-deps | snyk-delta --baselineOrg xxx --baselineProject xxx --setPassIfNoBaseline true
The BaselineProject value is expected to be a UUID, not a name. Check the Snyk Web UI or API to retrieve those UUIDs.
Standalone operations
Use snyk-delta --baselineOrg xxx --baselineProject xxx --currentOrg xxx --currentProject xxx --setPassIfNoBaseline false
Usage as module
The result is a number:
0: no new issue
1: new issue(s) or when using StrictMode and the unmonitored Project has issues (See more details in StrictMode.)
2: for errors like invalid auth
Details for issues will be listed on stdout.
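A gate for git hooks or CI steps built on the inline pipeline and the result codes above. This is an added example, not part of the snyk-delta project; it assumes the snyk-delta exit status carries the 0/1/2 result, and run_delta, delta_gate, SNYK_TEST_CMD and SNYK_DELTA_CMD are names made up for it.

```shell
#!/bin/sh
# Added example: gate a git hook or CI step on the snyk-delta result.
# Assumption: the snyk-delta exit status carries the 0/1/2 result listed above.

# Overridable so the gate can be exercised offline with stand-in commands.
SNYK_TEST_CMD=${SNYK_TEST_CMD:-"snyk test --json --print-deps"}
SNYK_DELTA_CMD=${SNYK_DELTA_CMD:-"snyk-delta"}

# Inline pipeline from the page. Do not enable `pipefail` here: `snyk test`
# exits 1 when it finds any vulnerability, baseline ones included, so only the
# status of the last command (snyk-delta) should decide the outcome.
run_delta() {
    $SNYK_TEST_CMD | $SNYK_DELTA_CMD "$@"
}

# Returns 0 to allow the commit/build and 1 to block it.
# Errors (2) and unknown statuses fail closed, so an expired token or a
# missing binary never lets new vulnerabilities through unnoticed.
delta_gate() {
    status=0
    run_delta "$@" || status=$?
    case "$status" in
        0) echo "snyk-delta: no new issues" >&2; return 0 ;;
        1) echo "snyk-delta: new issue(s) found, blocking" >&2 ;;
        2) echo "snyk-delta: error such as invalid auth, blocking" >&2 ;;
        *) echo "snyk-delta: unexpected status $status, blocking" >&2 ;;
    esac
    return 1
}
```

Call delta_gate --baselineOrg xxx --baselineProject xxx as the last command of the hook or CI step, so that its return value becomes the step's result.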
Help for snyk-delta
Use -h to display help.
StrictMode
When snyk-delta compares test results, it tries to find the same Project monitored on the Snyk platform. If no monitored Project is found, snyk-delta returns all the issues found by the CLI scan, essentially acting as a pass-through.
The return code is 0 if no issue, 1 if issues are found.
Caution
Usage as a module requires a list of issues coming from the Snyk CLI. snyk-delta is not compatible with data coming straight from Snyk APIs.
all-projects
snyk-delta does not support the --all-projects option, but you can try using snyk_delta_all_projects.sh as a workaround until it does.
Troubleshooting for snyk-delta
If you have trouble, you can try the following:
Run the Snyk test -d step first and ensure it works.
If you are using the delta allprojects script, try removing that and test the Projects individually.
If no baseline is found, ensure there is an existing monitored Project first, and check the .git metadata if you are trying to match against an SCM-monitored Project.
If you need help, contact Snyk Support.