SupportAPI docsProduct updatesSign up for free
Search…
Snyk User Documentation
Introducing Snyk
Getting started
Snyk CLI
Getting started with the CLI
How to find vulnerabilities using the CLI
CLI reference
Test for vulnerabilities
The .snyk file
How to use the log4shell command
Set severity thresholds for CLI tests
Use Snyk Open Source from the CLI
Use a .snyk policy file in a different directory from the manifest file
Test public repositories before use
Test public npm packages before use
Why is my setup.py file failing to scan or finding 0 dependencies?
Scan all unmanaged JAR files
Advanced failing of builds in Snyk CLI
Fix vulnerabilities from the CLI
Secure your projects in the long term
CLI commands help
Install or update the Snyk CLI
Authenticate the CLI with your account
Configure the Snyk CLI
Create a Snyk App using the Snyk CLI
Snyk API
Snyk for IDEs
Snyk Apps
Snyk Integrations
SNYK PRODUCTS
Snyk Open Source
Snyk Code
Snyk Container
Snyk Infrastructure as Code
USING SNYK
Snyk Broker
User and group management
Fixing and prioritizing issues
Reports
More Snyk Tools
SNYK INFO
Disclosing vulnerabilities
How Snyk handles your data
SNYK TUTORIALS
Getting Started
Amazon Web Services
Atlassian
CircleCI
Docker
Dynatrace
GCP
GitHub
Microsoft Azure
Oracle Cloud Infrastructure
Red Hat
SpringOne
Powered By GitBook
Advanced failing of builds in Snyk CLI
The Snyk CLI provides the following options when failing your builds:
1
--severity-threshold=low|medium|high
Copied!
Only report vulnerabilities of provided level or higher.
1
--fail-on=all|upgradable|patchable
Copied!
Only fail when there are vulnerabilities that can be fixed.
1
--fail-on=all
Copied!
Fail when there is at least one vulnerability that can be either upgraded or patched.
1
--fail-on=upgradable
Copied!
Fail when there is at least one vulnerability that can be upgraded.
1
--fail-on=patchable
Copied!
Fail when there is at least one vulnerability that can be patched. If vulnerabilities do not have a fix and this option is being used, tests pass.
The Snyk CLI on its own does not have the capability natively to fail tests on more complex use cases. Here are some ways to achieve more complex pass/fail criteria.

Combining security policies with --severity-threshold

​Security policies provide the capability to change the severity of a vulnerability if the severity matches specific criteria when a project is tested against an organization using that policy. You could, for example, change the severity of a vulnerability from high to low, and if you run snyk test with the CLI with
1
--severity-threshold=medium|high
Copied!
this previously high severity vulnerability no longer fails the build.
Security policies do not have all attributes available for criteria matching. Refer to the security policy configuration to see what is available as it is added to over time.
Here is an example of snyk test using --severity-threshold=high running against a default organization with no policy applied to it.
Test against a default organization with no policy applied to it
Here is an example snyk test using --severity-threshold=high running against an organization with a policy that downgrades this particular vulnerability severity to low. There are no vulnerabilities found.
Test against an organization with a policy applied

Companion tools

The following discusses use of snyk-delta or snyk-filter, open source companion tools for the Snyk CLI.
snyk-delta finds the delta of vulnerabilities between the current test and a previously monitored snapshot.
snyk-delta is available from npmjs.org, and may be pulled into your CI/CD pipeline using
1
npm install -g snyk-delta
Copied!
snyk-filter provides for user-defined pass/fail criteria based on any available data in the snyk test JSON output.
snyk-filter is available from npmjs.org and may be pulled into your CI/CD pipeline using npm install
1
npm install -g snyk-filter
Copied!

Fail current build only if new vulnerabilities are being introduced

Inline mode

1
snyk test --json --print-deps | snyk-delta
Copied!
Possibly point to a specific snapshot by specifying org + project coordinates
1
snyk test --json --print-deps | snyk-delta --baselineOrg xxx --baselineProject xxx
Copied!

Standalone

1
snyk-delta --baselineOrg xxx --baselineProject xxx --currentOrg xxx --currentProject xxx
Copied!
Refer to the snyk-delta project on GitHub for more information.

Fail build for CVSS score higher than ...

1
snyk test --json | snyk-filter -f /path/to/example-cvss-9-or-above.yml
Copied!

Custom criteria and filtering

snyk-filter can utilize any combination of criteria available in the snyk test JSON output.
You may also have different criteria for display from what will fail the build. This allows you to do things like display all vulnerabilities in the test output, while failing only on some specific criteria.
Refer to the snyk-filter project on GitHub for examples and more information.
Previous
Scan all unmanaged JAR files
Next
Fix vulnerabilities from the CLI
Last modified 1mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
Combining security policies with --severity-threshold
Companion tools
Fail current build only if new vulnerabilities are being introduced
Fail build for CVSS score higher than ...
Custom criteria and filtering