Snyk CLI with Maven and Gradle

The Snyk CLI tests Maven and Gradle Projects as follows:

Snyk CLI with Gradle: To build the dependency graph, Snyk integrates with Gradle and inspects the dependencies returned by the build. The following manifest files are supported: build.gradle (Groovy DSL) and build.gradle.kts (Kotlin DSL).
Snyk CLI with Maven: To build the dependency tree, Snyk analyzes the output of the pom.xml files.

The following lists steps to start scanning your dependencies. It covers basic commands, such as snyk test and snyk monitor. To check the full list, see CLI commands and options summary.

Package manager Test help Monitor help

Package manager	Test help	Monitor help
Maven	`--maven-aggregate-project`ℹ️ See the Options for Maven Projects page for more details. Example for aggregate projects: `snyk test --maven-aggregate-project`Example for non-aggregate projects: `snyk test --all-projects`ℹ️ Be sure to execute the options in the same directory as the root pom.xml file.	`--maven-aggregate-project`ℹ️ See the Options for Maven Projects page for more details. Example for aggregate projects: `snyk monitor --maven-aggregate-project`Example for non-aggregate projects: `snyk monitor --all-projects`ℹ️ Be sure to execute the options in the same directory as the root pom.xml file.
Gradle	`--sub-project=<NAME>`, `--gradle-sub-project=<NAME>` - Test a specific Gradle sub-project. `--all-sub-projects` - Test all Gradle sub-projects. `--all-projects` - Test all Gradle projects. `--configuration-matching=<CONFIGURATION_REGEX>` - Resolve dependencies using only configuration(s) that match the specified Java regular expression. -`-configuration-attributes=<ATTRIBUTE>[,<ATTRIBUTE>]...`- Select certain values of configuration attributes to install and resolve dependencies. `--init-script=<FILE>` - Used for projects with a Gradle initialization script. ℹ️ See the Options for Gradle Projects page for more details.	`--sub-project=<NAME>`, `--gradle-sub-project=<NAME>` - Monitor a specific Gradle sub-project. `--all-sub-projects` - Monitor all Gradle sub-projects. `--all-projects` - Monitor all Gradle projects. `--configuration-matching=<CONFIGURATION_REGEX>` - Resolve dependencies using only configuration(s) that match the specified Java regular expression. `--configuration-attributes=[,]...` - Select certain values of configuration attributes to install dependencies and perform dependency resolution. `--init-script=<FILE>` - Used for projects with a Gradle initialization script. ℹ️ See the Options for Gradle Projects page for more details.
Build tools	`snyk test -- [<context-specific_options>]`ℹ️ See the Options for build tools page for more details.	`snyk monitor -- [<context-specific_options>]`ℹ️ See the Options for build tools page for more details.
Unmanaged JAR files	`--scan-unmanaged` - Test unmanager files `--scan-unmanaged --file=<JAR_FILE_NAME>` - Test individual JAR, WAR, and AAR files `--scan-all-unmanaged` - Auto-detect Maven, JAR, WAR, and AAR files recursively from the current folder. ℹ️ See the Options for unmanaged JAR files page for more details.	`--sub-project=<NAME>`, `--gradle-sub-project=<NAME>` - Monitor a specific Gradle sub-project. `--all-sub-projects` - Monitor all Gradle sub-projects. `--all-projects` - Monitor all Gradle projects. `--configuration-matching=<CONFIGURATION_REGEX>` - Resolve dependencies using only configuration(s) that match the specified Java regular expression. `--init-script=<FILE>` - Used for projects with a Gradle initialization script. ℹ️ See the Options for unmanaged JAR files page for more details.

Maven

--maven-aggregate-projectℹ️ See the Options for Maven Projects page for more details. Example for aggregate projects: snyk test --maven-aggregate-projectExample for non-aggregate projects: snyk test --all-projectsℹ️ Be sure to execute the options in the same directory as the root pom.xml file.

--maven-aggregate-projectℹ️ See the Options for Maven Projects page for more details. Example for aggregate projects: snyk monitor --maven-aggregate-projectExample for non-aggregate projects: snyk monitor --all-projectsℹ️ Be sure to execute the options in the same directory as the root pom.xml file.

Gradle

--sub-project=<NAME>, --gradle-sub-project=<NAME> - Test a specific Gradle sub-project.

--all-sub-projects - Test all Gradle sub-projects.

--all-projects - Test all Gradle projects.

--configuration-matching=<CONFIGURATION_REGEX> - Resolve dependencies using only configuration(s) that match the specified Java regular expression.

--configuration-attributes=<ATTRIBUTE>[,<ATTRIBUTE>]...- Select certain values of configuration attributes to install and resolve dependencies.

--init-script=<FILE> - Used for projects with a Gradle initialization script.

ℹ️ See the Options for Gradle Projects page for more details.

--sub-project=<NAME>, --gradle-sub-project=<NAME> - Monitor a specific Gradle sub-project.

--all-sub-projects - Monitor all Gradle sub-projects.

--all-projects - Monitor all Gradle projects.

--configuration-matching=<CONFIGURATION_REGEX> - Resolve dependencies using only configuration(s) that match the specified Java regular expression.

--configuration-attributes=[,]... - Select certain values of configuration attributes to install dependencies and perform dependency resolution.

--init-script=<FILE> - Used for projects with a Gradle initialization script. ℹ️ See the Options for Gradle Projects page for more details.

Build tools

snyk test -- [<context-specific_options>]ℹ️ See the Options for build tools page for more details.

snyk monitor -- [<context-specific_options>]ℹ️ See the Options for build tools page for more details.

Unmanaged JAR files

--scan-unmanaged - Test unmanager files

--scan-unmanaged --file=<JAR_FILE_NAME> - Test individual JAR, WAR, and AAR files

--scan-all-unmanaged - Auto-detect Maven, JAR, WAR, and AAR files recursively from the current folder. ℹ️ See the Options for unmanaged JAR files page for more details.

--sub-project=<NAME>, --gradle-sub-project=<NAME> - Monitor a specific Gradle sub-project.

--all-sub-projects - Monitor all Gradle sub-projects.

--all-projects - Monitor all Gradle projects.

--configuration-matching=<CONFIGURATION_REGEX> - Resolve dependencies using only configuration(s) that match the specified Java regular expression.

--init-script=<FILE> - Used for projects with a Gradle initialization script. ℹ️ See the Options for unmanaged JAR files page for more details.

CLI help for Maven Projects

A Maven aggregate Project is one that uses modules and inheritance.

When scanning these types of Projects, Snyk performs a compile to ensure all modules are fixable by the Maven reactor.

To scan aggregate Projects, use the --maven-aggregate-project option:
```
snyk test --maven-aggregate-project
```
To scan non-aggregate Projects, use the --all-projects option:
```
snyk test --all-projects
```

The same options can be used with snyk monitor.

Be sure to execute the options in the same directory as the root pom.xml file.

Each of the individual sub-projects appears as a separate Snyk Project in the Web UI.

Examples of how to use Maven-specific options with the Snyk CLI

Test a specific Maven profile called “prod”.

snyk test -- -prod

Add a system property from your pom.xml file.

Example:

The package version appears in your pom.xml

${pkg_version}

Define the system property like this:

snyk test -- -Dpkg_version=1.4

CLI help for Gradle Projects

Gradle build can consist of several sub-projects, where each sub-project has its own build.gradle, while the root Project is the only one that also includes a settings.gradle file. Sub-projects depend on the root ProjectProjects but can be configured otherwise.

By default, Snyk CLI scans only the current Project, the Project in the root of the current folder, or the Project that is specified by --file=path/to/build.gradle).

To scan all Projects at once (recommended), use the --all-sub-projects option:
```
snyk test --all-sub-projects
```

Each of the individual sub-projects appears as a separate Snyk Project in the Web UI.

To scan a specific Project (for example, myapp):
```
snyk test --sub-project=myapp
```

Examples of how to use Gradle-specific options with the Snyk CLI

Use a specific configuration(s): if you know of a build configuration that has all the required attributes and the configuration is identical across all sub-projects included in the test, specify that configuration. For example:
```
--configuration-matching=prodReleaseRuntimeClasspath
```
Explicitly specify the dependency configuration: modify intra-project dependencies in your build.gradle file(s) to use a specific configuration
```
  dependencies {
      implementation project(path: ':mymodulewithvariants', configuration: 'default')
  }
```
Suggest configuration attributes: if you receive an error when running the command, the error may indicate which attribute values are available, while the error details from Gradle also indicate which dependency variants match which attributes. Using these details, add the attribute filter option. For example:
```
snyk test --configuration-attributes=buildtype:release,usage:java-runtime,mode:demo
```
matches the variants using com.android.build.api.attributes.BuildTypeAttr=release and org.gradle.usage=java-runtime

PreviousJava and Kotlin for open source NextGit repositories with Maven and Gradle

Last updated 4 days ago