Technical specifications and guidance
Snyk Open Source
How Snyk for Open Source and licensing works
Before testing your Open Source Project for vulnerabilities, with limited exceptions, you must build your Project. For details, see Open Source Projects that must be built before testing with the Snyk CLI.
Snyk builds a dependency graph (dependency tree) and then uses the vulnerability database to find vulnerabilities in any of the packages anywhere in that tree.
Snyk analyzes and builds the dependencies tree depending on the language and package manager for the Project, as well as the location of the Project.
Only official releases are tracked. Commits, including into the default branch, are not identified unless included in an official release or tag.
In the case of Projects that have a package manager, this means a release of the package manager.
In the case of Go and Unmanaged scans (C/C++) this requires an official release or tag on the GitHub repo.
Snyk policies in Open Source
For information on managing dependencies and vulnerabilities from your developer workflows through the use of policies, see:
Open Source license compliance
To check compliance for open source licenses, see Snyk License Compliance Management.
Snyk Code
Supported file extensions for Snyk Code
| Language | Yes/No | File extensions |
| --- | --- | --- |
| Apex | Yes | .cls, .trigger, .tgr |
| C/C++ | Yes | .c, .cc, .cpp, .cxx, .h, .hpp, .hxx |
| CSharp | Yes | .aspx, .cs |
| Go | Yes | .go |
| Java | Yes | .java, .jsp, .jspx |
| JavaScript/TypeScript | Yes | .ejs, .es, .es6, .htm, .html, .js, .jsx, .ts, .cts, .mts, .tsx, .vue, .mjs, .cjs |
| Kotlin | Yes | .kt |
| PHP | Yes | .php, .phtml, .module, .inc, .install, .theme, .profile |
| Python | Yes | .py |
| Ruby | No | .erb, .haml, .rb, .rhtml, .slim |
| Scala | Yes | .scala |
| Swift | Yes | .swift |
| Visual Basic | Yes | .vb |
File size limit for Snyk Code analysis
Snyk Code automatically excludes the following files from analysis:
On the Web UI - files that are larger than 1MB.
On the CLI and IDE - files that are larger than 1MB.
Minified JS files with 3 or fewer lines.
Filename length limitation
The analysis is available only for files with names shorter than or equal to 255 characters. If the filename exceeds this limit, you receive an error. To ensure that all files are being analyzed, Snyk recommends shortening long filenames.
Unicode character encoding
Snyk Code only accepts source code files in UTF-8 encoding. Consider converting source files to this encoding type before importing them into Snyk.
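The three limits above (1MB size, 255-character filenames, UTF-8 only, plus the minified-JS exclusion) are easy to check before importing a repository. The following script is an added example, not Snyk's own code: it walks a directory and reports every file Snyk Code would skip, with the reason. The minified-JS heuristic (3 or fewer lines and a line longer than 500 characters) is an assumption, not the rule Snyk applies.

```python
import os
from typing import List, Tuple

# Thresholds taken from the page: 1MB size limit, 255-character filename
# limit, UTF-8 only, and minified JS files with 3 or fewer lines.
MAX_BYTES = 1 * 1024 * 1024
MAX_NAME_LEN = 255
JS_EXTENSIONS = {".js", ".mjs", ".cjs", ".jsx"}

def looks_minified_js(path: str, data: bytes) -> bool:
    """Assumed heuristic (not Snyk's own rule): a JS file with 3 or fewer
    lines where some line is longer than 500 characters is treated as minified."""
    _, ext = os.path.splitext(path)
    if ext.lower() not in JS_EXTENSIONS:
        return False
    lines = data.splitlines()
    return len(lines) <= 3 and any(len(line) > 500 for line in lines)

def check_file(path: str) -> List[str]:
    """Return the reasons this file would be excluded from Snyk Code analysis."""
    reasons = []
    if len(os.path.basename(path)) > MAX_NAME_LEN:
        reasons.append("filename longer than 255 characters")
    size = os.path.getsize(path)
    if size > MAX_BYTES:
        reasons.append(f"file is {size} bytes, over the 1MB limit")
        return reasons  # do not read oversized files into memory
    with open(path, "rb") as fh:
        data = fh.read()
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        reasons.append("not valid UTF-8")
    if looks_minified_js(path, data):
        reasons.append("minified JS with 3 or fewer lines")
    return reasons

def find_excluded(root: str) -> List[Tuple[str, List[str]]]:
    """Walk root and report every file Snyk Code would skip, with reasons."""
    excluded = []
    for dirpath, dirnames, filenames in os.walk(root):
        # skip VCS metadata and installed dependencies, which are not source
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = check_file(path)
            if reasons:
                excluded.append((os.path.relpath(path, root), reasons))
    return excluded

if __name__ == "__main__":
    import sys
    for rel, why in find_excluded(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {'; '.join(why)}")
```

Run it against the repository root before `snyk code test`; an empty report means no file will be silently excluded for these reasons.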
Framework support
To support a specific framework, Snyk Code must both support the relevant language and be trained on Projects using the framework. The found patterns are then annotated by the security team and extended by curated content.
Most frameworks are partially supported out of the box, as Snyk Code needs only to parse the code to analyze it. In some cases, frameworks may require specific rules, or require specific program analysis engine updates, or both.
If you notice any gaps in support for a specific framework, contact Snyk Support.
Framework support levels
Snyk categorizes framework support into two levels: Comprehensive and Partial.
Comprehensive support indicates the following:
Sources and sinks: Snyk has thoroughly identified and included all relevant sources and sinks.
Data flow testing: Extensive testing has been conducted to ensure comprehensive data flow coverage.
Engine support: The Snyk Code engine is fully optimized for this framework.
Limitations: Snyk is unaware of any limitations. If you encounter a false negative, please report it to Snyk Support.
Partial support indicates the following:
Sources and sinks: Snyk coverage is limited, and some sources, sanitizers, or sinks may be missing.
Data flow testing: Snyk has conducted some testing.
Engine support: Compatibility of the engine with this framework is limited, potentially affecting analysis accuracy.
Limitations: False negatives in taint analysis or source and sink identification may still occur.
Partial support for a framework typically involves a mix of these factors. For instance, some sources or sinks may be missing, and while the engine might offer better support, further data flow testing has not been conducted to ensure the analysis is fully reliable.
Snyk continually expands framework coverage and improves the accuracy of analysis.
How Snyk Code analysis works
Snyk scans your codebase following this sequence:
The source code is analyzed, generating an event graph. The event graph is similar to a code map that helps Snyk understand how different parts of the code are related. There are two node types, and each node in the graph represents something that happens in the code: some nodes represent parts of the code, and others represent how the code is used.
Rules are run against the event graph to find matches. The rules act as a checklist of known vulnerabilities that Snyk looks for in the event graph.
If a match is found, Snyk looks for a vulnerability in the event graph, identifying where problems might be hiding in the code.
For more information, see Snyk Code AI Engine. For more information about Snyk Code language support, see Supported languages, package managers, and frameworks (Snyk Code).
Language support and CLI, CI/CD, and SCM integrations
CLI for Snyk Code
To start testing your code using Snyk Code through the CLI, open your repository in a terminal and run snyk code test.
For information about customizing test options, running other commands, excluding directories and files, and viewing and exploring the results in different formats, see the following:
After you have run snyk code test, you can:
CLI for Snyk Open Source
Ensure you have installed the relevant package manager and you have included the relevant manifest files supported by Snyk before testing.
To test your Open Source Project for vulnerabilities, run the snyk test command.
Steps to start using SCM integrations
For details, see Snyk SCM integrations.
For language-specific information, see Git repositories with Maven and Gradle, Git repositories and JavaScript, and Git repositories and Python.