
Getting started with the CLI

Introduction to Snyk and the Snyk CLI

Snyk is a developer-first, cloud-native security tool that scans and monitors your software development projects for security vulnerabilities. Snyk scans multiple content types for security issues:

Learn more about what Snyk can do and sign up for a free account.

The Snyk CLI brings the functionality of Snyk into your development workflow. You can run the CLI locally or in your CI/CD pipeline. The following shows an example of Snyk CLI test command output.

[Image: Snyk CLI test command output example]

Snyk CLI scanning supports many languages and tools. For detailed information, see the summary of supported environments. For details about how Snyk scans each content type, see the following:

Install the Snyk CLI and authenticate your machine

To use the CLI, you must install it and authenticate your machine. See Install the Snyk CLI and the Auth command help. You can refer to the release notes for a summary of changes in each release. Before scanning your code, review the Code execution warning for Snyk CLI.

Note: Before you can use the CLI for Open Source scanning, you must install the package manager your Project uses. Any third-party tools the scan needs, such as Gradle or Maven, must be on the PATH.

You can use the CLI in your IDE or CI/CD environment. For details, see Install as part of a Snyk integration.

You can authorize the Snyk CLI in your CI/CD pipeline programmatically in either of two ways:

  • Using a SNYK_TOKEN environment variable (preferred):
    SNYK_TOKEN=<SNYK_API_TOKEN> snyk test

  • Or using the snyk auth command before testing:
    snyk auth <SNYK_API_TOKEN>
    snyk test

Test your installation

After authenticating, you can test your installation. For a quick test, run snyk --help.

Alternatively, you can perform a quick test on a public npm package, for example snyk test ionic.

Look at the test command report in your terminal. The report shows the vulnerabilities Snyk found in the package. For each issue found, Snyk reports the severity of the issue, provides a link to a detailed description, reports the path through which the vulnerable module got into your system, and provides guidance on how to fix the problem.

Scan your development Project

Note: Before using the Snyk CLI to test your Open Source Project for vulnerabilities, with limited exceptions, you must build your Project. For details, see Which projects must be built before testing with CLI?

In addition, depending on the language of your open-source Project, you may need to set up your language environment before using the Snyk CLI. For details, refer to Open Source language and package manager support.

Once you have installed the CLI and authenticated your machine, to scan an open-source Project, use cd /my/project/ to change the current directory to a folder containing a supported package manifest file, such as package.json, pom.xml, or composer.lock. Then run snyk test. All vulnerabilities identified are listed, including their path and fix guidance.

To scan your source code, run snyk code test.

You can scan a Docker image by its tag using Snyk Container by running, for example: snyk container test ubuntu:18.04.

To scan a Kubernetes (K8s) file, run the following: snyk iac test /path/to/kubernetes_file.yaml.

For details about how Snyk scans each content type, see the following:

Monitor your open-source or container Project

Snyk can monitor your Project periodically and alert you to new vulnerabilities. To set up your Project to be monitored, run snyk monitor or snyk container monitor.

This creates a snapshot of your current dependencies so Snyk can regularly scan your code. Snyk can then alert you about newly disclosed vulnerabilities as they are introduced or when a previously unavailable patch or upgrade path is created. The following code shows an example of the output of the snyk monitor command.

You can log in to the Snyk Web UI and navigate to the Projects page to see the latest snapshot and scan results:

[Image: Snyk monitor snapshot and scan results]

For more information, see Monitor your projects at regular intervals.

Running out of tests

If you run out of tests on an open-source Project, follow these steps:

  • Run snyk monitor.

  • Open the Snyk UI and go to the settings of the Project.

  • Enter the URL of your open-source repository in Git remote URI.

Additional information about the Snyk CLI

Run snyk help or see the CLI commands and options summary.

See the course Introduction to the Snyk CLI for a quick video training session.

Snyk also provides a cheat sheet (blog post) and a video tutorial.

In particular, see the information about the following options that you may find useful:

  • --severity-threshold=low|medium|high|critical: Report only vulnerabilities of the specified level or higher

  • --json: Print results in JSON format

  • --all-projects: Auto-detect all projects in the working directory
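The test report described earlier (severity, dependency path, fix guidance) and the --severity-threshold and --json options above combine naturally into a CI gate. The following is an added example, not Snyk's own code: a small Python script that parses snyk test --json output and fails the build when findings meet a severity threshold. The JSON field names (vulnerabilities, severity, from, isUpgradable, fixedIn) are assumed to match the CLI's current output and should be checked against your CLI version; the sample report is constructed, not real scan data.

```python
import json
from collections import Counter

# Severity ranking used by --severity-threshold, lowest to highest.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample shaped like `snyk test --json` output (assumed field
# names; verify against your CLI version). IDs and packages are made up.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "dependencyCount": 3,
    "vulnerabilities": [
        {"id": "SNYK-JS-EXAMPLE-0001", "title": "Prototype Pollution",
         "severity": "high", "packageName": "lodash", "version": "4.17.15",
         "from": ["my-app@1.0.0", "some-lib@2.0.0", "lodash@4.17.15"],
         "isUpgradable": True, "fixedIn": ["4.17.21"]},
        {"id": "SNYK-JS-EXAMPLE-0002", "title": "Regular Expression DoS",
         "severity": "low", "packageName": "minimatch", "version": "3.0.4",
         "from": ["my-app@1.0.0", "minimatch@3.0.4"],
         "isUpgradable": False, "fixedIn": []},
    ],
})


def summarize(report_json: str, threshold: str = "low") -> dict:
    """Parse snyk test --json output and apply a severity gate.

    Returns counts per severity, the findings at or above the threshold
    (with the dependency path and a fix hint), and the exit code a CI
    step should use: 0 when nothing meets the gate, 1 otherwise.
    """
    data = json.loads(report_json)
    minimum = SEVERITY_ORDER.index(threshold)
    vulns = data.get("vulnerabilities", [])
    counts = Counter(v["severity"] for v in vulns)
    flagged = []
    for v in vulns:
        if SEVERITY_ORDER.index(v["severity"]) < minimum:
            continue  # below the gate; still counted above
        fixed = v.get("fixedIn") or []
        if v.get("isUpgradable") and fixed:
            fix = f"upgrade to {fixed[0]}"
        else:
            fix = "no upgrade available; review the finding"
        flagged.append({
            "id": v["id"], "severity": v["severity"],
            "package": f'{v["packageName"]}@{v["version"]}',
            "path": " > ".join(v.get("from", [])),  # how the module got in
            "fix": fix,
        })
    return {"counts": dict(counts), "flagged": flagged,
            "exit_code": 1 if flagged else 0}
```

In a pipeline you would pipe the real report in (for example snyk test --json > report.json) and exit with the returned exit code, which mirrors what --severity-threshold does inside the CLI while keeping the dependency path and fix hint in the job log.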

For detailed information about the CLI, see the CLI docs. For information about scanning for each content type, see the following pages:

Getting support for the Snyk CLI

Submit a ticket to Snyk support whenever you need help with the Snyk CLI or Snyk in general. Note that Snyk support does not actively monitor GitHub Issues on any Snyk project.

Contributing to the Snyk CLI

The Snyk CLI project is open-source, but Snyk does not encourage outside contributors.

You may look into design decisions for the Snyk CLI.

The Snyk CLI repository is a monorepo that also covers other projects and tools, such as @snyk/protect, which is also available as the npm package for the snyk-protect command.

Security

For any security issues or concerns, see the SECURITY.md file in the GitHub repository.
