snyk-delta

This tool provides the means to get the delta between two Snyk Open Source snapshots. This is especially useful when you are running CLI-based scans, such as in your local environment, Git hooks, and so on.

snyk-delta compares snapshots to provide details about:

New vulnerabilities not found in the baseline snapshot
New license issues not found in the baseline snapshot
Dependency delta between the two snapshots:
- Direct dependencies added and removed
- Indirect dependencies added and removed
- Flag path(s) carrying new vulnerabilities

Prerequisites

Snyk Enterprise plan (requires the Snyk API)
Your Project to be monitored
A SNYK_TOKEN, either exported to the environment or provided inline to snyk-delta, or the API token set with the snyk config command. Run snyk config get api to see if the API token is set. OAuth authentication is not supported by snyk-delta.

Installation

npm i -g snyk-delta

Download a binary of your choice from the release page

Usage

You can use this tool inline or as a standalone command.

Inline operations

Use snyk test --json --print-deps | snyk-delta

You may point to a specific snapshot by specifying org+project coordinates: snyk test --json --print-deps | snyk-delta --baselineOrg xxx --baselineProject xxx
Use --setPassIfNoBaseline if used with snyk-prevent_commit_status and the Project is not monitored. This preventssnyk-prevent_commit_status from failing: setPassIfNoBaseline default to false snyk test --json --print-deps | snyk-delta --baselineOrg xxx --baselineProject xxx --setPassIfNoBaseline true

The BaselineProject value is expected to be a UUID, not a name. Check the Snyk Web UI or API to retrieve those UUIDs.

Standalone operations

Use snyk-delta --baselineOrg xxx --baselineProject xxx --currentOrg xxx --currentProject xxx --setPassIfNoBaseline false

Usage as module

import { getDelta } from 'snyk-delta'

const jsonResultsFromSnykTest = Read from file or pipe snyk test command

const result = await getDelta(jsonResultsFromSnykTest);

The result is a number:

0: no new issue
1: new issue(s) or when using StrictMode and the unmonitored Project has issues (See more details in StrictMode.)
2: for errors like invalid auth

Details for issues will be listed on stdout.

Help for snyk-delta

Use -h to display help.

StrictMode

When snyk-delta compares test results, it tries to find the same Project monitored on the Snyk platform. If no monitored Project is found, snyk-delta returns all the issues found by the CLI scan, essentially acting as a pass-through.

The return code is 0 if no issue is found, and 1 if issues are found.

Caution

Use as a module requires a list of issues coming from the Snyk CLI. snyk-delta is not compatible with data coming straight from Snyk APIs.

all-projects

snyk-delta does not support the --all-projects option, but you can try using snyk_delta_all_projects.sh as a workaround until it does.

Troubleshooting for snyk-delta

If you have trouble, you can try the following:

Run the Snyk test -d step first and ensure it works.
If you get a 401 error, check to see that you have a valid SNYK_TOKEN or run snyk config get api . If you do not want to set the token in the environment, you can provide the SNYK_TOKEN as an inline command before the snyk-delta but after the | symbol: snyk test --json | SNYK_TOKEN={token} snyk-delta ….{other arguments}.
If you are using the delta allprojects script, try removing that and testing the Projects individually.
If no baseline is found, ensure there is an existing monitored Project first, and check the .git metadata if you are trying to match against an SCM-monitored Project.

If you need help, contact Snyk Support.

PreviousCLI tools Nextsnyk-filter

Last updated 3 days ago

Was this helpful?