Snyk Open Source language support technical specifications and guidance

How Snyk for Open Source and licensing works

Before testing your Open Source Project for vulnerabilities, with limited exceptions, you must build your Project. For details, see Open Source Projects that must be built before testing with the Snyk CLI.

Snyk builds a dependency graph (dependency tree) and then uses the vulnerability database to find vulnerabilities in any of the packages anywhere in that tree, including transitive dependencies.
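To show what "anywhere in that tree" means in practice, the following is an added illustration (not Snyk's code and not its matching algorithm): it walks a small constructed dependency graph from the root package, compares each resolved version against a constructed advisory list with hypothetical ids, and reports every dependency path that reaches a vulnerable package, since the same transitive package can be pulled in by more than one direct dependency.

```python
"""Added illustration of transitive dependency matching against an advisory list.
Not Snyk's code; the graph, advisories and ids below are constructed for the example."""

# Constructed resolved dependency graph: package -> (resolved version, direct dependencies).
SAMPLE_GRAPH = {
    "my-app": ("1.0.0", ["web-framework", "logger"]),
    "web-framework": ("2.3.1", ["template-engine", "http-parser"]),
    "logger": ("0.9.0", ["http-parser"]),
    "template-engine": ("1.4.2", []),
    "http-parser": ("3.0.5", []),
}

# Constructed advisories with hypothetical ids: vulnerable if introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "http-parser", "introduced": "3.0.0", "fixed": "3.0.7"},
    {"id": "EXAMPLE-0002", "package": "template-engine", "introduced": "1.0.0", "fixed": "1.4.0"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple, e.g. '3.0.5' -> (3, 0, 5)."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version, advisory):
    """True when the resolved version falls inside the advisory's half-open range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerabilities(graph, advisories, root):
    """Depth-first walk from root that records one finding per (advisory, dependency path).

    A package reachable through two different parents is reported twice with both paths,
    because each path may need a different fix (upgrade a different direct dependency).
    """
    findings = []

    def walk(name, path):
        version, deps = graph[name]
        for advisory in advisories:
            if advisory["package"] == name and is_vulnerable(version, advisory):
                findings.append({
                    "id": advisory["id"],
                    "package": name,
                    "version": version,
                    "fixed_in": advisory["fixed"],
                    "path": " > ".join(path),
                })
        for dep in deps:
            if dep in path:  # guard against cyclic dependency graphs
                continue
            walk(dep, path + [dep])

    walk(root, [root])
    return findings


if __name__ == "__main__":
    for finding in find_vulnerabilities(SAMPLE_GRAPH, SAMPLE_ADVISORIES, "my-app"):
        print(f"{finding['id']}: {finding['package']}@{finding['version']} "
              f"via {finding['path']} (fixed in {finding['fixed_in']})")
```

Run stand-alone, the script reports `http-parser@3.0.5` twice, once via `web-framework` and once via `logger`, while `template-engine@1.4.2` is clean because it is at or above the fixed version. Real package managers use richer version syntaxes (pre-release tags, semver ranges, Maven qualifiers), which is why the dependency-tree analysis differs per ecosystem.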

The way Snyk analyzes and builds the dependencies tree varies depending on the language and package manager for the Project, as well as the location of the Project.

Only official releases are tracked. Commits, including into the default branch, are not identified unless included in an official release or tag.

In the case of projects that have a package manager, this means a release to the package manager.

In the case of Go and Unmanaged (C/C++) scans, this requires an official release or tag on the GitHub repo.

Snyk policies in Open Source

For information on managing dependencies and vulnerabilities from your developer workflows through the use of policies, see the following:

Open Source license compliance

To check compliance for open source licenses, see Snyk License Compliance Management.


© 2024 Snyk Limited | All product and company names and logos are trademarks of their respective owners.