Snyk Open Source language support technical specifications and guidance
How Snyk for Open Source and licensing works
Before testing your Open Source Project for vulnerabilities, with limited exceptions, you must build your Project. For details, see Open Source Projects that must be built before testing with the Snyk CLI.
Snyk builds a dependency graph (the dependency tree) and then uses its vulnerability database to find vulnerabilities in any package anywhere in that tree, whether it is a direct or a transitive dependency.
The way Snyk analyzes and builds the dependencies tree varies depending on the language and package manager for the Project, as well as the location of the Project.
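To make the matching step concrete, here is an added example that is not Snyk's code. It walks a resolved dependency tree of the kind a build or lockfile produces and checks every node, direct and transitive, against a small advisory list. The package names, versions and advisory IDs are constructed for illustration, and the "vulnerable below a fixed version" rule is a simplification of real version ranges.

```python
"""Added example (not Snyk's code): match every node of a resolved dependency
tree against a constructed advisory list, reporting the full path to each hit."""

# Constructed resolved tree, loosely shaped like a lockfile. Not real packages.
RESOLVED_TREE = {
    "name": "example-app", "version": "1.0.0",
    "dependencies": [
        {"name": "web-framework", "version": "4.2.0", "dependencies": [
            {"name": "template-engine", "version": "2.9.1", "dependencies": []},
            {"name": "query-string-parser", "version": "6.5.0", "dependencies": [
                {"name": "object-merge", "version": "1.0.3", "dependencies": []},
            ]},
        ]},
        # Same package as the transitive one above, but a newer, fixed version.
        {"name": "object-merge", "version": "1.2.0", "dependencies": []},
    ],
}

# Constructed advisories (hypothetical IDs): a package is affected when its
# version is below the fixed version. Real databases use richer ranges.
ADVISORIES = [
    {"package": "object-merge", "vulnerable_below": "1.1.0", "id": "EXAMPLE-ADV-0001"},
    {"package": "template-engine", "vulnerable_below": "3.0.0", "id": "EXAMPLE-ADV-0002"},
]


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def walk(node, path=()):
    """Yield the (name, version) path from the root to every node in the tree."""
    path = path + ((node["name"], node["version"]),)
    yield path
    for child in node.get("dependencies", []):
        yield from walk(child, path)


def find_vulnerable_paths(tree, advisories):
    """Return one finding per vulnerable node, including its dependency path.

    The same package can appear more than once at different versions; each
    occurrence is judged on its own version, which is why the transitive
    object-merge@1.0.3 is reported while the direct object-merge@1.2.0 is not.
    """
    findings = []
    for path in walk(tree):
        name, version = path[-1]
        for adv in advisories:
            if adv["package"] != name:
                continue
            if parse_version(version) < parse_version(adv["vulnerable_below"]):
                findings.append({
                    "id": adv["id"],
                    "package": name,
                    "version": version,
                    "path": " > ".join(f"{n}@{v}" for n, v in path),
                    # A direct dependency sits one level below the root.
                    "direct": len(path) == 2,
                })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_paths(RESOLVED_TREE, ADVISORIES):
        kind = "direct" if finding["direct"] else "transitive"
        print(f"{finding['id']}: {finding['package']}@{finding['version']} "
              f"({kind}) via {finding['path']}")
```

The path in each finding is what makes a transitive hit actionable: the fix is usually to upgrade the direct dependency that pulls in the affected version, not the affected package itself.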
Only official releases are tracked. Commits, including into the default branch, are not identified unless included in an official release or tag.
In the case of projects that have a package manager, this means a release to the package manager.
In the case of Go and Unmanaged scans (C/C++) this requires an official release or tag on the GitHub repo.
Snyk policies in Open Source
For information on managing dependencies and vulnerabilities from your developer workflows through the use of policies, see the following:
Open Source license compliance
To check compliance for open source licenses, see Snyk License Compliance Management.