Snyk - CLI And Build-Time Tool To Detect & Fix Known Vulnerabilities In Open-Source Dependencies


Snyk helps you find, fix and monitor known vulnerabilities in Node.js npm, Ruby and Java dependencies, both on an ad hoc basis and as part of your CI (build) system.

Documentation
Full documentation is available on snyk.io.

Installation
  1. Install the Snyk utility using npm install -g snyk.
  2. Once installed you will need to authenticate with your Snyk account: snyk auth
For more detail on how to authenticate, take a look at the CLI authentication section of the Snyk documentation.

CLI
snyk [options] [command] [package]
Run snyk --help to get a quick overview of all commands, or for full details on the CLI read the snyk.io CLI docs.
The package argument is optional. If no package is given, Snyk will run the command against the current working directory, allowing you to test your non-public applications.

Features
  • Find known vulnerabilities by running snyk test on a project, either as a one-off or as part of your CI process.
  • Fix vulnerabilities using snyk wizard and snyk protect.
    • snyk wizard walks you through finding and fixing known vulnerabilities in your project. Remediation options include configuring your policy file to update, auto-patch and ignore vulnerabilities. (npm only)
    • snyk protect protects your code from vulnerabilities by applying patches and optionally suppressing specific vulnerabilities.
  • Alert: snyk monitor records the state of dependencies and any vulnerabilities on snyk.io, so you can be alerted when new vulnerabilities or updates/patches are disclosed that affect your repositories.
  • Prevent new vulnerable dependencies from being added to your project by running snyk test as part of your CI to fail tests when vulnerable Node.js or Ruby dependencies are added.
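A CI gate that fails the build only on findings at or above a chosen severity, while still reporting the lower ones, is the usual way teams wire the "prevent" step above into a pipeline. The script below is an added example, not code from the Snyk README or the Snyk project. It assumes the CLI was run as snyk test --json and that the output carries a top-level "vulnerabilities" list whose entries have "id", "title", "severity", "packageName", "version", "isUpgradable", "isPatchable" and "upgradePath" keys (field names as the author of this example knows them; the sample output embedded here is constructed and its ids are placeholders).

```python
"""Severity gate for CI: exit non-zero only for vulnerabilities at or above a threshold.

Added example, not part of the Snyk README or project. Assumes `snyk test --json` output
with the field names below; verify them against your CLI version.
"""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample standing in for real `snyk test --json` output; ids are placeholders.
SAMPLE_OUTPUT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "title": "Example prototype pollution", "severity": "high",
         "packageName": "example-lib", "version": "1.0.0", "isUpgradable": True,
         "isPatchable": False, "upgradePath": [False, "example-lib@1.0.1"]},
        # Same advisory reached through a second dependency path: must not be counted twice.
        {"id": "SNYK-EXAMPLE-0001", "title": "Example prototype pollution", "severity": "high",
         "packageName": "example-lib", "version": "1.0.0", "isUpgradable": True,
         "isPatchable": False, "upgradePath": [False, "other-dep@3.0.0", "example-lib@1.0.1"]},
        {"id": "SNYK-EXAMPLE-0002", "title": "Example ReDoS", "severity": "low",
         "packageName": "example-regex", "version": "2.3.0", "isUpgradable": False,
         "isPatchable": True, "upgradePath": []},
    ],
})


def parse_report(raw_json):
    """Parse the CLI's JSON output into a dict."""
    return json.loads(raw_json)


def remediation(vuln):
    """Summarise the fix on offer, mirroring the wizard's update / patch / ignore choices."""
    if vuln.get("isUpgradable"):
        # upgradePath starts with False when the root project itself needs no change.
        targets = [step for step in vuln.get("upgradePath", []) if step]
        return "upgrade to " + targets[-1] if targets else "upgrade"
    if vuln.get("isPatchable"):
        return "patch via snyk protect"
    return "no fix available; ignore in the policy file with a reason and an expiry"


def triage(report, threshold="high"):
    """Split unique vulnerabilities into (blocking, advisory) lists around the threshold."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {threshold}")
    min_rank = SEVERITY_RANK[threshold]
    seen, blocking, advisory = set(), [], []
    for vuln in report.get("vulnerabilities", []):
        key = (vuln.get("id"), vuln.get("packageName"), vuln.get("version"))
        if key in seen:
            continue  # same advisory, different dependency path
        seen.add(key)
        severity = vuln.get("severity", "low")
        entry = {
            "id": vuln.get("id"),
            "package": f'{vuln.get("packageName")}@{vuln.get("version")}',
            "severity": severity,
            "fix": remediation(vuln),
        }
        if SEVERITY_RANK.get(severity, 0) >= min_rank:
            blocking.append(entry)
        else:
            advisory.append(entry)
    return blocking, advisory


def gate(raw_json, threshold="high"):
    """Return the exit code a CI step should use: 1 if anything blocks, otherwise 0."""
    blocking, advisory = triage(parse_report(raw_json), threshold)
    for tag, entries in (("BLOCK", blocking), ("WARN ", advisory)):
        for e in entries:
            print(f'{tag} {e["severity"]:<8} {e["package"]:<24} {e["id"]}  -> {e["fix"]}')
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: snyk test --json > snyk-out.json && python gate.py snyk-out.json [threshold]
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    sys.exit(gate(raw, sys.argv[2] if len(sys.argv) > 2 else "high"))
```

Deduplicating on (id, package, version) matters because the CLI reports one advisory once per dependency path; without it a single vulnerable transitive package can look like a dozen findings and the gate's counts become misleading.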

Docker
Snyk is also provided as a set of Docker images that carry the runtime environment of each package manager. For example, the npm image carries all of the setup needed to run npm install in the running container. Currently there are images for npm, Ruby, Maven, Gradle and SBT.
The images run snyk test by default on the specified project, which is mounted into the container as a read/write volume, and snyk monitor as well if the MONITOR environment variable is set when running the container. When running snyk monitor with the GENERATE_REPORT environment variable set, an HTML file called snyk_report.html and a CSS file called snyk_report.css are generated. The image also writes a file called snyk-res.json for internal use and snyk-error.log for errors that we can look at if something goes wrong.
The following environment variables can be used when running the container on docker:
  • SNYK_TOKEN - Snyk API token, obtained from https://snyk.io/account.
  • USER_ID - [OPTIONAL] Current user ID on the host machine. If not provided, the user ID of the user running inside the container is used. This is used for CI builds such as Jenkins, where we run as a non-privileged user and want that user to be able to access the mounted project folder.
  • MONITOR - [OPTIONAL] If set, tells the image that we want to run snyk monitor after running snyk test.
  • PROJECT_FOLDER - [OPTIONAL] If set, the image will cd to this directory inside the mounted project dir and run snyk there.
  • ENV_FLAGS - [OPTIONAL] Additional parameters to pass to snyk test when running the container.
Docker images are tagged according to the package manager runtime they include, the package manager version and the snyk version. The general format of tags is [snyk-version]-[package-manager]-[package-manager-version], or simply [package-manager]-[package-manager-version] if we want to use the latest version of snyk. Please see the available tags for the available options.
[snyk-version] - The version of snyk that is installed in the image; if omitted, the latest version is used.
[package-manager] - One of the available package managers (e.g. npm, mvn, gradle, etc.).
[package-manager-version] - The version of the package manager that is installed inside the image.
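Pulling the environment variables and the tag format above into one place makes the docker run invocation reproducible across the package-manager images, and lets a build log echo the command without leaking the API token. The helper below is an added example, not code from the Snyk project: the image name snyk/snyk-cli, the environment variables and the tag format come from this README, while --rm, the token-masking and the dry-run output are choices of this example. The package-manager tag names it accepts are only the ones used in the examples on this page.

```python
"""Build and safely print the `docker run` line for the Snyk images.

Added example, not code from the Snyk project. Env vars, image name and tag format follow
the README above; `--rm` and token masking are this example's choices.
"""
import os
import shlex

# Package-manager tags that appear in this README's examples (assumption: others may exist).
KNOWN_PACKAGE_MANAGERS = {"npm", "rubygems", "maven", "gradle", "sbt"}


def image_tag(package_manager, pm_version=None, snyk_version=None):
    """Compose [snyk-version]-[package-manager]-[package-manager-version], omitting unset parts."""
    if package_manager not in KNOWN_PACKAGE_MANAGERS:
        raise ValueError(f"unknown package manager tag: {package_manager}")
    return "-".join(p for p in (snyk_version, package_manager, pm_version) if p)


def docker_command(project_dir, package_manager, pm_version=None, snyk_version=None,
                   token=None, user_id=None, monitor=False, project_folder=None,
                   env_flags=None, extra_mounts=(), org=None):
    """Return the argv list for one `docker run` of the chosen image against project_dir."""
    token = token or os.environ.get("SNYK_TOKEN")
    if not token:
        raise ValueError("SNYK_TOKEN is required (pass token= or export SNYK_TOKEN)")
    if user_id is None:
        # Match the host user so files written to the read/write mount stay readable by CI.
        user_id = os.getuid() if hasattr(os, "getuid") else 1000
    cmd = ["docker", "run", "--rm",
           "-e", f"SNYK_TOKEN={token}",
           "-e", f"USER_ID={user_id}"]
    if monitor:
        cmd += ["-e", "MONITOR=true"]
    if project_folder:
        cmd += ["-e", f"PROJECT_FOLDER={project_folder}"]
    if env_flags:
        cmd += ["-e", f"ENV_FLAGS={env_flags}"]
    cmd += ["-v", f"{os.path.abspath(project_dir)}:/project"]
    for host_path, container_path in extra_mounts:  # e.g. ~/.m2 and ~/.ivy2 for the JVM images
        cmd += ["-v", f"{os.path.abspath(host_path)}:{container_path}"]
    cmd.append(f"snyk/snyk-cli:{image_tag(package_manager, pm_version, snyk_version)}")
    cmd.append("test")
    if org:
        cmd.append(f"--org={org}")
    return cmd


def redacted(cmd):
    """Shell-quoted command line with the API token masked, safe to echo into a build log."""
    return " ".join("SNYK_TOKEN=***" if a.startswith("SNYK_TOKEN=") else shlex.quote(a)
                    for a in cmd)


if __name__ == "__main__":
    # Dry run for the Maven image; hand `cmd` to subprocess.run(cmd) to actually execute it.
    cmd = docker_command(".", "maven", "3.5.4", token="<TOKEN>", user_id=1234, monitor=True,
                         org="my-org-name",
                         extra_mounts=[(os.path.expanduser("~/.m2"), "/home/node/.m2"),
                                       (os.path.expanduser("~/.ivy2"), "/home/node/.ivy2")])
    print(redacted(cmd))
```

Passing the token through -e keeps it out of the image and out of the project mount; masking it in anything you print is what stops it from ending up in archived CI logs.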
Please see the following examples of how to run Snyk inside docker:

Node.js (npm)
We will need to mount the project root folder when running the image so that Snyk can access the code inside the container. The host project folder is mounted to /project in the container and is used to read the dependencies file and write results for CI builds. Here's an example of running snyk test and snyk monitor in the image (with the latest version of Snyk) for npm (<TOKEN> and <PROJECT_DIRECTORY> are placeholders for your API token and the project path):
docker run -it \
    -e "SNYK_TOKEN=<TOKEN>" \
    -e "USER_ID=1234" \
    -e "MONITOR=true" \
    -v "<PROJECT_DIRECTORY>:/project" \
  snyk/snyk-cli:npm test --org=my-org-name

RubyGems
We will need to mount the project root folder when running the image so that Snyk can access the code inside the container. The host project folder is mounted to /project in the container and is used to read the dependencies file and write results for CI builds. Here's an example of running snyk test and snyk monitor in the image (with the latest version of Snyk) for RubyGems (<TOKEN> and <PROJECT_DIRECTORY> are placeholders):
docker run -it \
    -e "SNYK_TOKEN=<TOKEN>" \
    -e "USER_ID=1234" \
    -e "MONITOR=true" \
    -v "<PROJECT_DIRECTORY>:/project" \
  snyk/snyk-cli:rubygems test --org=my-org-name

Maven 3.5.4
We will need to mount the project root folder when running the image so that Snyk can access the code inside the container, and also mount the local .m2 and .ivy2 folders. The host project folder is mounted to /project in the container and is used to read the dependencies file and write results for CI builds. Here's an example of running snyk test and snyk monitor in the image (with the latest version of Snyk) for Maven (<TOKEN> and <PROJECT_DIRECTORY> are placeholders):
docker run -it \
    -e "SNYK_TOKEN=<TOKEN>" \
    -e "USER_ID=1234" \
    -e "MONITOR=true" \
    -v "<PROJECT_DIRECTORY>:/project" \
    -v "/home/user/.m2:/home/node/.m2" \
    -v "/home/user/.ivy2:/home/node/.ivy2" \
  snyk/snyk-cli:maven-3.5.4 test --org=my-org-name

SBT 0.13.16 / SBT 1.0.4
We will need to mount the project root folder when running the image so that Snyk can access the code inside the container, and also mount the local .m2 and .ivy2 folders. The host project folder is mounted to /project in the container and is used to read the dependencies file and write results for CI builds. Here are examples of running snyk test and snyk monitor in the image (with the latest version of Snyk) for SBT (<TOKEN> and <PROJECT_DIRECTORY> are placeholders):
NOTE: the dependency-tree module is required for snyk to process Scala projects. Use version 0.8.2 for SBT 0.13.16 and version 0.9.0 for SBT 1.0.4.
docker run -it \
    -e "SNYK_TOKEN=<TOKEN>" \
    -e "USER_ID=1234" \
    -e "MONITOR=true" \
    -v "<PROJECT_DIRECTORY>:/project" \
    -v "/home/user/.m2:/home/node/.m2" \
    -v "/home/user/.ivy2:/home/node/.ivy2" \
  snyk/snyk-cli:sbt-0.13.16 test --org=my-org-name
docker run -it \
    -e "SNYK_TOKEN=<TOKEN>" \
    -e "USER_ID=1234" \
    -e "MONITOR=true" \
    -v "<PROJECT_DIRECTORY>:/project" \
    -v "/home/user/.m2:/home/node/.m2" \
    -v "/home/user/.ivy2:/home/node/.ivy2" \
  snyk/snyk-cli:sbt-1.0.4 test --org=my-org-name

Gradle 2.8 / Gradle 4.4
We will need to mount the project root folder when running the image so that Snyk can access the code inside the container, and also mount the local .m2 and .ivy2 folders. The host project folder is mounted to /project in the container and is used to read the dependencies file and write results for CI builds. Here are examples of running snyk test and snyk monitor in the image (with the latest version of Snyk) for Gradle (<TOKEN> and <PROJECT_DIRECTORY> are placeholders):
docker run -it \
    -e "SNYK_TOKEN=<TOKEN>" \
    -e "USER_ID=1234" \
    -e "MONITOR=true" \
    -v "<PROJECT_DIRECTORY>:/project" \
    -v "/home/user/.m2:/home/node/.m2" \
    -v "/home/user/.ivy2:/home/node/.ivy2" \
  snyk/snyk-cli:gradle-2.8 test --org=my-org-name
docker run -it \
    -e "SNYK_TOKEN=<TOKEN>" \
    -e "USER_ID=1234" \
    -e "MONITOR=true" \
    -v "<PROJECT_DIRECTORY>:/project" \
    -v "/home/user/.m2:/home/node/.m2" \
    -v "/home/user/.ivy2:/home/node/.ivy2" \
  snyk/snyk-cli:gradle-4.4 test --org=my-org-name