# Snyk - CLI and build-time tool to detect & fix known vulnerabilities in open-source dependencies

Snyk helps you find, fix and monitor known vulnerabilities in Node.js npm, Ruby and Java dependencies, both on an ad hoc basis and as part of your CI (build) system.
## Documentation

Full documentation is available on snyk.io.
## Installation

- Install the Snyk utility using `npm install -g snyk`.
- Once installed you will need to authenticate with your Snyk account: `snyk auth`
## CLI

```
snyk [options] [command] [package]
```

Run `snyk --help` to get a quick overview of all commands, or read the snyk.io CLI docs for full details on the CLI. The package argument is optional. If no package is given, Snyk will run the command against the current working directory, allowing you to test your non-public applications.
## Features

- Find known vulnerabilities by running `snyk test` on a project, either as a one-off or as part of your CI process.
- Fix vulnerabilities using `snyk wizard` and `snyk protect`. `snyk wizard` walks you through finding and fixing known vulnerabilities in your project. Remediation options include configuring your policy file to update, auto-patch and ignore vulnerabilities. (npm only) `snyk protect` protects your code from vulnerabilities by applying patches and optionally suppressing specific vulnerabilities.
- Alert: `snyk monitor` records the state of dependencies and any vulnerabilities on snyk.io, so you can be alerted when new vulnerabilities or updates/patches are disclosed that affect your repositories.
- Prevent new vulnerable dependencies from being added to your project by running `snyk test` as part of your CI, failing the build when vulnerable Node.js or Ruby dependencies are added.
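The last two features above (fail the build on `snyk test`, then record a snapshot with `snyk monitor`) are usually combined in one CI step. The following POSIX shell function is an added example and is not part of the Snyk README or the Snyk project; it assumes that `snyk test` exits 0 when no known vulnerabilities are found, 1 when vulnerabilities are found and 2 or higher when the scan itself fails, reuses the `MONITOR` and `ENV_FLAGS` variable names from the Docker section below, and introduces a hypothetical `SNYK_BIN` variable so a CI job (or a test) can point the gate at a different binary.

```shell
#!/bin/sh
# Added example, not part of the Snyk README: a CI gate around `snyk test`
# that fails the build when vulnerable dependencies are found and, mirroring
# what the Docker image does when MONITOR is set, runs `snyk monitor` only
# after a clean test so that the recorded snapshot reflects a passing build.
#
# Assumptions not stated on the page: `snyk test` exits 0 when no known
# vulnerabilities are found, 1 when vulnerabilities are found, and 2 or
# higher when the scan itself fails (missing manifest, auth or network
# error). SNYK_BIN is a hypothetical knob so a CI job, or a test, can point
# the gate at a different binary; ENV_FLAGS is reused from the Docker section.

SNYK_BIN="${SNYK_BIN:-snyk}"

# snyk_ci_gate [project-dir]
# Exit status: 0 clean, 1 vulnerabilities found (fail the build),
# 2 the scan or monitor step could not be completed (fail the build, but as
# a tooling error rather than a security finding).
snyk_ci_gate() {
    dir="${1:-.}"
    # ENV_FLAGS is deliberately unquoted so "--org=x --dev" splits into words.
    (cd "$dir" && "$SNYK_BIN" test ${ENV_FLAGS:-})
    rc=$?
    case "$rc" in
        0)
            echo "snyk: no known vulnerabilities found in $dir"
            if [ -n "${MONITOR:-}" ]; then
                (cd "$dir" && "$SNYK_BIN" monitor) || {
                    echo "snyk: monitor step failed in $dir" >&2
                    return 2
                }
            fi
            return 0
            ;;
        1)
            echo "snyk: vulnerable dependencies found in $dir, failing the build" >&2
            return 1
            ;;
        *)
            echo "snyk: scan did not complete in $dir (exit $rc)" >&2
            return 2
            ;;
    esac
}

# Usage in a CI step (uncomment to run against the current checkout):
# MONITOR=true ENV_FLAGS="--org=my-org-name" snyk_ci_gate . || exit $?
```

Keeping the two outcomes apart (exit 1 for a real finding, exit 2 for a scan that could not run) matters in CI: a network failure or a missing manifest should not be reported as "no vulnerabilities", and a dashboard that counts build failures by cause can tell the difference.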
## Docker

Snyk is also provided as a set of Docker images that carry the runtime environment of each package manager. For example, the npm image carries all of the setup needed to run `npm install` inside the running container. Currently there are images for npm, Ruby, Maven, Gradle and SBT.

The images run `snyk test` by default on the specified project, which is mounted into the container as a read/write volume, and `snyk monitor` if the `MONITOR` environment variable is set when running the docker container. When running `snyk monitor` with the `GENERATE_REPORT` environment variable set, an HTML file called `snyk_report.html` and a CSS file called `snyk_report.css` will be generated. The image also writes a file called `snyk-res.json` for internal use and `snyk-error.log` for errors that we can look at if something goes wrong.

The following environment variables can be used when running the container on docker:

- `SNYK_TOKEN` - Snyk API token, obtained from https://snyk.io/account.
- `USER_ID` - [OPTIONAL] Current user ID on the host machine. If not provided, the user ID of the user currently running inside the container is used. This is used for CI builds such as Jenkins, where we run as a non-privileged user and want to allow that user to access the mounted project folder.
- `MONITOR` - [OPTIONAL] If set, tells the image that we want to run `snyk monitor` after running `snyk test`.
- `PROJECT_FOLDER` - [OPTIONAL] If set, the image will cd to this directory inside the mounted project dir and run snyk there.
- `ENV_FLAGS` - [OPTIONAL] Additional parameters to pass to `snyk test` when running the container.

The image tags are composed of the following parts:

- `[snyk-version]` - The version of snyk that is installed in the image; if the version is omitted, the latest version is used.
- `[package-manager]` - One of the available package managers (e.g. npm, mvn, gradle, etc.).
- `[package-manager-version]` - The version of the package manager that is installed inside the image.

Please see the following examples on how to run Snyk inside docker. In each command, replace `<TOKEN>` with your Snyk API token and `<PROJECT_DIRECTORY>` with the absolute path of the project on the host.
### Node.js (npm)

We will need to mount the project root folder when running the image so that Snyk can access the code inside the container. The host project folder will be mounted to `/project` on the container and will be used to read the dependencies file and write results for CI builds. Here's an example of running `snyk test` and `snyk monitor` in the image (with the latest version of Snyk) for npm:

```
docker run -it -e "SNYK_TOKEN=<TOKEN>" -e "USER_ID=1234" -e "MONITOR=true" -v "<PROJECT_DIRECTORY>:/project" snyk/snyk-cli:npm test --org=my-org-name
```

### RubyGems

We will need to mount the project root folder when running the image so that Snyk can access the code inside the container. The host project folder will be mounted to `/project` on the container and will be used to read the dependencies file and write results for CI builds. Here's an example of running `snyk test` and `snyk monitor` in the image (with the latest version of Snyk) for RubyGems:

```
docker run -it -e "SNYK_TOKEN=<TOKEN>" -e "USER_ID=1234" -e "MONITOR=true" -v "<PROJECT_DIRECTORY>:/project" snyk/snyk-cli:rubygems test --org=my-org-name
```
### Maven 3.5.4

We will need to mount the project root folder when running the image so that Snyk can access the code inside the container, and also mount the local `.m2` and `.ivy2` folders. The host project folder will be mounted to `/project` on the container and will be used to read the dependencies file and write results for CI builds. Here's an example of running `snyk test` and `snyk monitor` in the image (with the latest version of Snyk) for Maven:

```
docker run -it -e "SNYK_TOKEN=<TOKEN>" -e "USER_ID=1234" -e "MONITOR=true" -v "<PROJECT_DIRECTORY>:/project" -v "/home/user/.m2:/home/node/.m2" -v "/home/user/.ivy2:/home/node/.ivy2" snyk/snyk-cli:maven-3.5.4 test --org=my-org-name
```
### SBT 0.13.16 / SBT 1.0.4

We will need to mount the project root folder when running the image so that Snyk can access the code inside the container, and also mount the local `.m2` and `.ivy2` folders. The host project folder will be mounted to `/project` on the container and will be used to read the dependencies file and write results for CI builds. Here are examples of running `snyk test` and `snyk monitor` in the image (with the latest version of Snyk) for SBT.

NOTE: the `dependency-tree` module is required for snyk to process Scala projects. Use version 0.8.2 for SBT 0.13.16 and version 0.9.0 for SBT 1.0.4.

```
docker run -it -e "SNYK_TOKEN=<TOKEN>" -e "USER_ID=1234" -e "MONITOR=true" -v "<PROJECT_DIRECTORY>:/project" -v "/home/user/.m2:/home/node/.m2" -v "/home/user/.ivy2:/home/node/.ivy2" snyk/snyk-cli:sbt-0.13.16 test --org=my-org-name
```

```
docker run -it -e "SNYK_TOKEN=<TOKEN>" -e "USER_ID=1234" -e "MONITOR=true" -v "<PROJECT_DIRECTORY>:/project" -v "/home/user/.m2:/home/node/.m2" -v "/home/user/.ivy2:/home/node/.ivy2" snyk/snyk-cli:sbt-1.0.4 test --org=my-org-name
```
### Gradle 2.8 / Gradle 4.4

We will need to mount the project root folder when running the image so that Snyk can access the code inside the container, and also mount the local `.m2` and `.ivy2` folders. The host project folder will be mounted to `/project` on the container and will be used to read the dependencies file and write results for CI builds. Here's an example of running `snyk test` and `snyk monitor` in the image (with the latest version of Snyk) for Gradle:

```
docker run -it -e "SNYK_TOKEN=<TOKEN>" -e "USER_ID=1234" -e "MONITOR=true" -v "<PROJECT_DIRECTORY>:/project" -v "/home/user/.m2:/home/node/.m2" -v "/home/user/.ivy2:/home/node/.ivy2" snyk/snyk-cli:gradle-2.8 test --org=my-org-name
```

```
docker run -it -e "SNYK_TOKEN=<TOKEN>" -e "USER_ID=1234" -e "MONITOR=true" -v "<PROJECT_DIRECTORY>:/project" -v "/home/user/.m2:/home/node/.m2" -v "/home/user/.ivy2:/home/node/.ivy2" snyk/snyk-cli:gradle-4.4 test --org=my-org-name
```
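The `docker run` commands in the Docker section above put the API token on the command line, where it ends up in shell history and process listings, and hard-code `USER_ID`. The following POSIX shell wrapper is an added example, not part of the Snyk README or the Snyk project: it assembles the same invocation from the `SNYK_TOKEN`, `USER_ID`, `MONITOR` and `PROJECT_FOLDER` variables the Docker section documents, assumes the `snyk/snyk-cli:<tag>` image naming used in the examples, and introduces a hypothetical `DOCKER_BIN` variable so a CI job (or a test) can substitute the docker binary.

```shell
#!/bin/sh
# Added example, not part of the Snyk README: assembles the `docker run`
# invocation from the Docker section out of environment variables so the
# token never appears on the command line and the mounted project is owned
# by the CI user.
#
# Assumptions beyond the page: the image name `snyk/snyk-cli:<tag>` follows
# the examples in the README; DOCKER_BIN is a hypothetical knob so a CI job,
# or a test, can substitute the docker binary (the test uses `echo`).

DOCKER_BIN="${DOCKER_BIN:-docker}"

# snyk_docker_run <image-tag> <project-dir> [extra `snyk test` args...]
# Returns 2 without starting a container when SNYK_TOKEN is unset or the
# project directory does not exist; otherwise returns docker's exit status.
snyk_docker_run() {
    tag="$1"; project="$2"; shift 2
    if [ -z "${SNYK_TOKEN:-}" ]; then
        echo "SNYK_TOKEN is not set; refusing to start the container" >&2
        return 2
    fi
    if [ ! -d "$project" ]; then
        echo "project directory '$project' does not exist" >&2
        return 2
    fi
    # docker copies `-e NAME` (no value) from its own environment, so the
    # token must be exported but does not show up in the docker argv.
    export SNYK_TOKEN
    # Build the tail of the command line: optional -e flags, image, command.
    set -- "snyk/snyk-cli:$tag" test "$@"
    if [ -n "${PROJECT_FOLDER:-}" ]; then
        set -- -e "PROJECT_FOLDER=$PROJECT_FOLDER" "$@"
    fi
    if [ -n "${MONITOR:-}" ]; then
        set -- -e "MONITOR=$MONITOR" "$@"
    fi
    # No -t: CI jobs have no TTY. USER_ID defaults to the host uid so files
    # the image writes under /project (snyk_report.html, snyk-res.json,
    # snyk-error.log) belong to the user running the job.
    "$DOCKER_BIN" run --rm \
        -e SNYK_TOKEN \
        -e "USER_ID=${USER_ID:-$(id -u)}" \
        -v "$(cd "$project" && pwd):/project" \
        "$@"
}

# Example invocation (uncomment): npm image, monitor after a clean test
# MONITOR=true snyk_docker_run npm ./my-app --org=my-org-name
```

The wrapper refuses to start a container at all when the token is missing, rather than letting the image fail later with an authentication error and an empty `snyk-error.log` to debug; the project path is resolved to an absolute path because `-v` requires one.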