Snyk

CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies.

Installation

Install the Snyk CLI using either npm, Homebrew, Scoop, or by downloading a specific binary from GitHub.

npm

$ npm install -g snyk

Brew

$ brew tap snyk/tap && brew install snyk

Scoop

$ scoop bucket add snyk https://github.com/snyk/scoop-snyk
$ scoop install snyk

Manual

Manual installer available on Snyk’s GitHub page.

Authenticate

snyk auth

Authenticate via browser

Uses the organization that is set as default in your Account settings.

snyk auth <token>

Authenticate in your CI

Set the environment variable SNYK_TOKEN. This works for local testing and in CI pipelines, as it requires no user interaction.

Test

snyk test

Test a project in current folder for known vulnerabilities

Scan your project for vulnerabilities locally by running snyk test from the root of your project. Vulnerabilities and remediation will be shown in your console.

Monitor

snyk monitor

Monitor project

Monitor your application for vulnerabilities by sending a snapshot of the dependencies to your Snyk dashboard.

snyk monitor --org=ORG_NAME

Monitor project tied to a specific organization

Specify the ORG_NAME to run Snyk commands tied to a specific organization. This influences where new projects are created after running the monitor command, which features are available, and the private test limits that apply.

Ignore Vulnerabilities

snyk ignore --id=ISSUE_ID

Ignore a specific vulnerability for 30 days

Add a custom expiration date and reason by using the flags:

--expiry=2020-11-11
--reason='Not currently exploitable'

Common CLI Options

snyk [cmd] --file=package.json

Specify a manifest file you want to test

snyk test --file=req.txt --package-manager=pip

Specify a manifest file and its ecosystem (package manager)

snyk test --all-projects

Test all manifests in the folder and its subfolders

snyk test --dev

Include devDependencies in the scan

snyk [cmd] --org=my-team

Run command for a specific organization

snyk test https://github.com/snyk/goof

Test a GitHub repository (npm only)

snyk test lodash

Test the latest version of a package

snyk test ionic@1.6.5

Test a specific version of a package

snyk test --json

Output full test results as json

snyk test --json-file-output=vuln.json

Store test result as json file

snyk [cmd] --severity-threshold=<low|medium|high>

Set the minimum severity level that will be visible in the results
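The "Authenticate in your CI" entry above and the --severity-threshold, --json-file-output and --org options combine naturally into a CI gate. The script below is an added example, not part of the original cheat sheet or of Snyk's own tooling: it refuses to run without SNYK_TOKEN, composes the snyk test command line (so it can be checked without the CLI installed), fails the build when issues at or above the chosen threshold are found, and then records a snapshot with snyk monitor. The script name snyk_ci_gate.sh and the default of vuln.json are assumptions.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): CI wrapper around the Snyk CLI.
# Assumes the snyk CLI is on PATH when run_snyk_gate is actually invoked.

# Return 0 when the non-interactive token is present, 1 otherwise.
require_snyk_token() {
    if [ -z "${SNYK_TOKEN:-}" ]; then
        echo "SNYK_TOKEN is not set; run 'snyk auth' locally or add it to CI secrets" >&2
        return 1
    fi
    return 0
}

# Compose the `snyk test` command line without running it.
#   $1 = severity threshold (low|medium|high), $2 = org name (may be empty), $3 = JSON report path
build_snyk_test_cmd() {
    threshold="$1"; org="$2"; report="$3"
    case "$threshold" in
        low|medium|high) ;;
        *) echo "invalid severity threshold: $threshold" >&2; return 1 ;;
    esac
    cmd="snyk test --severity-threshold=$threshold --json-file-output=$report"
    if [ -n "$org" ]; then
        cmd="$cmd --org=$org"
    fi
    printf '%s\n' "$cmd"
}

# Run the gate: snyk test exits non-zero when issues at/above the threshold are
# found, which fails the build; on a clean result, snapshot the project with monitor.
run_snyk_gate() {
    threshold="${1:-high}"; org="${2:-}"; report="${3:-vuln.json}"
    require_snyk_token || return 1
    cmd=$(build_snyk_test_cmd "$threshold" "$org" "$report") || return 1
    echo "+ $cmd"
    # Word-splitting is intended here: $cmd holds a single command line with no spaces in its arguments.
    # shellcheck disable=SC2086
    if ! $cmd; then
        echo "Snyk found issues at or above '$threshold' severity; failing build (see $report)" >&2
        return 1
    fi
    snyk monitor ${org:+--org=$org}
}

# Usage when executed directly (assumed file name):
#   SNYK_TOKEN=... ./snyk_ci_gate.sh medium my-team vuln.json
if [ "${0##*/}" = "snyk_ci_gate.sh" ]; then
    run_snyk_gate "$@"
fi
```

Keeping the JSON report as a build artifact lets reviewers inspect findings after a failed gate, and composing the command in a separate function keeps the exact flags visible in the CI log.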

Container Scanning

snyk container test <image>

snyk container monitor <image>

Scan and monitor Docker images

Add a Dockerfile for base-image remediation advice using: --file=path/to/Dockerfile

Scan exported Docker and OCI image archives as shown below:

$ snyk container test docker-archive:container.tar
$ snyk container test oci-archive:container.tar

Infrastructure as Code (IAC)

snyk iac test /path/to/Kubernetes.yaml

snyk iac test /path/to/terraform_file.tf

Scan Kubernetes and Terraform files for security issues

Troubleshooting

snyk help

Help section and options explained

snyk [cmd] -d

Debug output for your command

Unexpected results?

Build your project and download all dependencies first, for example:

$ npm install
$ mvn install
$ dotnet restore
$ dep ensure
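The build-first advice above can be scripted so the right install step runs before the scan. The functions below are an added example, not part of the original cheat sheet or of the Snyk CLI: they detect which manifest is present and map it to the matching install command from the list above, then hand the manifest to snyk test --file. The manifest-to-command mapping is an assumption drawn from that list (package.json, pom.xml, .csproj/.sln, Gopkg.toml); other ecosystems are reported as unsupported.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): build dependencies before scanning.

# Print the name of the first supported manifest found in directory $1 (default: .).
# Returns 1 when none of the assumed manifests is present.
detect_manifest() {
    dir="${1:-.}"
    for name in package.json pom.xml Gopkg.toml; do
        if [ -f "$dir/$name" ]; then
            echo "$name"
            return 0
        fi
    done
    # .NET projects: a glob that matches nothing stays literal, so test with -f.
    for f in "$dir"/*.csproj "$dir"/*.sln; do
        if [ -f "$f" ]; then
            echo "${f##*/}"
            return 0
        fi
    done
    echo "no supported manifest found in $dir" >&2
    return 1
}

# Map a manifest file name to the install command Snyk needs to have run first.
build_cmd_for() {
    case "$1" in
        package.json)      echo "npm install" ;;
        pom.xml)           echo "mvn install" ;;
        *.csproj|*.sln)    echo "dotnet restore" ;;
        Gopkg.toml)        echo "dep ensure" ;;
        *) echo "unknown manifest: $1" >&2; return 1 ;;
    esac
}

# Install dependencies in $1, then scan the detected manifest.
# Assumes the snyk CLI and the relevant build tool are on PATH.
prepare_and_scan() {
    dir="${1:-.}"
    manifest=$(detect_manifest "$dir") || return 1
    build=$(build_cmd_for "$manifest") || return 1
    echo "+ (cd $dir && $build)"
    (cd "$dir" && $build) || return 1
    snyk test --file="$dir/$manifest"
}
```

If detect_manifest reports nothing, the project is either in an ecosystem this example does not cover or has no manifest at the given path, which is itself a common cause of empty or surprising snyk test output.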

Running out of tests on an open-source (OS) project?

  • Run snyk monitor
  • Open the Snyk UI and go to the settings of the project
  • Enter the URL of your open-source repo in "Git remote URI"

Notes

This cheat sheet is mostly based on the official Snyk Cheatsheet. It has been converted and extended with content from the Snyk CLI help where deemed appropriate by Patrik Affentranger.

Author of the original Snyk CLI Cheatsheet is Brian Vermeer (@BrianVerm) a Developer Advocate at Snyk.