Free vulnerability testing and monitoring for public GitHub projects

We are pleased to offer a free service from Snyk that lets anyone test for vulnerabilities – and then monitor – any public Node.js GitHub repository.

Vulnerability testing for Node.js

To test a public project for vulnerabilities, go to snyk.io/test and enter the URL of the GitHub repo you want to test. For an npm package, enter the package name, and optionally, if you want to test a specific version, the version number.

You will then get a Snyk test report that will show you if the package or repo is affected by any vulnerabilities. Our test reports give an overview of each vulnerability, with details on how it’s being introduced into the package and how to address it.

The test report also shows you all dependencies and vulnerable paths (i.e., dependencies with vulnerabilities).

Vulnerability testing with Snyk CLI

You can also test for vulnerabilities with Snyk’s CLI. In addition to npm and GitHub, the Snyk CLI also supports Bitbucket and GitLab.

Install Snyk, run a test on a public npm package (no auth required). For instance:

npm install -g snyk
snyk test ionic@1.6.5

To test a public GitHub, Bitbucket or GitLab repository, run snyk test and include the URL of the repo. For example:

snyk test https://github.com/snyk/snyk

The following git URL formats are supported:

• git://github.com/user/project.git#commit-ish

• https://github.com/user/project#commit-ish

• user/project#commit-ish

Vulnerability monitoring for Node.js

Testing for vulnerabilities once is nice, but you probably want to know if new risks have been introduced over time. That’s where Snyk’s monitoring capability comes into play.

Monitoring a public GitHub project

After testing a public GitHub project, select ‘Monitor for vulnerabilities’, and the repo will be added to your monitored projects on Snyk.

Note: you need a free Snyk account to monitor. You can sign up for a free account.

Monitoring a local project

Install Snyk’s CLI tool, navigate to your project’s folder, and run snyk monitor.

To make sure the list of dependencies we monitor for your project is up to date, refresh it continuously by running snyk monitor in your deployment process. Check our documentation for details.

Coming soon: monitoring private GitHub repositories

We are currently working on the ability to monitor your private GitHub repos automatically. Snyk will run a security assessment on every check-in, so the information about your project will always be up-to-date. That way, any alerts about new vulnerabilities that affect you are based on your latest dependencies. You’ll also get a history view that includes commit hash to match the code.

We’d love to hear your feedback on this upcoming feature at contact@snyk.io.