Free vulnerability testing and monitoring for public GitHub projects
We are pleased to offer a free service from Snyk that lets anyone test for vulnerabilities – and then monitor – any public Node.js GitHub repository.
Vulnerability testing for Node.js
To test a public project for vulnerabilities, go to snyk.io/test and enter the URL of the GitHub repo you want to test. For an npm package, enter the package name, and optionally, if you want to test a specific version, the version number.
You will then get a Snyk test report that will show you if the package or repo is affected by any vulnerabilities. Our test reports give an overview of each vulnerability, with details on how it’s being introduced into the package and how to address it.
The test report also shows you all dependencies and vulnerable paths (i.e., dependencies with vulnerabilities).
Vulnerability testing with Snyk CLI
You can also test for vulnerabilities with Snyk’s CLI. In addition to npm and GitHub, the Snyk CLI also supports Bitbucket and GitLab.
Install Snyk, run a test on a public npm package (no auth required). For instance:
1 2 npm install -g snyk snyk test firstname.lastname@example.org
To test a public GitHub, Bitbucket or GitLab repository, run
snyk test and include the URL of the repo. For example:
1 snyk test https://github.com/snyk/snyk
The following git URL formats are supported:
Vulnerability monitoring for Node.js
Testing for vulnerabilities once is nice, but you probably want to know if new risks have been introduced over time. That’s where Snyk’s monitoring capability comes into play.
Monitoring a public GitHub project
After testing a public GitHub project, select ‘Monitor for vulnerabilities’, and the repo will be added to your monitored projects on Snyk. Note: you need a free Snyk account to monitor. You can sign up for a free account.
Monitoring a local project
Install Snyk’s CLI tool, navigate to your project’s folder, and run
To make sure the list of dependencies we monitor for your project is up to date, refresh it continuously by running
snyk monitor in your deployment process. Check our documentation for details.
Coming soon: monitoring private GitHub repositories
We are currently working on the ability to monitor your private GitHub repos automatically. Snyk will run a security assessment on every check-in, so the information about your project will always be up-to-date. That way, any alerts about new vulnerabilities that affect you are based on your latest dependencies. You’ll also get a history view that includes commit hash to match the code.
We’d love to hear your feedback on this upcoming feature at email@example.com.
And if you don’t have a free Snyk account yet, get one.
Mitigating ImageMagick vulnerabilities in Node.js
May 06, 2016Multiple severe and trivially exploited vulnerabilities in ImageMagick were disclosed earlier this week, and are known to be exploited in the wild. As there is no official fix yet, we created a package called imagemagick-safe, which disables the vulnerable features, protecting against the known exploits.
April 05, 2016Hidden between the wonders of Node lies a ticking bomb by the name of Buffer. If handled incorrectly, this risky class can easily leak server side memory, and with it your secrets and keys. In this post, we’ll explain how Buffer works, show a sample vulnerability and exploit, and explain how you can protect your own application.
Subscribe to The Secure Developer Podcast
A podcast about security for developers, covering tools and best practices.
Interested in web security?
Subscribe to our newsletter: