Free vulnerability testing and monitoring for public GitHub projects

Johanna Kollmann

We are pleased to offer a free service from Snyk that lets anyone test for vulnerabilities – and then monitor – any public Node.js GitHub repository.

Vulnerability testing for Node.js

To test a public project for vulnerabilities, go to and enter the URL of the GitHub repo you want to test. For an npm package, enter the package name, and optionally, if you want to test a specific version, the version number.

You will then get a Snyk test report that will show you if the package or repo is affected by any vulnerabilities. Our test reports give an overview of each vulnerability, with details on how it’s being introduced into the package and how to address it.

The test report also shows you all dependencies and the vulnerable paths, i.e., the chain of dependencies (from your project down through any transitive dependencies) through which each vulnerability is introduced.

Vulnerability testing with Snyk CLI

You can also test for vulnerabilities with Snyk’s CLI. In addition to npm and GitHub, the Snyk CLI also supports Bitbucket and GitLab.

Install the Snyk CLI and run a test against a public npm package (no authentication is required for this). For instance:

npm install -g snyk
snyk test ionic@1.6.5

To test a public GitHub, Bitbucket or GitLab repository, run snyk test and include the URL of the repo. For example:

snyk test

The following git URL formats are supported:

  • git://
  • user/project#commit-ish

Vulnerability monitoring for Node.js

Testing for vulnerabilities once is nice, but you probably want to know if new risks have been introduced over time. That’s where Snyk’s monitoring capability comes into play.

Monitoring a public GitHub project

After testing a public GitHub project, select ‘Monitor for vulnerabilities’, and the repo will be added to your monitored projects on Snyk. Note: you need a free Snyk account to monitor. You can sign up for a free account.

Monitoring a local project

Install Snyk’s CLI tool, navigate to your project’s folder, and run snyk monitor.

To make sure the list of dependencies we monitor for your project is up to date, keep refreshing it by running snyk monitor as part of your deployment process, so that alerts are based on the dependency tree you actually ship. Check our documentation for details.

Coming soon: monitoring private GitHub repositories

We are currently working on the ability to monitor your private GitHub repos automatically. Snyk will run a security assessment on every check-in, so the information about your project will always be up-to-date. That way, any alerts about new vulnerabilities that affect you are based on your latest dependencies. You’ll also get a history view that includes commit hash to match the code.

We’d love to hear your feedback on this upcoming feature at

And if you don’t have a free Snyk account yet, get one.

Mitigating ImageMagick vulnerabilities in Node.js

May 06, 2016

Multiple severe and trivially exploitable vulnerabilities in ImageMagick were disclosed earlier this week, and are known to be exploited in the wild. As there is no official fix yet, we created a package called imagemagick-safe, which disables the vulnerable features, protecting against the known exploits.

Exploiting Buffer

April 05, 2016

Hidden between the wonders of Node lies a ticking bomb by the name of Buffer. If handled incorrectly, this risky class can easily leak server side memory, and with it your secrets and keys. In this post, we’ll explain how Buffer works, show a sample vulnerability and exploit, and explain how you can protect your own application.
