Snyk CLI cheat sheet

Simon Maple
February 22, 2019 | in Product

Welcome to another Snyk cheat sheet! This time we’re looking at one of the greatest, most amazing and most awesome CLIs that has ever graced our green earth. The Snyk CLI! Ok, we may have exaggerated, but we still think it’s pretty good! The Snyk CLI provides you with command line functions to test, monitor and remediate known vulnerabilities in open source dependencies in your application. Let us know if your favorite Snyk CLI commands/flags weren’t listed on twitter.

Download the cheat sheet

Note: for the full Snyk CLI documentation, please refer to our official documentation pages.

Installation

Let’s start at the top! If you haven’t installed the Snyk CLI yet, you should do so using npm. The following command is all you need to get this wonderful CLI on your system. The emptiness you feel is soon to disappear right after you type in this command.

$ npm install -g snyk

Now that it’s installed, authenticate with your Snyk account. There are two ways to do this: either via a browser, or by passing in an optional Snyk API token argument, which you can retrieve from your account page. If you do not pass the API token in at the command line, the browser reroutes to authenticate. For CI testing we recommend creating an environment variable called SNYK_TOKEN that is set to your auth token; this is used by the snyk auth command.

$ snyk auth [api-token]

Using the Snyk CLI

The Snyk CLI takes in a command followed by a number of options. The command can be one of test, wizard, monitor, ignore, protect, or policy. All the CLI commands must be run within the project folder. Let’s look into what each of these commands does.

Snyk test

The snyk test command tests a local project for known vulnerabilities and provides information about those vulnerabilities: their severities, types and descriptions, the number of vulnerable paths, remediation actions and more. Upon running the command, Snyk auto-detects your manifest files and tests the first one it finds in a prioritized list. Note that Snyk looks for locally installed dependencies to test for vulnerabilities. As a result, it is very important that you run the necessary steps to download your dependency tree before running snyk test, such as npm install, mvn install, dotnet restore or dep ensure.

If you have multiple manifest files in a single project, run the command multiple times varying the --file command line flag to point to the exact manifest file you wish to test, as follows:

$ snyk [cmd] --file=package.json

Similarly, you can specify the package manager using the --package-manager flag, for example if you have renamed the manifest file, which might otherwise result in Snyk not recognizing the type of project it is in.

$ snyk test --file=req.txt --package-manager=pip

By default, Snyk does not test your dev dependencies as it is very common for developers to consider this as noise, in comparison to production vulnerabilities. If you would like to run Snyk to test both your production and dev dependencies, use the --dev flag.

$ snyk test --dev

Another useful flag to use on the test command, as well as on other Snyk commands is the --org flag. This associates a test or any Snyk command with a specific organization. Organizations are containers in which you can group projects and they can have multiple users associated with them. This is particularly useful when working in teams and when creating snapshots with snyk monitor, which we cover later in this article. If you do not specify an org, your results are associated with your default org.

$ snyk [cmd] --org=my-team

If you are testing a Maven or Gradle project and you’d like to pass variables through to test a specific Maven profile for example, you can use the -- option followed by your property name and optionally a value as well. This is particularly useful when testing a Gradle project with test dependencies, to which we need to pass a configuration to snyk test.

$ snyk test -- --configuration testCompile

Or if you want to put it all together and you’re using a Gradle script with Kotlin DSL, such as build.gradle.kts, chain the options together as follows:

$ snyk test --file=core/build.gradle.kts --package-manager=gradle -- --configuration testCompile

If you want to test public repositories from the command line, we’ve got your back too. You can provide the URL of the public repository directly into the command as follows:

$ snyk test https://github.com/snyk/goof

You are also able to test packages in npm remotely, by passing in the package name only, to test the latest release, or by fully qualifying the package name and version.

$ snyk test lodash

$ snyk test ionic@1.6.5

After running snyk test a list of vulnerabilities is displayed, including the severity, a description of the issue and a link where you can learn more about the specific vulnerability issue.

Depending on the language of the project you have tested, Snyk may also offer you remediation advice with details on how you can manually fix the vulnerability. You can also do these interactively using the snyk wizard command that we cover in the next section.

If you prefer this content in the JSON format, you’re only a command line flag away, namely and very predictably, --json. You can use the JSON output to format the results however you like.

$ snyk test --json

Also, note we have a Snyk JSON to HTML mapper that can format your results into… yep you guessed it!

If you wanted to level up and really show your script-fu, you can use a command line JSON parser like jq to filter your results based on the attributes of the vulnerabilities returned. In this example we’re filtering the results to only show vulnerabilities whose CVSS attack vector is Network (AV:N).

$ snyk test --json | jq '. | (.vulnerabilities[] | select(.CVSSv3 | contains("AV:N")))'
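As an added example (not code from the Snyk CLI or from this post), here is the same kind of filtering done in Python so that the result can drive a CI gate rather than only print: it reads a snyk test --json report, applies a severity threshold in the spirit of --severity-threshold, optionally keeps only findings whose attack vector is Network (AV:N), and summarises the fix for each finding along the lines of the upgrade/patch/ignore choices snyk wizard offers. The "vulnerabilities" and "CVSSv3" keys are the ones the jq filter above uses; every other field name and the embedded sample report are constructed assumptions for illustration, not real scan output.

```python
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample in the shape of a `snyk test --json` report. Only
# "vulnerabilities" and "CVSSv3" are taken from the page's jq example; the
# other field names, ids and package names are assumptions for illustration.
SAMPLE_REPORT = """{
  "ok": false,
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-1", "title": "Example remote code execution",
     "severity": "high", "packageName": "example-http-client",
     "from": ["myapp@1.0.0", "example-http-client@1.2.0"],
     "isUpgradable": true, "isPatchable": false,
     "upgradePath": [false, "example-http-client@1.2.1"],
     "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "EXAMPLE-VULN-2", "title": "Example regular expression DoS",
     "severity": "medium", "packageName": "example-cookie-parser",
     "from": ["myapp@1.0.0", "example-web@3.0.0", "example-cookie-parser@2.1.0"],
     "isUpgradable": false, "isPatchable": true, "upgradePath": [],
     "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},
    {"id": "EXAMPLE-VULN-3", "title": "Example local symlink issue",
     "severity": "low", "packageName": "example-tmpfile",
     "from": ["myapp@1.0.0", "example-tmpfile@0.9.0"],
     "isUpgradable": false, "isPatchable": false, "upgradePath": [],
     "CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},
    {"id": "EXAMPLE-VULN-4", "title": "Example local privilege escalation",
     "severity": "high", "packageName": "example-native-build",
     "from": ["myapp@1.0.0", "example-native-build@5.0.0"],
     "isUpgradable": true, "isPatchable": false,
     "upgradePath": [false, "example-native-build@5.0.2"],
     "CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}
  ]
}"""

def load_report(text):
    """Parse the JSON report and check the one array everything below relies on."""
    report = json.loads(text)
    if not isinstance(report.get("vulnerabilities"), list):
        raise ValueError("report has no 'vulnerabilities' array")
    return report

def filter_vulns(report, threshold="low", network_only=False):
    """Keep findings at or above `threshold` (like --severity-threshold) and,
    if network_only is set, only those whose CVSSv3 vector contains AV:N."""
    min_rank = SEVERITY_RANK[threshold]
    kept = []
    for vuln in report["vulnerabilities"]:
        if SEVERITY_RANK.get(vuln.get("severity"), -1) < min_rank:
            continue
        if network_only and "AV:N" not in vuln.get("CVSSv3", ""):
            continue
        kept.append(vuln)
    return kept

def remediation(vuln):
    """Summarise the fix: upgrade if one exists, else a Snyk patch, else none."""
    # upgradePath entries may be `false` for nodes that need no change.
    targets = [step for step in vuln.get("upgradePath", []) if step]
    if vuln.get("isUpgradable") and targets:
        return "upgrade to " + targets[-1]
    if vuln.get("isPatchable"):
        return "apply Snyk patch"
    return "no fix available; review and consider snyk ignore with an expiry"

def summarize(vulns):
    """Count findings per severity, e.g. {'high': 2, 'medium': 1}."""
    counts = {}
    for vuln in vulns:
        counts[vuln["severity"]] = counts.get(vuln["severity"], 0) + 1
    return counts

def format_vuln(vuln):
    """One report line: severity, id, title, dependency path and the fix."""
    path = " > ".join(vuln.get("from", []))
    return "[%s] %s: %s via %s -> %s" % (
        vuln["severity"].upper(), vuln["id"], vuln["title"], path, remediation(vuln))

def should_fail(report, threshold):
    """True when the build should be blocked: any finding at or above threshold."""
    return bool(filter_vulns(report, threshold))

def main(argv):
    threshold = argv[1] if len(argv) > 1 else "high"
    # Read a real report from stdin (`snyk test --json | python gate.py high`)
    # or fall back to the constructed sample when run interactively.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    report = load_report(text)
    for vuln in filter_vulns(report, threshold):
        print(format_vuln(vuln))
    print("summary:", summarize(filter_vulns(report, "low")))
    return 1 if should_fail(report, threshold) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Piped after snyk test --json in a CI step, the non-zero exit status from should_fail is what blocks the build; run interactively it works on the constructed sample and shows that a high-severity finding with a local attack vector (AV:L) is still reported by the threshold but dropped by the network_only filter, which is the distinction the jq one-liner above draws.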

Snyk wizard

The snyk wizard command runs snyk test with an interactive wizard to fix issues locally. The three remediation options Snyk may offer are: upgrade, patch and ignore. The upgrade option updates your vulnerable dependency to a newer version that contains the vulnerability fix; this is the minimum version upgrade necessary. In the event that an upgrade isn’t available, a patch that the Snyk team created and maintains can sometimes be applied to eliminate the vulnerability. All changes are made to the local file system only.

A snapshot of the project dependencies is also taken so that Snyk can monitor the project. This means that if any new vulnerabilities are found, or if any new remediation paths become available, you can be alerted via your preferred channel, such as email, Slack etc. Snapshots can also be taken by calling snyk monitor, which we’ll cover next, and are all available on the Snyk website.

This wizard is not available for all languages currently. Check the official documentation to see which languages are currently supported.

Snyk monitor

The snyk monitor command also runs snyk test, but takes a snapshot of your chosen project and uploads the results to the Snyk website as well. Similar to the snapshot taken in snyk wizard, the project is also monitored by Snyk. This means that any new vulnerabilities that are found or new remediation paths that your project benefits from are sent to you as an alert via your chosen communication channel.

It’s important when running snyk monitor that you specify enough information to ensure your snapshot ends up in the expected location. If you are a member of many organizations, then be sure to specify which one to send your snapshot to via the --org flag. Also, if you have similar project names, you can override the default name Snyk gives your snapshots by entering your desired name using the --project-name flag.

$ snyk monitor --file=package.json --project-name=myapp --org=myorg

Snyk ignore

If your application contains a vulnerability with no remediating patch or update available, or a vulnerability that you do not believe to be currently exploitable in your application, you may want to tell Snyk to ignore the vulnerability for a certain period of time.

The snyk wizard can ignore a vulnerability for a period of 30 days; additionally, to specify a different duration, you can use the snyk ignore command. To use the ignore command, first run snyk test and retrieve the vulnerability id which can be taken from the results.

$ snyk ignore --id=npm:tough-cookie:20160722 --expiry=2019-04-30 --reason='Not currently exploitable'

Docker

Docker images are scanned by extracting the image layers and inspecting the package manager manifest info. To test an image, make sure it is built (i.e. docker build -t myapp:mytag), or pulled locally (docker pull myapp:mytag). You can then run:

$ snyk test --docker myapp:mytag

This tests the image for vulnerabilities and returns remediation advice for each vulnerability. If you would also like to get remediation advice for the base image in your Dockerfile, you can add the --file flag as follows:

$ snyk test --docker myapp:mytag --file=path/to/Dockerfile

Similar to running Snyk against application libraries, you can also snapshot your docker images for continuous monitoring using the monitor command.

$ snyk monitor --docker ubuntu:latest

Other useful flags and commands

Finally, here are some more useful flags and commands that didn’t quite fit into other sections of this blog post! But that doesn’t make them any less useful!

Apply the patches specified in your .snyk file to the local file system.
$ snyk protect

Display your Snyk policy file.
$ snyk policy

Flush out the API key that you have set by clearing the Snyk configuration.
$ snyk config clear

Only report vulnerabilities of the indicated severity level or greater.
--severity-threshold=low|medium|high

Ignore and reset the state of your policy file.
--ignore-policy

Apply and use the ignore rules from your dependencies’ own Snyk policy files; otherwise those ignore policies are only shown as a suggestion.
--trust-policies

Display the dependency paths from the top-level dependencies down to the vulnerable packages (defaults to true). Applicable to snyk test.
--show-vulnerable-paths

Don’t apply updates or patches during snyk protect.
--dry-run

Did we miss a useful command that you use all the time? Let us know on twitter.

Troubleshooting

Running out of tests on an open source (OS) project?

1. Run snyk monitor.
2. Navigate to the Snyk app interface in the browser.
3. Click Settings from the menu bar.
4. Enter the URL for your open source repo in the Git remote URI field.

Failing to install the Snyk CLI?
This might be a permissions issue; try installing with sudo.

Can’t find the snyk command after install?
Make the snyk file executable by changing its permissions with chmod +x.

Remediation commands not working on your project?
Check the docs to see the latest supported languages.

Unexpected test results?
For the most accurate test results, download project dependencies before running snyk test, for example:
$ npm install
$ mvn install
$ dotnet restore
$ dep ensure
