Snyk CLI cheat sheet
Welcome to another Snyk cheat sheet! This time we’re looking at one of the greatest, most amazing and most awesome CLIs that has ever graced our green earth. The Snyk CLI! Ok, we may have exaggerated, but we still think it’s pretty good! The Snyk CLI provides you with command line functions to test, monitor and remediate known vulnerabilities in open source dependencies in your application. Let us know if your favorite Snyk CLI commands/flags weren’t listed on twitter.
Note for the full Snyk CLI documentation, please refer to our official documentation pages.
Let’s start at the top! If you haven’t installed the Snyk CLI yet, you should do using npm. The following command is all you need to get this wonderful CLI on your system. The emptiness you feel is soon to disappear right after you type in this command.
$ npm install -g snyk
Now that it’s installed, authenticate with your Snyk account. There are two ways to do this, either via a browser or by passing in an optional Snyk API token argument which you can retrieve from your account page. If you do not pass the API token in at the command line, the browser reroutes to authenticate. For CI testing we recommend creating an environment variable called
SNYK_TOKEN that is set to your auth token. This will be used by the snyk auth command.
$ snyk auth [api-token]
Using the Snyk CLI
The Snyk CLI takes in a command followed by a number of options. The command can be one of
policy. All the CLI commands must be run within the project folder. Let’s look into what each of these commands does.
snyk test command tests a local project for known vulnerabilities and provides information about those vulnerabilities, their severities, types and descriptions, the number of vulnerable paths, remediation actions and more. Upon running the command, Snyk auto-detects your manifest files and test the first it finds in a prioritized list. Note that Snyk looks for local dependencies to test for vulnerabilities. As a result, it is very important that you run the necessary steps to download your dependency tree, before running
snyk test, such as
dotnet restore or
dep ensure, for example.
If you have multiple manifest files in a single project, run the command multiple times varying the
--file command line flag to point to the exact manifest file you wish to test, as follows:
$ snyk [cmd] --file=package.json
Similarly, you can specify the package manager using the
--package-manager flag, if for example you have renamed the manifest file, which otherwise might result in Snyk not recognizing the type of project it is in.
$ snyk test --file=req.txt --package-manager=pip
By default, Snyk does not test your dev dependencies as it is very common for developers to consider this as noise, in comparison to production vulnerabilities. If you would like to run Snyk to test both your production and dev dependencies, use the
$ snyk test --dev
Another useful flag to use on the test command, as well as on other Snyk commands is the
--org flag. This associates a test or any Snyk command with a specific organization. Organizations are containers in which you can group projects and they can have multiple users associated with them. This is particularly useful when working in teams and when creating snapshots with
snyk monitor, which we cover later in this article. If you do not specify an org, your results are associated with your default org.
$ snyk [cmd] --org=my-team
If you are testing a Maven or Gradle project and you’d like to pass variables through to test a specific Maven profile for example, you can use the
-- option followed by your property name and optionally a value as well. This is particularly useful when testing a Gradle project with test dependencies, to which we need to pass a configuration to
$ snyk test -- --configuration testCompile
Or if you want to put it all together and you’re using a Gradle script with Kotlin DSL, such as
gradle.build.kts, chain the options together as follows:
$ snyk test --file=core/build.gradle.kts --package-manager=gradle -- --configuration
If you want to test public repositories from the command line, we’ve got your back too. You can provide the URL of the public repository directly into the command as follows:
$ snyk test https://github.com/snyk/goof
You are also able to test packages in npm remotely, by passing in the package name only, to test the latest release, or by fully qualifying the package name and version.
$ snyk test lodash
$ snyk test email@example.com
After running snyk test a list of vulnerabilities is displayed, including the severity, a description of the issue and a link where you can learn more about the specific vulnerability issue.
Depending on the language of the project you have tested, Snyk may also offer you remediation advice with details on how you can manually fix the vulnerability. You can also do these interactively using the
snyk wizard command that we cover in the next section.
If you prefer this content in the JSON format, you’re only a command line flag away, namely and very predictably,
--json. You can use the JSON output to format the results however you like.
$ snyk test --json
Also, note we have a Snyk JSON to HTML mapper that can format your results into… yep you guessed it!
If you wanted to level up and really show your script-fu, you can use a command line JSON parser, like jq to filter your results, based on the attributes of the vulnerabilities returned. In this example we’re filtering the results to only show vulnerabilities with the CVSS attack vector of the network.
$ snyk test --json | jq '. | (.vulnerabilities | select(.CVSSv3 | contains("AV:N")))'
snyk wizard command runs
snyk test with an interactive wizard to fix issues locally. The three remediation options Snyk may offer include: upgrade, patch and ignore. The upgrade option updates your vulnerable dependency version to a newer version that contains the vulnerability fix. This is the minimum version upgrade necessary. In the event that an upgrade patch isn’t available, a patch that the Snyk team created and maintains can sometimes be applied to eliminate the vulnerability. All changes are made to the local file system only.
A snapshot of the project dependencies is also taken so that Snyk can monitor the project. This means that if any new vulnerabilities are found or if any new remediation paths become available, you can be alerted by your preferred channel, such as email, slack etc.. Your snapshots can also be done by calling snyk monitor, which we’ll cover next, and are all available on the Snyk website.
This wizard is not available for all languages currently. Check the official documentation to see which languages are currently supported.
snyk monitor command also runs snyk test, but takes a snapshot of your chosen project and uploads the results to the Snyk website as well. Similar to the snapshot taken in
snyk wizard, the project is also monitored by Snyk. This means that any new vulnerabilities that are found or new remediation paths that your project benefits from are sent to you as an alert via your chosen communication channel.
It’s important when running
snyk monitor that you specify enough information to ensure your snapshot ends up in the expected location. If you are a member of many organizations, then be sure to specify which one to send your snapshot to via the
--org flag. Also, if you have similar project names, you can override the default name Snyk gives your snapshots by entering your desired name using the
$ snyk monitor --file=package.json --project-name=myapp --org=myorg
If your application contains a vulnerability with no remediating patch or update available, or a vulnerability that you do not believe to be currently exploitable in your application, you may want to tell Snyk to ignore the vulnerability for a certain period of time.
snyk wizard can ignore a vulnerability for a period of 30 days; additionally, to specify a different duration, you can use the snyk ignore command. To use the ignore command, first run
snyk test and retrieve the vulnerability id which can be taken from the results.
$ snyk ignore --id=npm:tough-cookie:20160722 --expiry=2019-04-30 --reason='Not currently exploitable'
Docker images are scanned by extracting the image layers and inspecting the package manager manifest info. To test an image, make sure it is built (i.e.
docker build -t myapp:mytag), or pulled locally (
docker pull myapp:mytag). You can then run:
$ snyk test --docker myapp:mytag
This test the image for vulnerabilities and returns remediation advice for each vulnerability. If you would also like to get remediation advice for your base image in your Dockerfile, you can add the
--file flag as follows:
$ snyk test --docker myapp:mytag --file=path/to/Dockerfile
Similar to running Snyk against application libraries, you can also snapshot your docker images for continuous monitoring using the monitor command.
$ snyk monitor --docker ubuntu:latest
Other useful flags and commands
Finally, here are some more useful flags and commands that didn’t quite fit into other sections of this blog post! But that doesn’t make them any less useful!
Apply the patches specified in our
.snyk file to the local file system.
Display your snyk policy file.
$ snyk policy
Flush out the API key that you have set by clearing the Snyk configuration.
$ snyk config clear
Only report vulnerabilities of the indicated level or greater
--severity-threshold = low/medium/high
Ignore and reset the state of your policy file.
Apply and use ignore rules from your Snyk policy dependencies; otherwise ignore policies are only shown as a suggestion.
Display the dependency paths from the top level dependencies, down to the vulnerable packages (defaults to true). Applicable to
Don’t apply updates or patches during protect.
Did we miss a useful command that you use all the time? Let us know on twitter.
Running out of tests on an OS project?
2. Navigate to the Snyk app interface in the browser.
3. Click Settings from the menu bar.
4. Enter the URL for your OS repo in the Git remote URI field.
Failing to install Snyk CLI?
This might be a permissions issue, try installing with
Can’t find the snyk command after install?
Change the permissions of the snyk file using
Remediation commands not working on your project?
Check the docs to see the latest supported languages.
Unexpected test results?
For the most accurate test results, download project dependencies before running
snyk test, for example:
$ npm install
$ mvn install
$ dotnet restore
$ dep ensure