Snyk Code CLI support now in public beta
Frank Fischer
September 21, 2021
0 mins readSnyk is on the mission to make Static Application Security Testing (SAST) tools work for developers throughout the DevOps pipeline. Snyk Code scans in real time with high accuracy — and it does it right from the tools and workflows developers are already using. For example, the IDE plugins for IntelliJ, PyCharm, WebStorm, and Visual Studio Code make it easy to code, scan and fix even before code hits the version management. And with the web-based UI, developers can scan legacy code or perform a code review.
Adding to all that, we are happy to announce that Snyk Code is now part of the Snyk command-line interface (Snyk CLI) in a public beta. Now you can easily make Snyk Code part of the CI/CD process, with the flexibility to trigger a scan and work with the results in an automatic fashion.
Snyk provides a CLI to interact with any element of the Snyk platform. Snyk Code extends the functionality of the existing CLI. This article is going to be a “Getting Started” experience, for a deeper dive, I encourage you to explore our Snyk Code CLI documentation.
As a quick reminder, the CLI support is in beta for now. Please give it a try and give us feedback so we can make it even better.
Installing and Configuring the Snyk CLI
The Snyk CLI is a Node.js application, and as such can be hosted on any system supporting Node.js. It is also easy to install and configure.
You can use npm to install it by running: npm install -g snyk
For more ways to install it, and more information about the npm installation, check out our full Snyk Code CLI documentation.
After installation, the next step is to authenticate which can be achieved by calling: snyk auth
.
This will start an authentication process and result in an identification token for you being stored to be used with the CLI from now on.
Pro tip: The CLI tests for updates every time it’s run. It will notify the user to update showing the necessary command. To make sure to have the latest version, you can also update manually by calling npm update -g snyk
.
Testing a project or folder
Calling a Snyk Code scan using the CLI looks like this: snyk code test [my-folder-path]
If you do not provide the path parameter, the CLI will scan the current folder. And yes, it will iterate through the directory tree and scan its contents. There are lots of more commands and parameters possible, which you can find in our documentation.
For existing CLI users, please note that this beta does not support the monitor
command for Snyk Code.
Note: The CLI will bundle and upload supported source code files for scan into Snyk. So please be advised that while both data-in-motion and data-at-rest is encrypted, source code will leave your premises. Make sure you are fine with this before running the CLI on a given repository.
Result format options
There are three ways the CLI can report its result. First, and a good way to get started with the CLI, is by simply calling it. This will return a report in a human-readable format.
1Testing . ...
2
3 ✗ [Medium] Cross-Site Request Forgery (CSRF)
4 Path: app.js, line 16
5 Info: Consider using csurf middleware for your Express app to protect against CSRF attacks.
6
7 ✗ [Medium] Use of Hard-coded Credentials
8 Path: index.js, line 10
9 Info: Do not hardcode credentials in code. Found hardcoded credential used in mysql.createConnection.
10
11 ✗ [Medium] Allocation of Resources Without Limits or Throttling
12 Path: app.js, line 46
13 Info: This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.
14
15 ✗ [Medium] Allocation of Resources Without Limits or Throttling
16 Path: index.js, line 15
17 Info: This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.
18
19 ✗ [Medium] Allocation of Resources Without Limits or Throttling
20 Path: index.js, line 21
21 Info: This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.
22
23 ✗ [Medium] Allocation of Resources Without Limits or Throttling
24 Path: createDummyData.js, line 16
25 Info: This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.
26
27 ✗ [Medium] Use of Hard-coded Credentials
28 Path: index.js, line 11
29 Info: Do not hardcode passwords in code. Found hardcoded password used in mysql.createConnection.
30
31 ✗ [High] Path Traversal
32 Path: index.js, line 25
33 Info: Unsanitized input from an HTTP parameter flows into fs.readFile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.
34
35 ✗ [High] SQL Injection
36 Path: index.js, line 39
37 Info: Unsanitized input from an HTTP parameter flows into get, where it is used in an SQL query. This may result in an SQL Injection vulnerability.
38
39✔ Test completed
40
41Organization: undefined
42Test type: Static code analysis
43Project path: .
44
459 Code issues found
462 [High] 7 [Medium]
Severity level is color-coded and the result provides an explanation of the vulnerability as well as a recommended remediation.
Pro tip: As Snyk Code is extremely fast, take any project (or cloned open source repo in that regard) and simply run the scan to check that the system is working.
Next, the CLI provides a data format called SARIF by calling snyk code test --sarif
:
1{
2 "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
3 "version": "2.1.0",
4 "runs": [
5 {
6 "tool": {
7 "driver": {
8 "name": "SnykCode",
9 "semanticVersion": "1.0.0",
10 "version": "1.0.0",
11 "rules": [
12 {
13 "id": "javascript/UseCsurfForExpress",
14 "name": "UseCsurfForExpress",
15 "shortDescription": {
16 "text": "Cross-Site Request Forgery (CSRF)"
17 },
18 "defaultConfiguration": {
19 "level": "warning"
20 },
21 "help": {
22 "markdown": "\n## Details\nCross-site request forgery is an attack in which a malicious third party takes advantage of a user's authenticated credentials (such as a browser cookie) to impersonate that trusted user and perform unauthorized actions. The web application server cannot tell the difference between legitimate and malicious requests. This type of attack generally begins by tricking the user with a social engineering attack, such as a link or popup that the user inadvertently clicks, causing an unauthorized request to be sent to the web server. Consequences vary: At a standard user level, hackers can change passwords, transfer funds, make purchases, or connect with contacts; from an administrator account, hackers can then make changes to or even take down the app itself.\n\n### Best practices for prevention\n* Use development frameworks that defend against CSRF, using a nonce, hash, or some other security device to the URL and/or to forms.\n* Implement secure, unique, hidden tokens that are checked by the server each time to validate state-change requests.\n* Never assume that authentication tokens and session identifiers mean a request is legitimate.\n* Understand and implement other safe-cookie techniques, such as double submit cookies.\n* Terminate user sessions when not in use, including automatic timeout.\n* Ensure rigorous coding practices and defenses against other commonly exploited CWEs, since cross-site scripting (XSS), for example, can be used to bypass defenses against CSRF.\n\n## References\n\n* [Express Documentation - Implement CSRF Protection](https://expressjs.com/en/resources/middleware/csurf.html)\n* [Node Security Checklist - CSRF](https://blog.risingstack.com/node-js-security-checklist/#csrf)",
23 "text": ""
24 },
25 "properties": {
26 "tags": [
27 "javascript",
28 "maintenance",
29 "express",
30 "server",
31 "CSRF"
32 ],
33 "categories": [
34 "Security"
35 ],
36 "exampleCommitFixes": [
37 {
38 "commitURL": "https://github.com/eclipse/orion.client/commit/ad8f3bce33a1ea9d1e2144e6c42f075ad25829d6?diff=split#diff-16594450dc1f06f7d9cf4a47859cfa52L175",
39 "lines": [
40 {
41 "line": "}",
42 "lineNumber": 172,
43 "lineChange": "none"
44 },
45...
This output is rich and contains everything — and even a bit more — that you can see in the Snyk Code frontend. It even contains the example fixes and priority score.
Pro Tip: Grab a cup of coffee and have a good look around in the SARIF file. As it is JSON, it is actually not that hard to understand. It contains a wealth of information and I promise you will have a lot of ideas on how to use it in your processes or to gather some stats.
Finally, the CLI provides an exit code that can be used to steer, for example, a CI/CD process. Here are the exit codes to expect:
3: failure, no supported projects found
2: failure, try to re-run command
1: action needed, vulnerabilities found
0: success, no vulnerabilities found
By using the parameter --severity-threshold=<low|medium|high>
in your call, you can filter on severity level.
Try the Snyk Code CLI in beta
The CLI is a powerful tool and we want to invite everyone to join us in the public beta. Just make sure you have the latest Snyk CLI installed, Snyk Code is enabled for your org and give it a try. And since this is a beta, we’d love it if you helped us by using it and provided us feedback.
And if you’re new to Snyk, the first step is to have a Snyk Code-activated account on Snyk! Sign up for free today.
Get started in capture the flag
Learn how to solve capture the flag challenges by watching our virtual 101 workshop on demand.