CLI - Wizard
The snyk wizard walks you through finding and fixing the known vulnerabilities in your project. Note that the wizard is currently only available for Node.js projects.
cd ~/projects/myproj/
snyk wizard
Please note that if a yarn.lock file is detected in your folder, the wizard will ask you whether to treat the project as a Yarn project (the default answer), or as an
The wizard goes through multiple phases. First, it takes stock of which dependencies are locally installed, queries the Snyk service for related known vulnerabilities, and asks you how you want to address each vulnerability that was found. As you answer the questions, the wizard creates a Snyk policy file, stored in a file named .snyk, which guides future Snyk commands.
Here are the possible remediation steps for each vulnerability:
- Upgrade - If upgrading a direct dependency can fix the current vulnerability, the wizard can automatically modify your package.json file to use the newer version and uses yarn to apply the changes.
- Patch - Sometimes there is no direct upgrade that can address the vulnerability, or there is one but you can't upgrade due to functional reasons (e.g. it's a major breaking change). For such cases, the wizard lets you patch the issue (using patches the Snyk team creates and maintains). This option makes the minimal modifications to your locally installed module files to fix the vulnerability. It also updates the policy to patch this issue when running snyk protect, as shown below.
- Ignore - If you believe this vulnerability is not exploitable, you can set the Snyk policy to ignore this vulnerability. By default, we ignore the vulnerability for 30 days, to avoid easily hiding a true issue. If you want to ignore it permanently, you can use the snyk ignore command, or manually edit the generated .snyk file. If neither a patch nor an upgrade is available, you can choose to ignore the issue for now, and we'll notify you when a new patch or upgrade becomes available.
If more than one vulnerability is introduced via the same module, then the wizard groups them. You can upgrade, patch or ignore all of them; or if you want to see more details, you can review each vulnerability separately.
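As an added example (not from the Snyk documentation), a small Python check over a wizard-style .snyk policy: the POLICY dict is a constructed stand-in for what a YAML loader returns from the file, with the ignore/patch layout assumed from Snyk's documented policy format, and the vulnerability ids and dependency paths other than tough-cookie are sample values. It reports which 30-day ignores have lapsed and which ignores carry no expiry at all, so a time-boxed ignore does not silently become a permanent one.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a wizard-generated .snyk file after YAML loading.
# Assumed layout: ignore -> {vuln id: [{dependency path: {reason, expires}}]},
# patch  -> {vuln id: [{dependency path: {patched}}]}.  Sample values only.
POLICY = {
    "version": "v1.13.5",
    "ignore": {
        "npm:tough-cookie:20160722": [
            {"falcor-router-demo > some-dep > tough-cookie": {
                "reason": "cookie string is never user controlled",
                "expires": "2016-08-21T12:00:00.000Z",   # wizard default: now + 30 days
            }},
        ],
        "npm:example-pkg:20160101": [
            {"some-app > example-pkg": {
                "reason": "permanent ignore",
                # no 'expires' key: this rule never lapses on its own
            }},
        ],
    },
    "patch": {
        "npm:example-patched:20160301": [
            {"some-app > example-patched": {"patched": "2016-07-01T00:00:00.000Z"}},
        ],
    },
}

def parse_expiry(stamp):
    """Parse the UTC ISO-8601 timestamp Snyk writes ('...Z') into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def audit_ignores(policy, now):
    """Return (expired, permanent): lists of (vuln_id, path) for ignore rules that have
    passed their expiry, and for rules with no expiry at all."""
    expired, permanent = [], []
    for vuln_id, entries in policy.get("ignore", {}).items():
        for entry in entries:
            for path, rule in entry.items():
                stamp = (rule or {}).get("expires")
                if stamp is None:
                    permanent.append((vuln_id, path))
                elif parse_expiry(stamp) <= now:
                    expired.append((vuln_id, path))
    return expired, permanent

def default_expiry(now, days=30):
    """The wizard's default ignore window, formatted the way the policy stores it."""
    return (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
```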
$ snyk wizard
Snyk's wizard will:
  * Enumerate your local dependencies and query Snyk's servers for vulnerabilities
  * Guide you through fixing found vulnerabilities
  * Create a .snyk policy file to guide snyk commands such as test and protect
  * Remember your dependencies to alert you when new vulnerabilities are disclosed
Note: Node.js only.

Loading dependencies...
Querying vulnerabilities database...
Tested 446 dependencies for known vulnerabilities, found 8 vulnerabilities, 20 vulnerable paths.

? High severity vuln found in email@example.com, introduced via firstname.lastname@example.org
  - desc: ReDoS via long string of semicolons
  - info: https://snyk.io/vuln/npm:tough-cookie:20160722
  - from: email@example.com > firstname.lastname@example.org > email@example.com > firstname.lastname@example.org
< Upgrade

? 6 vulnerabilities introduced via email@example.com
  - info: https://snyk.io/package/npm/falcor-router-demo/1.0.5
  Remediation options (Use arrow keys)
❯ Re-install firstname.lastname@example.org (triggers upgrade to email@example.com, firstname.lastname@example.org)
  Review vulnerabilities separately
  Set to ignore for 30 days (updates policy)
  Skip
Once all the issues are addressed, snyk wizard will optionally integrate some tests and protection steps into your
1) It can add snyk test to the test script, which queries your local dependencies for vulnerabilities and fails if any are found (except those you chose to ignore).
2) If you chose to patch an issue, the wizard will optionally add snyk protect to your project as a post-install step. This is helpful if you publish this module, as it will re-apply the patches specified in .snyk every time the module is installed.
Lastly, the wizard creates the .snyk file, modifies package.json and uses yarn to apply the changes. To monitor your project for new vulnerabilities, the wizard takes a snapshot of your current dependencies (similar to running snyk monitor). You can see all the snapshots for a project on the Snyk website. We'll notify you via email if you're affected by newly disclosed vulnerabilities in them, or when a previously unavailable patch or upgrade path becomes available.
A few things to note:
- The wizard doesn't perform any git (or source control) actions, so be sure to add the .snyk file to your repository.
- Subsequent runs of the wizard will not show items previously ignored. To start afresh, run snyk wizard --ignore-policy.
- By default, both test ignore devDependencies. To test those, add the