Snyk Documentation

Continuous Integration

Integrating Snyk into your dev workflow

To continuously avoid known vulnerabilities in your dependencies, integrate Snyk into your continuous integration (a.k.a. build) system.

In addition to the documentation here, you're also invited to check out our integration configuration examples in our GitHub repository.

For Node.js

  1. Install the Snyk utility using npm install -g snyk.
  2. Run snyk wizard in your project's directory and follow the prompts. The wizard also generates a .snyk policy file.
  3. Ensure the .snyk file you generated was added to your source control (git add .snyk).
  4. If you chose this option, Snyk includes snyk test as part of your npm test command, so your CI will fail if new vulnerabilities appear in the future, protecting you from introducing vulnerabilities to production. Alternatively, you can add snyk test to any other CI test platform you use.
  5. Configure your CI environment to include the SNYK_TOKEN environment variable. You can find your API token in your account settings on snyk.io.

For Ruby, Python, Java, Go and .NET CI

  1. Install the Snyk utility using npm install -g snyk.
  2. Add snyk test to your CI test platform.
  3. Configure your environment to include the SNYK_TOKEN environment variable. You can find your API token in your account settings on snyk.io.

For Scala

  1. Install the Snyk utility using npm install -g snyk.
  2. Install the sbt-dependency-graph plugin.
  3. Add snyk test to your CI test platform.

Setting up automatic monitoring

If you monitor a project with Snyk, you’ll get notified if your project’s dependencies are affected by newly disclosed vulnerabilities. To make sure the list of dependencies we have for your project is up to date, refresh it continuously by running snyk monitor in your deployment process.

Configure your environment to include the SNYK_TOKEN environment variable. You can find your API token on the dashboard after logging in.

API token configuration

Make sure you don’t check your API token into source control, to avoid exposing it to others. Instead, use your CI environment variables to configure it.
See guidance for how to do this on:

You can find others through an easy Google search.
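
The steps above combined into one CI gate, as an added example (not Snyk's own script): it refuses to run without SNYK_TOKEN or when the token's value is found in a file of the checkout, then runs snyk test and, in deploy mode, snyk monitor. The function name snyk_ci_gate, its mode argument and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Snyk's own script. snyk_ci_gate, its "mode" argument
# and the return codes are hypothetical; `snyk test`, `snyk monitor`, the
# .snyk policy file and SNYK_TOKEN are the pieces named in the steps above.
#
# Return codes: 0 ok, 1 snyk test failed, 2 token missing,
#               3 token value found in the checkout, 4 snyk monitor failed.
# Usage from a CI step, after sourcing this file: snyk_ci_gate test
#                                                 snyk_ci_gate deploy

snyk_ci_gate() {
    mode="${1:-test}"   # "test" on every build, "deploy" in the deployment process

    # Turn off command tracing so `set -x` cannot print the token to the log.
    case $- in *x*) set +x ;; esac

    # The token must be supplied by the CI environment.
    if [ -z "${SNYK_TOKEN:-}" ]; then
        echo "SNYK_TOKEN is not set; add it as a CI environment variable" >&2
        return 2
    fi

    # Refuse to run if the token value is present in any file of the checkout.
    # printf is a builtin in bash and dash, so the token is passed on stdin
    # and never appears in a process argument list.
    if printf '%s\n' "$SNYK_TOKEN" | grep -rqF -f - . 2>/dev/null; then
        echo "SNYK_TOKEN value found in the working tree; rotate it" >&2
        return 3
    fi

    # A Node.js project set up with `snyk wizard` should carry its policy file.
    if [ -f package.json ] && [ ! -f .snyk ]; then
        echo "warning: package.json present but no .snyk policy file" >&2
    fi

    # Fail the build when known vulnerabilities are reported.
    snyk test || return 1

    # Refresh the dependency list Snyk monitors, only when deploying.
    if [ "$mode" = "deploy" ]; then
        snyk monitor || return 4
    fi
    return 0
}
```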