What Is Snyk CLI?
Snyk is a popular security testing platform for developers. The Snyk Command Line Interface (CLI) lets you introduce Snyk functionality into your software development workflow, to scan for security problems as part of ongoing development. You can run Snyk CLI on a local machine or as part of a continuous integration/deployment (CI/CD) pipeline.
The Snyk CLI lets you manually identify and fix dependency vulnerabilities in proprietary code; open source components and their dependencies; and infrastructure as code (IaC) templates. Snyk CLI supports a wide range of frameworks and languages, including .NET, Java, JavaScript, C/C++, Ruby, Python, PHP, Scala, and Golang. Â
This is part of a series of articles about Web Application Security.
In this article:
- Getting Started with the Snyk CLI
- Common Snyk CLI Commands
- Complement Snyk with a Developer-First DAST
Getting Started with the Snyk CLI
Follow these steps to start working with the CLI.
1. Install
First, you need to install the Snyk Command Line Interface (CLI)—you can do this manually using an installer from the Snyk GitHub repository or via Scoop, npm, or Homebrew. Once installed, you can verify the CLI works using:
snyk--version
2. Authenticate
Authenticate your account via the browser or an application program interface (API) token to link your Snyk account to the CLI.
3. Authorize
Snyk CLI requires Snyk.io APIs. Link the Snyk CLI to Snyk.io using:
snyk auth
4. Scan
Next, scan your project using one of the following options:
- If your folder has a supported project, you can run:
snyk test
- Alternatively, scan a Docker image using Snyk Container:
snyk container test ubuntu:18.04
- You can also scan a Kubernetes file:
snyk iac test /path/to/kubernetes_file.yaml
5. Build a Project
Now you can start building your project. You need to build a project to test for vulnerabilities unless it has a lock file such as package-lock.json, yarn.lock, gemfile.lock, or paket.lock. For Gradle projects, you don’t need to provide a full build if your project already has an external Gradle file with declared versions of dependencies—you only need the build.gradle file and any other files declaring dependencies.
You build or install a project using:
npm installmvn installgradle builddotnet restoredep ensure
Common Snyk CLI Commands
Here are the most common Snyk CLI commands, what they do and how to use them. You run all CLI commands from the folder of the project you want to test.
Note that all commands have an extensive set of flags and options—these are beyond the scope of the current article. Refer to the CLI documentation for more details, and to read about additional CLI commands we could not cover here.
Related content: Read our guide to Snyk alternatives
Snyk Test
Basic command: snyk test
What it does
Tests a local project for vulnerabilities, providing the following information:
- Issues to fix by upgrading — you can fix one or more vulnerabilities by updating the project.
- Patchable issue — Snyk provides a patch you can use to remediate the vulnerability.
- Issues with no direct upgrade or patch — an issue in the main project or a transitive library that does not have a known fix. In some cases you can replace a transitive library with a newer version that fixes the vulnerability.
How to use it
There are a few ways to use the snyk test command:
- Run in a local project to identify vulnerabilities. Ensure you first download your full dependency tree using commands like
npm installormvn install. - Run within your CI pipeline, and break the build when a vulnerability is found.
- Run in a script—if the exit code is 0, this means no vulnerabilities were found.
Related content: Read our guide to application security testing
Snyk Monitor
Syntax example: snyk monitor
What it does
Takes a snapshot of a project’s vulnerabilities and uploads it to Snyk’s cloud platform. The command then monitors the project over time, and you can receive alerts when new vulnerabilities are discovered. This command uses snyk test under the hood.
How to use it
First run snyk test to identify vulnerabilities found in your project right now. Snyk recommends first remediating those vulnerabilities you can, and then before going to production, running snyk monitor. This way you can reach an acceptable level of vulnerabilities in the project and be alerted if new vulnerabilities are found.
Note that the results of snyk monitor are stored in the Snyk platform depending on the organization you are a part of. If you belong to several organizations, use the --org flag to indicate which organization this monitor belongs to.
Related content: Read our guide to security testing tools.
Snyk Ignore
Syntax: snyk ignore --id=<VULNERABILITY_ID> [--expiry=] [--reason=] []
What it does
It is common to have a vulnerability in an application which cannot be easily remediated, but which does not represent an immediate risk. In this case, you can use the snyk ignore command, telling Snyk to ignore this vulnerability for a certain period of time.
How to use it
First run snyk test and copy the vulnerability ID. You can then run snyk ignore, providing the vulnerability ID using the –id flag.
Additional, optional flags are –expiry, which specify on what date Snyk should resume reporting the vulnerability, and –reason, which is a text field explaining why you are ignoring the vulnerability.
For example:
$ snyk ignore --id=npm:tough-cookie:20160722 --expiry=2020-12-20 --reason=’Package not used in runtime’
Snyk Container
Syntax: snyk container test <image>:<tag>
What it does
Scans container images, distroless images, and container archives for vulnerabilities. You can also monitor images on an ongoing basis, similar to the snyk monitor command.
How to use it
- You can scan a Docker image you downloaded from a repository by running
snyk container test <image>:<tag> - You can scan a distroless image like this:
snyk container test gcr.io/distroless/base | head - You can scan a container archive like this:
snyk container test docker-archive:container.tar - If you add a Dockerfile to any of these commands, Snyk provides remediation advice on the base image, and suggests alternative base images from Snyk if available.
Snyk Infrastructure As Code
Syntax: snyk iac test <PATH_TO_CONFIG>
What it does
Lets you identify and fix misconfigurations in infrastructure as code (IaC) systems like Terraform or Kubernetes. You can run scans from your local machine or as part of a continuous integration (CI) process.
How to use it
To scan a Kubernetes or Terraform template file, use commands like these:
$ snyk iac test /path/to/Kubernetes.yaml
$ snyk iac test /path/to/terraform_file.tf
Snyk Auth
Syntax: snyk auth [<API_TOKEN>] []
What it does
Lets you authenticate Snyk CLI using your Snyk account.
How to use it
The <API_TOKEN> input is necessary for CI environments to validate the Snyk API command. If you run $ snyk auth without <API_TOKEN>, a browser window opens, prompting you to log in and authorize using a Snyk..
Snyk Protect
Syntax: snyk protect []
What it does
Lets you apply patches to vulnerable dependencies.
How to use it
You can use $ snyk protect after you open a fix pull request from the GitHub website or if you run the Snyk wizard on the CLI. This command reads .snyk policy files to determine the patches it applies.
Snyk Wizard
Syntax: snyk wizard []
What it does
Provides various functions to help you detect, keep track of, and fix vulnerabilities.
How to use it
Use the wizard as a guide for fixing discovered vulnerabilities. The Snyk wizard can enumerate local dependencies and query the Snyk servers to find vulnerabilities. You can use it to create .snyk policy files that determine Snyk commands like test and protect. The wizard can also retain a record of your dependencies and notify you of new vulnerabilities.
Complement Snyk with a Developer-First DAST
To ensure your apps and API are secure before hitting production, use SCA like Snyk’s, and Bright’s automated DAST in conjunction.
Snyk’s SCA will allow you to detect your open-source vulnerabilities that may underpin your applications, while Bright’s innovative DAST lets you seamlessly detect security vulnerabilities across your applications and APIs. As Bright automatically validates results, they are NO false-positives, with developer-friendly remediation guidelines provided for each finding.
By leveraging both Snyk and Bright, you are covering all your bases, to find a broader range of vulnerabilities faster and earlier.
The question is not if you should be using SCA or DAST, but how and when you can start to use them together across the pipelines.
Sign-up for a free Bright account.
