# Snyk CLI

Snyk CLI is a comprehensive developer-first, cloud-native security tool that scans and monitors software development projects for security vulnerabilities. It provides both a command-line interface and a programmatic API for vulnerability scanning across multiple content types, including open-source dependencies, application code, container images, and infrastructure-as-code configurations.

## Package Information

- **Package Name**: snyk
- **Package Type**: npm
- **Language**: JavaScript/TypeScript
- **Installation**: `npm install -g snyk` or `npm install snyk`

## Core Imports

### Programmatic API

```javascript
const snyk = require('snyk');
```

### ES Module (if available)

```javascript
import snyk from 'snyk';
```

### CLI Usage

```bash
npx snyk <command> [options]
```

## Basic Usage

### CLI Testing

```bash
# Test current project for vulnerabilities
snyk test

# Test with specific options
snyk test --severity-threshold=high --json

# Monitor project for continuous scanning
snyk monitor

# Test Docker container
snyk container test nginx:latest

# Test Infrastructure as Code
snyk iac test ./terraform/
```

### Programmatic Usage

```javascript
const snyk = require('snyk');

// Test a project programmatically (main API function)
snyk.test('/path/to/project', {
  org: 'my-org',
  json: true
}).then(result => {
  console.log('Vulnerabilities found:', result);
}).catch(error => {
  console.error('Test failed:', error);
});

// Access configuration
// snyk.api holds the API token; report only whether it is set so the secret stays out of logs
console.log('API token configured:', Boolean(snyk.api));
snyk.config.set('org', 'my-organization');

// Note: Monitor functionality is CLI-only, not available in programmatic API
```

## Architecture

Snyk CLI is built around several key components:

- **CLI Interface**: Full-featured command-line interface with 15+ commands for vulnerability scanning and management
- **Programmatic API**: Node.js library providing `test()`, `config`, and other core functions for integration
- **Plugin System**: Extensible architecture supporting 25+ package managers and ecosystems
- **Multi-Content Scanning**: Support for open-source dependencies, source code (SAST), containers, and IaC
- **Policy Engine**: Configurable rules and ignore patterns for customizing vulnerability reporting
- **Monitoring System**: Continuous monitoring capabilities with webhook notifications
- **Output Formats**: Human-readable, JSON, and SARIF output formats for integration with CI/CD systems

## Capabilities

### Vulnerability Testing

Core vulnerability scanning functionality for detecting security issues in projects and dependencies. Supports multiple scan types and package managers.

```javascript { .api }
function test(root: string, options?: TestOptions, callback?: Function): Promise<TestResult>;

interface TestOptions {
  org?: string;
  file?: string;
  docker?: boolean;
  iac?: boolean;
  code?: boolean;
  json?: boolean;
  severityThreshold?: 'low' | 'medium' | 'high' | 'critical';
  showVulnPaths?: 'none' | 'some' | 'all';
  allProjects?: boolean;
  yarnWorkspaces?: boolean;
}
```

[Vulnerability Testing](./vulnerability-testing.md)

### Project Monitoring

Continuous monitoring system for tracking security posture over time with automated alerts and notifications. **Note: Monitor functionality is only available via CLI commands, not through the programmatic API.**

```bash { .api }
snyk monitor [path]                      # Monitor project continuously
snyk monitor --org=<org-id>              # Monitor with specific organization
snyk monitor --project-name=<name>       # Set custom project name
snyk monitor --target-reference=<ref>    # Set target reference (e.g., branch name)
```

[Project Monitoring](./project-monitoring.md)

### CLI Commands

Complete command-line interface providing access to all Snyk functionality through terminal commands.

```bash { .api }
# Core commands
snyk auth               # Authentication management
snyk test               # Test for vulnerabilities
snyk monitor            # Monitor project continuously
snyk fix                # Auto-fix vulnerabilities
snyk protect            # Apply patches and protections

# Specialized commands
snyk container test     # Container scanning
snyk iac test           # Infrastructure as Code scanning
snyk code test          # Source code analysis (SAST)
snyk config             # Configuration management
snyk policy             # Policy management
snyk ignore             # Manage vulnerability ignores
```

[CLI Commands](./cli-commands.md)

### Configuration Management

System for managing authentication, organization settings, and scan preferences.

```javascript { .api }
interface Config {
  api: string;
  org?: string;
  'disable-analytics'?: boolean;
}

// Access configuration
const config = snyk.config;
```

[Configuration](./configuration.md)

### Container Security

Specialized scanning capabilities for Docker containers, including base image vulnerabilities and application layer scanning.

```bash { .api }
snyk container test <image>                      # Scan container image
snyk container test <image> --file=Dockerfile    # Include Dockerfile analysis
snyk container monitor <image>                   # Monitor container continuously
```

[Container Security](./container-security.md)

### Infrastructure as Code (IaC)

Security scanning for infrastructure configuration files including Terraform, Kubernetes, CloudFormation, and ARM templates.

```bash { .api }
snyk iac test <path>                        # Scan IaC files
snyk iac test --detection-depth=<number>    # Control scan depth
snyk iac describe --only-managed            # Drift detection
```

[Infrastructure as Code](./infrastructure-as-code.md)

### Source Code Analysis

Static Application Security Testing (SAST) for identifying security vulnerabilities in application source code.

```bash { .api }
snyk code test                   # Scan source code
snyk code test --org=<org-id>    # Scan with specific organization
```

[Source Code Analysis](./source-code-analysis.md)

## Types

### Core Types

```typescript { .api }
interface TestResult {
  vulnerabilities: Vulnerability[];
  dependencyCount: number;
  licensesPolicy: LicensesPolicy;
  packageManager: string;
  platform: string;
  path: string;
  projectName: string;
  summary: string;
}

interface Vulnerability {
  id: string;
  title: string;
  description: string;
  severity: 'low' | 'medium' | 'high' | 'critical';
  packageName: string;
  version: string;
  fixedIn?: string[];
  patches?: Patch[];
  upgradePath?: string[];
}

interface MonitorResult {
  id: string;
  uri: string;
  path: string;
  projectName: string;
}

interface Patch {
  id: string;
  urls: string[];
  version: string;
  modificationTime: string;
  comments: string[];
}
```
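
The following is an added example, not Snyk's own code: a CI gate over a parsed `TestResult` that uses only the `Vulnerability` fields listed above. The sample data, ids and package names are constructed; ranking an unrecognised severity as critical and counting repeated findings once (keyed by id, package and version) are choices made for this example.

```javascript
// Added example: gate a build on a parsed TestResult (fields as in Core Types).
const SEVERITY_RANK = new Map([['low', 0], ['medium', 1], ['high', 2], ['critical', 3]]);

function gateOnTestResult(result, threshold = 'high') {
  if (!SEVERITY_RANK.has(threshold)) {
    throw new RangeError(`unknown severity threshold: ${threshold}`);
  }
  const minRank = SEVERITY_RANK.get(threshold);
  const unique = new Map();
  for (const v of result.vulnerabilities || []) {
    // Fail closed: a severity this code does not recognise ranks as critical,
    // so a new or misspelled level cannot slip under the gate.
    const rank = SEVERITY_RANK.get(v.severity) ?? SEVERITY_RANK.get('critical');
    // Assumption: the same finding may be listed more than once; count it once.
    const key = `${v.id}|${v.packageName}@${v.version}`;
    if (!unique.has(key)) unique.set(key, { ...v, rank });
  }
  const blocking = [...unique.values()]
    .filter((v) => v.rank >= minRank)
    .sort((a, b) => b.rank - a.rank || a.id.localeCompare(b.id));
  const hasFix = (v) => Array.isArray(v.fixedIn) && v.fixedIn.length > 0;
  return {
    pass: blocking.length === 0,
    blocking: blocking.map((v) => v.id),
    fixable: blocking.filter(hasFix)
      .map((v) => `${v.packageName}@${v.version} -> ${v.fixedIn[0]}`),
    unfixable: blocking.filter((v) => !hasFix(v)).map((v) => v.id),
  };
}

// Constructed sample input: placeholder ids and package names, not real scan output.
const sampleResult = {
  projectName: 'demo-app',
  packageManager: 'npm',
  vulnerabilities: [
    { id: 'EXAMPLE-1', severity: 'high', packageName: 'pkg-a', version: '1.0.0', fixedIn: ['1.0.1'] },
    { id: 'EXAMPLE-1', severity: 'high', packageName: 'pkg-a', version: '1.0.0', fixedIn: ['1.0.1'] },
    { id: 'EXAMPLE-2', severity: 'critical', packageName: 'pkg-b', version: '2.3.0', fixedIn: [] },
    { id: 'EXAMPLE-3', severity: 'low', packageName: 'pkg-c', version: '0.9.0', fixedIn: ['0.9.1'] },
    { id: 'EXAMPLE-4', severity: 'constructor', packageName: 'pkg-d', version: '4.0.0' },
  ],
};

const verdict = gateOnTestResult(sampleResult, 'high');
console.log(JSON.stringify(verdict, null, 2));
```

In a pipeline the input would be the object resolved by `snyk.test(...)`, assuming it has the `TestResult` shape documented above, and the job would fail when `pass` is false.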

### Error Types

```typescript { .api }
class UnsupportedPackageManagerError extends Error {
  constructor(packageManager: string);
}

class MissingOptionError extends Error {
  constructor(option: string, requiredOptions: string[]);
}

class ConnectionTimeoutError extends Error {
  constructor(message: string);
}
```

### Package Manager Support

```typescript { .api }
type SupportedPackageManagers =
  | 'npm' | 'yarn' | 'pnpm'        // JavaScript
  | 'maven' | 'gradle' | 'sbt'     // Java/Scala
  | 'pip' | 'poetry'               // Python
  | 'rubygems'                     // Ruby
  | 'composer'                     // PHP
  | 'nuget' | 'paket'              // .NET
  | 'gomodules' | 'golangdep'      // Go
  | 'cocoapods' | 'swift'          // iOS/macOS
  | 'hex'                          // Elixir
  | 'Unmanaged (C/C++)';           // C/C++
```