A hint: This file contains one or more very long lines, so maybe it is better readable using the pure text view mode that shows the contents as wrapped lines within the browser window.
Snyk scans and monitors your projects for security vulnerabilities.
Snyk is a developer-first cloud-native security tool. It covers multiple areas of application security:
Learn more about what Snyk can do and sign up for a free account »
Snyk CLI brings the functionality of Snyk into your development workflow. It can be run locally or in your CI/CD pipeline to scan your projects for security issues.
CLI also supports Docker scanning and Terraform, k8s and other Infrastructure as Code files scanning.
Snyk CLI can be installed through multiple channels.
Snyk CLI is available as an npm package. If you have Node.js installed locally, you can install it by running:
npm install snyk@latest -g
or if you are using Yarn:
yarn global add snyk
Use GitHub Releases to download a standalone executable of Snyk CLI for your platform.
We also provide these standalone executables on our official CDN. See
release.json file for the download links:
https://static.snyk.io/cli/latest/release.json # Or for specific version or platform https://static.snyk.io/cli/v1.666.0/release.json https://static.snyk.io/cli/latest/snyk-macos
For example, to download and run the latest Snyk CLI on macOS, you could run:
curl https://static.snyk.io/cli/latest/snyk-macos -o snyk chmod +x ./snyk mv ./snyk /usr/local/bin/
You can also use these direct links to download the executables:
Drawback of this method is, that you will have to manually keep the Snyk CLI up to date.
You can verify both shasum of downloaded binaries and their GPG signatures.
Download location on
static.snyk.io contains a file
sha256sums.txt.asc. You can download it directly
https://static.snyk.io/cli/latest/sha256sums.txt.asc or for
a specific version like
To check that a downloaded file matches the checksum, use a
sha256sum command like so:
grep snyk-macos sha256sums.txt.asc | sha256sum -c -
If you want to verify Snyk CLI standalone binaries against Snyk CLI GPG key, you will need to import it first:
# A22665FB96CAB0E0973604C83676C4B8289C296E is the key belonging to firstname.lastname@example.org # Copy of this public key is also in this repository /help/_about-this-project/snyk-code-signing-public.pgp gpg --keyserver hkps://keys.openpgp.org --recv-keys A22665FB96CAB0E0973604C83676C4B8289C296E
Then verify the file is signed with:
gpg --verify sha256sums.txt.asc
Command output should look like:
gpg: Signature made So 8 Jan 14:11:44 2023 CET gpg: using EDDSA key A22665FB96CAB0E0973604C83676C4B8289C296E gpg: Good signature from "Snyk Limited <email@example.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: A226 65FB 96CA B0E0 9736 04C8 3676 C4B8 289C 296E
Install Snyk CLI from Snyk tap with Homebrew by running:
brew tap snyk/tap brew install snyk
Install Snyk CLI from our Snyk bucket with Scoop on Windows:
scoop bucket add snyk https://github.com/snyk/scoop-snyk scoop install snyk
Snyk CLI can also be run from a Docker image. Snyk offers multiple
Docker tags under
These images wrap the Snyk CLI and depending on the Tag come with a
relevant tooling for different projects. See the snyk/images on GitHub
for more details and examples.
Snyk also offers many integrations into developer tooling. These integrations will install and manage the Snyk CLI for you. For example:
Once you installed the Snyk CLI, you can verify it's working by running:
See the full Snyk CLI help.
Snyk CLI depends on Snyk.io APIs. Connect your Snyk CLI with Snyk.io by running:
Depending on your project's language, you might need to setup your language environment before using Snyk.
See our Language Support documentation.
If you are already in a folder with a supported project, start by running:
Or scan a Docker image by its tag with Snyk Container:
snyk container test ubuntu:18.04
Or a k8s file:
snyk iac test /path/to/kubernetes_file.yaml
Snyk can also monitor your project periodically and alert you for new
snyk monitor is similar to
snyk test and can be used to create a project on the Snyk
website that will be continuously monitored for new vulnerabilities.
> snyk monitor Monitoring /project (project-name)... Explore this snapshot at https://app.snyk.io/org/my-org/project/29361c2c-9005-4692-8df4-88f1c040fa7c/history/e1c994b3-de5d-482b-9281-eab4236c851e Notifications about newly disclosed issues related to these dependencies will be emailed to you.
Snyk is really powerful when you are continuously scanning and monitoring your projects for vulnerabilities.
Use one of our integrations to stay secure.
You can authorize Snyk CLI in your CI/CD programatically:
# Using a SNYK_TOKEN envvar (preferred) SNYK_TOKEN=<SNYK_API_TOKEN> snyk test # Or using a Snyk auth command snyk auth <SNYK_API_TOKEN> snyk test
Here are some flags that you might find useful:
Only report vulnerabilities of provided level or higher.
Prints results in JSON format.
Auto-detect all projects in working directory
See all the available commands and
options by running
snyk --help # or get help for a specific command like snyk iac --help snyk code --help
If you need support using Snyk CLI, please contact support.
We do not actively monitor GitHub Issues so any issues there may go unnoticed.
If you are an external contributor, before working on any contributions, please first contact support to discuss the issue or feature request with us.
If you are contributing to Snyk CLI, see our contributing guidelines
For information on how Snyk CLI is implemented, see our design decisions.
This repository is a monorepo, also covering other projects and tools:
For any security issues or concerns, please see SECURITY.md file in this repository.
The use of Snyk's API, whether through the use of the 'snyk' npm package or otherwise, is subject to the Terms & Conditions.
Made with 💜 by Snyk