Snyk Commands

Comprehensive Snyk CLI commands and workflows for security scanning across open source, code, containers, and infrastructure as code.

Installation

npm (Node.js)

# Install globally
npm install -g snyk

# Install in project
npm install --save-dev snyk

# Verify installation
snyk --version

macOS (Homebrew)

# Install via Homebrew
brew install snyk

# Update Snyk
brew upgrade snyk

# Verify installation
snyk --version

Windows (Scoop)

# Install via Scoop
scoop install snyk

# Verify installation
snyk --version

Standalone Binary

# Download standalone CLI (Linux/macOS)
curl https://static.snyk.io/cli/latest/snyk-linux -o snyk
chmod +x ./snyk
./snyk --version

# Or macOS
curl https://static.snyk.io/cli/latest/snyk-macos -o snyk
chmod +x ./snyk

Authentication

Authenticate with Browser

# Open browser for authentication
snyk auth

# Default: opens browser and creates auth token
snyk auth --token <token>

API Token Methods

# Authenticate with explicit token
snyk auth --token <your-api-token>

# Set token via environment variable
export SNYK_TOKEN=<your-api-token>
snyk test

# Check current authentication
snyk config get api

# Set organization
snyk config set org=<org-id>

Logout

# Clear stored credentials
snyk logout

# Clear all authentication
rm ~/.snyk

Open Source (SCA) Scanning

Basic Testing

# Scan current project for vulnerabilities
snyk test

# Scan with minimal output
snyk test --quiet

# Scan and show detailed info
snyk test --verbose

# Scan specific file
snyk test --file=package.json

# Scan with all vulnerability levels
snyk test --severity-threshold=low

Severity Filtering

# Only show critical vulnerabilities
snyk test --severity-threshold=critical

# Show critical and high
snyk test --severity-threshold=high

# Show critical, high, and medium
snyk test --severity-threshold=medium

# Show all (critical, high, medium, low)
snyk test --severity-threshold=low

Multiple Language Support

# Scan npm/Node.js projects
snyk test

# Scan Python projects
snyk test --file=requirements.txt

# Scan Java (Maven)
snyk test --file=pom.xml

# Scan Java (Gradle)
snyk test --file=build.gradle

# Scan .NET (NuGet)
snyk test --file=packages.config

# Scan Ruby
snyk test --file=Gemfile.lock

# Scan PHP/Composer
snyk test --file=composer.lock

# Scan Go
snyk test --file=go.mod

Monitoring Projects

# Create snapshot of vulnerabilities for monitoring
snyk monitor

# Monitor with custom name
snyk monitor --project-name=my-app

# Monitor specific organization
snyk monitor --org=<org-id>

# Monitor with tags
snyk monitor --tags=production,critical

Code Scanning (SAST)

Basic Code Scanning

# Scan code for vulnerabilities (security issues)
snyk code test

# Scan with minimal output
snyk code test --quiet

# Scan with verbose output
snyk code test --verbose

# Scan specific directory
snyk code test --scan-unmanaged

Code Severity Filtering

# Only critical issues
snyk code test --severity-threshold=critical

# Critical and high
snyk code test --severity-threshold=high

# All severities
snyk code test --severity-threshold=low

Container Scanning

Image Testing

# Scan Docker image for vulnerabilities
snyk container test <image-name>

# Test with tag
snyk container test myapp:latest

# Test from registry
snyk container test docker.io/node:16

# Test local image by ID
snyk container test --image=<image-id>

Container Monitoring

# Create snapshot of container vulnerabilities
snyk container monitor <image-name>

# Monitor with organization
snyk container monitor <image-name> --org=<org-id>

# Monitor multiple images
snyk container monitor myapp:v1.0
snyk container monitor myapp:v1.1

Advanced Container Options

# Show all vulnerabilities (including unfixed)
snyk container test <image> --show-vulnerable-paths

# Include base image vulnerabilities
snyk container test <image> --detect-scan-errors

# Test without uploading to Snyk
snyk container test <image> --skip-unresolved

Infrastructure as Code (IaC) Scanning

Terraform Scanning

# Scan Terraform files
snyk iac test

# Scan specific file
snyk iac test main.tf

# Scan with severity filter
snyk iac test --severity-threshold=high

# Test with framework
snyk iac test --framework=terraform

# Generate human-readable report
snyk iac test --report

Other IaC Formats

# Scan CloudFormation
snyk iac test --framework=cloudformation template.yaml

# Scan Kubernetes manifests
snyk iac test --framework=k8s deployment.yaml

# Scan ARM templates
snyk iac test --framework=arm

# Scan Dockerfile
snyk iac test Dockerfile

# Scan Helm charts
snyk iac test --framework=helm chart/

IaC Monitoring

# Monitor IaC configuration
snyk iac describe

# Get compliance information
snyk iac describe --framework=terraform

# Show detailed configuration
snyk iac describe --nested

Fix & Remediation

Auto-Fix Vulnerabilities

# Auto-fix vulnerabilities
snyk fix

# Dry-run to preview changes
snyk fix --dry-run

# Fix for specific severity
snyk fix --severity-threshold=high

# Force overwrite existing changes
snyk fix --force

Dependency Protection

# Apply Snyk protect (adds security patches to dependencies)
snyk protect

# Verify protection is applied
snyk protect --verbose

# Remove protection
snyk protect --uninstall

Vulnerability Ignoring

Ignore Specific Vulnerabilities

# Ignore a vulnerability interactively
snyk ignore

# Ignore with specific reason and expiry
snyk ignore --id=<vuln-id> --reason=<reason> --expiry=<date>

# Example: ignore for 30 days
snyk ignore --id=SNYK-JS-123456 --expiry=2026-04-30

# Set permanent ignore
snyk ignore --id=SNYK-JS-123456 --permanent

Policy Files

# Create .snyk policy file
snyk policy --create

# Test with policy
snyk test --policy-path=.snyk

# View policy
cat .snyk

# Update policy
snyk ignore --id=SNYK-JS-123456 --reason="False positive"

SBOM Generation

Software Bill of Materials

# Generate SBOM in JSON format
snyk sbom

# Generate SBOM for Docker image
snyk sbom --format=json <image-name>

# Output to file
snyk sbom > sbom.json

# Generate SPDX format
snyk sbom --format=spdx

# Show in table format
snyk sbom --format=table

Output Formats

JSON Output

# Test and output as JSON
snyk test --json > results.json

# Pretty-print JSON
snyk test --json-file-output=results.json

# Code test as JSON
snyk code test --json

SARIF Output

# Generate SARIF format (for GitHub Code Scanning)
snyk test --sarif > results.sarif

# SARIF for code scanning
snyk code test --sarif > code-results.sarif

# Container SARIF
snyk container test <image> --sarif > container.sarif

HTML Reports

# Generate HTML report
snyk test --html > report.html

# Open in browser
snyk test --html > report.html && open report.html

Configuration & Settings

Config Commands

# Show current configuration
snyk config show

# Set API endpoint
snyk config set api=https://api.snyk.io

# Set organization
snyk config set org=<org-id>

# Get specific setting
snyk config get api

# Unset configuration
snyk config unset org

Environment Variables

# Set token via env var
export SNYK_TOKEN=<your-token>

# Set organization
export SNYK_ORG=<org-id>

# Set API endpoint
export SNYK_API=https://api.snyk.io

# Set custom CA certificate
export NODE_EXTRA_CA_CERTS=/path/to/ca.crt

# Disable SSL verification (use with caution)
export NODE_TLS_REJECT_UNAUTHORIZED=0

.snyk Policy File

# .snyk file for ignoring vulnerabilities
version: v1.25.0
ignore:
  SNYK-JS-123456:
    - '*':
        reason: False positive
        expires: 2026-04-30
  SNYK-PY-789012:
    - '*':
        reason: Not applicable to our use case
        expires: 2026-06-30
patch:
  SNYK-JS-111111:
    - '*':
        patched: '2024-03-15'

Filtering & Organization

Filtering Vulnerabilities

# Include unpatched vulnerabilities
snyk test --show-vulnerable-paths

# Show only patchable
snyk test --show-vulnerable-paths=false

# Filter by project
snyk test --project-name=<name>

# Filter by tags
snyk monitor --tags=team:backend,env:prod

Organization Context

# Test within specific org
snyk test --org=<org-id>

# Set default organization
snyk config set org=<org-id>

# Show org ID
snyk org

# List organizations
snyk org list

CI/CD Integration

GitHub Actions

# .github/workflows/snyk.yml
name: Snyk Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: snyk/actions/setup@master
      - env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: snyk test --severity-threshold=high

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

GitLab CI

# .gitlab-ci.yml
snyk_scan:
  image: snyk/snyk:latest
  script:
    - snyk auth --token $SNYK_TOKEN
    - snyk test --severity-threshold=high --json > results.json
  artifacts:
    reports:
      sast: results.json

Jenkins Pipeline

pipeline {
    agent any
    environment {
        SNYK_TOKEN = credentials('snyk-token')
    }
    stages {
        stage('Snyk Test') {
            steps {
                sh 'npm install -g snyk'
                sh 'snyk auth $SNYK_TOKEN'
                sh 'snyk test --severity-threshold=high --json > results.json'
            }
        }
    }
    post {
        always {
            publishHTML target: [
                reportDir: '.',
                reportFiles: 'results.json',
                reportName: 'Snyk Report'
            ]
        }
    }
}

Useful Command Combinations

Comprehensive Scanning Workflow

# 1. Authenticate
snyk auth

# 2. Test open source dependencies
snyk test --severity-threshold=high

# 3. Scan code for security issues
snyk code test --severity-threshold=high

# 4. Scan containers
snyk container test myapp:latest

# 5. Scan Infrastructure as Code
snyk iac test terraform/

# 6. Generate SBOM
snyk sbom > sbom.json

# 7. Create monitoring snapshot
snyk monitor --org=<org-id>

CI/CD Workflow

# Install dependencies
npm install

# Authenticate
snyk auth --token $SNYK_TOKEN

# Run all scans with strict threshold
snyk test --severity-threshold=critical --fail-on=all
snyk code test --severity-threshold=critical
snyk container test $DOCKER_IMAGE --severity-threshold=critical

# Generate reports
snyk test --json > sca-results.json
snyk code test --sarif > code-results.sarif
snyk container test $IMAGE --json > container.json

# Monitor for continuous tracking
snyk monitor --org=$SNYK_ORG --project-name=$CI_PROJECT_NAME

Fix and Deploy Workflow

# Test current state
snyk test

# Auto-fix what can be fixed
snyk fix

# Review changes
git diff

# Test after fixes
snyk test

# Commit and push
git commit -am "chore: fix security vulnerabilities"
git push

Debugging & Troubleshooting

Debug Mode

# Verbose output for debugging
snyk test --verbose

# Debug mode (very detailed logging)
snyk test --debug

# Check authentication
snyk auth --debug

# Verify installed packages
snyk test --print-deps

Common Issues

# Clear cache
rm -rf ~/.snyk

# Force re-authentication
snyk logout && snyk auth

# Test without uploading results
snyk test --skip-unresolved

# Check Snyk CLI version
snyk --version

# Update to latest version
npm install -g snyk@latest

Test Summary

# Show summary only
snyk test --quiet

# Count vulnerabilities
snyk test --json | jq '.vulnerabilities | length'

# Get highest severity
snyk test --json | jq '.metadata.severityHeader'

Environment Variables Reference

Variable	Purpose	Example
SNYK_TOKEN	API authentication token	export SNYK_TOKEN=abc123
SNYK_ORG	Default organization ID	export SNYK_ORG=org-id
SNYK_API	Custom API endpoint	export SNYK_API=https://custom.snyk.io
SNYK_INTEGRATION_NAME	Integration identifier in CI/CD	export SNYK_INTEGRATION_NAME=github-actions
NODE_EXTRA_CA_CERTS	Custom CA certificate	export NODE_EXTRA_CA_CERTS=/path/ca.crt
HTTP_PROXY	HTTP proxy settings	export HTTP_PROXY=http://proxy:8080
HTTPS_PROXY	HTTPS proxy settings	export HTTPS_PROXY=https://proxy:8080

Best Practices

Security

• Always authenticate with a secure API token (never commit tokens)
• Use --severity-threshold=critical in production CI/CD
• Regularly update Snyk CLI to latest version
• Review and approve auto-fixes before merging
• Keep .snyk policy files under version control
• Use organization-level policies for consistency
• Monitor vulnerabilities continuously with snyk monitor

Performance

• Use --quiet flag for CI/CD to reduce output
• Cache dependencies between runs where possible
• Run container scans on specific tags, not all
• Use --skip-unresolved to skip unfixable issues
• Filter by severity to focus on actionable issues
• Scan only affected paths when possible

Workflow

• Integrate into PR checks to prevent merging unsafe code
• Use snyk fix to automate patching
• Review snyk ignore decisions before committing
• Use snyk monitor for continuous tracking
• Set up alerts for new vulnerabilities
• Document exceptions with reasons and expiry dates
• Regular review of ignored vulnerabilities

Resources

Official Documentation

• Snyk Documentation
• CLI Commands Reference
• Snyk Code Documentation
• Container Scanning
• IaC Scanning
• API Reference

Community & Support

• Snyk GitHub
• Snyk Community Forum
• GitHub Discussions
• Issue Tracker
• Snyk Blog

Related Tools

• Docker - Container scanning integration
• Kubernetes - IaC scanning for K8s
• Terraform - Infrastructure as Code security

---

Last updated: 2026-03-30