Snyk 명령어
오픈 소스, 코드, 컨테이너 및 인프라 코드 전반에 걸친 보안 스캔을 위한 포괄적인 Snyk CLI 명령어 및 워크플로우
설치
npm (Node.js)
# Install globally
npm install -g snyk
# Install in project
npm install --save-dev snyk
# Verify installation
snyk --versionmacOS (Homebrew)
# Install via Homebrew
brew install snyk
# Update Snyk
brew upgrade snyk
# Verify installation
snyk --versionWindows (Scoop)
# Install via Scoop
scoop install snyk
# Verify installation
snyk --version독립 실행형 바이너리
# Download standalone CLI (Linux/macOS)
curl https://static.snyk.io/cli/latest/snyk-linux -o snyk
chmod +x ./snyk
./snyk --version
# Or macOS
curl https://static.snyk.io/cli/latest/snyk-macos -o snyk
chmod +x ./snyk인증
브라우저를 통한 인증
# Open browser for authentication
snyk auth
# Default: opens browser and creates auth token
snyk auth --token <token>API 토큰 방법
# Authenticate with explicit token
snyk auth --token <your-api-token>
# Set token via environment variable
export SNYK_TOKEN=<your-api-token>
snyk test
# Check current authentication
snyk config get api
# Set organization
snyk config set org=<org-id>로그아웃
# Clear stored credentials
snyk logout
# Clear all authentication
rm ~/.snyk오픈 소스 (SCA) 스캔
기본 테스트
# Scan current project for vulnerabilities
snyk test
# Scan with minimal output
snyk test --quiet
# Scan and show detailed info
snyk test --verbose
# Scan specific file
snyk test --file=package.json
# Scan with all vulnerability levels
snyk test --severity-threshold=low심각도 필터링
# Only show critical vulnerabilities
snyk test --severity-threshold=critical
# Show critical and high
snyk test --severity-threshold=high
# Show critical, high, and medium
snyk test --severity-threshold=medium
# Show all (critical, high, medium, low)
snyk test --severity-threshold=low다중 언어 지원
# Scan npm/Node.js projects
snyk test
# Scan Python projects
snyk test --file=requirements.txt
# Scan Java (Maven)
snyk test --file=pom.xml
# Scan Java (Gradle)
snyk test --file=build.gradle
# Scan .NET (NuGet)
snyk test --file=packages.config
# Scan Ruby
snyk test --file=Gemfile.lock
# Scan PHP/Composer
snyk test --file=composer.lock
# Scan Go
snyk test --file=go.mod프로젝트 모니터링
# Create snapshot of vulnerabilities for monitoring
snyk monitor
# Monitor with custom name
snyk monitor --project-name=my-app
# Monitor specific organization
snyk monitor --org=<org-id>
# Monitor with tags
snyk monitor --tags=production,critical코드 스캔 (SAST)
기본 코드 스캔
# Scan code for vulnerabilities (security issues)
snyk code test
# Scan with minimal output
snyk code test --quiet
# Scan with verbose output
snyk code test --verbose
# Scan specific directory
snyk code test --scan-unmanaged코드 심각도 필터링
# Only critical issues
snyk code test --severity-threshold=critical
# Critical and high
snyk code test --severity-threshold=high
# All severities
snyk code test --severity-threshold=low컨테이너 스캔
이미지 테스트
# Scan Docker image for vulnerabilities
snyk container test <image-name>
# Test with tag
snyk container test myapp:latest
# Test from registry
snyk container test docker.io/node:16
# Test local image by ID
snyk container test --image=<image-id>컨테이너 모니터링
# Create snapshot of container vulnerabilities
snyk container monitor <image-name>
# Monitor with organization
snyk container monitor <image-name> --org=<org-id>
# Monitor multiple images
snyk container monitor myapp:v1.0
snyk container monitor myapp:v1.1고급 컨테이너 옵션
# Show all vulnerabilities (including unfixed)
snyk container test <image> --show-vulnerable-paths
# Include base image vulnerabilities
snyk container test <image> --detect-scan-errors
# Test without uploading to Snyk
snyk container test <image> --skip-unresolved인프라 코드 (IaC) 스캔
Terraform 스캔
# Scan Terraform files
snyk iac test
# Scan specific file
snyk iac test main.tf
# Scan with severity filter
snyk iac test --severity-threshold=high
# Test with framework
snyk iac test --framework=terraform
# Generate human-readable report
snyk iac test --report기타 IaC 형식
# Scan CloudFormation
snyk iac test --framework=cloudformation template.yaml
# Scan Kubernetes manifests
snyk iac test --framework=k8s deployment.yaml
# Scan ARM templates
snyk iac test --framework=arm
# Scan Dockerfile
snyk iac test Dockerfile
# Scan Helm charts
snyk iac test --framework=helm chart/IaC 모니터링
# Monitor IaC configuration
snyk iac describe
# Get compliance information
snyk iac describe --framework=terraform
# Show detailed configuration
snyk iac describe --nested수정 및 복구
자동 취약점 수정
# Auto-fix vulnerabilities
snyk fix
# Dry-run to preview changes
snyk fix --dry-run
# Fix for specific severity
snyk fix --severity-threshold=high
# Force overwrite existing changes
snyk fix --force의존성 보호
# Apply Snyk protect (adds security patches to dependencies)
snyk protect
# Verify protection is applied
snyk protect --verbose
# Remove protection
snyk protect --uninstall취약점 무시
특정 취약점 무시
# Ignore a vulnerability interactively
snyk ignore
# Ignore with specific reason and expiry
snyk ignore --id=<vuln-id> --reason=<reason> --expiry=<date>
# Example: ignore for 30 days
snyk ignore --id=SNYK-JS-123456 --expiry=2026-04-30
# Set permanent ignore
snyk ignore --id=SNYK-JS-123456 --permanent정책 파일
# Create .snyk policy file
snyk policy --create
# Test with policy
snyk test --policy-path=.snyk
# View policy
cat .snyk
# Update policy
snyk ignore --id=SNYK-JS-123456 --reason="False positive"SBOM 생성
소프트웨어 구성 요소 명세서
# Generate SBOM in JSON format
snyk sbom
# Generate SBOM for Docker image
snyk sbom --format=json <image-name>
# Output to file
snyk sbom > sbom.json
# Generate SPDX format
snyk sbom --format=spdx
# Show in table format
snyk sbom --format=table출력 형식
JSON 출력
# Test and output as JSON
snyk test --json > results.json
# Pretty-print JSON
snyk test --json-file-output=results.json
# Code test as JSON
snyk code test --jsonSARIF 출력
# Generate SARIF format (for GitHub Code Scanning)
snyk test --sarif > results.sarif
# SARIF for code scanning
snyk code test --sarif > code-results.sarif
# Container SARIF
snyk container test <image> --sarif > container.sarifHTML 보고서
# Generate HTML report
snyk test --html > report.html
# Open in browser
snyk test --html > report.html && open report.html설정 및 구성
설정 명령어
# Show current configuration
snyk config show
# Set API endpoint
snyk config set api=https://api.snyk.io
# Set organization
snyk config set org=<org-id>
# Get specific setting
snyk config get api
# Unset configuration
snyk config unset org환경 변수
# Set token via env var
export SNYK_TOKEN=<your-token>
# Set organization
export SNYK_ORG=<org-id>
# Set API endpoint
export SNYK_API=https://api.snyk.io
# Set custom CA certificate
export NODE_EXTRA_CA_CERTS=/path/to/ca.crt
# Disable SSL verification (use with caution)
export NODE_TLS_REJECT_UNAUTHORIZED=0.snyk 정책 파일
# .snyk file for ignoring vulnerabilities
version: v1.25.0
ignore:
SNYK-JS-123456:
- '*':
reason: False positive
expires: 2026-04-30
SNYK-PY-789012:
- '*':
reason: Not applicable to our use case
expires: 2026-06-30
patch:
SNYK-JS-111111:
- '*':
patched: '2024-03-15'필터링 및 조직
취약점 필터링
# Include unpatched vulnerabilities
snyk test --show-vulnerable-paths
# Show only patchable
snyk test --show-vulnerable-paths=false
# Filter by project
snyk test --project-name=<name>
# Filter by tags
snyk monitor --tags=team:backend,env:prod조직 컨텍스트
# Test within specific org
snyk test --org=<org-id>
# Set default organization
snyk config set org=<org-id>
# Show org ID
snyk org
# List organizations
snyk org listCI/CD 통합
GitHub Actions
# .github/workflows/snyk.yml
name: Snyk Security Scan
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
snyk:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: snyk/actions/setup@master
- env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: snyk test --severity-threshold=high
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarifGitLab CI
# .gitlab-ci.yml
snyk_scan:
image: snyk/snyk:latest
script:
- snyk auth --token $SNYK_TOKEN
- snyk test --severity-threshold=high --json > results.json
artifacts:
reports:
sast: results.jsonJenkins 파이프라인
pipeline {
agent any
environment {
SNYK_TOKEN = credentials('snyk-token')
}
stages {
stage('Snyk Test') {
steps {
sh 'npm install -g snyk'
sh 'snyk auth $SNYK_TOKEN'
sh 'snyk test --severity-threshold=high --json > results.json'
}
}
}
post {
always {
publishHTML target: [
reportDir: '.',
reportFiles: 'results.json',
reportName: 'Snyk Report'
]
}
}
}유용한 명령어 조합
포괄적 스캔 워크플로우
# 1. Authenticate
snyk auth
# 2. Test open source dependencies
snyk test --severity-threshold=high
# 3. Scan code for security issues
snyk code test --severity-threshold=high
# 4. Scan containers
snyk container test myapp:latest
# 5. Scan Infrastructure as Code
snyk iac test terraform/
# 6. Generate SBOM
snyk sbom > sbom.json
# 7. Create monitoring snapshot
snyk monitor --org=<org-id>CI/CD 워크플로우
# Install dependencies
npm install
# Authenticate
snyk auth --token $SNYK_TOKEN
# Run all scans with strict threshold
snyk test --severity-threshold=critical --fail-on=all
snyk code test --severity-threshold=critical
snyk container test $DOCKER_IMAGE --severity-threshold=critical
# Generate reports
snyk test --json > sca-results.json
snyk code test --sarif > code-results.sarif
snyk container test $IMAGE --json > container.json
# Monitor for continuous tracking
snyk monitor --org=$SNYK_ORG --project-name=$CI_PROJECT_NAME수정 및 배포 워크플로우
# Test current state
snyk test
# Auto-fix what can be fixed
snyk fix
# Review changes
git diff
# Test after fixes
snyk test
# Commit and push
git commit -am "chore: fix security vulnerabilities"
git push디버깅 및 문제 해결
디버그 모드
# Verbose output for debugging
snyk test --verbose
# Debug mode (very detailed logging)
snyk test --debug
# Check authentication
snyk auth --debug
# Verify installed packages
snyk test --print-deps일반적인 문제
# Clear cache
rm -rf ~/.snyk
# Force re-authentication
snyk logout && snyk auth
# Test without uploading results
snyk test --skip-unresolved
# Check Snyk CLI version
snyk --version
# Update to latest version
npm install -g snyk@latest테스트 요약
# Show summary only
snyk test --quiet
# Count vulnerabilities
snyk test --json | jq '.vulnerabilities | length'
# Get highest severity
snyk test --json | jq '.metadata.severityHeader'환경 변수 참조
| 변수 | 용도 | 예시 |
|---|---|---|
SNYK_TOKEN | API 인증 토큰 | export SNYK_TOKEN=abc123 |
SNYK_ORG | 기본 조직 ID | export SNYK_ORG=org-id |
SNYK_API | 사용자 정의 API 엔드포인트 | export SNYK_API=https://custom.snyk.io |
SNYK_INTEGRATION_NAME | CI/CD의 통합 식별자 | export SNYK_INTEGRATION_NAME=github-actions |
NODE_EXTRA_CA_CERTS | 사용자 정의 CA 인증서 | export NODE_EXTRA_CA_CERTS=/path/ca.crt |
HTTP_PROXY | HTTP 프록시 설정 | export HTTP_PROXY=http://proxy:8080 |
HTTPS_PROXY | HTTPS 프록시 설정 | export HTTPS_PROXY=https://proxy:8080 |
모범 사례
보안
- 항상 보안 API 토큰으로 인증 (토큰을 커밋하지 않음)
- 프로덕션 CI/CD에서
--severity-threshold=critical사용 - Snyk CLI를 최신 버전으로 정기적으로 업데이트
- 자동 수정을 검토하고 병합 전에 승인
.snyk정책 파일을 버전 제어에 포함- 일관성을 위해 조직 수준의 정책 사용
snyk monitor로 취약점을 지속적으로 모니터링
성능
- CI/CD에서
--quiet플래그를 사용하여 출력 감소 - 가능하면 실행 간에 의존성 캐싱
- 모든 이미지가 아닌 특정 태그에서 컨테이너 스캔 실행
- 수정 불가능한 문제를 건너뛰기 위해
--skip-unresolved사용 - 심각도별로 필터링하여 실행 가능한 문제에 집중
- 가능하면 영향을 받는 경로만 스캔
워크플로우
- PR 확인에 통합하여 안전하지 않은 코드의 병합 방지
snyk fix를 사용하여 패칭 자동화- 커밋하기 전에
snyk ignore결정 검토 - 지속적 추적을 위해
snyk monitor사용 - 새로운 취약점에 대한 경고 설정
- 이유와 만료 날짜가 포함된 예외 문서화
- 무시된 취약점의 정기적 검토
리소스
공식 문서
- Snyk Documentation
- CLI Commands Reference
- Snyk Code Documentation
- Container Scanning
- IaC Scanning
- API Reference
커뮤니티 및 지원
관련 도구
- Docker - Container scanning integration
- Kubernetes - IaC scanning for K8s
- Terraform - Infrastructure as Code security
Last updated: 2026-03-30