Why should I add Snyk Test to my Continuous Integration?

To keep known vulnerabilities out of your dependencies on every build, integrate Snyk into your continuous integration (CI, a.k.a. build) system. snyk test exits non-zero when it finds a dependency with a known vulnerability, so the build fails before the change reaches production.

For Node.js

  1. Install the Snyk utility using npm install -g snyk.
  2. Run snyk wizard in your project directory and follow the prompts. The wizard also generates a .snyk policy file, which records the decisions you made (for example, which issues to ignore) so that later snyk test runs apply them.
  3. Ensure the .snyk file you generated is added to your source control (git add .snyk).
  4. If you chose that option in the wizard, Snyk adds snyk test to your npm test script, so if a new vulnerability affects your dependencies in the future, your CI will fail and stop it from reaching production. Alternatively, add snyk test as a step in any other CI platform you use.

For Ruby, Scala, Python and Java (Gradle and Maven) CI

  1. Install the Snyk utility using npm install -g snyk.
  2. Add snyk test as a step in your CI test platform. A non-zero exit code from snyk test fails the build.

Setting up automatic monitoring

If you monitor a project with Snyk, you’ll get notified if your project’s dependencies are affected by newly disclosed vulnerabilities. To make sure the list of dependencies we have for your project is up to date, refresh it continuously by running snyk monitor as part of your deployment process (for example, after a successful snyk test).

Configure your CI environment to include the SNYK_TOKEN environment variable; the CLI uses it to authenticate both snyk test and snyk monitor, since there is no interactive login on a build agent. You can find your API token on the dashboard after logging in.
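The following script ties the steps above together as one CI stage: it refuses to run if SNYK_TOKEN is missing, gates the build on snyk test, and refreshes the monitored dependency snapshot on the deploy branch. It is an added example written for this page, not a script shipped by Snyk; it assumes the Snyk CLI is installed (npm install -g snyk), that your CI injects SNYK_TOKEN as a secret environment variable, and that the CI_DEPLOY and SNYK_SEVERITY_THRESHOLD variables (hypothetical names chosen here) are set by your pipeline.

```shell
#!/bin/sh
# Added example (not Snyk's own CI script): gate a build on `snyk test` and
# refresh the monitored dependency list with `snyk monitor` on deploy.
# Assumptions: the Snyk CLI is on PATH, SNYK_TOKEN is injected by the CI
# system as a secret, and the script runs from the project root.

# Fail loudly if the token is missing: a misconfigured pipeline should stop
# rather than silently skip the vulnerability check. The token must come from
# the CI's secret store, never from a file checked into source control.
require_snyk_token() {
  if [ -z "${SNYK_TOKEN:-}" ]; then
    echo "SNYK_TOKEN is not set; configure it as a CI secret variable" >&2
    return 1
  fi
}

# Run `snyk test`. A non-zero exit means a dependency with a known
# vulnerability was found (or the CLI itself failed), so the CI step fails.
# SNYK_SEVERITY_THRESHOLD (hypothetical variable name) maps onto the CLI's
# --severity-threshold option; "low" reports everything.
snyk_gate() {
  require_snyk_token || return 1
  snyk test --severity-threshold="${SNYK_SEVERITY_THRESHOLD:-low}"
}

# Refresh the dependency snapshot Snyk holds for this project so that newly
# disclosed vulnerabilities trigger a notification.
snyk_refresh_monitor() {
  require_snyk_token || return 1
  snyk monitor
}

# One CI stage: test every build, and monitor only from the deploy branch
# (CI_DEPLOY is a hypothetical variable set to "true" by the pipeline there).
snyk_ci_step() {
  snyk_gate || return 1
  if [ "${CI_DEPLOY:-false}" = "true" ]; then
    snyk_refresh_monitor || return 1
  fi
}

# Run the stage only when invoked as `sh snyk_ci.sh run`, so the functions
# can also be sourced into another script without side effects.
case "${1:-}" in
  run) snyk_ci_step ;;
esac
```

Invoke it from your pipeline as `sh snyk_ci.sh run` with SNYK_TOKEN exported by the CI secret store; on the deploy branch also export CI_DEPLOY=true so that snyk monitor runs after a passing snyk test.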

API token configuration

Make sure you don’t check your API token into source control (including .snyk, .npmrc or CI config files), to avoid exposing it to others. Instead, store it as a secret environment variable in your CI system and reference it as SNYK_TOKEN.

See guidance for how to do this on: