To continuously avoid known vulnerabilities in your dependencies, integrate Snyk into your continuous integration (build) system.
For Node.js
- Install the Snyk utility using `npm install -g snyk`.
- Use the `snyk ignore` command to create a `.snyk` file.
- Ensure the `.snyk` file you generated was added to your source control (`git add .snyk`).
- If you selected to, Snyk includes `snyk test` as part of your `npm test` command, so if there are new vulnerabilities in the future, your CI will fail, protecting you from introducing vulnerabilities to production. Alternatively, you can add `snyk test` to any other CI test platform you use.
For Ruby, Scala, Python and Java (Gradle and Maven) CI
- Install the Snyk utility using `npm install -g snyk`.
- Add `snyk test` to your CI test platform.
Setting up automatic monitoring
If you monitor a project, Snyk notifies you if dependencies in your project are affected by newly disclosed vulnerabilities. To make sure the list of dependencies we have for your project is up to date, refresh it continuously by running `snyk monitor` in your deployment process.
Configure your environment to include the `SNYK_TOKEN` environment variable. You can find your API token on the dashboard after logging in.
API token configuration
Ensure you do not check your API token into source control, to avoid exposing it to others. Instead, use your CI environment variables to configure it.
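The following GitHub Actions workflow is an added example, not part of Snyk's own documentation; it wires the steps above together and assumes the project uses GitHub Actions, that a repository secret named `SNYK_TOKEN` holds the API token, and that deployments happen from the `main` branch.

```yaml
# Example workflow (assumptions: GitHub Actions, a repository secret named
# SNYK_TOKEN, and deployments from the main branch).
name: dependency-scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # Install the Snyk CLI as described above.
      - run: npm install -g snyk
      # Fail the build when a dependency carries a known vulnerability that the
      # committed .snyk file does not ignore. The token comes from the CI secret
      # store, so it never appears in the repository.
      - run: snyk test
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      # Refresh the dependency list Snyk monitors so newly disclosed
      # vulnerabilities trigger notifications. Runs only on the deployment branch.
      - if: github.ref == 'refs/heads/main'
        run: snyk monitor
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

Pull requests get `snyk test` only, so a vulnerable dependency blocks the merge; the monitored snapshot is updated only when `main` is built, matching the deployment-time `snyk monitor` the page recommends.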
See guidance for how to do this on the following pages: