View my tickets
Submit a ticket Try Snyk for free

Articles in this section

  1. Support Portal | Snyk
  2. Using Snyk
  3. Reporting Vulnerabilities

How can I use Snyk behind a proxy?

  • Updated

Some common issues when working behind a proxy are:

  • Snyk CLI requests are not going through the proxy.
  • Requests to app.snyk.io are blocked by the proxy.
  • Snyk CLI does not recognize an authorized certificate and prevents generating insecure requests.

Snyk CLI requests are not going through the proxy

First, check what the details of your proxy are. In Windows, run an ipconfig /all command and look for your proxy settings. You must retrieve the following information:

  • HTTP or HTTPS
  • private IP of the proxy
  • port (80, 8080, or 443 typically)

To run Snyk from behind a proxy, use an environment variable to point to your proxy.

Snyk supports a set of environment variables to enforce specific proxy settings:

  • HTTP_PROXY / http_proxy
  • HTTPS_PROXY / https_proxy
  • NO_PROXY / no_proxy

For example, to configure a proxy and run a Snyk test with the new proxy value, run:

$ export https_proxy=https://my.corporate.proxy:8080
$ snyk test
Notes:
  • The command to add an environment variable may differ among Windows CMD, Powershell, Mac terminal, and Linux. 
  • export https_proxy=value sets a global env variable. If you prefer to set a local env variable you can use set https_proxy=value instead.

Requests to app.snyk.io are blocked by the proxy

To check if this is the case, add a debugging option to the CLI, using:

$ snyk test -d
If you see a timeout error or a econnrefused error in the request, then https://app.snyk.io may be blocked by the proxy.

Snyk CLI does not recognize an authorized certificate and prevents generating insecure requests

To check if this is the case, you can tell Snyk to ignore insecure certificates, knowing that your proxy could be the reason for presenting a custom certificate to Snyk.

You can test this by running:

$ snyk auth --insecure
$ snyk test --insecure

If the --insecure flag helps, you may want to point Snyk towards your custom CA certs more permanently by exporting them as follows. Snyk CLI is a Node application and honors environment variables.

$ export NODE_EXTRA_CA_CERTS=/path-to-the-ca-cert.crt

You can also try a combination of the above to resolve the issues:

$ set https_proxy=<PROXY>:PORT
$ snyk auth --insecure
$ snyk test -d --insecure

Enforce HTTP instead of HTTPS

Note that if set with the HTTP protocol the CLI upgrades the requests to HTTPS unless SNYK_HTTP_PROTOCOL_UPGRADE is set to 0.

If the HTTP protocol is set to the value of 0, the CLI (or API) requests aimed at HTTP URLs are not upgraded to HTTPS. If the HTTP protocol is not set, the default behavior is to upgrade these requests from HTTP to HTTPS.

In this case, the series of commands to run a test with Snyk would look like this:

export HTTPS_PROXY=http://127.0.0.1:8866
export SNYK_HTTP_PROTOCOL_UPGRADE=0
snyk test

Additional information

How can we whitelist Snyk IP addresses?

Configure the Snyk CLI