"serverless projects" or "projects with more than one deployable artifact" or something to that effect.
Please note that we're currently working on an improved solution that will automatically scan for multiple files in the CLI. Currently, when a user tests a project that contains several manifest files in the CLI by using `snyk test` or `snyk monitor`, Snyk picks only the first manifest file and runs the test on it. To point Snyk to a specific file, use the `--file` argument:
snyk test --file=package.json
In some serverless projects, or in projects that include more than one deployable artifact, you may want to test many projects or packages. For this, some users have seen success using a quick bash script. You can use a command such as the following to pull all the relevant manifest files in a project:
for i in $(find . -maxdepth 1 -name "<manifest file>"); do snyk monitor --file="$i"; done
*Replace <manifest file> with an appropriate filename such as pom.xml, Gemfile, etc. You can replace `monitor` with `test` as well.
`-maxdepth 1` tells find to search only the current directory; this value is configurable.
For an advanced example, you can use the following command to test all Maven, Go, NodeJS, Gradle and Pip manifest files at once:
for i in $(find . -maxdepth 1 -name "pom.xml" -o -name "package.json" -o -name "requirements.txt" -o -name "build.gradle" -o -name "go.mod" -o -name "package-lock.json"); do snyk monitor --all-sub-projects --file="$i"; done
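A sturdier form of the loops above, as an added example (not Snyk's own script): it copes with spaces in paths, skips `node_modules` when the depth is raised, and returns non-zero when any manifest fails so a CI job can gate on it. `SNYK_CMD`, `find_manifests` and `scan_all` are names chosen for this example; only `snyk test`, `snyk monitor` and `--file` come from the page.

```shell
#!/bin/sh
# Added example; SNYK_CMD, find_manifests and scan_all are names chosen here.
SNYK_CMD="${SNYK_CMD:-snyk}"   # override to point at a wrapper or a stub

# Print one manifest path per line under root $1, descending at most $2 levels.
# The \( ... \) group matters: without it, -type f and the node_modules filter
# would each apply to a single -name only, because -a binds tighter than -o.
find_manifests() {
  find "$1" -maxdepth "$2" -type f \
    \( -name pom.xml -o -name package.json -o -name requirements.txt \
       -o -name build.gradle -o -name go.mod \) \
    ! -path '*/node_modules/*'
}

# Run "$SNYK_CMD <action> --file=<manifest>" for every manifest found.
# Prints "scanned=N failed=M"; returns non-zero if any run failed or N is 0.
scan_all() {
  action=$1 root=$2 depth=${3:-1}
  find_manifests "$root" "$depth" | {
    total=0 failed=0
    while IFS= read -r manifest; do   # read -r keeps spaces in paths intact
      total=$((total + 1))
      # </dev/null stops the CLI from swallowing the remaining paths on stdin
      if ! "$SNYK_CMD" "$action" --file="$manifest" </dev/null; then
        echo "FAILED: $manifest" >&2
        failed=$((failed + 1))
      fi
    done
    echo "scanned=$total failed=$failed"
    [ "$total" -gt 0 ] && [ "$failed" -eq 0 ]
  }
}

# Usage: sh scan-manifests.sh test . 2
if [ "$#" -ge 2 ]; then
  scan_all "$@"
  exit $?
fi
```

Treating an empty result as a failure keeps a mistyped root or depth from passing as a clean scan.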
List of all the manifest files that Snyk supports:
Maven - pom.xml
Gradle - build.gradle
Kotlin - build.gradle or build.gradle.kts
Pip - requirements.txt
pipenv - Pipfile
NodeJs - package.json or package-lock.json or yarn.lock
SBT - build.sbt
.Net - packages.config
.NET Core - project.json
Golang - Gopkg.lock or vendor/vendor.json
Composer - composer.lock
Ruby - Gemfile and Gemfile.lock
Go - go.mod