There are a few reasons why the Snyk CLI may report a different number of vulnerabilities than the Snyk UI or an integration with your repository:
- Your project may have devDependencies that are being ignored.
- The CLI has direct access to your private dependencies and build environment.
- In comparison to something like `npm audit`, Snyk reports different results.
- If the project was scanned with a lockfile, the results may differ from scanning the project using a manifest file such as `package.json`.
Your project may have devDependencies that are being ignored.
By default, Snyk does not scan dependencies listed in the devDependencies section of the manifest file. You can enable scanning of devDependencies in two ways:
- Through the Snyk CLI, add the command line option `--dev`.
- In the Snyk UI, click Settings > Languages and select Scan and fix devDependencies, as shown in the following screenshot:
The CLI has direct access to your private dependencies and build environment.
The Snyk CLI has direct access to all of your project files, build environment, and private dependencies.
Snyk integrations such as GitHub, GitLab and Bitbucket only process the dependency files of the project, for example `package.json`, `Gemfile.lock`, and so on. Snyk then infers the dependency graph of your project, mimicking the operation of the build tool. Snyk does not have access to private dependencies, specifics of your build environment, and so on. Thus the results may be partial compared to a Snyk CLI-based analysis.
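As an added example (not Snyk's own code), the following Node.js script contrasts what a manifest (`package.json`) exposes to a scanner versus what a lockfile (`package-lock.json`) exposes, and how excluding devDependencies by default changes the set of packages considered; the two files are constructed and use the lockfileVersion 3 `packages` map layout.

```javascript
// Constructed sample manifest: only direct dependencies with version ranges.
const manifest = {
  name: "demo-app",
  dependencies: { lodash: "^4.17.0", express: "^4.18.0" },
  devDependencies: { jest: "^29.0.0" },
};

// Constructed sample lockfile (lockfileVersion 3 "packages" map): every
// installed package, transitive ones included, with an exact version.
// "dev": true marks packages only reachable from devDependencies.
const lockfile = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: manifest.dependencies, devDependencies: manifest.devDependencies },
    "node_modules/lodash": { version: "4.17.15" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/body-parser": { version: "1.20.1" }, // transitive via express
    "node_modules/jest": { version: "29.5.0", dev: true },
    "node_modules/jest-cli": { version: "29.5.0", dev: true }, // transitive via jest
  },
};

// A manifest-only view: direct dependencies and ranges, no transitive packages
// and no exact versions; a scanner has to infer those, as an integration does.
function manifestDeps(pkg, includeDev = false) {
  const direct = { ...pkg.dependencies };
  if (includeDev) Object.assign(direct, pkg.devDependencies);
  return Object.entries(direct).map(([name, range]) => `${name}@${range}`).sort();
}

// A lockfile view: exact installed versions, with the devDependencies subtree
// dropped unless explicitly requested (the equivalent of passing --dev).
function lockfileDeps(lock, includeDev = false) {
  return Object.entries(lock.packages)
    .filter(([path, meta]) => path.startsWith("node_modules/") && (includeDev || !meta.dev))
    .map(([path, meta]) => `${path.replace(/^.*node_modules\//, "")}@${meta.version}`)
    .sort();
}

// Each view yields a different set of package@version pairs, which is one
// reason the vulnerability counts differ between scan modes.
console.log("manifest, prod only:", manifestDeps(manifest));
console.log("lockfile, prod only:", lockfileDeps(lockfile));
console.log("lockfile, with dev:", lockfileDeps(lockfile, true));
```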
When compared to something like npm audit, Snyk reports different results.
In comparison to `npm audit`, Snyk has about one third more vulnerabilities in its database. For a third-party perspective, see the Nearform blog report comparing Snyk and npm audit.