Snyk’s CLI helps you find and fix known vulnerabilities in your dependencies, both ad hoc and as part of your CI (Build) system.
The Snyk CLI requires you to authenticate with your account before using it. See our Language Support page for information about package managers and languages that the CLI supports.
CLI command structure
Following is the Snyk CLI tool command structure:
snyk [options] [command] [package]
The package argument is optional.
If no package is indicated, Snyk runs the command against the current working directory, allowing you test your non-public applications.
CLI commands
Following is the complete list of commands available from the Snyk AppSec CLI tool.
Runsnyk help for the full usage information.
auth [api-token].....Authenticate use of the Snyk CLI tool with your Snyk account.
test ............... Test for any known vulnerabilities.
monitor ............ Record the state of dependencies and any vulnerabilities on snyk.io.
container ............... Test container images for any vulnerabilities. See Test images with the Snyk Container CLI.
config ............. Manage Snyk's configuration, note that this configuration is stored on your machine and applies to all Snyk CLI calls.
help [topic] ....... Display detailed help about commands and options.
ignore ............. Modifies the .snyk policy to ignore stated issues. For more help run snyk help ignore.
policy ............. Display the .snyk policy for a package.
protect ............ Protect your code from vulnerabilities and optionally suppress specific vulnerabilities. Note: Node.js only.
wizard ............. Configure your policy file to update, auto patch and ignore vulnerabilities in npm & yarn projects. snyk wizard updates your .snyk file automatically.
CLI exit codes
Exit code 0 This means Snyk did not find vulnerabilities in your code an exited the process without failing the job.
Exit code 1 This means Snyk found vulnerabilities in your code and have failed the build
Exit code 2 This means Snyk exited with an error, please re-run with `-d` to see further information.
Exit code 3 This means Snyk did not detect any supported projects/manifests to scan. Re-check the command or if the command should run in a different directory.
CLI options
Following is a partial list of the options available to you when running commands from our CLI tool:
--all-projects runs an auto-discovery to scan the current directory and test all manifest files found. By default we scan the current directory and 3 extra levels deep. For Gradle monorepos Snyk will only look for root level build.gradle files and apply the same logic as --all-sub-projects behind the scenes. This command is designed to be run in the root of your monorepo.
--detection-depth add this option if you want to increase the depth further than the default for --all-projects
--dev Include devDependencies.
--exclude=<comma separated list of directory names> enables you to run snyk test or snyk monitor using the --all-projects option while still excluding specified directories
--file Sets package file. For more help run `snyk help file`.
--org Associate a snapshot (or wizard snapshot) with a specific organization. For more help run `snyk help orgs`.
--ignore-policy Ignores and resets the state of your policy file.
--trust-policies Applies and uses ignore rules from your dependencies' Snyk policies, otherwise ignore policies are only shown as a suggestion.
--show-vulnerable-paths (test command only) Display the dependency paths from the top level dependencies, down to the vulnerable packages. Defaults to some (a few example paths). false is an alias for none. Does not affect output in JSON mode.
--dry-run Don't apply updates or patches during protect.
--severity-threshold = low/medium/high; only report vulnerabilities of the provided level or higher.
--scan-all-unmanaged Autodetects maven jars and wars in given directory. Individual testing can be done with --file=<jar-file-name>
--fail-on=<all|upgradable|patchable>
all : fail when there is at least one vulnerability that can be either upgraded or patched.
upgradable : fail when there is at least one vulnerability that can be upgraded.
patchable : fail when there is at least one vulnerability that can be patched.
-q, --quiet Silence all output.
-h, --help This help information.
-v, --version The CLI version.
Run snyk help to view the complete list of commands and options directly from the terminal.
Examples of real Snyk CLI commands
$ snyk test
$ snyk test folder1 folder2
$ snyk test ionic@1.6.5
$ snyk monitor --org=my-team
$ snyk test --show-vulnerable-paths=false
Use snyk test in your test scripts. If a vulnerability is found, the process exits with a non-zero code.