Add the Snyk plugin to your Maven projects to test and monitor them for vulnerabilities and license issues as an integrated part of your build flow, from your local environment, and on an ad-hoc basis.
With the Maven plugin, you can also quickly monitor, track, identify and remediate issues that put your application's security posture at risk over time, as fixes become available for known vulnerabilities or new vulnerabilities are disclosed.
This document describes how to add, configure and use the Snyk plugin for Maven.
Note: See the Apache Maven documentation for additional information.
The test goal lists the vulnerabilities found in your project's dependencies, whether it runs on a developer's machine or in your CI process.
The monitor goal records the state of your dependencies and their vulnerabilities on snyk.io, so you can be alerted when new vulnerabilities are disclosed, or updates and patches become available, that affect your repositories.
Running mvn snyk:test or mvn snyk:monitor (with the plugin declared in the project's pom.xml) runs the chosen goal on an ad-hoc basis, outside the Maven build lifecycle.
Use the Snyk plugin with your Maven projects to test and monitor your code for vulnerabilities on an ongoing basis. Based on your configuration, the plugin breaks the build when a vulnerability at or above your severity threshold is found in your project, and Snyk notifies you when newly disclosed vulnerabilities affect it.
- A collaborator installs and configures the plugin for each relevant project in its pom.xml file (in other words, installation is per project).
- A collaborator pulls the repository and builds the project.
- When the build runs:
  - Snyk authenticates your account using the API token.
  - Snyk analyzes the project's manifest file (pom.xml) to find its direct and transitive dependencies and tests them against the Snyk vulnerability database for known vulnerabilities.
  - From the CLI, a test results summary is displayed, showing the number of known issues and the number of dependency paths that introduce them.
  - Based on your configuration, a snapshot of the project is taken and pushed to snyk.io for monitoring; the Snyk UI then shows the project details, the dependency hierarchy, the vulnerability results and remediation advice.
  - If a vulnerability at or above the configured severity threshold (failOnSeverity) is found in your project, Maven breaks the build. Note that with the phases used in this document's snippet (test goal in the test phase, monitor goal in the later install phase), a build broken this way stops before the monitor step runs.
- Thereafter, Snyk continues to monitor the snapshot of your project as new vulnerabilities that affect it are disclosed. Based on your configuration, if vulnerabilities are found, Snyk notifies you via email or Slack so that you can take immediate remediation action.
Install and configure the Snyk plugin in your environment to start testing your project for vulnerabilities whenever you want.
- Open the pom.xml file for the project you're working with, and add the plugin snippet inside the <build><plugins></plugins></build> section that is already configured in the file.

```xml
<plugin>
  <groupId>io.snyk</groupId>
  <artifactId>snyk-maven-plugin</artifactId>
  <version>1.2.5</version>
  <executions>
    <execution>
      <id>snyk-test</id>
      <phase>test</phase>
      <goals>
        <goal>test</goal>
      </goals>
    </execution>
    <execution>
      <id>snyk-monitor</id>
      <phase>install</phase>
      <goals>
        <goal>monitor</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <apiToken>${SNYK_API_TOKEN}</apiToken>
    <failOnSeverity>medium</failOnSeverity>
    <org></org>
  </configuration>
</plugin>
```
- Add further optional parameters based on your project's needs. The parameter defaults in the plugin snippet follow Snyk's recommendations. For full descriptions of the parameters, see Reference: Maven plugin parameters.
For more information about Maven phases and goals, see the Maven documentation.
Every time a collaborator checks out the repository and runs the usual Maven commands and arguments (for example, mvn clean install -Prun-its), snyk test and snyk monitor run at the phases to which you bound the plugin executions, as follows:
- At the phase bound to the snyk-test execution, Snyk scans for vulnerabilities and displays the results in the terminal.
- If the snyk-monitor execution is also configured, the monitor results are displayed in the terminal as well.
- Additionally, if the snyk-monitor execution is configured, the monitor results are shown in the Snyk UI in your browser, and Snyk continues to monitor your project for newly disclosed vulnerabilities.
Parameter | Default | Description |
---|---|---|
version | 1.2.5 | Use the plugin version you're comfortable with, as listed here. |
snyk-test phase | test | The Maven phase to which the snyk test execution is bound. |
snyk-test goal | test | The goal run during that phase. |
snyk-monitor phase | install | The Maven phase to which the snyk monitor execution is bound. |
snyk-monitor goal | monitor | The goal run during that phase. |
apiToken | ${SNYK_API_TOKEN} | Mandatory. The apiToken authenticates the plugin with the Snyk services. Supply it as a system property or environment variable. The token can also be written directly into pom.xml, but this is not recommended, since the token then lives in version control. |
failOnSeverity | medium | Optional. Setting failOnSeverity to low, medium or high fails the Maven build if a vulnerability is found at or above that severity. If not defined, the plugin uses low. Setting it to false never fails the build. |
org | empty | Optional. Sets under which of your Snyk organisations the project is recorded. If omitted, the project is recorded under your default organisation. |
includeProvidedDependencies | true | Optional. Whether to include dependencies with provided scope. The default is true. |
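The installation steps above and the apiToken and failOnSeverity rows in this table describe what a correct plugin declaration looks like; the following script, added here as an example and not part of Snyk's plugin or Apache Maven, checks a pom.xml against those points: the plugin must sit under <build><plugins>, apiToken must be a ${...} placeholder rather than a literal token committed to the POM, failOnSeverity must be low, medium, high or false, and both goals should be bound to a default-lifecycle phase. The sample POM embedded at the bottom is constructed for this example and mirrors the snippet on this page; the finding strings and the lint_pom function name are this example's own.

```python
"""Lint the Snyk Maven plugin configuration in a pom.xml.

Added example, not code from Snyk or Apache Maven. SAMPLE_POM below is
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

SEVERITIES = ("low", "medium", "high", "false")
# Default Maven lifecycle phases in order, used to reason about which of the
# two executions runs first.
LIFECYCLE = [
    "validate", "initialize", "generate-sources", "process-sources",
    "generate-resources", "process-resources", "compile", "process-classes",
    "generate-test-sources", "process-test-sources", "generate-test-resources",
    "process-test-resources", "test-compile", "process-test-classes", "test",
    "prepare-package", "package", "pre-integration-test", "integration-test",
    "post-integration-test", "verify", "install", "deploy",
]


def _strip_namespaces(root):
    """POMs normally declare the POM-4.0.0 default namespace; drop it so that
    plain tag paths work whether or not it is present."""
    for element in root.iter():
        if isinstance(element.tag, str) and "}" in element.tag:
            element.tag = element.tag.split("}", 1)[1]
    return root


def find_snyk_plugin(root):
    """Return the io.snyk:snyk-maven-plugin <plugin> element, or None."""
    for plugin in root.findall("./build/plugins/plugin"):
        if (plugin.findtext("groupId", "").strip() == "io.snyk"
                and plugin.findtext("artifactId", "").strip() == "snyk-maven-plugin"):
            return plugin
    return None


def lint_pom(pom_xml):
    """Return 'error:'/'warn:'/'info:' findings; an empty list means the
    configuration matches this page's recommendations."""
    findings = []
    plugin = find_snyk_plugin(_strip_namespaces(ET.fromstring(pom_xml)))
    if plugin is None:
        return ["error: io.snyk:snyk-maven-plugin is not declared under <build><plugins>"]

    cfg = plugin.find("configuration")
    token = cfg.findtext("apiToken", "").strip() if cfg is not None else ""
    if not token:
        findings.append("error: apiToken is missing; it is mandatory")
    elif not re.fullmatch(r"\$\{[^}]+\}", token):
        # A literal token in pom.xml ends up in version control.
        findings.append("error: apiToken is a literal value; pass it as a system "
                        "property or environment variable via a ${...} placeholder")

    severity = cfg.findtext("failOnSeverity", "").strip().lower() if cfg is not None else ""
    if not severity:
        findings.append("info: failOnSeverity not set; the plugin defaults to low")
    elif severity not in SEVERITIES:
        findings.append(f"error: failOnSeverity {severity!r} is not low/medium/high/false")
    elif severity == "false":
        findings.append("warn: failOnSeverity=false never breaks the build")

    bound = {}  # goal -> phase (None when the execution sets no phase)
    for execution in plugin.findall("./executions/execution"):
        phase = (execution.findtext("phase") or "").strip() or None
        for goal in execution.findall("./goals/goal"):
            bound[(goal.text or "").strip()] = phase
    for goal in ("test", "monitor"):
        if goal not in bound:
            findings.append(f"warn: no execution binds the {goal} goal; it only runs ad hoc")
        elif bound[goal] is None:
            findings.append(f"warn: the {goal} goal has no explicit phase")
        elif bound[goal] not in LIFECYCLE:
            findings.append(f"error: {bound[goal]!r} is not a default-lifecycle phase")

    # Maven stops at the first failing phase, so a test bound before monitor
    # means a broken build never reaches the monitor step.
    if (bound.get("test") in LIFECYCLE and bound.get("monitor") in LIFECYCLE
            and LIFECYCLE.index(bound["test"]) < LIFECYCLE.index(bound["monitor"])
            and severity != "false"):
        findings.append("info: a build broken by failOnSeverity stops before the "
                        f"{bound['monitor']} phase, so monitor does not run on that build")
    return findings


# Constructed sample mirroring the snippet on this page.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0.0</version>
  <build><plugins><plugin>
    <groupId>io.snyk</groupId><artifactId>snyk-maven-plugin</artifactId><version>1.2.5</version>
    <executions>
      <execution><id>snyk-test</id><phase>test</phase><goals><goal>test</goal></goals></execution>
      <execution><id>snyk-monitor</id><phase>install</phase><goals><goal>monitor</goal></goals></execution>
    </executions>
    <configuration>
      <apiToken>${SNYK_API_TOKEN}</apiToken><failOnSeverity>medium</failOnSeverity><org></org>
    </configuration>
  </plugin></plugins></build>
</project>"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POM
    for line in lint_pom(source) or ["ok: configuration matches the recommendations"]:
        print(line)
```

Run it with a path to a pom.xml, or with no argument to lint the embedded sample; the sample passes with only the informational note about the monitor step not running on a build broken at the test phase. Wiring it into a pre-commit hook catches a token pasted into pom.xml before it reaches the repository.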