Snyk's knowledge of the transitive dependencies in your project makes it possible for Snyk to offer remediation advice. Snyk can fix vulnerabilities in two ways:
- By upgrading direct dependencies to a vulnerability-free version.
- By patching the vulnerability.
Snyk supports the following workflows to help developers remediate their vulnerabilities:
- Automatically opening git pull/merge requests (PRs/MRs). This is a daily recurring process.
- Using the Open a Fix PR/MR feature in the Snyk UI to manually open a pull/merge request with the fixes.
- Using the Snyk CLI wizard command (snyk wizard) to fix vulnerabilities in Node.js applications.
For more details on remediation using Snyk, you can read our article on how to remediate your vulnerabilities.
Enabling automatic pull requests
If your projects were imported into Snyk via an integrated SCM (source code manager), Snyk generates automatic pull requests for those repositories. To modify the integration's settings, select the Integrations tab at the top of the Snyk UI and select your source control repository. Click the gear icon for your integration.
This screenshot is from the settings screen in Snyk for our integration with GitHub. In GitHub, you can view the PR Snyk has opened by selecting the Pull Requests tab at the top of the GitHub repository. PRs are generated overnight, and multiple pull requests might exist for different dependencies.
Opening a Fix PR/MR
Snyk offers the ability to create pull/merge requests directly from your project (if it has vulnerabilities with fixes!). To generate a PR/MR, find your project in the project list and select the manifest file.
Select Open a Fix PR/MR or Fix this vulnerability. Snyk first shows you which fixes are about to be applied (you can select or unselect them individually), then generates the pull/merge request and takes you to it in your SCM.