Snyk's knowledge of the transitive dependencies in your project makes it possible for Snyk to offer remediation advice. Snyk can fix vulnerabilities in two ways:
- By upgrading direct dependencies to a vulnerability-free version.
- By patching the vulnerability.
Snyk supports the following workflows to help developers remediate their vulnerabilities:
- Automatically opening git pull/merge requests (PRs/MRs). This runs as a recurring process, daily by default.
- Using the Open a Fix PR/MR feature in the Snyk UI to manually open a pull/merge request with the fixes.
- Using the Snyk CLI wizard command to fix vulnerabilities in Node.js applications.
For more details on remediation using Snyk, you can read our article on how to remediate your vulnerabilities.
Automatic pull requests
For projects imported via an SCM (Source Code Manager) integration, Snyk offers three types of automated pull requests:
- Fix pull requests for new vulnerabilities (see below)
- Fix pull requests to clear the backlog of vulnerabilities in a prioritised order (see below)
- Dependency upgrade pull requests
Fix pull requests for new vulnerabilities
These pull requests are raised during the recurring tests, which run daily by default but can be changed to run weekly.
They are raised automatically to fix vulnerabilities that either:
- are new since the last scan and have a fix, or
- pre-date the last scan but have gained a fix since then.
They are on by default for new integrations.
For GitHub (cloud), GitHub Enterprise Server and Bitbucket Cloud, these can be enabled or disabled at the integration level (applying to all projects monitored through that integration), or overridden and enabled or disabled per project.
To enable them per project (where supported), go to the project, open its settings, select GitHub Integration on the left, and under the Automatic fix pull requests section choose Customize for only this project, then enable New vulnerabilities - PRs to fix vulnerabilities found since the last recurring test.
To enable them at the integration level, go to Settings, then Integration, select the SCM integration, and find the setting New vulnerabilities - PRs to fix vulnerabilities found since the last recurring test.
Fix pull requests to clear the backlog of vulnerabilities in a prioritised order
These pull requests are raised during the recurring tests, which run daily by default but can be changed to run weekly.
They are raised automatically for the fixable vulnerability with the highest Snyk Priority Score.
One new PR of this kind is created per project per day. There is currently a limit: only issues with a priority score over 700 are targeted by these backlog-clearing pull requests, so once no fixable issues with a score over 700 remain, no further PRs of this kind are raised.
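The two selection rules above (new-vulnerability PRs and backlog-clearing PRs), together with the point made at the top of the page that remediating a transitive vulnerability means upgrading the direct dependency that pulls it in, are easy to get wrong when reasoning about why a given PR did or did not appear. The following is an added illustration, not Snyk's own code or output: it models both rules over a constructed scan result. Every issue id, package name, version, dependency path and priority score in it is made up, and the scan shape (`path`, `score`, `fixedIn`) is an assumption chosen for the example rather than Snyk's actual API.

```javascript
// Added illustration, not Snyk's code: models the two automatic fix-PR rules
// described on this page over a constructed scan result.
// Every issue id, package name, version, path and priority score below is made up.

// Constructed "previous scan": which issues were known last time, and whether a
// fixed version was known for each (null = no fix known at that time).
const PREVIOUS_SCAN = {
  'issue-1': { fixedIn: null },
  'issue-2': { fixedIn: '2.0.5' },
};

// Constructed "current scan". `path` is the dependency chain from the project's
// direct dependency down to the vulnerable package, as the transitive dependency
// graph reveals it; `score` stands in for the Snyk Priority Score.
const CURRENT_SCAN = [
  { id: 'issue-1', path: ['web-framework@3.1.0', 'parser-lib@1.2.0'],
    score: 785, fixedIn: '1.3.0' },                       // fix appeared since last scan
  { id: 'issue-2', path: ['template-engine@2.0.1'],
    score: 640, fixedIn: '2.0.5' },                       // known and fixable last time too
  { id: 'issue-3', path: ['build-tool@5.0.0', 'config-reader@1.1.0', 'yaml-loader@0.4.0'],
    score: 712, fixedIn: '0.5.0' },                       // new since last scan
  { id: 'issue-4', path: ['web-framework@3.1.0', 'compress-util@1.0.0'],
    score: 830, fixedIn: null },                          // highest score, but no fix exists
];

const isFixable = (issue) => issue.fixedIn !== null;

// Split "name@version" on the last "@" so scoped packages such as
// "@scope/name@1.0.0" still parse correctly.
function parseSpec(spec) {
  const at = spec.lastIndexOf('@');
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// The remediation target: a transitive vulnerability cannot be fixed by editing
// package.json for the vulnerable package itself, so the upgrade has to go to the
// direct dependency at the head of the path that pulls it in.
function directDependency(path) {
  const { name, version } = parseSpec(path[0]);
  return { name, version, transitive: path.length > 1 };
}

// Rule 1 (PRs for new vulnerabilities): fixable issues that are either new since
// the previous scan, or were known before but only gained a fix since then.
function newVulnPrCandidates(previousScan, currentScan) {
  return currentScan.filter((issue) => {
    if (!isFixable(issue)) return false;
    const before = previousScan[issue.id];
    return before === undefined || before.fixedIn === null;
  });
}

// Rule 2 (backlog-clearing PRs): the single fixable issue with the highest
// priority score, provided that score is over the threshold (700 on this page).
// Returns null when nothing qualifies, which is when these PRs stop being raised.
function backlogPrCandidate(currentScan, threshold = 700) {
  return currentScan
    .filter((issue) => isFixable(issue) && issue.score > threshold)
    .reduce((best, issue) => (best === null || issue.score > best.score ? issue : best), null);
}

// Stand-alone run: show what each rule would pick from the constructed scan.
for (const issue of newVulnPrCandidates(PREVIOUS_SCAN, CURRENT_SCAN)) {
  const target = directDependency(issue.path);
  console.log(`new-vuln PR for ${issue.id}: upgrade direct dependency ${target.name}` +
    (target.transitive ? ' (vulnerable package is transitive)' : ''));
}
const backlog = backlogPrCandidate(CURRENT_SCAN);
console.log('backlog PR candidate:', backlog ? `${backlog.id} (score ${backlog.score})` : 'none');
```

Two things the constructed data is chosen to show: issue-4 has the highest score but no known fix, so neither rule ever selects it (automatic PRs only target fixable issues), and issue-3 sits three levels deep, so the PR would have to bump build-tool rather than the vulnerable yaml-loader, which is exactly why the transitive dependency graph is needed to offer the advice at all.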
These are on by default for new integrations.
These are currently only available for GitHub (cloud), GitHub Enterprise Server and Bitbucket Cloud, and can be enabled or disabled at the integration level (applying to all projects monitored through that integration), or overridden and enabled or disabled per project.
To enable them per project, go to the project, open its settings, select GitHub Integration on the left, and under the Automatic fix pull requests section choose Customize for only this project, then enable All vulnerabilities - PRs for the highest priority fixable vulnerabilities that exist on this project.
To enable them at the integration level, go to Settings, then Integration, select the SCM integration, and find the All vulnerabilities - PRs for the highest priority fixable vulnerabilities setting.
Opening a fix PR/MR manually through Snyk
Snyk can create pull/merge requests directly from your project, provided it has vulnerabilities with available fixes. To generate a PR/MR, find the project in the project list and select the file (each Snyk project corresponds to a manifest file).
Select Open a Fix PR/MR or Fix this vulnerability. Snyk first shows the fixes about to be applied (you can select or deselect them individually), then generates the pull/merge request and takes you to it in your SCM.

