Dependency & Container Security
Snyk: Dependency Scanning in CI/CD
Snyk is the most widely adopted SCA tool, known for its developer experience and comprehensive vulnerability database.
Snyk Overview
| Feature | Description |
|---|---|
| Languages | JavaScript, Python, Java, Go, Ruby, .NET, PHP, Scala |
| Package Managers | npm, pip, Maven, Gradle, Go modules, Bundler, NuGet |
| CI/CD | GitHub, GitLab, Bitbucket, Jenkins, Azure DevOps |
| Free Tier | 200 tests/month for open-source projects |
Installation
```bash
# Install Snyk CLI
npm install -g snyk
# Or via Homebrew
brew install snyk
# Authenticate (creates ~/.config/configstore/snyk.json)
snyk auth
```
Basic Usage
```bash
# Test current directory
snyk test
# Test specific manifest
snyk test --file=package.json
# Test with severity threshold
snyk test --severity-threshold=high
# Output in JSON for CI processing
snyk test --json > snyk-results.json
```
Understanding Snyk Output
```
Testing /app...

✗ High severity vulnerability found in lodash
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/SNYK-JS-LODASH-567746
  Introduced through: express@4.17.1 > lodash@4.17.15
  From: express@4.17.1 > lodash@4.17.15
  Fixed in: lodash@4.17.21
  Remediation: Upgrade to lodash@4.17.21

Organization: your-org
Package manager: npm
Target file: package.json
Project name: my-app

Tested 156 dependencies for known vulnerabilities
Found 3 vulnerabilities (1 high, 2 medium)
```
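As an added example (not from the page and not Snyk's own code), here is a small triage step over the `--json` output mentioned under Basic Usage: it applies a severity threshold, honours `.snyk`-style ignores only while they are unexpired, and lists upgrade paths in the same `express > lodash` form as the report above. The report is constructed, and the field names (`vulnerabilities`, `severity`, `from`, `fixedIn`, `isUpgradable`) are assumed from the Snyk CLI JSON schema rather than taken from the page.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `snyk test --json` output. It mirrors the
# lodash finding from the human-readable output above; field names follow the
# Snyk CLI JSON schema as assumed here, not anything copied from the page.
SAMPLE_JSON = json.dumps({
    "ok": False,
    "dependencyCount": 156,
    "vulnerabilities": [
        {"id": "SNYK-JS-LODASH-567746", "title": "Prototype Pollution",
         "severity": "high", "packageName": "lodash", "version": "4.17.15",
         "from": ["my-app@1.0.0", "express@4.17.1", "lodash@4.17.15"],
         "fixedIn": ["4.17.21"], "isUpgradable": True},
        {"id": "SNYK-JS-EXAMPLE-1", "title": "Constructed medium issue",
         "severity": "medium", "packageName": "pkg-a", "version": "1.0.0",
         "from": ["my-app@1.0.0", "pkg-a@1.0.0"], "fixedIn": [], "isUpgradable": False},
        {"id": "SNYK-JS-EXAMPLE-2", "title": "Constructed medium issue",
         "severity": "medium", "packageName": "pkg-b", "version": "2.0.0",
         "from": ["my-app@1.0.0", "pkg-b@2.0.0"], "fixedIn": ["2.0.1"], "isUpgradable": True},
    ],
})

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def _parse_iso(ts):
    # .snyk expiries look like 2025-06-01T00:00:00.000Z; fromisoformat wants +00:00
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def triage(report_json, threshold="high", ignores=None, now=None):
    """Return (blocking_ids, fixes); ignores maps issue id -> ISO expiry as in .snyk."""
    report = json.loads(report_json)
    now_dt = _parse_iso(now) if now else datetime.now(timezone.utc)
    blocking, fixes = [], []
    for vuln in report.get("vulnerabilities", []):
        expiry = (ignores or {}).get(vuln["id"])
        if expiry and _parse_iso(expiry) > now_dt:
            continue  # still covered by an unexpired ignore
        if SEVERITY_RANK[vuln["severity"]] >= SEVERITY_RANK[threshold]:
            blocking.append(vuln["id"])
        if vuln.get("isUpgradable") and vuln.get("fixedIn"):
            path = " > ".join(vuln["from"][1:])  # drop the root project entry
            fixes.append(f"{path}: upgrade {vuln['packageName']} to {vuln['fixedIn'][0]}")
    return sorted(blocking), fixes

if __name__ == "__main__":
    blocking, fixes = triage(SAMPLE_JSON)
    print("blocking:", blocking, "\n" + "\n".join(fixes))
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the CI job
```

In a pipeline, feed it the `snyk-results.json` written above and let the exit code decide whether the job passes.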
CI/CD Integration
GitHub Actions
```yaml
# .github/workflows/snyk.yml
name: Snyk Security Scan
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
  security-events: write   # needed by upload-sarif
jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # --sarif-file-output writes the file the next step uploads
          args: --severity-threshold=high --sarif-file-output=snyk.sarif
      - name: Upload Snyk results to GitHub
        # Run even when the scan step failed the build, so findings reach Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif
```
GitLab CI
```yaml
# .gitlab-ci.yml
snyk:
  image: snyk/snyk:node
  stage: test
  script:
    - snyk auth $SNYK_TOKEN
    - snyk test --severity-threshold=high
  allow_failure: false
```
Monitoring Dependencies
Beyond one-time scans, Snyk monitors for new vulnerabilities:
```bash
# Add project to Snyk monitoring
snyk monitor
# Monitor with custom project name
snyk monitor --project-name="production-api"
# Monitor specific org
snyk monitor --org=my-team
```
Automated Fix PRs
Snyk can automatically create pull requests to fix vulnerabilities:
```yaml
# Snyk GitHub integration settings (illustrative; these options are set in the
# Snyk web UI per integration, not read from a file in the repository)
auto_remediation:
  enabled: true
  strategy: patch # or 'upgrade'
  branch_prefix: snyk-fix/
```
This creates PRs on branches like:
```
snyk-fix/upgrade-lodash-4.17.21
snyk-fix/patch-SNYK-JS-LODASH-567746
```
Ignoring False Positives
```bash
# Ignore a specific vulnerability (writes an entry to the .snyk policy file)
snyk ignore --id=SNYK-JS-LODASH-567746 --reason="Not exploitable in our context"
```
The resulting policy file:
```yaml
# .snyk
version: v1.25.0
ignore:
  SNYK-JS-LODASH-567746:
    - '*':
        reason: Not exploitable - input is sanitized
        expires: 2025-06-01T00:00:00.000Z
```
License Compliance
Snyk also checks for license issues:
```bash
# Show every dependency path for each reported issue, license issues included
snyk test --show-vulnerable-paths=all
# Fail on specific licenses
snyk test --license-policy="high-risk-licenses"
```
| License | Risk Level | Common Policy |
|---|---|---|
| MIT | Low | Allow |
| Apache-2.0 | Low | Allow |
| GPL-3.0 | High | Block (viral) |
| AGPL-3.0 | Critical | Block |
| Commercial | Varies | Review |
Next, we'll explore container security with Trivy.