Security Appsec Sca Snyk Oss

Snyk CLI

Installation

# npm (recommended)
npm install -g snyk

# Homebrew (macOS)
brew install snyk

# Binary download
curl -s https://static.snyk.io/cli/latest/snyk-linux -o snyk
chmod +x snyk
sudo mv snyk /usr/local/bin/

# Docker
docker pull snyk/snyk:latest

Authentication

snyk auth                     # Opens browser OAuth flow
snyk auth $SNYK_TOKEN         # Authenticate with token (for CI/CD)

Core Commands

Test (scan for vulnerabilities):

# Scan current directory
snyk test

# Scan with specific severity threshold (fail only on high+)
snyk test --severity-threshold=high

# Scan all projects in monorepo
snyk test --all-projects

# Output in JSON
snyk test --json > snyk-results.json

# Output in SARIF (for GitHub Security tab)
snyk test --sarif > snyk-results.sarif

# Show all vulnerabilities (not just unique)
snyk test --show-vulnerable-paths=all

# Test specific manifest file
snyk test --file=backend/package.json

# Fail on specific policy
snyk test --policy-path=.snyk

Monitor (continuous tracking):

# Send results to Snyk platform for ongoing monitoring
snyk monitor

# Monitor with project name
snyk monitor --project-name="my-app-production"

# Monitor all projects
snyk monitor --all-projects

Fix (apply patches/upgrades):

# Interactive fix (shows options)
snyk fix

# Auto-fix without prompts
snyk fix --dry-run   # Preview changes
snyk fix             # Apply changes

# For pip-based projects
snyk fix --python-target-python=python3.11

Understanding Snyk OSS Output

Vulnerability Report Structure

Testing ./package.json...

Tested 843 dependencies for known issues, found 12 issues, 8 vulnerable paths.

✗ High severity vulnerability found in lodash
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/SNYK-JS-LODASH-1048817
  Introduced through: [email protected] > [email protected] > [email protected]
  From: [email protected] > [email protected] > [email protected]
  Remediation:
    Upgrade express to [email protected] (triggers an upgrade of [email protected])

Key fields:

• Severity: Critical, High, Medium, Low
• SNYK-ID: Snyk's unique vulnerability identifier
• Introduced through: The dependency chain from your code to the vulnerable package
• From: Full path of dependency chain
• Remediation: What upgrade fixes this, including which direct dependency to update

Priority Score in Snyk OSS

Snyk's Priority Score (0-1000) for OSS vulnerabilities adds:

• CVSS base score
• Exploit maturity (proof-of-concept / functional exploit / weaponized)
• Reachability (is the vulnerable function called by your code?)
• Social trends (community attention)
• Fix availability

Auto-Fix PRs

Snyk can automatically create pull requests to fix vulnerabilities.

SCM Integration (Recommended for Auto-Fix)

Connect Snyk to GitHub/GitLab/Bitbucket:

1. Snyk Web UI → Integrations → GitHub/GitLab/etc.
2. Install Snyk app on your organization
3. Import repositories
4. Snyk automatically opens fix PRs for new vulnerabilities

Fix PR behavior:

• One PR per direct dependency upgrade (groups related fixes)
• Includes test results in PR description (did tests pass after upgrade?)
• Shows vulnerability details and CVSS scores
• Labels PRs for easy filtering

Auto-merge rules: Configure Snyk to automatically merge low-risk fix PRs:

• Snyk Web UI → Settings → Snyk PR Checks
• Enable auto-merge for: patch upgrades, no breaking changes, tests passing

CLI Fix PRs

For CI/CD-triggered fix PRs:

# Trigger Snyk to open fix PRs for all monitored projects
snyk fix --all-projects

License Compliance

License Policy Configuration

In Snyk Web UI → Organization Settings → License Policies:

Define policies per license:

• Allow: No action
• Severity: Low/Medium/High: Alert but don't block
• Fail: Block CI pipeline

Common policy:

MIT         → Allow
Apache 2.0  → Allow
BSD-2/3     → Allow
ISC         → Allow
LGPL        → Medium (inform legal)
MPL         → Medium (inform legal)
GPL v2/v3   → High (block commercial use)
AGPL        → Critical (block - copyleft for network use)
Unknown     → Medium (review required)

CLI License Check

# Test for license issues
snyk test --json | jq '.licensesPolicy'

# List all licenses in dependencies
snyk test --json | jq '.dependencies[].license'

Reachability Analysis

Snyk OSS reachability analysis (available for JavaScript, Java, Python) determines whether your application code actually calls the vulnerable function in a dependency.

How Reachability Works

1. Snyk scans your source code to build a call graph
2. Snyk knows the specific functions/classes in the vulnerable library that are the attack surface
3. Snyk traces your code's calls to determine if any call path reaches the vulnerable function

Reachability in Output

✗ High severity vulnerability found in lodash
  Reachability: REACHABLE
  Reachable via: my-service/utils/parser.js > processTemplate > lodash.template