/
help.txt
170 lines (148 loc) · 8.76 KB
/
help.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
Usage:
$ snyk [command] [options] [package]
The package argument is optional. If no package is given, Snyk will
run the command against the current working directory allowing you
to test your non-public applications.
Commands:
auth [api-token] ... Authenticate use of the Snyk CLI tool with your Snyk account.
test ............... Test for any known vulnerabilities.
wizard ............. Configure your policy file to update, auto patch and
ignore vulnerabilities in npm & yarn projects. snyk wizard updates your .snyk file automatically.
protect ............ Protect your code from vulnerabilities and
optionally suppress specific vulnerabilities.
Note: Node.js only.
monitor ............ Record the state of dependencies and any
vulnerabilities on snyk.io.
policy ............. Display the .snyk policy for a package.
ignore ............. Modifies the .snyk policy to ignore stated issues.
For more information run `snyk help ignore`.
help [topic] ....... Display this detailed help about commands and options.
config ............. Manage Snyk's configuration, note that this configuration is stored
on your machine and applies to all Snyk CLI calls.
Options:
--all-projects ..... (test & monitor commands only)
Auto detect all projects in working directory.
Note gradle is not supported, use --all-sub-projects instead.
--detection-depth=<number>
(test & monitor commands only)
Use with --all-projects or --yarn-workspaces to indicate how many sub-directories to search.
Defaults to 2 (the current working directory and one sub-directory).
--exclude=<comma separated list of directory names>
(test & monitor commands only)
Can be used with --all-projects and --yarn-workspaces to indicate sub-directories to exclude.
Directories must be comma separated.
If using with --detection-depth exclude ignores directories at any level deep.
--dev .............. Include devDependencies (defaults to production only).
--file=<File> ...... Sets package file. For more help run `snyk help file`.
--org=<org-name> ... Specify the org machine-name to run Snyk with a specific
organization. For more help run `snyk help orgs`.
--ignore-policy .... Ignores the current policy in .snyk file, org level ignores and project policy on snyk.io.
--trust-policies ... Applies and uses ignore rules from your dependencies'
Snyk policies, otherwise ignore policies are only
shown as a suggestion.
--show-vulnerable-paths=<none|some|all>
(test command only)
Display the dependency paths from the top level
dependencies, down to the vulnerable packages.
Defaults to "some" (a few example paths).
"false" is an alias for "none".
Doesn't affect output in JSON mode.
--project-name=<string>
Specify a custom Snyk project name.
--policy-path ...... Manually pass a path to a snyk policy file.
--insecure ......... Ignore unknown certificate authorities.
--json ............. Return results in JSON format.
--dry-run .......... Don't apply updates or patches during protect.
--severity-threshold=<low|medium|high>
Only report vulnerabilities of provided level or higher.
-q, --quiet ........ Silence all output.
-h, --help ......... This help information.
-v, --version ...... The CLI version.
--print-deps ....... (test and monitor commands only)
Print the dependency tree before sending it for analysis.
--prune-repeated-subdependencies
(test and monitor command only)
Prune dependency trees, removing duplicate sub-dependencies.
Will still find all vulnerabilities, but potentially not all
of the vulnerable paths.
--remote-repo-url=<string>
(monitor command only)
Set or override the remote URL for the repository that you would like to monitor.
--fail-on=<all|upgradable|patchable>
Only fail when there are vulnerabilities that can be fixed.
All fails when there is at least one vulnerability that can be either upgraded or patched.
Upgradable fails when there is at least one vulnerability that can be upgraded.
Patchable fails when there is at least one vulnerability that can be patched.
If vulnerabilities do not have a fix and this option is being used tests will pass.
--json-file-output=<string>
(test command only)
Save test output in JSON format directly to the specified file, regardless of whether or not you use the `--json` option.
This is especially useful if you want to display the human-readable test output via stdout and at the same time save the JSON format output to a file.
Maven options:
--scan-all-unmanaged
Auto detects maven jars and wars in given directory.
Individual testing can be done with --file=<jar-file-name>
Gradle options:
--sub-project=<string> (alias: --gradle-sub-project)
For Gradle "multi project" configurations,
test a specific sub-project.
--all-sub-projects For "multi project" configurations, test all
sub-projects.
--configuration-matching=<string>
Resolve dependencies using only configuration(s) that
match the provided Java regular expression, e.g.
'^releaseRuntimeClasspath$'.
--configuration-attributes=<string>
Select certain values of configuration attributes to
resolve the dependencies. E.g.:
'buildtype:release,usage:java-runtime'
More information: https://snyk.io/docs/cli-advanced-gradle-testing/
.Net (Nuget) options:
--assets-project-name
When monitoring a .NET project using NuGet
PackageReference use the project name in
project.assets.json, if found.
--packages-folder Custom path to packages folder
npm options:
--strict-out-of-sync=<true|false>
Prevent testing out of sync lockfiles. Defaults to true.
Yarn options:
--strict-out-of-sync=<true|false>
Prevent testing out of sync lockfiles. Defaults to true.
--yarn-workspaces Detect and scan yarn workspaces. Similar to --all-projects you can specify how
many sub-directories to search & exclude some directories.
CocoaPods options:
--strict-out-of-sync=<true|false>
Prevent testing out of sync lockfiles. Defaults to false.
Python options:
--command=<string> Indicate which specific Python commands to use based on Python version.
The default is 'python' which executes your systems default python version.
Run 'python -V' to find out what version that is.
If you are using multiple Python versions, use this parameter to specify the correct Python command for execution.
For example: `--command=python3`.
--skip-unresolved=<true|false>
Allow skipping packages that are not found
in the environment.
Docker options:
--docker (alias: --container)
Test or monitor a local Docker image for Linux vulnerabilities.
--file=<string> .... Include the path to the image's Dockerfile for more detailed
remediation advice.
--exclude-base-image-vulns
Exclude from display Docker base image vulnerabilities.
Examples:
$ snyk test
$ snyk test ionic@1.6.5
$ snyk test --show-vulnerable-paths=false
$ snyk monitor --org=my-team
$ snyk monitor --project-name=my-project
$ snyk test --docker ubuntu:18.04 --org=my-team
$ snyk test --docker app:latest --file=Dockerfile --policy-path=path/to/.snyk
$ snyk test --yarn-workspaces --detection-depth=4 --strict-out-of-sync=false
Possible exit statuses and their meaning:
- 0: success, no vulns found
- 1: action_needed, vulns found
- 2: failure, try to re-run command
Pro tip: use `snyk test` in your test scripts, if a vulnerability is
found, the process will exit with a non-zero exit code.
For more information see https://snyk.io