How to Setup Snyk in 2026 - Complete Step-by-Step Guide

Why set up Snyk for application security

Application security is no longer optional - it is a baseline requirement for any team shipping software in 2026. Supply chain attacks, dependency vulnerabilities, and infrastructure misconfigurations are among the most exploited attack vectors today, and they all share one thing in common: they can be caught before code reaches production if you have the right scanning in place.

Snyk is a developer-first security platform that covers four critical scanning categories in a single tool: open-source dependency scanning (SCA), static application security testing (SAST) via Snyk Code, container image scanning, and infrastructure as code analysis. It integrates directly into the developer workflow - CLI, IDE, Git platform, and CI/CD pipeline - so security findings surface where developers are already working rather than in a separate dashboard that nobody checks.

What makes Snyk particularly effective for development teams is its approach to remediation. Instead of just listing vulnerabilities, Snyk provides actionable fix paths: automated pull requests that upgrade vulnerable dependencies, specific code change recommendations for SAST findings, and alternative base image suggestions for container vulnerabilities. The DeepCode AI engine behind Snyk Code was trained on curated security data and can detect vulnerabilities across 19+ languages with low false positive rates.

The free tier is genuinely useful. It includes all four scanning products with enough test limits for individual developers and small teams. Paid plans start at $25 per contributing developer per month for teams that need unlimited scanning and collaboration features.

This guide walks through every step of setting up Snyk from scratch - creating your account, installing the CLI, authenticating, running your first scans, configuring GitHub integration, setting up your IDE, automating scans in GitHub Actions, and managing findings with policy files. Every command and configuration shown here is production-ready.

Prerequisites

Before starting the setup process, make sure you have the following in place:

• Node.js 18 or later installed (required for the npm-based CLI installation method; alternative installation methods are available if you do not use Node.js)
• A GitHub, GitLab, Bitbucket, or Azure DevOps account for Git integration
• Docker installed (only required if you plan to scan container images)
• A project to scan - any codebase with a manifest file (package.json, requirements.txt, pom.xml, go.mod, Gemfile, etc.) or source code files

If you already have these, you can start immediately with Step 1.

Step 1: Create a Snyk account

The first step is to create your free Snyk account. Snyk offers multiple sign-up options, and the process takes under two minutes.

1. Navigate to app.snyk.io in your browser
2. Click "Sign up" and select your preferred authentication method:
   • GitHub - recommended if your repositories are on GitHub, as this pre-authorizes the GitHub integration
   • GitLab - recommended for GitLab users
   • Bitbucket - recommended for Bitbucket users
   • Google - if you prefer to use a Google account
   • Email and password - for manual account creation
3. Authorize Snyk to access your Git provider account when prompted
4. Complete the onboarding flow by selecting your role and primary use case

Signing up with your Git provider is the recommended approach because it creates the integration connection automatically. If you sign up with GitHub, for example, you can import GitHub repositories for scanning in the next step without any additional configuration.

After sign-up, you will land on the Snyk dashboard at app.snyk.io. This is where you manage projects, view scan results, configure integrations, and monitor vulnerabilities over time.

Step 2: Install the Snyk CLI

The Snyk CLI is the foundation for local scanning and CI/CD integration. It runs scans from your terminal, integrates with any CI/CD system, and provides the fastest feedback loop during development.

Install via npm (recommended for Node.js users)

npm install -g snyk

Install via Homebrew (macOS)

brew install snyk

Install via Scoop (Windows)

scoop install snyk

Install via standalone binary (any platform)

Download the latest binary for your platform from the Snyk CLI releases page. For Linux:

curl -Lo snyk https://static.snyk.io/cli/latest/snyk-linux
chmod +x snyk
sudo mv snyk /usr/local/bin/

Verify the installation

snyk --version

This should return a version number like 1.1292.0 or later. If you see the version number, the CLI is installed correctly and ready for authentication.

Step 3: Authenticate the CLI

Authentication connects your local CLI to your Snyk account, enabling it to access your organization settings, policies, and vulnerability database.

Interactive authentication (local development)

Run the following command:

snyk auth

This opens your default browser and redirects you to the Snyk authentication page. Sign in with the same account you created in Step 1, then click "Authenticate" to authorize the CLI. Once authorized, the browser displays a confirmation message and the CLI stores your authentication token locally at ~/.config/configstore/snyk.json.

Token-based authentication (CI/CD and headless environments)

For CI/CD pipelines and environments without a browser, use an API token instead:

1. Go to app.snyk.io/account
2. Scroll to the "Auth Token" section
3. Click "Generate" to create a new token (or copy the existing one)
4. Set the token as an environment variable:

export SNYK_TOKEN=your-api-token-here

In CI/CD systems, store this token as a secret (for example, as a GitHub Actions secret named SNYK_TOKEN). The CLI automatically reads the SNYK_TOKEN environment variable when it cannot find a local auth file.

Verify authentication

snyk auth check

If authentication is configured correctly, this command returns your authenticated account details.

Step 4: Run your first scan with snyk test

The snyk test command scans your project for open-source dependency vulnerabilities. It reads your manifest files (package.json, requirements.txt, pom.xml, go.mod, etc.), resolves the full dependency tree, and checks every direct and transitive dependency against Snyk's vulnerability database.

Navigate to your project directory and run:

cd /path/to/your/project
snyk test

The output lists each vulnerability found, including:

• Vulnerability title and ID (for example, SNYK-JS-LODASH-1018905)
• Severity (Critical, High, Medium, or Low)
• Introduced through - which direct dependency pulls in the vulnerable package
• Fix available - whether an upgrade or patch is available
• Exploit maturity - whether the vulnerability has known exploits in the wild

Here is an example of typical output:

Testing /path/to/your/project...

Tested 847 dependencies for known issues, found 3 issues, 1 critical severity.

Issues to fix by upgrading:

  Upgrade express@4.17.1 to express@4.18.2
  - Prototype Pollution [Critical Severity][SNYK-JS-EXPRESS-12345]
    Introduced through: express@4.17.1
    Fixed in: express@4.18.2

  Upgrade jsonwebtoken@8.5.1 to jsonwebtoken@9.0.0
  - Insecure Default Algorithm [High Severity][SNYK-JS-JSONWEBTOKEN-67890]
    Introduced through: jsonwebtoken@8.5.1
    Fixed in: jsonwebtoken@9.0.0

Filtering results by severity

To focus on critical and high severity vulnerabilities only:

snyk test --severity-threshold=high

This flag filters out medium and low severity findings, which is useful for CI/CD gating where you want to fail the build only on serious vulnerabilities.

Testing specific manifest files

If your project has multiple manifest files or you want to target a specific one:

snyk test --file=backend/requirements.txt
snyk test --file=frontend/package.json

Understanding exit codes

The snyk test command uses exit codes to indicate results, which is critical for CI/CD integration:

• Exit code 0 - No vulnerabilities found
• Exit code 1 - Vulnerabilities found
• Exit code 2 - Scan failed due to an error (authentication, network, or configuration issue)

Step 5: Enable and run Snyk Code for SAST scanning

Snyk Code performs static application security testing (SAST) by analyzing your source code for security vulnerabilities without executing it. Unlike dependency scanning, SAST examines your own code for issues like SQL injection, cross-site scripting, path traversal, hardcoded credentials, and insecure deserialization.

Enable Snyk Code in your organization

Snyk Code must be explicitly enabled before you can use it:

1. Go to app.snyk.io
2. Navigate to Settings (gear icon in the sidebar)
3. Select Snyk Code from the settings menu
4. Toggle Enable Snyk Code to on
5. Click Save changes

Run a SAST scan

Once enabled, run Snyk Code from your project directory:

snyk code test

The output shows security vulnerabilities in your source code with file paths, line numbers, and remediation guidance:

Testing /path/to/your/project ...

 ✗ [High] SQL Injection
   Path: src/controllers/userController.js, line 42
   Info: Unsanitized input from an HTTP request body flows into sql.query(),
         where it is used to build a database query. This may result in a
         SQL Injection vulnerability.

 ✗ [Medium] Hardcoded Secret
   Path: src/config/database.js, line 8
   Info: A hardcoded credential was detected. Avoid hardcoding secrets in
         source code; use environment variables or a secrets manager instead.

Filtering Snyk Code results

snyk code test --severity-threshold=high

This restricts output to high and critical severity findings, which is useful when running in CI/CD pipelines where you want to gate on serious issues only.

Supported languages

Snyk Code supports 19+ languages including JavaScript, TypeScript, Python, Java, Go, Ruby, C#, PHP, Kotlin, Swift, Scala, and C/C++. It analyzes semantic code patterns rather than simple regex matching, which enables it to trace data flows across functions and files to detect vulnerabilities that simpler tools miss.

Step 6: Scan container images

Snyk Container scans Docker images and OCI container images for vulnerabilities in both the base OS packages and application-level dependencies installed inside the image.

Scan a public image

snyk container test node:20-alpine

This pulls the image metadata (or uses a locally cached image) and checks every installed package against Snyk's vulnerability database.

Scan a locally built image

Build your image first, then scan it:

docker build -t myapp:latest .
snyk container test myapp:latest

Include Dockerfile recommendations

Adding the --file flag includes best practice recommendations for your Dockerfile:

snyk container test myapp:latest --file=Dockerfile

Snyk analyzes your Dockerfile and suggests improvements like using a smaller base image, avoiding running as root, and pinning base image versions. It also recommends alternative base images with fewer known vulnerabilities.

Example output

Testing myapp:latest...

Organization:      your-org
Package manager:   apk
Project name:      docker-image|myapp
Docker image:      myapp:latest
Platform:          linux/amd64
Base image:        node:20-alpine
Licenses:          enabled

Tested 42 dependencies for known issues, found 5 issues.

Base Image         Vulnerabilities  Severity
node:20-alpine     5                1 critical, 2 high, 2 medium

Recommendations for base image upgrade:
  Minor upgrades
    Base Image              Vulnerabilities  Severity
    node:20.11.1-alpine     2                0 critical, 0 high, 2 medium

Monitor containers continuously

To add a container image to ongoing monitoring in the Snyk dashboard:

snyk container monitor myapp:latest --file=Dockerfile

This creates a project in your Snyk dashboard that Snyk checks against newly disclosed vulnerabilities on a recurring schedule.

Step 7: Scan Infrastructure as Code

Snyk IaC scans your infrastructure configuration files for security misconfigurations before you deploy them. It supports Terraform (.tf), CloudFormation (.yaml/.json), Kubernetes manifests, Azure Resource Manager (ARM) templates, and Helm charts.

Run an IaC scan

snyk iac test

This scans all supported configuration files in the current directory and subdirectories.

Scan specific files

snyk iac test main.tf
snyk iac test k8s/deployment.yaml

Filter by severity

snyk iac test --severity-threshold=high

Example output

Testing main.tf...

Infrastructure as code issues:

  ✗ [High] S3 bucket does not have encryption enabled
    Rule: SNYK-CC-TF-45
    Path: resource > aws_s3_bucket[data] > server_side_encryption_configuration
    File: main.tf
    Resolve: Set the 'server_side_encryption_configuration' block with AES256 or aws:kms.

  ✗ [Medium] Security group allows ingress from 0.0.0.0/0
    Rule: SNYK-CC-TF-1
    Path: resource > aws_security_group[web] > ingress[0] > cidr_blocks
    File: main.tf
    Resolve: Restrict ingress to specific IP ranges instead of 0.0.0.0/0.

  ✗ [Low] RDS instance does not have deletion protection enabled
    Rule: SNYK-CC-TF-83
    Path: resource > aws_db_instance[main] > deletion_protection
    File: main.tf
    Resolve: Set 'deletion_protection' to true.

Send IaC results to the dashboard

snyk iac test --report

The --report flag uploads results to your Snyk dashboard for centralized tracking and trend analysis.

Step 8: Set up the GitHub integration

The Snyk GitHub integration automatically scans your repositories and creates pull requests to fix vulnerabilities. It adds PR checks that gate merges on security findings, monitors dependencies for newly disclosed vulnerabilities, and provides a centralized view of your security posture across all repositories.

Connect GitHub to Snyk

1. Log in to app.snyk.io
2. Navigate to Integrations in the sidebar
3. Select GitHub
4. Click Connect to GitHub and authorize Snyk in the GitHub OAuth flow
5. Choose whether to grant access to all repositories or select specific ones

Import repositories

After connecting GitHub:

1. Click Add projects in the Snyk dashboard
2. Select GitHub as the source
3. Check the repositories you want to scan
4. Click Add selected repositories

Snyk runs an initial scan on each imported repository and creates projects for every manifest file it finds (package.json, requirements.txt, Dockerfile, terraform files, etc.).

Configure PR checks

Snyk can automatically check every pull request for new vulnerabilities:

1. Go to Settings in your Snyk organization
2. Select GitHub under Integrations
3. Under Default Snyk test for pull requests, toggle it to Enabled
4. Configure the fail conditions:
   • Only fail when the PR is adding a dependency with issues - recommended for most teams
   • Fail if the repo has any issues - stricter, may block PRs for pre-existing issues

Configure automatic fix PRs

Snyk can automatically create pull requests to upgrade vulnerable dependencies:

1. In the same GitHub integration settings, find Automatic fix pull requests
2. Toggle it to Enabled
3. Configure options:
   • Fix known vulnerabilities - creates PRs when Snyk detects a fixable vulnerability
   • Fix new vulnerabilities - creates PRs when a newly disclosed vulnerability affects your dependencies
   • Backlog limit - maximum number of open fix PRs (default is 5)

Fix PRs include a detailed description of the vulnerability, the upgrade path, and any breaking change warnings. They are ready to review and merge without manual dependency version changes.

Step 9: Install the VS Code extension

The Snyk VS Code extension provides real-time security feedback directly in your editor as you write code. It runs Snyk Code (SAST), open-source dependency scanning, and IaC scanning without leaving your IDE.

Installation

1. Open VS Code
2. Go to the Extensions panel (Ctrl+Shift+X on Windows/Linux or Cmd+Shift+X on macOS)
3. Search for Snyk Security
4. Click Install on the extension published by Snyk
5. After installation, click the Snyk icon that appears in the left sidebar
6. Click Connect VS Code with Snyk and complete the browser-based authentication

Using the extension

Once connected, the extension automatically scans your open workspace:

• Code security issues appear as inline highlights in the editor with severity indicators (red for high/critical, yellow for medium, blue for low)
• Dependency vulnerabilities appear in the Snyk panel with upgrade recommendations
• IaC misconfigurations are highlighted inline in Terraform, Kubernetes, and CloudFormation files

The extension runs incrementally as you edit files, so you see security feedback in real time without manually triggering a scan.

Configuration

Open VS Code settings (Ctrl+, or Cmd+,) and search for "Snyk" to configure:

• Severity filter - choose which severity levels to display (default: all)
• Scan on save - enable or disable automatic scanning when files are saved
• Products - enable or disable specific Snyk products (Code, Open Source, IaC)
• Custom endpoint - for teams using Snyk's single-tenant or on-premise deployment

The VS Code extension also works with JetBrains IDEs (IntelliJ, PyCharm, WebStorm) through a separate plugin available in the JetBrains Marketplace. The JetBrains plugin provides the same SAST, SCA, and IaC scanning capabilities.

Step 10: Automate Snyk in GitHub Actions

Adding Snyk to your GitHub Actions workflow ensures every pull request is scanned for security issues before it can be merged. This is the most impactful integration for teams because it creates an automated security gate that runs consistently on every code change.

Basic workflow for dependency scanning

Create a workflow file at .github/workflows/snyk.yml:

name: Snyk Security Scan

on:
  pull_request:
    branches: [main, develop]
  push:
    branches: [main]

jobs:
  snyk-open-source:
    name: Snyk Open Source
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

Replace snyk/actions/node with the appropriate action for your language:

• snyk/actions/node - JavaScript/TypeScript (npm, yarn)
• snyk/actions/python - Python (pip, pipenv, poetry)
• snyk/actions/maven - Java (Maven)
• snyk/actions/gradle - Java (Gradle)
• snyk/actions/golang - Go
• snyk/actions/dotnet - .NET
• snyk/actions/docker - Container images
• snyk/actions/iac - Infrastructure as Code

Combined workflow for all Snyk products

For comprehensive scanning across all four Snyk products in a single workflow:

name: Snyk Security

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  snyk-open-source:
    name: Snyk Open Source (SCA)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install dependencies
        run: npm ci

      - name: Snyk Open Source scan
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --sarif-file-output=snyk-os.sarif

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk-os.sarif
        if: always()

  snyk-code:
    name: Snyk Code (SAST)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Snyk Code scan
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: code test
          args: --sarif-file-output=snyk-code.sarif

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk-code.sarif
        if: always()

  snyk-container:
    name: Snyk Container
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Snyk Container scan
        uses: snyk/actions/docker@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: myapp:${{ github.sha }}
          args: --file=Dockerfile --severity-threshold=high --sarif-file-output=snyk-container.sarif

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk-container.sarif
        if: always()

  snyk-iac:
    name: Snyk IaC
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Snyk IaC scan
        uses: snyk/actions/iac@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=medium --sarif-file-output=snyk-iac.sarif

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk-iac.sarif
        if: always()

All four jobs run in parallel, so the total scan time is determined by the slowest individual scan rather than the sum of all four.

SARIF integration with GitHub Security tab

The --sarif-file-output flag and the upload-sarif step send Snyk results to GitHub's Security tab. This gives your team a centralized view of all security findings across all tools (not just Snyk) directly within GitHub, without needing to check a separate dashboard.

Setting up branch protection

After adding the Snyk workflow, configure branch protection to require it:

1. Go to your repository Settings on GitHub
2. Click Branches in the sidebar
3. Add or edit the branch protection rule for main
4. Under Require status checks to pass before merging, search for and add the Snyk job names (for example, "Snyk Open Source (SCA)" and "Snyk Code (SAST)")

This ensures no pull request can be merged if Snyk detects high-severity vulnerabilities.

Step 11: Configure the .snyk policy file

The .snyk policy file gives you granular control over how Snyk handles specific vulnerabilities in your project. It lets you ignore findings that are not exploitable in your context, set expiration dates on exceptions, and document the reasoning for each decision.

Ignoring a vulnerability

When Snyk flags a vulnerability that is not exploitable in your usage (for example, a vulnerability in a dependency function that your code never calls), ignore it with a documented reason:

snyk ignore --id=SNYK-JS-LODASH-1018905 \
  --expiry=2026-06-13 \
  --reason="Function _.template is not used in our codebase"

This creates or updates a .snyk file in your project root:

# Snyk (https://snyk.io) policy file
version: v1.25.0
ignore:
  SNYK-JS-LODASH-1018905:
    - '*':
        reason: Function _.template is not used in our codebase
        expires: 2026-06-13T00:00:00.000Z
        created: 2026-03-13T00:00:00.000Z

Setting path-specific ignores

You can ignore vulnerabilities only in specific paths:

version: v1.25.0
ignore:
  SNYK-JS-EXAMPLE-12345:
    - 'test/*':
        reason: Test dependencies are not shipped to production
        expires: 2026-09-13T00:00:00.000Z

Patching vulnerabilities

For vulnerabilities where no upgrade is available, Snyk can apply source-level patches:

version: v1.25.0
patch:
  SNYK-JS-LODASH-567890:
    - lodash:
        patched: '2026-03-13T00:00:00.000Z'

Run snyk protect to apply patches defined in the policy file.

Best practices for .snyk files

• Always commit the .snyk file to version control so the entire team shares the same policy
• Set expiration dates on all ignores - never ignore a vulnerability permanently. A 90-day expiration forces periodic review
• Include clear reasons for every ignore - future team members need to understand why a vulnerability was accepted
• Review the .snyk file in pull requests - changes to the policy file should go through code review just like any other code change

Step 12: Set up continuous monitoring with snyk monitor

The snyk monitor command uploads a snapshot of your project to the Snyk dashboard for continuous vulnerability monitoring. Unlike snyk test which runs once and reports results, snyk monitor creates an ongoing watch that alerts you when new vulnerabilities are disclosed that affect your dependencies.

Running snyk monitor

snyk monitor

This command:

1. Resolves your project's full dependency tree
2. Uploads the dependency snapshot to Snyk's cloud
3. Returns a URL to view the project in the Snyk dashboard

Monitoring /path/to/your/project (your-project)...

Explore this snapshot at https://app.snyk.io/org/your-org/project/abc123

Notifications about newly disclosed issues related to these
dependencies will be emailed to you.

Where to run snyk monitor

The snyk monitor command is most useful when run at specific points in your workflow:

• In your CI/CD deploy pipeline - after a successful build and test, monitor the exact dependency set that is being deployed to production
• On your main branch only - avoid monitoring feature branches, which are temporary and do not represent production state

Here is a GitHub Actions step that monitors only on pushes to main:

- name: Monitor with Snyk
  if: github.ref == 'refs/heads/main' && github.event_name == 'push'
  run: snyk monitor
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Monitoring container images

snyk container monitor myapp:latest --file=Dockerfile

Monitoring IaC configurations

snyk iac test --report

The --report flag for IaC serves the same purpose as snyk monitor for dependencies - it sends results to the dashboard for continuous tracking.

Alert configuration

After running snyk monitor, configure how you receive alerts:

1. Go to Settings in the Snyk dashboard
2. Under Notifications, configure:
   • Email notifications - receive alerts for new vulnerabilities
   • Slack integration - post alerts to a Slack channel
   • Jira integration - automatically create Jira tickets for new critical vulnerabilities
   • Webhook - trigger custom workflows when new vulnerabilities are found

Troubleshooting common issues

Even with a straightforward setup, you may encounter issues. Here are the most common problems and how to resolve them.

Authentication failures

Problem: snyk test returns "Authentication failed" or "Missing API token."

Fix: Run snyk auth again to re-authenticate. For CI/CD, verify that the SNYK_TOKEN secret is correctly set in your repository settings and that the token has not expired. Generate a new token at app.snyk.io/account if needed.

# Verify your token is set
echo $SNYK_TOKEN | head -c 5
# Should print the first 5 characters of your token

Snyk Code not returning results

Problem: snyk code test returns "Snyk Code is not enabled" or produces no output.

Fix: Snyk Code must be explicitly enabled in your organization settings. Go to app.snyk.io > Settings > Snyk Code and toggle "Enable Snyk Code" to on. This is a common gotcha because Snyk Code is disabled by default even on paid plans.

Manifest file not found

Problem: snyk test returns "Could not detect supported target files."

Fix: Snyk needs a recognized manifest file to scan dependencies. Make sure you are running the command from the directory containing your manifest file (package.json, requirements.txt, pom.xml, etc.). For non-standard locations, specify the file explicitly:

snyk test --file=backend/requirements.txt

Container scan fails with "image not found"

Problem: snyk container test myapp:latest returns "image not found."

Fix: The image must be available locally. Build it first with docker build -t myapp:latest . or pull it with docker pull. Snyk does not pull images from registries automatically in CLI mode - it reads the image from your local Docker daemon.

GitHub Actions workflow fails with permission errors

Problem: The SARIF upload step fails with "Advanced Security must be enabled for this repository."

Fix: SARIF upload to GitHub's Security tab requires GitHub Advanced Security, which is free for public repositories but requires a paid plan for private repositories. If you do not have Advanced Security, remove the upload-sarif step. Snyk results will still be available in the Snyk dashboard and as PR annotations.

Rate limiting on the free plan

Problem: Scans return "You have exceeded your test limit" before the end of the billing period.

Fix: The free plan has strict test limits (400 Open Source, 100 Code, 300 IaC, 100 Container tests per period). To reduce consumption, avoid running snyk test on every push to every branch. Instead, configure CI to only run Snyk on pull requests targeting the main branch and on pushes to main. For local development, use the VS Code extension which uses a separate allocation.

Slow scan times

Problem: Snyk scans take longer than expected in CI/CD.

Fix: For dependency scanning, ensure your project has a lock file (package-lock.json, yarn.lock, poetry.lock). Without a lock file, Snyk must resolve the full dependency tree from scratch, which is significantly slower. For Snyk Code, exclude large generated files and vendor directories by configuring exclusions in your Snyk organization settings.

Summary of all Snyk CLI commands

Here is a quick reference for every Snyk command covered in this guide:

Command	Purpose
snyk auth	Authenticate CLI with your Snyk account
snyk test	Scan dependencies for vulnerabilities (one-time)
snyk code test	Run SAST scanning on source code
snyk container test <image>	Scan container image for vulnerabilities
snyk iac test	Scan IaC files for misconfigurations
snyk monitor	Upload project snapshot for continuous monitoring
snyk container monitor <image>	Monitor container image continuously
snyk ignore --id=<vuln-id>	Ignore a specific vulnerability
snyk fix	Auto-upgrade dependencies to fix vulnerabilities
snyk log4shell	Test specifically for Log4Shell vulnerabilities
snyk --version	Check installed CLI version
snyk auth check	Verify authentication status

Each command supports additional flags for filtering, formatting, and output customization. Run snyk <command> --help for the complete list of options for any command.

What to do after setup

Once you have completed all twelve steps, your Snyk setup covers four layers of security scanning across your development workflow - from the IDE to CI/CD to production monitoring. Here is what to focus on next:

1. Review your initial scan results in the Snyk dashboard at app.snyk.io. Prioritize critical and high severity findings first
2. Merge the automatic fix PRs that Snyk created during the initial repository import. These are safe, tested upgrades for known vulnerable dependencies
3. Configure your .snyk policy file to ignore any findings that are not applicable to your context, with documented reasons and expiration dates
4. Set up Slack or Jira notifications so your team is alerted when new vulnerabilities are disclosed that affect your monitored projects
5. Establish a triage cadence - review new Snyk findings weekly and prioritize them alongside your regular backlog. Security debt, like technical debt, compounds if ignored

Snyk's strength is in its developer-first approach. The closer you integrate security scanning to where developers work - the IDE, the pull request, the CI pipeline - the more likely vulnerabilities get fixed before they reach production. The setup described in this guide puts scanning at every stage of that workflow, giving your team continuous security feedback without disrupting development velocity.

Frequently Asked Questions

How do I install Snyk CLI?

Install Snyk CLI using npm with the command 'npm install -g snyk'. You can also install it via Homebrew on macOS with 'brew install snyk', using Scoop on Windows with 'scoop install snyk', or by downloading a standalone binary from Snyk's GitHub releases page. After installation, run 'snyk auth' to authenticate your CLI with your Snyk account. Verify the installation by running 'snyk --version' to confirm it returns the current version number.

Is Snyk free to use?

Yes, Snyk offers a free tier that includes all five security products - Snyk Open Source (SCA), Snyk Code (SAST), Snyk Container, Snyk IaC, and Snyk Cloud. The free plan provides 400 Open Source tests, 100 Code tests, 300 IaC tests, and 100 Container tests per billing period. These limits are sufficient for individual developers and small open-source projects. The free plan includes GitHub and GitLab integration, IDE plugins, and community support. Paid plans start at $25 per contributing developer per month for the Team tier.

How do I authenticate Snyk CLI?

Run 'snyk auth' in your terminal. This command opens your default browser and redirects you to the Snyk login page. After you sign in and authorize the CLI, an authentication token is stored locally at ~/.config/configstore/snyk.json. For CI/CD environments where browser authentication is not possible, set the SNYK_TOKEN environment variable with an API token generated from your Snyk account settings page at app.snyk.io/account.

How do I run Snyk Code for SAST scanning?

Enable Snyk Code in your organization settings at app.snyk.io under Settings, then Snyk Code, then toggle 'Enable Snyk Code.' Once enabled, run 'snyk code test' from your project directory to perform static application security testing. Snyk Code analyzes your source code for vulnerabilities like SQL injection, cross-site scripting, path traversal, and hardcoded secrets. Results include severity ratings, file locations, line numbers, and remediation guidance. You can also run Snyk Code from your IDE using the VS Code or JetBrains plugin.

How do I integrate Snyk with GitHub?

Log in to app.snyk.io, go to Integrations, select GitHub, and authorize Snyk to access your GitHub account. Then import your repositories by clicking 'Add projects' and selecting the repos you want to scan. Snyk will automatically run an initial scan and create pull requests for fixable vulnerabilities. It also adds PR checks that scan every new pull request for security issues before merge. You can configure automatic fix PRs, recurring test frequency, and which projects to monitor from the integration settings.

How do I scan Docker containers with Snyk?

Run 'snyk container test ' to scan a Docker image for vulnerabilities. For example, 'snyk container test node:20-alpine' scans the Node.js Alpine image. Snyk identifies vulnerabilities in the base image OS packages and application dependencies. To scan a locally built image, build it first with 'docker build -t myapp .' and then run 'snyk container test myapp'. Add '--file=Dockerfile' to include Dockerfile best practice recommendations. Use 'snyk container monitor' to continuously track an image in the Snyk dashboard.

How do I scan Terraform files with Snyk IaC?

Run 'snyk iac test' from a directory containing Terraform (.tf), CloudFormation (.yaml/.json), Kubernetes manifests, or ARM templates. Snyk IaC checks for misconfigurations like publicly accessible S3 buckets, unencrypted databases, overly permissive security groups, and missing logging configurations. You can target specific files with 'snyk iac test main.tf' or scan an entire directory recursively. Use '--severity-threshold=high' to filter results by severity level and '--report' to send results to the Snyk dashboard.

How do I set up Snyk in GitHub Actions?

Create a workflow file at .github/workflows/snyk.yml that runs on pull_request events. Use the 'snyk/actions' official GitHub Actions - snyk/actions/node for Node.js projects, snyk/actions/python for Python, snyk/actions/docker for containers, and snyk/actions/iac for infrastructure as code. Store your Snyk API token as a GitHub secret named SNYK_TOKEN. The action runs 'snyk test' and posts results as a check on the pull request. Add 'continue-on-error: true' with SARIF upload to see results in GitHub's Security tab.

What is the .snyk policy file and how do I use it?

The .snyk file is a YAML policy file that lives in your project root and controls how Snyk handles specific vulnerabilities. You can use it to ignore vulnerabilities that are not exploitable in your context, set custom severity levels, and exclude specific paths from scanning. Create it by running 'snyk ignore --id=SNYK-JS-EXAMPLE-12345 --reason="Not exploitable in our usage"'. The file should be committed to version control so the entire team shares the same policy. Each ignore entry includes the vulnerability ID, an expiration date, and a reason for the exception.

What is the difference between snyk test and snyk monitor?

The 'snyk test' command runs a one-time scan of your project and reports vulnerabilities in the terminal. It is designed for local development and CI/CD pipelines where you need immediate pass/fail results. The 'snyk monitor' command takes a snapshot of your project dependencies and uploads it to the Snyk dashboard for continuous monitoring. Snyk then checks your snapshot against its vulnerability database on a recurring schedule and sends alerts when new vulnerabilities are disclosed that affect your dependencies. Use 'snyk test' in CI for gating and 'snyk monitor' in your deployment pipeline after a successful build.

How do I fix vulnerabilities found by Snyk?

Snyk provides multiple remediation options depending on the vulnerability type. For open-source dependency vulnerabilities, run 'snyk fix' to automatically upgrade to the nearest non-vulnerable version. For vulnerabilities without a direct upgrade path, Snyk suggests applying a patch via 'snyk protect'. For Snyk Code findings, follow the remediation guidance that includes specific code change recommendations. In the Snyk dashboard, click 'Open a fix PR' to have Snyk create a pull request that upgrades the affected dependency. For container vulnerabilities, Snyk recommends alternative base images with fewer known vulnerabilities.

How do I set up the Snyk VS Code extension?

Open VS Code, go to the Extensions panel (Ctrl+Shift+X or Cmd+Shift+X), and search for 'Snyk Security'. Install the extension published by Snyk. After installation, click the Snyk icon in the sidebar and authenticate by clicking 'Connect VS Code with Snyk'. The extension scans your open files in real time for open-source dependency vulnerabilities, code security issues via Snyk Code, and IaC misconfigurations. Findings appear inline in the editor with severity indicators and remediation guidance. You can configure scan settings and severity filters in VS Code's settings under the Snyk section.

Can I use Snyk with GitLab, Bitbucket, or Azure DevOps?

Yes, Snyk supports all major Git platforms. For GitLab, go to Integrations in the Snyk dashboard and select GitLab. You will need a GitLab personal access token with api scope. For Bitbucket Cloud, select the Bitbucket Cloud integration and authorize via OAuth. For Bitbucket Server, provide your server URL and a personal access token. For Azure DevOps, select the Azure Repos integration and authorize with your Azure account. All integrations support automatic project import, PR checks, and recurring scanning. The Snyk CLI also works in any CI/CD system regardless of Git platform.

How do I reduce false positives in Snyk?

Snyk produces relatively few false positives compared to traditional SAST tools, but you can further reduce noise by configuring exclusions in the .snyk policy file for vulnerabilities that are not exploitable in your context. Use the '--severity-threshold' flag to filter out low-severity findings in CI. For Snyk Code, configure file exclusions in your Snyk organization settings to skip generated code, test files, and vendor directories. Enable Snyk's reachability analysis on Enterprise plans to determine whether vulnerable functions are actually called in your code, which eliminates false positives from unused dependency code paths.

How long does a Snyk scan take?

Snyk Open Source scans typically complete in 10 to 30 seconds because they analyze manifest files (package.json, requirements.txt, pom.xml) rather than scanning the entire codebase. Snyk Code SAST scans take 30 seconds to 3 minutes depending on project size, since they perform deeper semantic analysis of source code. Container scans take 15 to 60 seconds per image. IaC scans are the fastest, usually completing in under 10 seconds for typical Terraform or Kubernetes configurations. In CI/CD pipelines, the total Snyk scan adds 1 to 5 minutes to your build time.

---

Originally published at aicodereview.cc