jq is a handy CLI utility to easily print, filter and manipulate JSON data. Let me show you how I'm using it for some projects.
So let's say you have a Continuous Integration (CI) such as Travis, Circle or Jenkins to build your application, in which you are running Snyk's security tests via the CLI to hunt for those security vulnerabilities and break the build to make sure you're not introducing unnecessary risk.
How can you make sure you focus on actionability, so that developers are able to fix security issues when the build fails?
This is where
jq and JSON formatted results come in.
Did you also know you can get results in JSON output?
and how does that help us exactly?
Luckily, one of snyk's CLI command arguments is the ability to pass a
--json to a snyk test and pipe all of its output to
jq which we can then use with some filtering as below to selectively export or fail the build only on those open source security vulnerabilities in our project that could be addressed and fixed.
So here's an example:
$ snyk test --json | jq
That will just pretty print the JSON output in color and proper formatting and indentation as we didn't provide any arguments to
A super nice thing to do in a CI that promotes application security testing if you're using the Snyk CLI test is to make sure you're breaking the build on actionable security problems. Meaning, if the build breaks, developers can see why and then take action, such as to upgrade a library, in order to remediate the vulnerability.
Using jq, we can further do that thanks to Snyk's
isUpgradable field in the JSON results:
$ snyk test --json | jq '.vulnerabilities |= map(select(.isUpgradable == true or .isPatchable == true))`
Here are some further
jq related resources to keep you going:
- For filters and other operators documentation you may refer to the jq documentation
- Lastly you might want to read a more thorough post about getting the most out of Snyk test with JSON
- 1. To learn more about Snyk CLI command arguments we have created this Snyk CLI Cheat Sheet
If you care about your application security (you probably should? :-]) you might want to bump it up a notch and connect your source code repositories with Snyk (it's free, for private repos too!).
You get this lovely looking dashboard for your project and Snyk will also automatically open Pull Requests to fix your security issues: