{"id":13841152,"url":"https://github.com/snyk/snyk-maven-plugin","last_synced_at":"2025-05-07T15:22:49.994Z","repository":{"id":20677346,"uuid":"90587883","full_name":"snyk/snyk-maven-plugin","owner":"snyk","description":"Test and monitor your projects for vulnerabilities with Maven. This plugin is officially maintained by Snyk.","archived":false,"fork":false,"pushed_at":"2024-08-13T12:05:48.000Z","size":467,"stargazers_count":79,"open_issues_count":34,"forks_count":47,"subscribers_count":102,"default_branch":"main","last_synced_at":"2025-03-31T11:21:19.589Z","etag":null,"topics":["maven","maven-plugin","monitors","security","security-tools","snyk","snyk-cli","vulnerabilities"],"latest_commit_sha":null,"homepage":"https://snyk.io","language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/snyk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-08T04:57:54.000Z","updated_at":"2024-11-21T16:00:04.000Z","dependencies_parsed_at":"2024-01-16T19:09:03.296Z","dependency_job_id":"6a6ec263-859b-4dff-b2c4-7dbd58582933","html_url":"https://github.com/snyk/snyk-maven-plugin","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk%2Fsnyk-maven-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk%2Fsnyk-maven-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk%2Fsnyk-maven-plugin/releases","manifests_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk%2Fsnyk-maven-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/snyk","download_url":"https://codeload.github.com/snyk/snyk-maven-plugin/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252903031,"owners_count":21822359,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["maven","maven-plugin","monitors","security","security-tools","snyk","snyk-cli","vulnerabilities"],"created_at":"2024-08-04T17:01:03.348Z","updated_at":"2025-05-07T15:22:49.973Z","avatar_url":"https://github.com/snyk.png","language":"Java","funding_links":[],"categories":["Java","Java (504)"],"sub_categories":[],"readme":"\u003cimg src=\"https://snyk.io/style/asset/logo/snyk-print.svg\" alt=\"Snyk Logo\" /\u003e\n\n# Snyk Maven Plugin\n\n[![Maven Release](https://img.shields.io/maven-central/v/io.snyk/snyk-maven-plugin)](https://search.maven.org/artifact/io.snyk/snyk-maven-plugin)\n[![Vulnerabilities](https://img.shields.io/snyk/vulnerabilities/github/snyk/snyk-maven-plugin.svg)](https://snyk.io)\n\nTests and monitors your Maven dependencies for vulnerabilities. This plugin is\nofficially maintained by [Snyk](https://snyk.io).\n\n## Installation\n\n1. [Get your Snyk API token.](https://support.snyk.io/hc/en-us/articles/360004037537-Authentication-for-third-party-tools)\n\n2. 
Add the Snyk Maven Plugin to your `pom.xml` and configure it as needed.\n\n```xml\n\u003c!-- Example Plugin Configuration --\u003e\n\u003cbuild\u003e\n  \u003cplugins\u003e\n    \u003cplugin\u003e\n      \u003cgroupId\u003eio.snyk\u003c/groupId\u003e\n      \u003cartifactId\u003esnyk-maven-plugin\u003c/artifactId\u003e\n      \u003cversion\u003e2.0.0\u003c/version\u003e\n      \u003cinherited\u003efalse\u003c/inherited\u003e\n      \u003cexecutions\u003e\n        \u003cexecution\u003e\n          \u003cid\u003esnyk-test\u003c/id\u003e\n          \u003cgoals\u003e\n            \u003cgoal\u003etest\u003c/goal\u003e\n          \u003c/goals\u003e\n        \u003c/execution\u003e\n        \u003cexecution\u003e\n          \u003cid\u003esnyk-monitor\u003c/id\u003e\n          \u003cgoals\u003e\n            \u003cgoal\u003emonitor\u003c/goal\u003e\n          \u003c/goals\u003e\n        \u003c/execution\u003e\n      \u003c/executions\u003e\n      \u003cconfiguration\u003e\n        \u003capiToken\u003e${env.SNYK_TOKEN}\u003c/apiToken\u003e\n        \u003cargs\u003e\n          \u003carg\u003e--all-projects\u003c/arg\u003e\n        \u003c/args\u003e\n      \u003c/configuration\u003e\n    \u003c/plugin\u003e\n  \u003c/plugins\u003e\n\u003c/build\u003e\n```\n\n## Supported Versions\n\n- Java 8 and above.\n- Maven 3.2.5 and above.\n\n## Goals\n\n### `code-test` (experimental)\n\nDefault phase: `test`\n\nPerforms a static-analysis of your project's source code and provides a list of\nvulnerabilities if any are found.\n\n### `container-test` (experimental)\n\nDefault phase: `install`\n\nPerforms analysis of the layers of a container image.  
The tag of the image to\nbe scanned should be provided as an argument:\n\n```xml\n\u003c!-- Example of specifying the tag of the image to scan --\u003e\n\u003cconfiguration\u003e\n  \u003cargs\u003e\n    \u003carg\u003e--print-deps\u003c/arg\u003e\n    \u003carg\u003enginx:1.9.5\u003c/arg\u003e\n  \u003c/args\u003e\n\u003c/configuration\u003e\n```\n\n### `test`\n\nDefault phase: `test`\n\nScans your project's dependencies and provides a list of vulnerabilities if any\nare found.\n\n### `monitor`\n\nDefault phase: `install`\n\nTakes a snapshot of your project's dependency tree and monitors it\non [snyk.io](https://snyk.io). You'll be alerted when new relevant\nvulnerabilities, updates or patches are disclosed.\n\n## Configuration\n\nYou can configure the following parameters inside the `\u003cconfiguration\u003e` section.\nAll parameters are optional.\n\n### `apiToken` \\[string\\]\n\n\u003e ⚠️ Do NOT include your API token directly in your `pom.xml`. Use a variable\n\u003e instead.\n\nYou must provide a Snyk API token to access Snyk's services. You can do so by:\n\n- Providing `apiToken` in your configuration using a variable.\n- Providing a `SNYK_TOKEN` environment variable.\n- Authenticating via `snyk auth` using the Snyk CLI before using this plugin.\n\n### `skip` \\[boolean\\]\n\nDefault: `false`\n\nSkip this execution entirely.\n\nWhen running `mvn`, you can also use `-Dsnyk.skip` to enable this behavior.\n\n### `failOnIssues` \\[boolean\\]\n\nDefault: `true`\n\nWhen set to `true`, the Maven build fails if the Snyk CLI indicates that action is\nrequired to remedy a security issue. When set to `false`, the build continues even if action is\nrequired.\n\n### `args` \\[array\\\u003cstring\\\u003e\\]\n\nThis plugin uses [Snyk CLI](https://github.com/snyk/snyk) so you can pass any\nsupported arguments using `\u003cargs\u003e`. 
See the example below.\n\nFor a list of supported arguments,\nsee [Snyk CLI Reference](https://support.snyk.io/hc/en-us/articles/360003812578-CLI-reference).\n\n```xml\n\u003c!-- Example Arguments Configuration --\u003e\n\u003cconfiguration\u003e\n  \u003cargs\u003e\n    \u003carg\u003e--severity-threshold=high\u003c/arg\u003e\n    \u003carg\u003e--scan-all-unmanaged\u003c/arg\u003e\n    \u003carg\u003e--json\u003c/arg\u003e\n  \u003c/args\u003e\n\u003c/configuration\u003e\n```\n\n### `cli` \\[object\\]\n\nLets you configure the Snyk CLI that's used by this plugin.\n\nBy default, the CLI will be automatically downloaded and updated for you.\n\nSee [CLI Configuration](#cli-configuration).\n\n## CLI Configuration\n\n\u003e ⚠️ For most use cases you don't need to set any `\u003ccli\u003e` options.\n\nYou can configure the CLI in three different modes:\n\n- [Auto-Download and Update](#auto-download-and-update) (default)\n- [Custom CLI Executable](#custom-cli-executable)\n- [Specific CLI Version](#specific-cli-version)\n\nFollow the link for each mode to see which parameters are available.\n\n```xml\n\u003c!-- Example CLI Configuration --\u003e\n\u003cconfiguration\u003e\n  \u003ccli\u003e\n    \u003cupdatePolicy\u003edaily\u003c/updatePolicy\u003e\n  \u003c/cli\u003e\n\u003c/configuration\u003e\n```\n\n### Auto-Download and Update\n\n#### `updatePolicy` \\[string\\]\n\nDefault: `daily`\n\nHow often to download the latest CLI release. Snyk recommends always keeping your CLI installation updated to the latest version. Can be one of the following:\n\n- `daily` - On the first execution of the day.\n- `always` - On every execution.\n- `never` - Never update after the initial download.\n- `interval:\u003cminutes\u003e` - On the execution after more than `\u003cminutes\u003e` has passed\n  since the last update. e.g. 
`interval:60` will update after an hour.\n\n#### `downloadDestination` \\[string\\]\n\nDefault: OS-specific, see below.\n\nWhere to place the downloaded executable. By default, this is OS-specific as\nfollows:\n\n- Linux - `$XDG_DATA_HOME/snyk/snyk-linux` or `~/.local/share/snyk/snyk-linux`\n- macOS - `~/Library/Application Support/Snyk/snyk-macos`\n- Windows - `%APPDATA%\\Snyk\\snyk-win.exe`\n\n### Custom CLI Executable\n\n#### `executable` \\[string\\]\n\nExample: `~/.local/share/snyk/snyk-linux`\n\nPath to a pre-installed Snyk CLI executable. You can find executables on the\n[Snyk CLI Releases page](https://github.com/snyk/snyk/releases).\n\n### Specific CLI Version\n\n#### `version` \\[string\\]\n\nExample: `1.542.0`\n\nSpecify if you want to use a specific version. You can find versions on the\n[Snyk CLI Releases page](https://github.com/snyk/snyk/releases).\n\nSetting this option will trigger a download of the CLI on every execution.\n\n## Demonstration\n\nTo try out this plugin, see [the demo project](https://github.com/snyk/demo-snyk-maven-plugin).\n\n## Migrating from Snyk Maven Plugin v1 to v2\n\nAll plugin parameters from v1 should be moved to the `\u003cargs\u003e` object, to keep\nthem in line with the CLI usage. 
For example:\n\n- `org` =\u003e `\u003carg\u003e--org=my-org-name\u003c/arg\u003e`\n- `failOnSeverity` =\u003e `\u003carg\u003e--severity-threshold=low|medium|high\u003c/arg\u003e`\n- `failOnAuthError` =\u003e Use `\u003cskip\u003etrue\u003c/skip\u003e` to skip plugin execution.\n- `includeProvidedDependencies` =\u003e `provided` dependencies are always included.\n\nFor a list of supported arguments, see [Configuration](#args-arraystring).\n\n---\n\nMade with 💜 by Snyk\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnyk%2Fsnyk-maven-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnyk%2Fsnyk-maven-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnyk%2Fsnyk-maven-plugin/lists"}