https://github.com/asos/snyker

An opinionated, heavy-handed wrapper around Snyk.
https://github.com/asos/snyker

cli security snyk snyk-cli vulnerabilities vulnerable-paths

Last synced: about 1 month ago
JSON representation

An opinionated, heavy-handed wrapper around Snyk.

• Host: GitHub
• URL: https://github.com/asos/snyker
• Owner: ASOS
• License: mit
• Created: 2021-10-26T13:31:55.000Z (over 2 years ago)
• Default Branch: main
• Last Pushed: 2021-12-16T13:11:33.000Z (over 2 years ago)
• Last Synced: 2024-05-14T20:17:08.405Z (about 2 months ago)
• Topics: cli, security, snyk, snyk-cli, vulnerabilities, vulnerable-paths
• Language: JavaScript
• Homepage:
• Size: 50.8 KB
• Stars: 6
• Watchers: 6
• Forks: 0
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • Contributing: docs/CONTRIBUTING.md
  • License: LICENSE
  • Codeowners: docs/CODEOWNERS

Lists

• awesome-snyk-community - Snyker - An opinionated CLI wrapper around Snyk for purging vulnerabilities from Node projects. (Snyk CLI, Plugins, Extensions, Filters)

README

        


  
Snyker




An opinionated CLI wrapper around Snyk for purging vulnerabilities from Node projects





   

   

   

   

   

   

   

   





  You're not you when you've got hundreds of vulnerable paths



---

## Getting Started

```bash

# Start fixing vulnerabilities straight away using NPX

npx @asos/snyker

# Add to your global NPM packages

npm i -g @asos/snyker

# Or to your global Yarn packages

yarn global add @asos/snyker

```

## About

The Snyk CLI is great for reporting vulnerabilities and providing top level dependency upgrades and patches, but struggles when the vulnerability rests within a nested sub-dependency. This is despite the fact that many sub-dependencies have reasonable flexibility in the version ranges they allow for their own dependencies.

This CLI takes a brute-force approach to solving this limitation of Snyk. It purges the `.snyk` file from a project, checks for vulnerable paths using Snyk, then forces `yarn` / `npm` to try to upgrade any dependency along the vulnerable paths before finally ignoring any vulnerability that cannot be fixed in the previous steps. If a patch is available for any outstanding vulnerability then it is also added to the Snyk policy.

Note that this tool obeys your defined package version ranges and therefore can't fix anything that requires a major upgrade if you are only permitting minor or patch upgrades.

This tool also does not make use of Snyk's ability to perform package major upgrades. It will simply ignore vulnerabilities that cannot be fixed in the aforementioned steps. _It is on you to sanity check anything that this tool decides to ignore._

Snyker will list the known vulnerabilities it has been unable to fix. If Snyk reports that there are major upgrades available to fix one or more of the outstanding vulnerabilities, Snyker will output a recommended `yarn` / `npm` command for performing the upgrade(s).

It is recommended that you use this tool alongside the official Snyk wizard CLI, not replace it completely.

## Usage

### Options

```console

snyker --retries 3 --lockfile package-lock.json

```

| Flag                  | Description                                                            | Default     |

| --------------------- | ---------------------------------------------------------------------- | ----------- |

| `--lockfile ` | Specify the lockfile to use (e.g. `yarn.lock` or `package-lock.json`). | `yarn.lock` |

| `--retries `     | Will set the number of times to retry logical steps of Snyker.         | `2`         |

### Post Execution

It is recommended that you manually perform the following to ensure that you apply any upgrades that are available and currently unsupported by this CLI.

```console

rm .snyk

snyk wizard --dev

```

## Contributing

Please check out the [CONTRIBUTING](./docs/CONTRIBUTING.md) docs.

## Changelog

Please check out the [CHANGELOG](./docs/CHANGELOG.md) docs.

---

## License

Snyker is licensed under the [MIT License](./LICENSE.md).