https://github.com/snyk/snyk-maven-plugin

Test and monitor your projects for vulnerabilities with Maven. This plugin is officially maintained by Snyk.
- Host: GitHub
 - URL: https://github.com/snyk/snyk-maven-plugin
 - Owner: snyk
 - License: other
 - Created: 2017-05-08T04:57:54.000Z (over 8 years ago)
 - Default Branch: main
 - Last Pushed: 2024-08-13T12:05:48.000Z (about 1 year ago)
 - Last Synced: 2025-03-31T11:21:19.589Z (7 months ago)
 - Topics: maven, maven-plugin, monitors, security, security-tools, snyk, snyk-cli, vulnerabilities
 - Language: Java
 - Homepage: https://snyk.io
 - Size: 456 KB
 - Stars: 79
 - Watchers: 102
 - Forks: 47
 - Open Issues: 34
 - Metadata Files:
   - Readme: README.md
   - Contributing: CONTRIBUTING.md
   - License: LICENSE
   - Codeowners: .github/CODEOWNERS

Awesome Lists containing this project
- awesome-hacking-lists - snyk/snyk-maven-plugin - Test and monitor your projects for vulnerabilities with Maven. This plugin is officially maintained by Snyk. (Java)
 
README
          
# Snyk Maven Plugin
[Maven Central](https://search.maven.org/artifact/io.snyk/snyk-maven-plugin)
Tests and monitors your Maven dependencies for vulnerabilities. This plugin is
officially maintained by [Snyk](https://snyk.io).
## Installation
1. [Get your Snyk API token.](https://support.snyk.io/hc/en-us/articles/360004037537-Authentication-for-third-party-tools)
2. Add the Snyk Maven Plugin to your `pom.xml` and configure it as needed.
```xml
<plugins>
  <plugin>
    <groupId>io.snyk</groupId>
    <artifactId>snyk-maven-plugin</artifactId>
    <version>2.0.0</version>
    <inherited>false</inherited>
    <executions>
      <execution>
        <id>snyk-test</id>
        <goals>
          <goal>test</goal>
        </goals>
      </execution>
      <execution>
        <id>snyk-monitor</id>
        <goals>
          <goal>monitor</goal>
        </goals>
      </execution>
    </executions>
    <configuration>
      <apiToken>${env.SNYK_TOKEN}</apiToken>
      <args>
        <arg>--all-projects</arg>
      </args>
    </configuration>
  </plugin>
</plugins>
```
## Supported Versions
- Java 8 and above.
- Maven 3.2.5 and above.
## Goals
### `code-test` (experimental)
Default phase: `test`
Performs static analysis of your project's source code and provides a list of
vulnerabilities if any are found.
### `container-test` (experimental)
Default phase: `install`
Performs analysis of the layers of a container image. The tag of the image to
be scanned should be provided as an argument:
```xml
<args>
  <arg>--print-deps</arg>
  <arg>nginx:1.9.5</arg>
</args>
```
### `test`
Default Phase: `test`
Scans your project's dependencies and provides a list of vulnerabilities if any
are found.
### `monitor`
Default Phase: `install`
Takes a snapshot of your project's dependency tree and monitors it
on [snyk.io](https://snyk.io). You'll be alerted when new relevant
vulnerabilities, updates or patches are disclosed.
## Configuration
You can configure the following parameters inside the `<configuration>` section.
All parameters are optional.
### `apiToken` \[string\]
> ⚠️ Do NOT include your API token directly in your `pom.xml`. Use a variable
> instead.
You must provide a Snyk API token to access Snyk's services. You can do so by:
- Providing `apiToken` in your configuration using a variable.
- Providing a `SNYK_TOKEN` environment variable.
- Authenticating via `snyk auth` using the Snyk CLI before using this plugin.
### `skip` \[boolean\]
Default: `false`
Skip this execution entirely.
When running `mvn`, you can also use `-Dsnyk.skip` to enable this behavior.
### `failOnIssues` \[boolean\]
Default: `true`
When set to `true`, the Maven build is considered failed whenever the Snyk CLI
reports that action is required to remedy a security issue. When set to
`false`, the build continues even if action is required.
### `args` \[array<string>\]
This plugin uses the [Snyk CLI](https://github.com/snyk/snyk), so you can pass any
supported arguments using `<args>`. See the example below.
For a list of supported arguments,
see [Snyk CLI Reference](https://support.snyk.io/hc/en-us/articles/360003812578-CLI-reference).
```xml
<args>
  <arg>--severity-threshold=high</arg>
  <arg>--scan-all-unmanaged</arg>
  <arg>--json</arg>
</args>
```
### `cli` \[object\]
Lets you configure the Snyk CLI that's used by this plugin.
By default, the CLI will be automatically downloaded and updated for you.
See [CLI Configuration](#cli-configuration).
## CLI Configuration
> ⚠️ For most use cases you don't need to set any `<cli>` options.
You can configure the CLI in three different modes:
- [Auto-Download and Update](#auto-download-and-update) (default)
- [Custom CLI Executable](#custom-cli-executable)
- [Specific CLI Version](#specific-cli-version)
Follow the link for each mode to see which parameters are available.
```xml
<cli>
  <updatePolicy>daily</updatePolicy>
</cli>
```
### Auto-Download and Update
#### `updatePolicy` \[string\]
Default: `daily`
How often to download the latest CLI release. Snyk recommends always keeping your CLI installation updated to the latest version. Can be one of the following:
- `daily` - On the first execution of the day.
- `always` - On every execution.
- `never` - Never update after the initial download.
- `interval:<minutes>` - On the first execution after more than `<minutes>` minutes
  have passed since the last update, e.g. `interval:60` will update after an hour.
#### `downloadDestination` \[string\]
Default: OS-specific, see below.
Where to place the downloaded executable. By default, this is OS-specific as
follows:
- Linux - `$XDG_DATA_HOME/snyk/snyk-linux` or `~/.local/share/snyk/snyk-linux`
- macOS - `~/Library/Application Support/Snyk/snyk-macos`
- Windows - `%APPDATA%\Snyk\snyk-win.exe`
### Custom CLI Executable
#### `executable` \[string\]
Example: `~/.local/share/snyk/snyk-linux`
Path to a pre-installed Snyk CLI executable. You can find executables on the
[Snyk CLI Releases page](https://github.com/snyk/snyk/releases).
### Specific CLI Version
#### `version` \[string\]
Example: `1.542.0`
Specify if you want to use a specific version. You can find versions on the
[Snyk CLI Releases page](https://github.com/snyk/snyk/releases).
Setting this option will trigger a download of the CLI on every execution.
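The configuration and CLI options above combined into one `<build>` section, as an added example that is not from the plugin's README: the `test` goal gates the build on high-severity issues, `monitor` records the dependency tree without blocking, the token comes from the environment, and the CLI release is pinned. `my-org-name` is a placeholder and `1.542.0` is the version used in the README's own example.

```xml
<!-- Added example, not from the plugin's README. Uses only the goals and
     parameters documented above; my-org-name is a placeholder organisation. -->
<build>
  <plugins>
    <plugin>
      <groupId>io.snyk</groupId>
      <artifactId>snyk-maven-plugin</artifactId>
      <version>2.0.0</version>
      <inherited>false</inherited>
      <executions>
        <!-- Gate: runs in the `test` phase and fails the build on high-severity issues -->
        <execution>
          <id>snyk-test</id>
          <goals><goal>test</goal></goals>
          <configuration>
            <failOnIssues>true</failOnIssues>
            <args>
              <arg>--severity-threshold=high</arg>
              <arg>--all-projects</arg>
            </args>
          </configuration>
        </execution>
        <!-- Record: runs in the `install` phase, snapshots the tree, never blocks the build -->
        <execution>
          <id>snyk-monitor</id>
          <goals><goal>monitor</goal></goals>
          <configuration>
            <failOnIssues>false</failOnIssues>
            <args>
              <arg>--org=my-org-name</arg>
            </args>
          </configuration>
        </execution>
      </executions>
      <!-- Shared by both executions; each execution-level <configuration> merges with it -->
      <configuration>
        <!-- Token comes from the environment, never from the POM; `mvn -Dsnyk.skip` still bypasses both goals -->
        <apiToken>${env.SNYK_TOKEN}</apiToken>
        <cli>
          <!-- Pinned for reproducible CI builds; the plugin downloads this release on every run -->
          <version>1.542.0</version>
        </cli>
      </configuration>
    </plugin>
  </plugins>
</build>
```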
## Demonstration
To try out this plugin, see [the demo project](https://github.com/snyk/demo-snyk-maven-plugin).
## Migrating from Snyk Maven Plugin v1 to v2
All plugin parameters from v1 should be moved to the `<args>` object, to keep
them in line with the CLI usage. For example:
- `org` => `--org=my-org-name`
- `failOnSeverity` => `--severity-threshold=low|medium|high`
- `failOnAuthError` => Use `<skip>true</skip>` to skip plugin execution.
- `includeProvidedDependencies` => `provided` dependencies are always included.
For a list of supported arguments, see [Configuration](#args-arraystring).
---
Made with 💜 by Snyk