Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/snyk/snyk-maven-plugin
Test and monitor your projects for vulnerabilities with Maven. This plugin is officially maintained by Snyk.
https://github.com/snyk/snyk-maven-plugin
maven maven-plugin monitors security security-tools snyk snyk-cli vulnerabilities
Last synced: 18 days ago
JSON representation
Test and monitor your projects for vulnerabilities with Maven. This plugin is officially maintained by Snyk.
- Host: GitHub
- URL: https://github.com/snyk/snyk-maven-plugin
- Owner: snyk
- License: other
- Created: 2017-05-08T04:57:54.000Z (over 7 years ago)
- Default Branch: main
- Last Pushed: 2024-08-13T12:05:48.000Z (4 months ago)
- Last Synced: 2024-11-17T20:02:49.901Z (26 days ago)
- Topics: maven, maven-plugin, monitors, security, security-tools, snyk, snyk-cli, vulnerabilities
- Language: Java
- Homepage: https://snyk.io
- Size: 456 KB
- Stars: 78
- Watchers: 106
- Forks: 47
- Open Issues: 34
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
Awesome Lists containing this project
- awesome-hacking-lists - snyk/snyk-maven-plugin - Test and monitor your projects for vulnerabilities with Maven. This plugin is officially maintained by Snyk. (Java)
README
# Snyk Maven Plugin
[![Maven Release](https://img.shields.io/maven-central/v/io.snyk/snyk-maven-plugin)](https://search.maven.org/artifact/io.snyk/snyk-maven-plugin)
[![Vulnerabilities](https://img.shields.io/snyk/vulnerabilities/github/snyk/snyk-maven-plugin.svg)](https://snyk.io)Tests and monitors your Maven dependencies for vulnerabilities. This plugin is
officially maintained by [Snyk](https://snyk.io).## Installation
1. [Get your Snyk API token.](https://support.snyk.io/hc/en-us/articles/360004037537-Authentication-for-third-party-tools)
2. Add the Snyk Maven Plugin to your `pom.xml` and configure it as needed.
```xml
io.snyk
snyk-maven-plugin
2.0.0
false
snyk-test
test
snyk-monitor
monitor
${env.SNYK_TOKEN}
--all-projects
```
## Supported Versions
- Java 8 and above.
- Maven 3.2.5 and above.## Goals
### `code-test` (experimental)
Default phase: `test`
Performs a static-analysis of your project's source code and provides a list of
vulnerabilities if any are found.### `container-test` (experimental)
Default phase: `install`
Performs analysis of the layers of a container image. The tag of the image to
be scanned should be provided as an argument;```xml
--print-deps
nginx:1.9.5
```
### `test`
Default Phase: `test`
Scans your project's dependencies and provides a list of vulnerabilities if any
are found.### `monitor`
Default Phase: `install`
Takes a snapshot of your project's dependency tree and monitors it
on [snyk.io](https://snyk.io). You'll be alerted when new relevant
vulnerabilities, updates or patches are disclosed.## Configuration
You can configure the following parameters inside the `` section.
All parameters are optional.### `apiToken` \[string\]
> ⚠️ Do NOT include your API token directly in your `pom.xml`. Use a variable
> instead.You must provide a Snyk API token to access Snyk's services. You can do so by:
- Providing `apiToken` in your configuration using a variable.
- Providing a `SNYK_TOKEN` environment variable.
- Authenticating via `snyk auth` using the Snyk CLI before using this plugin.### `skip` \[boolean\]
Default: `false`
Skip this execution entirely.
When running `mvn`, you can also use `-Dsnyk.skip` to enable this behavior.
### `failOnIssues` \[boolean\]
Default: `true`
When set to `true` then, should the Snyk CLI tool indicate that action is
required to remedy a security issue, the Maven build will be considered
failed. When set to `false` the build will continue even if action is
required.### `args` \[array\\]
This plugin uses [Snyk CLI](https://github.com/snyk/snyk) so you can pass any
supported arguments using ``. See the example below.For a list of supported arguments,
see [Snyk CLI Reference](https://support.snyk.io/hc/en-us/articles/360003812578-CLI-reference).```xml
--severity-threshold=high
--scan-all-unmanaged
--json
```
### `cli` \[object\]
Lets you configure the Snyk CLI that's used by this plugin.
By default, the CLI will be automatically downloaded and updated for you.
See [CLI Configuration](#cli-configuration).
## CLI Configuration
> ⚠️ For most use cases you don't need to set any `` options.
You can configure the CLI in three different modes:
- [Auto-Download and Update](#auto-download-and-update) (default)
- [Custom CLI Executable](#custom-cli-executable)
- [Specific CLI Version](#specific-cli-version)Follow the link for each mode to see which parameters are available.
```xml
daily
```
### Auto-Download and Update
#### `updatePolicy` \[string\]
Default: `daily`
How often to download the latest CLI release. Snyk recommends always keeping your CLI installation updated to the latest version. Can be one of the following:
- `daily` - On the first execution of the day.
- `always` - On every execution.
- `never` - Never update after the initial download.
- `interval:` - On the execution after more than `` has passed
since the last update. e.g. `interval:60` will update after an hour.#### `downloadDestination` \[string\]
Default: OS-specific, see below.
Where to place the downloaded executable. By default, this is OS-specific as
follows:- Linux - `$XDG_DATA_HOME/snyk/snyk-linux` or `~/.local/share/snyk/snyk-linux`
- macOS - `~/Library/Application Support/Snyk/snyk-macos`
- Windows - `%APPDATA%\Snyk\snyk-win.exe`### Custom CLI Executable
#### `executable` \[string\]
Example: `~/.local/share/snyk/snyk-linux`
Path to a pre-installed Snyk CLI executable. You can find executables on the
[Snyk CLI Releases page](https://github.com/snyk/snyk/releases).### Specific CLI Version
#### `version` \[string\]
Example: `1.542.0`
Specify if you want to use a specific version. You can find versions on the
[Snyk CLI Releases page](https://github.com/snyk/snyk/releases).Setting this option will trigger a download of the CLI on every execution.
## Demonstration
To try out this plugin, see [the demo project](https://github.com/snyk/demo-snyk-maven-plugin).
## Migrating from Snyk Maven Plugin v1 to v2
All plugin parameters from v1 should be moved to the `` object, to keep
them in line with the CLI usage. For example:- `org` => `--org=my-org-name`
- `failOnSeverity` => `--severity-threshold=low|medium|high`
- `failOnAuthError` => Use `true` to skip plugin execution.
- `includeProvidedDependencies` => `provided` dependencies are always included.For a list of supported arguments, see [Configuration](#args-arraystring).
---
Made with 💜 by Snyk