Snyk CLI
Official, open-source, actively maintained. Cross-platform (macOS, Linux). 5.5k stars.
The official Snyk CLI. Scan dependencies for vulnerabilities, audit container images, test infrastructure-as-code, and run static analysis with structured JSON and SARIF output.
What your agent can do
You run `npm audit` and get a wall of text. 47 vulnerabilities, nested dependency chains, no clear priority. Which ones actually matter? Which are reachable from your code? Your agent runs `snyk test --json` and gets structured vulnerability data with severity scores, exploit maturity, fix recommendations, and upgrade paths. Parse the JSON, filter by severity, and act on what matters.

Snyk scans four surfaces from one CLI. `snyk test` for application dependencies (npm, pip, Maven, Go modules, and more). `snyk container test` for Docker image vulnerabilities. `snyk iac test` for Terraform, CloudFormation, and Kubernetes misconfigurations. `snyk code test` for source code security issues (SAST). Your agent runs all four in a CI pipeline and gets a complete security picture.

Exit codes are the agent-native design detail. Exit 0 means no vulnerabilities found. Exit 1 means vulnerabilities were found (the JSON output has the details). Exit 2 means an error occurred. Your agent uses exit codes to gate deployments: if `snyk test` returns 1 with any critical severity, block the deploy. No output parsing needed for the go/no-go decision.

The `--sarif` flag outputs results in SARIF format (Static Analysis Results Interchange Format). Upload directly to GitHub Code Scanning with `gh api`: your vulnerabilities appear as annotations on pull requests. Your agent chains `snyk test --sarif | gh api repos/{owner}/{repo}/code-scanning/sarifs -X POST` for automated security feedback in code review.

`snyk monitor` takes a snapshot and watches for new vulnerabilities over time. Your agent runs it post-deploy: `snyk monitor --json`. When a new CVE affects one of your dependencies, Snyk alerts you even if you haven't changed your code. Continuous security monitoring without continuous scanning.
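The exit-code gate and JSON filtering described above, as an added example (not Snyk's own code). It assumes the exit-code contract stated on this page (0 clean, 1 vulnerabilities found, 2 error) and a JSON document with a top-level `vulnerabilities` array whose entries carry `id`, `severity`, `packageName`, `version` and `upgradePath` fields; those field names are an assumption, and the embedded sample document is constructed, not real scanner output. The gate fails closed: a scanner error or unparseable output blocks the deploy rather than letting it through.

```python
"""Gate a deployment on `snyk test --json` output (added example, not Snyk's code).

Assumptions: exit 0 = clean, 1 = vulnerabilities found, 2 = error, and a JSON
body with a "vulnerabilities" array whose records have "id", "severity",
"packageName", "version" and "upgradePath" (assumed field names).
"""
import json
import subprocess
from typing import Any

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
EXIT_CLEAN, EXIT_VULNS_FOUND, EXIT_ERROR = 0, 1, 2

# Constructed sample standing in for real `snyk test --json` output.
SAMPLE_JSON = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-SAMPLE-0001", "severity": "critical",
         "packageName": "sample-parser", "version": "1.2.0",
         "upgradePath": [False, "sample-parser@1.2.3"]},
        {"id": "SNYK-SAMPLE-0002", "severity": "high",
         "packageName": "sample-http", "version": "4.0.1",
         "upgradePath": []},
        {"id": "SNYK-SAMPLE-0003", "severity": "medium",
         "packageName": "sample-util", "version": "0.9.0",
         "upgradePath": [False, "sample-util@0.9.4"]},
    ],
})


def findings_at_or_above(json_text: str, threshold: str) -> list[dict[str, Any]]:
    """Return vulnerability records whose severity is >= threshold, worst first."""
    data = json.loads(json_text)
    floor = SEVERITY_RANK[threshold]  # KeyError on an unknown threshold name
    hits = [v for v in data.get("vulnerabilities", [])
            if SEVERITY_RANK.get(str(v.get("severity", "")).lower(), -1) >= floor]
    hits.sort(key=lambda v: SEVERITY_RANK[v["severity"].lower()], reverse=True)
    return hits


def fix_hint(v: dict[str, Any]) -> str:
    """Turn an upgradePath entry into a one-line remediation hint."""
    target = next((p for p in (v.get("upgradePath") or []) if isinstance(p, str)), None)
    return f"upgrade to {target}" if target else "no direct upgrade path; consider replacing or patching"


def gate(exit_code: int, json_text: str, threshold: str = "critical") -> tuple[bool, str, list]:
    """Decide go/no-go from the scanner's exit code, then from its JSON. Returns (allow, reason, blocking)."""
    if exit_code == EXIT_CLEAN:
        return True, "no vulnerabilities found", []
    if exit_code != EXIT_VULNS_FOUND:
        # Exit 2 (or anything unexpected) means the scan itself failed: fail closed.
        return False, f"scanner error (exit {exit_code}); refusing to deploy an unverified tree", []
    try:
        blocking = findings_at_or_above(json_text, threshold)
    except (ValueError, KeyError, AttributeError, TypeError) as exc:
        return False, f"could not parse scanner output: {exc}", []
    if blocking:
        return False, f"{len(blocking)} finding(s) at or above {threshold}", blocking
    return True, f"vulnerabilities found but none at or above {threshold}", []


def run_snyk_test(project_dir: str = ".") -> tuple[int, str]:
    """Run the real CLI (needs `snyk` on PATH and SNYK_TOKEN set). Not exercised offline."""
    proc = subprocess.run(["snyk", "test", "--json"], cwd=project_dir,
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in run_snyk_test(".") in CI.
    allow, reason, blocking = gate(EXIT_VULNS_FOUND, SAMPLE_JSON, threshold="high")
    print(("ALLOW" if allow else "BLOCK") + ": " + reason)
    for v in blocking:
        print(f"  [{v['severity']}] {v['id']} in {v['packageName']}@{v['version']}: {fix_hint(v)}")
```

In CI the script's own exit status becomes the gate: return non-zero whenever `gate` says block, so the pipeline stops without any further parsing, and print the blocking list so the reason is visible in the job log.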
Limitations
Free tier is limited to 200 tests per month for open-source projects. Some features (custom policies, license compliance) require paid plans. Vulnerability database coverage varies by ecosystem — npm and Python are strongest. No official MCP server. Container scanning requires Docker to be running for local images.
Key Commands
- `snyk test --json`: scan project dependencies for known vulnerabilities and return structured results
- `snyk container test`: scan a Docker container image for OS and application vulnerabilities
- `snyk iac test`: scan infrastructure-as-code files for misconfigurations
- `snyk code test`: run static analysis (SAST) on source code for security issues
- `snyk monitor`: take a snapshot of the project and monitor for new vulnerabilities continuously
GitHub Stats
- repo: snyk/cli
- stars: 5.5k
- language: TypeScript
- license: Apache-2.0
- last commit: Mar 24, 2026
FAQ
- Is Snyk CLI free?
- Yes, for open-source projects (200 tests/month). Snyk CLI is open-source under Apache 2.0. Install with `brew install snyk` or `npm install -g snyk`. Authenticate with `snyk auth` (browser login) or the `SNYK_TOKEN` environment variable for CI. Paid plans add team features, higher limits, and license compliance scanning.
- Can AI agents use Snyk CLI?
- Yes. Snyk runs fully non-interactively with `SNYK_TOKEN` for authentication. Every scan command supports `--json` for structured output and `--sarif` for GitHub Code Scanning integration. Exit codes indicate the scan outcome (0=clean, 1=vulns found, 2=error). Your agent scans dependencies, containers, IaC, and source code in CI pipelines without interactive prompts.
- What is the difference between Snyk and npm audit?
- Snyk covers more than npm. Beyond JavaScript dependencies, Snyk scans Python, Go, Java, Ruby, .NET, and more. It also scans container images, infrastructure-as-code (Terraform, CloudFormation), and source code. Snyk provides fix recommendations with specific upgrade paths. npm audit only covers npm packages and gives less actionable output. For agent workflows, Snyk's `--json` output is more structured and consistent.
- Can Snyk scan Docker containers?
- Yes. `snyk container test node:20-alpine --json` scans the image for OS-level and application vulnerabilities. It identifies which layer introduced each vulnerability and recommends base image upgrades. Your agent scans images before pushing to registries, catching vulnerable dependencies before deployment.
- How does Snyk integrate with GitHub?
- Two ways. First, `snyk test --sarif` outputs SARIF format that uploads to GitHub Code Scanning via `gh api`. Vulnerabilities appear as PR annotations. Second, `snyk monitor` sends snapshots to the Snyk dashboard, which can auto-create fix PRs on GitHub. Your agent uses SARIF upload for PR-level feedback and monitor for continuous tracking.
Related tools in Security
- Vault CLI (official, Security, 35.3k stars): the official HashiCorp Vault CLI. Read and write secrets, generate dynamic credentials, manage encryption keys, and control access policies with structured JSON output. Install: `brew tap hashicorp/tap && brew install hashicorp/tap/vault`
- 1Password CLI (official, Security, 206 stars): the official 1Password CLI. Read secrets, inject credentials into processes, and manage vaults without exposing sensitive values in scripts or environment files. Install: `brew install 1password-cli`
Last verified: Mar 25, 2026