At first, the hook tries to use a globally installed `snyk` tool. If it doesn't exist, the hook installs `snyk` into a `.fabasoad/pre-commit-snyk` temporary directory that will be removed after scanning is completed.
The following tools have to be available on a runner prior to using this pre-commit hook:
`<rev>`, in the examples below, is the latest revision tag from the fabasoad/pre-commit-snyk repository.
This hook runs the `snyk code test` command.

```yaml
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev: <rev>
    hooks:
      - id: snyk-code
```

This hook runs the `snyk container test` command.

```yaml
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev: <rev>
    hooks:
      - id: snyk-container
```

This hook runs the `snyk iac test` command.

```yaml
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev: <rev>
    hooks:
      - id: snyk-iac
```

This hook runs the `snyk log4shell` command.

```yaml
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev: <rev>
    hooks:
      - id: snyk-log4shell
```

This hook runs the `snyk test` command.

```yaml
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev: <rev>
    hooks:
      - id: snyk-test
```
There are 2 ways to customize scanning for both `snyk` and `pre-commit-snyk`: environment variables and arguments passed to `args`. You can pass arguments to the hook as well as to `snyk` itself. To distinguish the two sets of parameters, use `--snyk-args` for `snyk` arguments and `--hook-args` for `pre-commit-snyk` arguments. The only supported delimiter is `=`, so use `--hook-args=<arg>` and not `--hook-args <arg>`. See the Examples for more details.
You can install `snyk` locally and run `snyk --help` to see all the available arguments:
```text
$ snyk --version
1.1291.1
$ snyk --help
CLI help
Snyk CLI scans and monitors your projects for security vulnerabilities and license issues.
For more information visit the Snyk website https://snyk.io
For details see the CLI documentation https://docs.snyk.io/features/snyk-cli
How to get started
1. Authenticate by running snyk auth.
2. Test your local project with snyk test.
3. Get alerted for new vulnerabilities with snyk monitor.
Available commands
To learn more about each Snyk CLI command, use the --help option, for example, snyk auth
--help.
Note: The help on the docs site is the same as the --help in the CLI.
snyk auth
Authenticate Snyk CLI with a Snyk account.
snyk test
Test a project for open-source vulnerabilities and license issues.
Note: Use snyk test --unmanaged to scan all files for known open-source dependencies (C/C++
only).
snyk monitor
Snapshot and continuously monitor a project for open-source vulnerabilities and license
issues.
snyk container
These commands test and continuously monitor container images for vulnerabilities and
generate an SBOM for a container image.
snyk iac
These commands find and report security issues in Infrastructure as Code files; detect,
track, and alert on infrastructure drift and unmanaged resources; and create a .driftigore
file.
snyk code
The snyk code test command finds security issues using Static Code Analysis.
snyk sbom
Generate or test an SBOM document in ecosystems supported by Snyk.
snyk log4shell
Find Log4Shell vulnerability.
snyk config
Manage Snyk CLI configuration.
snyk policy
Display the .snyk policy for a package.
snyk ignore
Modify the .snyk policy to ignore stated issues.
Debug
Use -d option to output the debug logs.
Configure the Snyk CLI
You can use environment variables to configure the Snyk CLI and also set variables to
configure the Snyk CLI to connect with the Snyk API. See Configure the Snyk CLI
https://docs.snyk.io/features/snyk-cli/configure-the-snyk-cli
```
Here is the precedence order of the `pre-commit-snyk` tool (highest first):

1. Parameter passed to the hook as an argument via `--hook-args`.
2. Environment variable.
3. Default value.

For example, if you set `PRE_COMMIT_SNYK_LOG_LEVEL=warning` and `--hook-args=--log-level error`, then the `error` value will be used.
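One way to apply the two rules above, the `=` delimiter for `--hook-args`/`--snyk-args` and the log-level precedence, as an added POSIX sh example that is not the hook's own code; the function names `split_args`, `resolve_log_level` and `build_snyk_command` and the variables `HOOK_ARGS`/`SNYK_ARGS` are assumed here.

```shell
#!/usr/bin/env sh
# Added example (not the hook's own code): applies the README's two rules,
# the "=" delimiter for --hook-args/--snyk-args and the log-level precedence
# (--hook-args > PRE_COMMIT_SNYK_LOG_LEVEL > default). Function names are assumed.

DEFAULT_LOG_LEVEL=info   # documented default of --log-level

# split_args args...: fills HOOK_ARGS and SNYK_ARGS from --hook-args=/--snyk-args=
# values; the space-separated form ("--hook-args <arg>") is rejected early.
split_args() {
  HOOK_ARGS=""; SNYK_ARGS=""
  for arg in "$@"; do
    case $arg in
      --hook-args=*) HOOK_ARGS="$HOOK_ARGS ${arg#--hook-args=}" ;;
      --snyk-args=*) SNYK_ARGS="$SNYK_ARGS ${arg#--snyk-args=}" ;;
      --hook-args|--snyk-args)
        printf 'use %s=<arg>; "%s <arg>" is not supported\n' "$arg" "$arg" >&2; return 1 ;;
      *) printf 'unknown argument: %s\n' "$arg" >&2; return 1 ;;
    esac
  done
  HOOK_ARGS=${HOOK_ARGS# }; SNYK_ARGS=${SNYK_ARGS# }
}

# resolve_log_level <hook-args string>: prints the effective pre-commit-snyk
# log level following the precedence order, rejecting values outside the
# documented set (debug, info, warning, error).
resolve_log_level() {
  level=""
  set -- $1                      # word-split the collected hook args
  while [ $# -gt 0 ]; do
    case $1 in
      --log-level=*) level=${1#--log-level=} ;;
      --log-level) level=${2:-} ;;
    esac
    shift
  done
  [ -n "$level" ] || level=${PRE_COMMIT_SNYK_LOG_LEVEL:-$DEFAULT_LOG_LEVEL}
  case $level in
    debug|info|warning|error) printf '%s\n' "$level" ;;
    *) printf 'unsupported log level: %s\n' "$level" >&2; return 1 ;;
  esac
}

# build_snyk_command <subcommand> args...: prints the snyk command line the
# hook would run, e.g. "snyk test --file=requirements.txt".
build_snyk_command() {
  sub=$1; shift
  split_args "$@" || return 1
  resolve_log_level "$HOOK_ARGS" >/dev/null || return 1
  printf 'snyk %s%s\n' "$sub" "${SNYK_ARGS:+ $SNYK_ARGS}"
}
```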
With this parameter you can control the log level of the `pre-commit-snyk` hook output. It doesn't affect the `snyk` log level output; to control that, see the Snyk parameters.

- Parameter name: `--log-level`
- Environment variable: `PRE_COMMIT_SNYK_LOG_LEVEL`
- Possible values: `debug`, `info`, `warning`, `error`
- Default: `info`
With this parameter you can enable/disable the coloring of `pre-commit-snyk` hook logs. It doesn't affect the coloring of `snyk` logs.

- Parameter name: `--log-color`
- Environment variable: `PRE_COMMIT_SNYK_LOG_COLOR`
- Possible values: `true`, `false`
- Default: `true`
Specifies the `snyk` version to use. This works only if `snyk` is not globally installed; otherwise the globally installed `snyk` takes precedence.

- Parameter name: `--snyk-version`
- Environment variable: `PRE_COMMIT_SNYK_SNYK_VERSION`
- Possible values: any released Snyk CLI version
- Default: `latest`
With this parameter you can choose either to keep the cache directory (`.fabasoad/pre-commit-snyk`) or to remove it. By default, the cache directory is removed. With `false`, the cache directory is kept, which means that if `snyk` is not installed globally, subsequent runs won't download `snyk` again. Don't forget to add the cache directory to the `.gitignore` file.

- Parameter name: `--clean-cache`
- Environment variable: `PRE_COMMIT_SNYK_CLEAN_CACHE`
- Possible values: `true`, `false`
- Default: `true`
Pass arguments separately from each other:

```yaml
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev: <rev>
    hooks:
      - id: snyk-test
        args:
          - --hook-args=--log-level debug
          - --snyk-args=--package-manager=pip
          - --snyk-args=--file=requirements.txt
```

Pass arguments altogether, grouped by category:

```yaml
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev: <rev>
    hooks:
      - id: snyk-iac
        args:
          - --hook-args=--log-level debug
          - --snyk-args=--detection-depth=1 --ignore-policy
```