diff --git a/help/commands-docs/_EXAMPLES.md b/help/commands-docs/_EXAMPLES.md index f9b2538b9c..4608112662 100644 --- a/help/commands-docs/_EXAMPLES.md +++ b/help/commands-docs/_EXAMPLES.md @@ -30,6 +30,15 @@ See `snyk iac --help` for more details and examples: $ snyk iac test /path/to/tf-plan.json $ snyk iac test /path/to/arm_file.json +To use your own custom rules to scan IaC configuration files, download the `snyk-iac-rules` SDK from https://github.com/snyk/snyk-iac-rules. Follow the +instructions there to write, build, and push a custom rules bundle and then +either use the Snyk UI to configure your custom rules settings or configure +a remote OCI registry locally by running the following commands: + + $ snyk config set oci-registry-url=https://registry-1.docker.io/username/repo:tag + $ snyk config set oci-registry-username=username + $ snyk config set oci-registry-password=password + ### Static code analysis (SAST) scanning See `snyk code --help` for more details and examples: diff --git a/help/commands-docs/config.md b/help/commands-docs/config.md index 45327e17c6..9b53d773ac 100644 --- a/help/commands-docs/config.md +++ b/help/commands-docs/config.md @@ -36,3 +36,12 @@ This command does not manage the `.snyk` file that's part of your project. See ` - `disable-analytics`: Turns off analytics reporting. + +- `oci-registry-url`: + Configures the OCI registry used in IaC scannings with custom rules. + +- `oci-registry-username`: + Configures the username for an OCI registry used in IaC scannings with custom rules. + +- `oci-registry-password`: + Configures the password for an OCI registry used in IaC scannings with custom rules. diff --git a/help/commands-docs/iac-examples.md b/help/commands-docs/iac-examples.md index 464aafd7aa..d7d14e533b 100644 --- a/help/commands-docs/iac-examples.md +++ b/help/commands-docs/iac-examples.md 
@@ -19,3 +19,6 @@ - `Test matching files in a directory`: \$ snyk iac test /path/to/directory + +- `Test matching files in a directory using a local custom rules bundle`: + \$ snyk iac test /path/to/directory --rules=bundle.tar.gz diff --git a/help/commands-docs/iac.md b/help/commands-docs/iac.md index 3dba3d11e7..dac51f31e3 100644 --- a/help/commands-docs/iac.md +++ b/help/commands-docs/iac.md @@ -66,3 +66,11 @@ Find security issues in your Infrastructure as Code files. Default: If the `--scan` flag is not provided it would scan the proposed changes only by default. Example #1: `--scan=planned-values` (full state scan) Example #2: `--scan=resource-changes` (proposed changes scan) + +- `--rules=`: + Dedicated flag for Custom Rules scanning. + It enables the IaC scans to use a custom rules bundle generated via the `snyk-iac-rules` SDK. To download it and learn how to use it, go to + https://github.com/snyk/snyk-iac-rules. + This flag cannot be used if the custom rules settings were configured via the Snyk UI. + Default: If the `--rules` flag is not provided it would scan the configuration files using the internal Snyk rules only. + Example: `--rules=bundle.tar.gz` (scans the configuration files using custom rules and internal Snyk rules) diff --git a/help/commands-man/snyk-auth.1 b/help/commands-man/snyk-auth.1 index ef0cd112aa..2d9f41503b 100644 --- a/help/commands-man/snyk-auth.1 +++ b/help/commands-man/snyk-auth.1 @@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-AUTH" "1" "October 2021" "Snyk.io" +.TH "SNYK\-AUTH" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-auth\fR \- Authenticate Snyk CLI with a Snyk account .SH "SYNOPSIS" diff --git a/help/commands-man/snyk-code.1 b/help/commands-man/snyk-code.1 index 5cd600413a..bcedb6b7a2 100644 --- a/help/commands-man/snyk-code.1 +++ b/help/commands-man/snyk-code.1 
@@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-CODE" "1" "October 2021" "Snyk.io" +.TH "SNYK\-CODE" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-code\fR \- Find security issues using Static code analysis .SH "SYNOPSIS" diff --git a/help/commands-man/snyk-config.1 b/help/commands-man/snyk-config.1 index adcc529d2b..d9934c1390 100644 --- a/help/commands-man/snyk-config.1 +++ b/help/commands-man/snyk-config.1 @@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-CONFIG" "1" "October 2021" "Snyk.io" +.TH "SNYK\-CONFIG" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-config\fR \- Manage Snyk CLI configuration .SH "SYNOPSIS" @@ -33,6 +33,15 @@ Defines the API endpoint to use\. .TP \fBdisable\-analytics\fR Turns off analytics reporting\. +.TP +\fBoci\-registry\-url\fR +Configures the OCI registry used in IaC scannings with custom rules\. +.TP +\fBoci\-registry\-username\fR +Configures the username for an OCI registry used in IaC scannings with custom rules\. +.TP +\fBoci\-registry\-password\fR +Configures the password for an OCI registry used in IaC scannings with custom rules\. .SS "Flags available accross all commands" .TP \fB\-\-insecure\fR diff --git a/help/commands-man/snyk-container.1 b/help/commands-man/snyk-container.1 index a3b3af7101..812ceb782f 100644 --- a/help/commands-man/snyk-container.1 +++ b/help/commands-man/snyk-container.1 @@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-CONTAINER" "1" "October 2021" "Snyk.io" +.TH "SNYK\-CONTAINER" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-container\fR \- Test container images for vulnerabilities .SH "SYNOPSIS" diff --git a/help/commands-man/snyk-help.1 b/help/commands-man/snyk-help.1 index d6c36c43e4..0209555db0 100644 --- a/help/commands-man/snyk-help.1 +++ b/help/commands-man/snyk-help.1 
@@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-HELP" "1" "October 2021" "Snyk.io" +.TH "SNYK\-HELP" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-help\fR \- Prints help topics .SH "SYNOPSIS" diff --git a/help/commands-man/snyk-iac.1 b/help/commands-man/snyk-iac.1 index 56649c2b60..631972bc50 100644 --- a/help/commands-man/snyk-iac.1 +++ b/help/commands-man/snyk-iac.1 @@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-IAC" "1" "October 2021" "Snyk.io" +.TH "SNYK\-IAC" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-iac\fR \- Find security issues in your Infrastructure as Code files .SH "SYNOPSIS" @@ -62,6 +62,13 @@ It enables to control whether the scan should analyse the full final state (e\.g Default: If the \fB\-\-scan\fR flag is not provided it would scan the proposed changes only by default\. .br Example #1: \fB\-\-scan=planned\-values\fR (full state scan) Example #2: \fB\-\-scan=resource\-changes\fR (proposed changes scan) +.TP +\fB\-\-rules=\fR\fIPATH_TO_CUSTOM_RULES_BUNDLE\fR +Dedicated flag for Custom Rules scanning\. +.br +It enables the IaC scans to use a custom rules bundle generated via the \fBsnyk\-iac\-rules\fR SDK\. To download it and learn how to use it, go to https://github\.com/snyk/snyk\-iac\-rules\. This flag cannot be used if the custom rules settings were configured via the Snyk UI\. Default: If the \fB\-\-rules\fR flag is not provided it would scan the configuration files using the internal Snyk rules only\. +.br +Example: \fB\-\-rules=bundle\.tar\.gz\fR (scans the configuration files using custom rules and internal Snyk rules) .SS "Flags available accross all commands" .TP \fB\-\-insecure\fR 
@@ -98,6 +105,9 @@ $ snyk iac test /path/to/arm_file\.json .TP \fBTest matching files in a directory\fR $ snyk iac test /path/to/directory +.TP +\fBTest matching files in a directory using a local custom rules bundle\fR +$ snyk iac test /path/to/directory \-\-rules=bundle\.tar\.gz .SH "EXIT CODES" Possible exit codes and their meaning: .P diff --git a/help/commands-man/snyk-ignore.1 b/help/commands-man/snyk-ignore.1 index 5c8c7663b5..85092ce770 100644 --- a/help/commands-man/snyk-ignore.1 +++ b/help/commands-man/snyk-ignore.1 @@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-IGNORE" "1" "October 2021" "Snyk.io" +.TH "SNYK\-IGNORE" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-ignore\fR \- Modifies the \.snyk policy to ignore stated issues .SH "SYNOPSIS" diff --git a/help/commands-man/snyk-monitor.1 b/help/commands-man/snyk-monitor.1 index 98460b7cc5..0b5c5505da 100644 --- a/help/commands-man/snyk-monitor.1 +++ b/help/commands-man/snyk-monitor.1 @@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-MONITOR" "1" "October 2021" "Snyk.io" +.TH "SNYK\-MONITOR" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-monitor\fR \- Snapshot and continuously monitor your project .SH "SYNOPSIS" diff --git a/help/commands-man/snyk-policy.1 b/help/commands-man/snyk-policy.1 index 3c963a640b..d12f89642e 100644 --- a/help/commands-man/snyk-policy.1 +++ b/help/commands-man/snyk-policy.1 @@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-POLICY" "1" "October 2021" "Snyk.io" +.TH "SNYK\-POLICY" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-policy\fR \- Display the \.snyk policy for a package .SH "SYNOPSIS" diff --git a/help/commands-man/snyk-protect.1 b/help/commands-man/snyk-protect.1 index de8e480665..ba9dfd5be2 100644 --- a/help/commands-man/snyk-protect.1 +++ b/help/commands-man/snyk-protect.1 
@@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-PROTECT" "1" "October 2021" "Snyk.io" +.TH "SNYK\-PROTECT" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-protect\fR \- Applies the patches specified in your \.snyk file to the local file system .SH "SYNOPSIS" diff --git a/help/commands-man/snyk-test.1 b/help/commands-man/snyk-test.1 index 069e8c5f13..a2ce3a3598 100644 --- a/help/commands-man/snyk-test.1 +++ b/help/commands-man/snyk-test.1 @@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-TEST" "1" "October 2021" "Snyk.io" +.TH "SNYK\-TEST" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-test\fR \- test local project for vulnerabilities .SH "SYNOPSIS" diff --git a/help/commands-man/snyk-wizard.1 b/help/commands-man/snyk-wizard.1 index 0fb014bcda..7e3f5910b7 100644 --- a/help/commands-man/snyk-wizard.1 +++ b/help/commands-man/snyk-wizard.1 @@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-WIZARD" "1" "October 2021" "Snyk.io" +.TH "SNYK\-WIZARD" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-wizard\fR \- Configure your policy file to update, auto patch and ignore vulnerabilities .SH "SYNOPSIS" diff --git a/help/commands-man/snyk-woof.1 b/help/commands-man/snyk-woof.1 index 04ed40500a..94e0c4d6de 100644 --- a/help/commands-man/snyk-woof.1 +++ b/help/commands-man/snyk-woof.1 @@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK\-WOOF" "1" "October 2021" "Snyk.io" +.TH "SNYK\-WOOF" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\-woof\fR \- W00f .SH "SYNOPSIS" diff --git a/help/commands-man/snyk.1 b/help/commands-man/snyk.1 index 4fd6caaaaf..30569410d7 100644 --- a/help/commands-man/snyk.1 +++ b/help/commands-man/snyk.1 
@@ -1,6 +1,6 @@ .\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 -.TH "SNYK" "1" "October 2021" "Snyk.io" +.TH "SNYK" "1" "November 2021" "Snyk.io" .SH "NAME" \fBsnyk\fR \- CLI and build\-time tool to find & fix known vulnerabilities in open\-source dependencies .SH "SYNOPSIS" @@ -282,6 +282,15 @@ $ snyk iac test /path/to/tf\-plan\.json $ snyk iac test /path/to/arm_file\.json .fi .IP "" 0 +.P +To use your own custom rules to scan IaC configuration files, download the \fBsnyk\-iac\-rules\fR SDK from https://github\.com/snyk/snyk\-iac\-rules\. Follow the instructions there to write, build, and push a custom rules bundle and then either use the Snyk UI to configure your custom rules settings or configure a remote OCI registry locally by running the following commands: +.IP "" 4 +.nf +$ snyk config set oci\-registry\-url=https://registry\-1\.docker\.io/username/repo:tag +$ snyk config set oci\-registry\-username=username +$ snyk config set oci\-registry\-password=password +.fi +.IP "" 0 .SS "Static code analysis (SAST) scanning" See \fBsnyk code \-\-help\fR for more details and examples: .IP "" 4 diff --git a/help/commands-md/snyk-config.md b/help/commands-md/snyk-config.md index 772cefa6d5..8a44eaef6b 100644 --- a/help/commands-md/snyk-config.md +++ b/help/commands-md/snyk-config.md @@ -37,6 +37,15 @@ This command does not manage the `.snyk` file that's part of your project. See ` - `disable-analytics`: Turns off analytics reporting. +- `oci-registry-url`: + Configures the OCI registry used in IaC scannings with custom rules. + +- `oci-registry-username`: + Configures the username for an OCI registry used in IaC scannings with custom rules. + +- `oci-registry-password`: + Configures the password for an OCI registry used in IaC scannings with custom rules. + diff --git a/help/commands-md/snyk-iac.md b/help/commands-md/snyk-iac.md index 376bb73b72..949de28b89 100644 --- a/help/commands-md/snyk-iac.md +++ b/help/commands-md/snyk-iac.md 
@@ -67,6 +67,14 @@ Find security issues in your Infrastructure as Code files. Example #1: `--scan=planned-values` (full state scan) Example #2: `--scan=resource-changes` (proposed changes scan) +- `--rules=`: + Dedicated flag for Custom Rules scanning. + It enables the IaC scans to use a custom rules bundle generated via the `snyk-iac-rules` SDK. To download it and learn how to use it, go to + https://github.com/snyk/snyk-iac-rules. + This flag cannot be used if the custom rules settings were configured via the Snyk UI. + Default: If the `--rules` flag is not provided it would scan the configuration files using the internal Snyk rules only. + Example: `--rules=bundle.tar.gz` (scans the configuration files using custom rules and internal Snyk rules) + @@ -110,6 +118,9 @@ Find security issues in your Infrastructure as Code files. - `Test matching files in a directory`: \$ snyk iac test /path/to/directory +- `Test matching files in a directory using a local custom rules bundle`: + \$ snyk iac test /path/to/directory --rules=bundle.tar.gz + ## EXIT CODES diff --git a/help/commands-md/snyk.md b/help/commands-md/snyk.md index 303ce3edb0..56ef66de7d 100644 --- a/help/commands-md/snyk.md +++ b/help/commands-md/snyk.md 
@@ -324,6 +324,15 @@ See `snyk iac --help` for more details and examples: $ snyk iac test /path/to/tf-plan.json $ snyk iac test /path/to/arm_file.json +To use your own custom rules to scan IaC configuration files, download the `snyk-iac-rules` SDK from https://github.com/snyk/snyk-iac-rules. Follow the +instructions there to write, build, and push a custom rules bundle and then +either use the Snyk UI to configure your custom rules settings or configure +a remote OCI registry locally by running the following commands: + + $ snyk config set oci-registry-url=https://registry-1.docker.io/username/repo:tag + $ snyk config set oci-registry-username=username + $ snyk config set oci-registry-password=password + ### Static code analysis (SAST) scanning See `snyk code --help` for more details and examples: diff --git a/help/commands-txt/snyk-auth.txt b/help/commands-txt/snyk-auth.txt index 546e3016ef..52097693ad 100644 --- a/help/commands-txt/snyk-auth.txt +++ b/help/commands-txt/snyk-auth.txt 
@@ -1,101 +1,101 @@ -NAME - snyk-auth - Authenticate Snyk CLI with a Snyk account +NAME + snyk-auth - Authenticate Snyk CLI with a Snyk account -SYNOPSIS - snyk auth [API_TOKEN] [OPTIONS] +SYNOPSIS + snyk auth [API_TOKEN] [OPTIONS] -DESCRIPTION - Authenticate Snyk CLI with a Snyk account. Running $ snyk auth without - an API_TOKEN will open a browser window and asks you to login with Snyk - account and authorize. When inputting an API_TOKEN, it will be vali- +DESCRIPTION + Authenticate Snyk CLI with a Snyk account. Running $ snyk auth without + an API_TOKEN will open a browser window and asks you to login with Snyk + account and authorize. When inputting an API_TOKEN, it will be vali- dated with Snyk API. - When running in a CI environment API_TOKEN is required. + When running in a CI environment API_TOKEN is required. -OPTIONS - [API_TOKEN] +OPTIONS + [API_TOKEN] Your Snyk token. May be an user token or a service account. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - Flags available accross all commands - --insecure + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. 
-EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN + SNYK_TOKEN Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME + SNYK_REGISTRY_USERNAME Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this + istry. Note that using the --username flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD + SNYK_REGISTRY_PASSWORD Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this + istry. Note that using the --password flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. 
+Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API + SNYK_API Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. - - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. + + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. - The https in the HTTPS_PROXY means that requests using https + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https protocol will use this proxy. The proxy itself doesn't need to - use https. + use https. -NOTICES - Snyk API usage policy +NOTICES + Snyk API usage policy The use of Snyk's API, whether through the use of the 'snyk' npm pack- age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-code.txt b/help/commands-txt/snyk-code.txt index 62f170b1a1..f0b8ebdafb 100644 --- a/help/commands-txt/snyk-code.txt +++ b/help/commands-txt/snyk-code.txt 
@@ -1,120 +1,120 @@ -NAME - snyk-code - Find security issues using Static code analysis +NAME + snyk-code - Find security issues using Static code analysis -SYNOPSIS - snyk code [COMMAND] [OPTIONS] PATH +SYNOPSIS + snyk code [COMMAND] [OPTIONS] PATH -DESCRIPTION +DESCRIPTION Find security issues using Static code analysis For more information see the CLI for Snyk Code help page - https://docs.snyk.io/snyk-code/cli-for-snyk-code + https://docs.snyk.io/snyk-code/cli-for-snyk-code -COMMANDS - test Test for any known issue. +COMMANDS + test Test for any known issue. -OPTIONS - --severity-threshold=low|medium|high|critical +OPTIONS + --severity-threshold=low|medium|high|critical Only report configuration issues with the provided severity level or higher. Please note that the Snyk Code configuration - issues do not currently use the critical severity level. + issues do not currently use the critical severity level. - --json Prints results in JSON format. + --json Prints results in JSON format. - --org=ORG_NAME - Specify the ORG_NAME to run Snyk commands tied to a specific - organization. This will influence private tests limits. If you + --org=ORG_NAME + Specify the ORG_NAME to run Snyk commands tied to a specific or- + ganization. This will influence private tests limits. If you have multiple organizations, you can set a default from the CLI using: - $ snyk config set org=ORG_NAME + $ snyk config set org=ORG_NAME Setting a default will ensure all newly tested projects will be tested under your default organization. If you need to override - the default, you can use the --org=ORG_NAME argument. Default: - uses ORG_NAME that sets as default in your Account settings - https://app.snyk.io/account + the default, you can use the --org=ORG_NAME argument. Default: + uses ORG_NAME that sets as default in your Account settings + https://app.snyk.io/account - --sarif + --sarif Return results in SARIF format. 
- Flags available accross all commands - --insecure + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. -EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN + SNYK_TOKEN Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME + SNYK_REGISTRY_USERNAME Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this + istry. Note that using the --username flag will override this value. 
This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD + SNYK_REGISTRY_PASSWORD Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this + istry. Note that using the --password flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API + SNYK_API Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. - - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. + + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. - The https in the HTTPS_PROXY means that requests using https + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https protocol will use this proxy. The proxy itself doesn't need to - use https. + use https. 
-NOTICES - Snyk API usage policy +NOTICES + Snyk API usage policy The use of Snyk's API, whether through the use of the 'snyk' npm pack- age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-config.txt b/help/commands-txt/snyk-config.txt index 2daa6ea10f..4aa6e4b243 100644 --- a/help/commands-txt/snyk-config.txt +++ b/help/commands-txt/snyk-config.txt 
@@ -1,116 +1,128 @@ -NAME - snyk-config - Manage Snyk CLI configuration +NAME + snyk-config - Manage Snyk CLI configuration -SYNOPSIS - snyk config get|set|clear [KEY[=VALUE]] [OPTIONS] +SYNOPSIS + snyk config get|set|clear [KEY[=VALUE]] [OPTIONS] -DESCRIPTION - Manage your local Snyk CLI config file. This config file is a JSON - located at $XDG_CONFIG_HOME or ~/.config followed by config- - store/snyk.json. For example ~/.config/configstore/snyk.json. +DESCRIPTION + Manage your local Snyk CLI config file. This config file is a JSON lo- + cated at $XDG_CONFIG_HOME or ~/.config followed by config- + store/snyk.json. For example ~/.config/configstore/snyk.json. - This command does not manage the .snyk file that's part of your - project. See snyk policy, snyk ignore or snyk wizard. + This command does not manage the .snyk file that's part of your + project. See snyk policy, snyk ignore or snyk wizard. -COMMANDS - get KEY +COMMANDS + get KEY Print a config value. - set KEY=VALUE + set KEY=VALUE Create a new config value. - unset KEY + unset KEY Remove a config value. - clear Remove all config values. + clear Remove all config values. -OPTIONS - Supported <var>KEY</var> values - api API token to use when calling Snyk API. +OPTIONS + Supported KEY values + api API token to use when calling Snyk API. - endpoint + endpoint Defines the API endpoint to use. - disable-analytics + disable-analytics Turns off analytics reporting. - Flags available accross all commands - --insecure + oci-registry-url + Configures the OCI registry used in IaC scannings with custom + rules. + + oci-registry-username + Configures the username for an OCI registry used in IaC scan- + nings with custom rules. + + oci-registry-password + Configures the password for an OCI registry used in IaC scan- + nings with custom rules. + + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. 
- --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. -EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN - Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + SNYK_TOKEN + Snyk authorization token. Setting this envvar will override the + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME - Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this - value. This will be ignored in favour of local Docker binary + SNYK_REGISTRY_USERNAME + Specify a username to use when connecting to a container reg- + istry. Note that using the --username flag will override this + value. 
This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD - Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this - value. This will be ignored in favour of local Docker binary + SNYK_REGISTRY_PASSWORD + Specify a password to use when connecting to a container reg- + istry. Note that using the --password flag will override this + value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API - Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. + SNYK_API + Sets API host to use for Snyk requests. Useful for on-premise + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. - The https in the HTTPS_PROXY means that requests using https - protocol will use this proxy. The proxy itself doesn't need to - use https. 
- -NOTICES - Snyk API usage policy - The use of Snyk's API, whether through the use of the 'snyk' npm pack- - age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https + protocol will use this proxy. The proxy itself doesn't need to + use https. + +NOTICES + Snyk API usage policy + The use of Snyk's API, whether through the use of the 'snyk' npm pack- + age or otherwise, is subject to the terms & conditions + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-container.txt b/help/commands-txt/snyk-container.txt index 7f94f596ad..b0bea9deaa 100644 --- a/help/commands-txt/snyk-container.txt +++ b/help/commands-txt/snyk-container.txt 
@@ -1,150 +1,150 @@ -NAME - snyk-container - Test container images for vulnerabilities +NAME + snyk-container - Test container images for vulnerabilities -SYNOPSIS - snyk container [COMMAND] [OPTIONS] [IMAGE] +SYNOPSIS + snyk container [COMMAND] [OPTIONS] [IMAGE] -DESCRIPTION +DESCRIPTION Find vulnerabilities in your container images. -COMMANDS - test Test for any known vulnerabilities. +COMMANDS + test Test for any known vulnerabilities. - monitor + monitor Record the state of dependencies and any vulnerabilities on snyk.io. -OPTIONS - --exclude-base-image-vulns +OPTIONS + --exclude-base-image-vulns Exclude from display base image vulnerabilities. - --file=FILE_PATH - Include the path to the image's Dockerfile for more detailed - advice. + --file=FILE_PATH + Include the path to the image's Dockerfile for more detailed ad- + vice. - --platform=PLATFORM + --platform=PLATFORM For multi-architecture images, specify the platform to test. [linux/amd64, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7 or linux/arm/v6] - --json Prints results in JSON format. + --json Prints results in JSON format. - --json-file-output=OUTPUT_FILE_PATH - (only in test command) Save test output in JSON format directly + --json-file-output=OUTPUT_FILE_PATH + (only in test command) Save test output in JSON format directly to the specified file, regardless of whether or not you use the - --json option. This is especially useful if you want to display + --json option. This is especially useful if you want to display the human-readable test output via stdout and at the same time save the JSON format output to a file. - --sarif + --sarif Return results in SARIF format. - --sarif-file-output=OUTPUT_FILE_PATH - (only in test command) Save test output in SARIF format directly - to the OUTPUT_FILE_PATH file, regardless of whether or not you - use the --sarif option. 
This is especially useful if you want to + --sarif-file-output=OUTPUT_FILE_PATH + (only in test command) Save test output in SARIF format directly + to the OUTPUT_FILE_PATH file, regardless of whether or not you + use the --sarif option. This is especially useful if you want to display the human-readable test output via stdout and at the same time save the SARIF format output to a file. - --print-deps + --print-deps Print the dependency tree before sending it for analysis. - --project-name=PROJECT_NAME + --project-name=PROJECT_NAME Specify a custom Snyk project name. - --policy-path=PATH_TO_POLICY_FILE + --policy-path=PATH_TO_POLICY_FILE Manually pass a path to a snyk policy file. - --severity-threshold=low|medium|high|critical + --severity-threshold=low|medium|high|critical Only report vulnerabilities of provided level or higher. - --username=CONTAINER_REGISTRY_USERNAME + --username=CONTAINER_REGISTRY_USERNAME Specify a username to use when connecting to a container reg- istry. This will be ignored in favour of local Docker binary credentials when Docker is present. - --password=CONTAINER_REGISTRY_PASSWORD + --password=CONTAINER_REGISTRY_PASSWORD Specify a password to use when connecting to a container reg- istry. This will be ignored in favour of local Docker binary credentials when Docker is present. - Flags available accross all commands - --insecure + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. 
-EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN + SNYK_TOKEN Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME + SNYK_REGISTRY_USERNAME Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this + istry. Note that using the --username flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD + SNYK_REGISTRY_PASSWORD Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this + istry. Note that using the --password flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. 
+Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API + SNYK_API Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. - - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. + + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. - The https in the HTTPS_PROXY means that requests using https + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https protocol will use this proxy. The proxy itself doesn't need to - use https. + use https. -NOTICES - Snyk API usage policy +NOTICES + Snyk API usage policy The use of Snyk's API, whether through the use of the 'snyk' npm pack- age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-help.txt b/help/commands-txt/snyk-help.txt index e3cd7a8560..7aedbcc6e6 100644 --- a/help/commands-txt/snyk-help.txt +++ b/help/commands-txt/snyk-help.txt 
@@ -1,90 +1,90 @@ -NAME - snyk-help - Prints help topics +NAME + snyk-help - Prints help topics -SYNOPSIS - snyk help [TOPIC] [OPTIONS] +SYNOPSIS + snyk help [TOPIC] [OPTIONS] -DESCRIPTION - Prints help information. Pass in name of a command as TOPIC. +DESCRIPTION + Prints help information. Pass in name of a command as TOPIC. -OPTIONS - Flags available accross all commands - --insecure +OPTIONS + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. -EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN + SNYK_TOKEN Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. 
SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME + SNYK_REGISTRY_USERNAME Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this + istry. Note that using the --username flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD + SNYK_REGISTRY_PASSWORD Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this + istry. Note that using the --password flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API + SNYK_API Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. - - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. + + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. 
- The https in the HTTPS_PROXY means that requests using https + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https protocol will use this proxy. The proxy itself doesn't need to - use https. + use https. -NOTICES - Snyk API usage policy +NOTICES + Snyk API usage policy The use of Snyk's API, whether through the use of the 'snyk' npm pack- age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-iac.txt b/help/commands-txt/snyk-iac.txt index f9f1fce5f9..28a9d936bf 100644 --- a/help/commands-txt/snyk-iac.txt +++ b/help/commands-txt/snyk-iac.txt 
@@ -1,182 +1,196 @@ -NAME - snyk-iac - Find security issues in your Infrastructure as Code files +NAME + snyk-iac - Find security issues in your Infrastructure as Code files -SYNOPSIS - snyk iac [COMMAND] [OPTIONS] PATH +SYNOPSIS + snyk iac [COMMAND] [OPTIONS] PATH -DESCRIPTION +DESCRIPTION Find security issues in your Infrastructure as Code files. - For more information see IaC help page https://snyk.co/ucT6Q + For more information see IaC help page https://snyk.co/ucT6Q -COMMANDS - test Test for any known issue. +COMMANDS + test Test for any known issue. -OPTIONS - --detection-depth=DEPTH - (only in test command) - Indicate the maximum depth of sub-directories to search. DEPTH +OPTIONS + --detection-depth=DEPTH + (only in test command) + Indicate the maximum depth of sub-directories to search. DEPTH must be a number. Default: No Limit - Example: --detection-depth=3 + Example: --detection-depth=3 Will limit search to provided directory (or current directory if - no PATH provided) plus two levels of subdirectories. + no PATH provided) plus two levels of subdirectories. - --severity-threshold=low|medium|high|critical + --severity-threshold=low|medium|high|critical Only report configuration issues with the provided severity level or higher. Please note that the Snyk Infrastructure as - Code configuration issues do not currently use the critical + Code configuration issues do not currently use the critical severity level. - --ignore-policy - Ignores all set policies. The current policy in .snyk file, Org + --ignore-policy + Ignores all set policies. The current policy in .snyk file, Org level ignores and the project policy on snyk.io. - --json Prints results in JSON format. + --json Prints results in JSON format. 
- --json-file-output=OUTPUT_FILE_PATH - (only in test command) Save test output in JSON format directly + --json-file-output=OUTPUT_FILE_PATH + (only in test command) Save test output in JSON format directly to the specified file, regardless of whether or not you use the - --json option. This is especially useful if you want to display + --json option. This is especially useful if you want to display the human-readable test output via stdout and at the same time save the JSON format output to a file. - --org=ORG_NAME - Specify the ORG_NAME to run Snyk commands tied to a specific - organization. This will influence private tests limits. If you + --org=ORG_NAME + Specify the ORG_NAME to run Snyk commands tied to a specific or- + ganization. This will influence private tests limits. If you have multiple organizations, you can set a default from the CLI using: - $ snyk config set org=ORG_NAME + $ snyk config set org=ORG_NAME Setting a default will ensure all newly tested projects will be tested under your default organization. If you need to override - the default, you can use the --org=ORG_NAME argument. Default: - uses ORG_NAME that sets as default in your Account settings - https://app.snyk.io/account + the default, you can use the --org=ORG_NAME argument. Default: + uses ORG_NAME that sets as default in your Account settings + https://app.snyk.io/account - --policy-path=PATH_TO_POLICY_FILE` + --policy-path=PATH_TO_POLICY_FILE` Manually pass a path to a snyk policy file. - --sarif + --sarif Return results in SARIF format. - --sarif-file-output=OUTPUT_FILE_PATH - (only in test command) Save test output in SARIF format directly - to the OUTPUT_FILE_PATH file, regardless of whether or not you - use the --sarif option. This is especially useful if you want to + --sarif-file-output=OUTPUT_FILE_PATH + (only in test command) Save test output in SARIF format directly + to the OUTPUT_FILE_PATH file, regardless of whether or not you + use the --sarif option. 
This is especially useful if you want to display the human-readable test output via stdout and at the same time save the SARIF format output to a file. - --scan=TERRAFORM_PLAN_SCAN_MODE + --scan=TERRAFORM_PLAN_SCAN_MODE Dedicated flag for Terraform plan scanning modes. It enables to control whether the scan should analyse the full - final state (e.g. planned-values), or the proposed changes only - (e.g. resource-changes). - Default: If the --scan flag is not provided it would scan the + final state (e.g. planned-values), or the proposed changes only + (e.g. resource-changes). + Default: If the --scan flag is not provided it would scan the proposed changes only by default. - Example #1: --scan=planned-values (full state scan) Example #2: - --scan=resource-changes (proposed changes scan) - - Flags available accross all commands - --insecure + Example #1: --scan=planned-values (full state scan) Example #2: + --scan=resource-changes (proposed changes scan) + + --rules=PATH_TO_CUSTOM_RULES_BUNDLE + Dedicated flag for Custom Rules scanning. + It enables the IaC scans to use a custom rules bundle generated + via the snyk-iac-rules SDK. To download it and learn how to use + it, go to https://github.com/snyk/snyk-iac-rules. This flag can- + not be used if the custom rules settings were configured via the + Snyk UI. Default: If the --rules flag is not provided it would + scan the configuration files using the internal Snyk rules only. + Example: --rules=bundle.tar.gz (scans the configuration files + using custom rules and internal Snyk rules) + + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. 
You may specify a COMMAND to get more de- + tails. -EXAMPLES - For more information see IaC help page https://snyk.co/ucT6Q +EXAMPLES + For more information see IaC help page https://snyk.co/ucT6Q - Test CloudFormation file + Test CloudFormation file $ snyk iac test /path/to/cloudformation_file.yaml - Test kubernetes file + Test kubernetes file $ snyk iac test /path/to/kubernetes_file.yaml - Test terraform file + Test terraform file $ snyk iac test /path/to/terraform_file.tf - Test terraform plan file + Test terraform plan file $ snyk iac test /path/to/tf-plan.json - Test ARM file + Test ARM file $ snyk iac test /path/to/arm_file.json - Test matching files in a directory + Test matching files in a directory $ snyk iac test /path/to/directory -EXIT CODES + Test matching files in a directory using a local custom rules bundle + $ snyk iac test /path/to/directory --rules=bundle.tar.gz + +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN + SNYK_TOKEN Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. 
SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME + SNYK_REGISTRY_USERNAME Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this + istry. Note that using the --username flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD + SNYK_REGISTRY_PASSWORD Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this + istry. Note that using the --password flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API + SNYK_API Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. - - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. + + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. 
- The https in the HTTPS_PROXY means that requests using https + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https protocol will use this proxy. The proxy itself doesn't need to - use https. + use https. -NOTICES - Snyk API usage policy +NOTICES + Snyk API usage policy The use of Snyk's API, whether through the use of the 'snyk' npm pack- age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-ignore.txt b/help/commands-txt/snyk-ignore.txt index 93389b142f..72bbf118c0 100644 --- a/help/commands-txt/snyk-ignore.txt +++ b/help/commands-txt/snyk-ignore.txt 
@@ -1,108 +1,108 @@ -NAME - snyk-ignore - Modifies the .snyk policy to ignore stated issues +NAME + snyk-ignore - Modifies the .snyk policy to ignore stated issues -SYNOPSIS - snyk ignore --id=ISSUE_ID [--expiry=EXPIRY] [--reason=REASON] [OPTIONS] +SYNOPSIS + snyk ignore --id=ISSUE_ID [--expiry=EXPIRY] [--reason=REASON] [OPTIONS] -DESCRIPTION - Ignore a certain issue, according to its snyk ID for all occurrences. - This will update your local .snyk to contain a similar block: +DESCRIPTION + Ignore a certain issue, according to its snyk ID for all occurrences. + This will update your local .snyk to contain a similar block: - yaml ignore: '<ISSUE_ID>': - '*': reason: <REASON> expires: <EXPIRY> + yaml ignore: '': - '*': reason: expires:  -OPTIONS - --id=ISSUE_ID +OPTIONS + --id=ISSUE_ID Snyk ID for the issue to ignore. Required. - --expiry=EXPIRY - Expiry date, according to RFC2822 - https://tools.ietf.org/html/rfc2822 + --expiry=EXPIRY + Expiry date, according to RFC2822 + https://tools.ietf.org/html/rfc2822 - --reason=REASON - Human-readable REASON to ignore this issue. + --reason=REASON + Human-readable REASON to ignore this issue. - Flags available accross all commands - --insecure + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. 
-EXAMPLES - Ignore a specific vulnerability - $ snyk ignore --id='npm:qs:20170213' --expiry='2021-01-10' +EXAMPLES + Ignore a specific vulnerability + $ snyk ignore --id='npm:qs:20170213' --expiry='2021-01-10' --reason='Module not affected by this vuln' -EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN - Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + SNYK_TOKEN + Snyk authorization token. Setting this envvar will override the + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME - Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this - value. This will be ignored in favour of local Docker binary + SNYK_REGISTRY_USERNAME + Specify a username to use when connecting to a container reg- + istry. Note that using the --username flag will override this + value. 
This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD - Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this - value. This will be ignored in favour of local Docker binary + SNYK_REGISTRY_PASSWORD + Specify a password to use when connecting to a container reg- + istry. Note that using the --password flag will override this + value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API - Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. + SNYK_API + Sets API host to use for Snyk requests. Useful for on-premise + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. - The https in the HTTPS_PROXY means that requests using https - protocol will use this proxy. The proxy itself doesn't need to - use https. 
- -NOTICES - Snyk API usage policy - The use of Snyk's API, whether through the use of the 'snyk' npm pack- - age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https + protocol will use this proxy. The proxy itself doesn't need to + use https. + +NOTICES + Snyk API usage policy + The use of Snyk's API, whether through the use of the 'snyk' npm pack- + age or otherwise, is subject to the terms & conditions + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-monitor.txt b/help/commands-txt/snyk-monitor.txt index ba13879174..b096ecd0d9 100644 --- a/help/commands-txt/snyk-monitor.txt +++ b/help/commands-txt/snyk-monitor.txt 
@@ -1,354 +1,354 @@ -NAME - snyk-monitor - Snapshot and continuously monitor your project +NAME + snyk-monitor - Snapshot and continuously monitor your project -SYNOPSIS - snyk monitor [OPTIONS] +SYNOPSIS + snyk monitor [OPTIONS] -DESCRIPTION +DESCRIPTION Create a project on the Snyk website that will be continuously moni- tored for new vulnerabilities. After running this command you will see it by logging in to the website and viewing Your projects. -OPTIONS - To see command-specific flags and usage, see help command, e.g. snyk - container --help. For advanced usage, we offer language and context +OPTIONS + To see command-specific flags and usage, see help command, e.g. snyk + container --help. For advanced usage, we offer language and context specific flags, listed further down this document. - --all-projects - (only in test and monitor commands) Auto-detect all projects in + --all-projects + (only in test and monitor commands) Auto-detect all projects in working directory - --detection-depth=DEPTH - (only in test and monitor commands) Use with --all-projects or + --detection-depth=DEPTH + (only in test and monitor commands) Use with --all-projects or --yarn-workspaces to indicate how many sub-directories to - search. DEPTH must be a number. + search. DEPTH must be a number. Default: 4 (the current working directory and 3 sub-directories) - --exclude=DIRECTORY[,DIRECTORY]...> - (only in test and monitor commands) Can be used with + --exclude=DIRECTORY[,DIRECTORY]...> + (only in test and monitor commands) Can be used with --all-projects and --yarn-workspaces to indicate sub-directories and files to exclude. Must be comma separated. - If using with --detection-depth exclude ignores directories at + If using with --detection-depth exclude ignores directories at any level deep. - --prune-repeated-subdependencies, -p - (only in test and monitor commands) Prune dependency trees, - removing duplicate sub-dependencies. 
Will still find all vulner- - abilities, but potentially not all of the vulnerable paths. + --prune-repeated-subdependencies, -p + (only in test and monitor commands) Prune dependency trees, re- + moving duplicate sub-dependencies. Will still find all vulnera- + bilities, but potentially not all of the vulnerable paths. - --print-deps - (only in test and monitor commands) Print the dependency tree + --print-deps + (only in test and monitor commands) Print the dependency tree before sending it for analysis. - --remote-repo-url=URL + --remote-repo-url=URL Set or override the remote URL for the repository that you would like to monitor. - --dev Include development-only dependencies. Applicable only for some - package managers. E.g. devDependencies in npm or :development + --dev Include development-only dependencies. Applicable only for some + package managers. E.g. devDependencies in npm or :development dependencies in Gemfile. Default: scan only production dependencies - --org=ORG_NAME - Specify the ORG_NAME to run Snyk commands tied to a specific - organization. This will influence where will new projects be - created after running monitor command, some features availabil- - ity and private tests limits. If you have multiple organiza- - tions, you can set a default from the CLI using: + --org=ORG_NAME + Specify the ORG_NAME to run Snyk commands tied to a specific or- + ganization. This will influence where will new projects be cre- + ated after running monitor command, some features availability + and private tests limits. If you have multiple organizations, + you can set a default from the CLI using: - $ snyk config set org=ORG_NAME + $ snyk config set org=ORG_NAME - Setting a default will ensure all newly monitored projects will + Setting a default will ensure all newly monitored projects will be created under your default organization. If you need to over- - ride the default, you can use the --org=ORG_NAME argument. 
+ ride the default, you can use the --org=ORG_NAME argument. - Default: uses ORG_NAME that sets as default in your Account set- - tings https://app.snyk.io/account + Default: uses ORG_NAME that sets as default in your Account set- + tings https://app.snyk.io/account - --file=FILE + --file=FILE Sets a package file. - When testing locally or monitoring a project, you can specify - the file that Snyk should inspect for package information. When - ommitted Snyk will try to detect the appropriate file for your + When testing locally or monitoring a project, you can specify + the file that Snyk should inspect for package information. When + ommitted Snyk will try to detect the appropriate file for your project. - --ignore-policy - Ignores all set policies. The current policy in .snyk file, Org + --ignore-policy + Ignores all set policies. The current policy in .snyk file, Org level ignores and the project policy on snyk.io. - --trust-policies + --trust-policies Applies and uses ignore rules from your dependencies' Snyk poli- - cies, otherwise ignore policies are only shown as a suggestion. + cies, otherwise ignore policies are only shown as a suggestion. - --show-vulnerable-paths=none|some|all + --show-vulnerable-paths=none|some|all Display the dependency paths from the top level dependencies, - down to the vulnerable packages. Doesn't affect output when - using JSON --json output. + down to the vulnerable packages. Doesn't affect output when us- + ing JSON --json output. - Default: some (a few example paths shown) false is an alias for - none. + Default: some (a few example paths shown) false is an alias for + none. - --project-name=PROJECT_NAME + --project-name=PROJECT_NAME Specify a custom Snyk project name. - --target-reference=TARGET_REFERENCE + --target-reference=TARGET_REFERENCE A reference to separate this project from other scans of the same project. For example, a branch name or version. Projects using the same reference can be used for grouping. 
More informa- - tion https://snyk.info/3B0vTPs. + tion https://snyk.info/3B0vTPs. - --project-environment=ENVIRONMENT[,ENVIRONMENT]...> - (only in monitor command) Set the project environment to one or + --project-environment=ENVIRONMENT[,ENVIRONMENT]...> + (only in monitor command) Set the project environment to one or more values (comma-separated). Allowed values: frontend, back- end, internal, external, mobile, saas, onprem, hosted, distrib- uted - --project-lifecycle=LIFECYCLE[,LIFECYCLE]...> - (only in monitor command) Set the project lifecycle to one or - more values (comma-separated). Allowed values: production, - development, sandbox + --project-lifecycle=LIFECYCLE[,LIFECYCLE]...> + (only in monitor command) Set the project lifecycle to one or + more values (comma-separated). Allowed values: production, de- + velopment, sandbox - --project-business-criticality=BUSINESS_CRITICALITY[,BUSINESS_CRITICAL- - ITY]...> - (only in monitor command) Set the project business criticality - to one or more values (comma-separated). Allowed values: criti- + --project-business-criticality=BUSINESS_CRITICALITY[,BUSINESS_CRITICAL- + ITY]...> + (only in monitor command) Set the project business criticality + to one or more values (comma-separated). Allowed values: criti- cal, high, medium, low - --project-tags=TAG[,TAG]...> - (only in monitor command) Set the project tags to one or more - values (comma-separated key value pairs with an "=" separator). + --project-tags=TAG[,TAG]...> + (only in monitor command) Set the project tags to one or more + values (comma-separated key value pairs with an "=" separator). e.g. --project-tags=department=finance,team=alpha - --policy-path=PATH_TO_POLICY_FILE` + --policy-path=PATH_TO_POLICY_FILE` Manually pass a path to a snyk policy file. - --json Prints results in JSON format. + --json Prints results in JSON format. 
- --json-file-output=OUTPUT_FILE_PATH - (only in test command) Save test output in JSON format directly - to the specified file, regardless of whether or not you use the - --json option. This is especially useful if you want to display - the human-readable test output via stdout and at the same time + --json-file-output=OUTPUT_FILE_PATH + (only in test command) Save test output in JSON format directly + to the specified file, regardless of whether or not you use the + --json option. This is especially useful if you want to display + the human-readable test output via stdout and at the same time save the JSON format output to a file. - --sarif + --sarif Return results in SARIF format. - --sarif-file-output=OUTPUT_FILE_PATH - (only in test command) Save test output in SARIF format directly - to the OUTPUT_FILE_PATH file, regardless of whether or not you - use the --sarif option. This is especially useful if you want to - display the human-readable test output via stdout and at the + --sarif-file-output=OUTPUT_FILE_PATH + (only in test command) Save test output in SARIF format directly + to the OUTPUT_FILE_PATH file, regardless of whether or not you + use the --sarif option. This is especially useful if you want to + display the human-readable test output via stdout and at the same time save the SARIF format output to a file. - --severity-threshold=low|medium|high|critical + --severity-threshold=low|medium|high|critical Only report vulnerabilities of provided level or higher. - --fail-on=all|upgradable|patchable + --fail-on=all|upgradable|patchable Only fail when there are vulnerabilities that can be fixed. - all fails when there is at least one vulnerability that can be - either upgraded or patched. upgradable fails when there is at - least one vulnerability that can be upgraded. patchable fails + all fails when there is at least one vulnerability that can be + either upgraded or patched. 
upgradable fails when there is at + least one vulnerability that can be upgraded. patchable fails when there is at least one vulnerability that can be patched. - If vulnerabilities do not have a fix and this option is being + If vulnerabilities do not have a fix and this option is being used, tests will pass. - --dry-run - (only in protect command) Don't apply updates or patches during - protect command run. + --dry-run + (only in protect command) Don't apply updates or patches during + protect command run. - -- [COMPILER_OPTIONS] - Pass extra arguments directly to Gradle or Maven. E.g. snyk test - -- --build-cache + -- [COMPILER_OPTIONS] + Pass extra arguments directly to Gradle or Maven. E.g. snyk test + -- --build-cache Below are flags that are influencing CLI behavior for specific projects, languages and contexts: - Maven options - --scan-all-unmanaged - Auto detects maven jars, aars, and wars in given directory. - Individual testing can be done with --file=JAR_FILE_NAME + Maven options + --scan-all-unmanaged + Auto detects maven jars, aars, and wars in given directory. In- + dividual testing can be done with --file=JAR_FILE_NAME - --reachable - (only in test and monitor commands) Analyze your source code to + --reachable + (only in test and monitor commands) Analyze your source code to find which vulnerable functions and packages are called. - --reachable-timeout=TIMEOUT - The amount of time (in seconds) to wait for Snyk to gather - reachability data. If it takes longer than TIMEOUT, Reachable - Vulnerabilities are not reported. This does not affect regular + --reachable-timeout=TIMEOUT + The amount of time (in seconds) to wait for Snyk to gather + reachability data. If it takes longer than TIMEOUT, Reachable + Vulnerabilities are not reported. This does not affect regular test or monitor output. Default: 300 (5 minutes). 
- Gradle options - More information about Gradle CLI options https://snyk.co/ucT6P + Gradle options + More information about Gradle CLI options https://snyk.co/ucT6P - O --sub-project=NAME, --gradle-sub-project=NAME: For Gradle "multi + O --sub-project=NAME, --gradle-sub-project=NAME: For Gradle "multi project" configurations, test a specific sub-project. - O --all-sub-projects: For "multi project" configurations, test all + O --all-sub-projects: For "multi project" configurations, test all sub-projects. - O --configuration-matching=CONFIGURATION_REGEX: Resolve dependencies - using only configuration(s) that match the provided Java regular - expression, e.g. ^releaseRuntimeClasspath$. + O --configuration-matching=CONFIGURATION_REGEX: Resolve dependencies + using only configuration(s) that match the provided Java regular + expression, e.g. ^releaseRuntimeClasspath$. - O --configuration-attributes=ATTRIBUTE[,ATTRIBUTE]...: Select certain - values of configuration attributes to resolve the dependencies. - E.g. buildtype:release,usage:java-runtime + O --configuration-attributes=ATTRIBUTE[,ATTRIBUTE]...: Select certain + values of configuration attributes to resolve the dependencies. + E.g. buildtype:release,usage:java-runtime - O --reachable: (only in test and monitor commands) Analyze your - source code to find which vulnerable functions and packages are + O --reachable: (only in test and monitor commands) Analyze your + source code to find which vulnerable functions and packages are called. - O --reachable-timeout=TIMEOUT: The amount of time (in seconds) to - wait for Snyk to gather reachability data. If it takes longer than - TIMEOUT, Reachable Vulnerabilities are not reported. This does not + O --reachable-timeout=TIMEOUT: The amount of time (in seconds) to + wait for Snyk to gather reachability data. If it takes longer than + TIMEOUT, Reachable Vulnerabilities are not reported. This does not affect regular test or monitor output. Default: 300 (5 minutes). 
- O --init-script=FILE For projects that contain a gradle initializa- + O --init-script=FILE For projects that contain a gradle initializa- tion script. - .Net & NuGet options - --assets-project-name - When monitoring a .NET project using NuGet PackageReference use + .Net & NuGet options + --assets-project-name + When monitoring a .NET project using NuGet PackageReference use the project name in project.assets.json, if found. - --packages-folder + --packages-folder Custom path to packages folder - --project-name-prefix=PREFIX_STRING - When monitoring a .NET project, use this flag to add a custom - prefix to the name of files inside a project along with any - desired separators, e.g. snyk monitor --file=my-project.sln - --project-name-prefix=my-group/. This is useful when you have + --project-name-prefix=PREFIX_STRING + When monitoring a .NET project, use this flag to add a custom + prefix to the name of files inside a project along with any de- + sired separators, e.g. snyk monitor --file=my-project.sln + --project-name-prefix=my-group/. This is useful when you have multiple projects with the same name in other sln files. - npm options - --strict-out-of-sync=true|false + npm options + --strict-out-of-sync=true|false Control testing out of sync lockfiles. Default: true - Yarn options - --strict-out-of-sync=true|false + Yarn options + --strict-out-of-sync=true|false Control testing out of sync lockfiles. Default: true - --yarn-workspaces - (only in test and monitor commands) Detect and scan yarn - workspaces. You can specify how many sub-directories to search - using --detection-depth and exclude directories and files using - --exclude. + --yarn-workspaces + (only in test and monitor commands) Detect and scan yarn + workspaces. You can specify how many sub-directories to search + using --detection-depth and exclude directories and files using + --exclude. 
- CocoaPods options - --strict-out-of-sync=true|false + CocoaPods options + --strict-out-of-sync=true|false Control testing out of sync lockfiles. Default: false - Python options - --command=COMMAND - Indicate which specific Python commands to use based on Python - version. The default is python which executes your systems - default python version. Run 'python -V' to find out what version - is it. If you are using multiple Python versions, use this - parameter to specify the correct Python command for execution. + Python options + --command=COMMAND + Indicate which specific Python commands to use based on Python + version. The default is python which executes your systems de- + fault python version. Run 'python -V' to find out what version + is it. If you are using multiple Python versions, use this pa- + rameter to specify the correct Python command for execution. - Default: python Example: --command=python3 + Default: python Example: --command=python3 - --skip-unresolved=true|false + --skip-unresolved=true|false Allow skipping packages that are not found in the environment. - Flags available accross all commands - --insecure + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. 
-EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN - Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + SNYK_TOKEN + Snyk authorization token. Setting this envvar will override the + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME - Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this - value. This will be ignored in favour of local Docker binary + SNYK_REGISTRY_USERNAME + Specify a username to use when connecting to a container reg- + istry. Note that using the --username flag will override this + value. This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD - Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this - value. 
This will be ignored in favour of local Docker binary + SNYK_REGISTRY_PASSWORD + Specify a password to use when connecting to a container reg- + istry. Note that using the --password flag will override this + value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API - Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. + SNYK_API + Sets API host to use for Snyk requests. Useful for on-premise + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. - The https in the HTTPS_PROXY means that requests using https - protocol will use this proxy. The proxy itself doesn't need to - use https. - -NOTICES - Snyk API usage policy - The use of Snyk's API, whether through the use of the 'snyk' npm pack- - age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. 
+ The https in the HTTPS_PROXY means that requests using https + protocol will use this proxy. The proxy itself doesn't need to + use https. + +NOTICES + Snyk API usage policy + The use of Snyk's API, whether through the use of the 'snyk' npm pack- + age or otherwise, is subject to the terms & conditions + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-policy.txt b/help/commands-txt/snyk-policy.txt index 0b2ad0b32c..310bc0f193 100644 --- a/help/commands-txt/snyk-policy.txt +++ b/help/commands-txt/snyk-policy.txt 
@@ -1,93 +1,93 @@ -NAME - snyk-policy - Display the .snyk policy for a package +NAME + snyk-policy - Display the .snyk policy for a package -SYNOPSIS - snyk policy [PATH_TO_POLICY_FILE] [OPTIONS] +SYNOPSIS + snyk policy [PATH_TO_POLICY_FILE] [OPTIONS] -DESCRIPTION - Displays a .snyk policy file. +DESCRIPTION + Displays a .snyk policy file. -OPTIONS - PATH_TO_POLICY_FILE +OPTIONS + PATH_TO_POLICY_FILE Manually pass a path to a snyk policy file. - Flags available accross all commands - --insecure + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. -EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN + SNYK_TOKEN Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. 
+ SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME + SNYK_REGISTRY_USERNAME Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this + istry. Note that using the --username flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD + SNYK_REGISTRY_PASSWORD Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this + istry. Note that using the --password flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API + SNYK_API Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. - - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. + + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. 
- HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. - The https in the HTTPS_PROXY means that requests using https + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https protocol will use this proxy. The proxy itself doesn't need to - use https. + use https. -NOTICES - Snyk API usage policy +NOTICES + Snyk API usage policy The use of Snyk's API, whether through the use of the 'snyk' npm pack- age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-protect.txt b/help/commands-txt/snyk-protect.txt index 2dbbaba26d..248bc3484d 100644 --- a/help/commands-txt/snyk-protect.txt +++ b/help/commands-txt/snyk-protect.txt 
@@ -1,97 +1,97 @@ -NAME - snyk-protect - Applies the patches specified in your .snyk file to the +NAME + snyk-protect - Applies the patches specified in your .snyk file to the local file system -SYNOPSIS - snyk protect [OPTIONS] +SYNOPSIS + snyk protect [OPTIONS] -DESCRIPTION - $ snyk protect is used to apply patches to your vulnerable dependen- +DESCRIPTION + $ snyk protect is used to apply patches to your vulnerable dependen- cies. It's useful after opening a fix pull request from our website (GitHub only) or after running snyk wizard on the CLI. snyk protect reads a .snyk policy file to determine what patches to apply. -OPTIONS - --dry-run +OPTIONS + --dry-run Don't apply updates or patches when running. - Flags available accross all commands - --insecure + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. -EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN + SNYK_TOKEN Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + token that may be available in your snyk config settings. 
- How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME + SNYK_REGISTRY_USERNAME Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this + istry. Note that using the --username flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD + SNYK_REGISTRY_PASSWORD Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this + istry. Note that using the --password flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API + SNYK_API Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. - - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. 
Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. + + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. - The https in the HTTPS_PROXY means that requests using https + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https protocol will use this proxy. The proxy itself doesn't need to - use https. + use https. -NOTICES - Snyk API usage policy +NOTICES + Snyk API usage policy The use of Snyk's API, whether through the use of the 'snyk' npm pack- age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-test.txt b/help/commands-txt/snyk-test.txt index 85a7640e46..97a054e8e7 100644 --- a/help/commands-txt/snyk-test.txt +++ b/help/commands-txt/snyk-test.txt 
@@ -1,354 +1,354 @@ -NAME - snyk-test - test local project for vulnerabilities +NAME + snyk-test - test local project for vulnerabilities -SYNOPSIS - snyk test [OPTIONS] +SYNOPSIS + snyk test [OPTIONS] -DESCRIPTION +DESCRIPTION Test command checks locally installed projects for vulnerabilities. It tries to autodetect supported manifest files with dependencies and test those. -OPTIONS - To see command-specific flags and usage, see help command, e.g. snyk - container --help. For advanced usage, we offer language and context +OPTIONS + To see command-specific flags and usage, see help command, e.g. snyk + container --help. For advanced usage, we offer language and context specific flags, listed further down this document. - --all-projects - (only in test and monitor commands) Auto-detect all projects in + --all-projects + (only in test and monitor commands) Auto-detect all projects in working directory - --detection-depth=DEPTH - (only in test and monitor commands) Use with --all-projects or + --detection-depth=DEPTH + (only in test and monitor commands) Use with --all-projects or --yarn-workspaces to indicate how many sub-directories to - search. DEPTH must be a number. + search. DEPTH must be a number. Default: 4 (the current working directory and 3 sub-directories) - --exclude=DIRECTORY[,DIRECTORY]...> - (only in test and monitor commands) Can be used with + --exclude=DIRECTORY[,DIRECTORY]...> + (only in test and monitor commands) Can be used with --all-projects and --yarn-workspaces to indicate sub-directories and files to exclude. Must be comma separated. - If using with --detection-depth exclude ignores directories at + If using with --detection-depth exclude ignores directories at any level deep. - --prune-repeated-subdependencies, -p - (only in test and monitor commands) Prune dependency trees, - removing duplicate sub-dependencies. Will still find all vulner- - abilities, but potentially not all of the vulnerable paths. 
+ --prune-repeated-subdependencies, -p + (only in test and monitor commands) Prune dependency trees, re- + moving duplicate sub-dependencies. Will still find all vulnera- + bilities, but potentially not all of the vulnerable paths. - --print-deps - (only in test and monitor commands) Print the dependency tree + --print-deps + (only in test and monitor commands) Print the dependency tree before sending it for analysis. - --remote-repo-url=URL + --remote-repo-url=URL Set or override the remote URL for the repository that you would like to monitor. - --dev Include development-only dependencies. Applicable only for some - package managers. E.g. devDependencies in npm or :development + --dev Include development-only dependencies. Applicable only for some + package managers. E.g. devDependencies in npm or :development dependencies in Gemfile. Default: scan only production dependencies - --org=ORG_NAME - Specify the ORG_NAME to run Snyk commands tied to a specific - organization. This will influence where will new projects be - created after running monitor command, some features availabil- - ity and private tests limits. If you have multiple organiza- - tions, you can set a default from the CLI using: + --org=ORG_NAME + Specify the ORG_NAME to run Snyk commands tied to a specific or- + ganization. This will influence where will new projects be cre- + ated after running monitor command, some features availability + and private tests limits. If you have multiple organizations, + you can set a default from the CLI using: - $ snyk config set org=ORG_NAME + $ snyk config set org=ORG_NAME - Setting a default will ensure all newly monitored projects will + Setting a default will ensure all newly monitored projects will be created under your default organization. If you need to over- - ride the default, you can use the --org=ORG_NAME argument. + ride the default, you can use the --org=ORG_NAME argument. 
- Default: uses ORG_NAME that sets as default in your Account set- - tings https://app.snyk.io/account + Default: uses ORG_NAME that sets as default in your Account set- + tings https://app.snyk.io/account - --file=FILE + --file=FILE Sets a package file. - When testing locally or monitoring a project, you can specify - the file that Snyk should inspect for package information. When - ommitted Snyk will try to detect the appropriate file for your + When testing locally or monitoring a project, you can specify + the file that Snyk should inspect for package information. When + ommitted Snyk will try to detect the appropriate file for your project. - --ignore-policy - Ignores all set policies. The current policy in .snyk file, Org + --ignore-policy + Ignores all set policies. The current policy in .snyk file, Org level ignores and the project policy on snyk.io. - --trust-policies + --trust-policies Applies and uses ignore rules from your dependencies' Snyk poli- - cies, otherwise ignore policies are only shown as a suggestion. + cies, otherwise ignore policies are only shown as a suggestion. - --show-vulnerable-paths=none|some|all + --show-vulnerable-paths=none|some|all Display the dependency paths from the top level dependencies, - down to the vulnerable packages. Doesn't affect output when - using JSON --json output. + down to the vulnerable packages. Doesn't affect output when us- + ing JSON --json output. - Default: some (a few example paths shown) false is an alias for - none. + Default: some (a few example paths shown) false is an alias for + none. - --project-name=PROJECT_NAME + --project-name=PROJECT_NAME Specify a custom Snyk project name. - --target-reference=TARGET_REFERENCE + --target-reference=TARGET_REFERENCE A reference to separate this project from other scans of the same project. For example, a branch name or version. Projects using the same reference can be used for grouping. More informa- - tion https://snyk.info/3B0vTPs. 
+ tion https://snyk.info/3B0vTPs. - --project-environment=ENVIRONMENT[,ENVIRONMENT]...> - (only in monitor command) Set the project environment to one or + --project-environment=ENVIRONMENT[,ENVIRONMENT]...> + (only in monitor command) Set the project environment to one or more values (comma-separated). Allowed values: frontend, back- end, internal, external, mobile, saas, onprem, hosted, distrib- uted - --project-lifecycle=LIFECYCLE[,LIFECYCLE]...> - (only in monitor command) Set the project lifecycle to one or - more values (comma-separated). Allowed values: production, - development, sandbox + --project-lifecycle=LIFECYCLE[,LIFECYCLE]...> + (only in monitor command) Set the project lifecycle to one or + more values (comma-separated). Allowed values: production, de- + velopment, sandbox - --project-business-criticality=BUSINESS_CRITICALITY[,BUSINESS_CRITICAL- - ITY]...> - (only in monitor command) Set the project business criticality - to one or more values (comma-separated). Allowed values: criti- + --project-business-criticality=BUSINESS_CRITICALITY[,BUSINESS_CRITICAL- + ITY]...> + (only in monitor command) Set the project business criticality + to one or more values (comma-separated). Allowed values: criti- cal, high, medium, low - --project-tags=TAG[,TAG]...> - (only in monitor command) Set the project tags to one or more - values (comma-separated key value pairs with an "=" separator). + --project-tags=TAG[,TAG]...> + (only in monitor command) Set the project tags to one or more + values (comma-separated key value pairs with an "=" separator). e.g. --project-tags=department=finance,team=alpha - --policy-path=PATH_TO_POLICY_FILE` + --policy-path=PATH_TO_POLICY_FILE` Manually pass a path to a snyk policy file. - --json Prints results in JSON format. + --json Prints results in JSON format. 
- --json-file-output=OUTPUT_FILE_PATH - (only in test command) Save test output in JSON format directly - to the specified file, regardless of whether or not you use the - --json option. This is especially useful if you want to display - the human-readable test output via stdout and at the same time + --json-file-output=OUTPUT_FILE_PATH + (only in test command) Save test output in JSON format directly + to the specified file, regardless of whether or not you use the + --json option. This is especially useful if you want to display + the human-readable test output via stdout and at the same time save the JSON format output to a file. - --sarif + --sarif Return results in SARIF format. - --sarif-file-output=OUTPUT_FILE_PATH - (only in test command) Save test output in SARIF format directly - to the OUTPUT_FILE_PATH file, regardless of whether or not you - use the --sarif option. This is especially useful if you want to - display the human-readable test output via stdout and at the + --sarif-file-output=OUTPUT_FILE_PATH + (only in test command) Save test output in SARIF format directly + to the OUTPUT_FILE_PATH file, regardless of whether or not you + use the --sarif option. This is especially useful if you want to + display the human-readable test output via stdout and at the same time save the SARIF format output to a file. - --severity-threshold=low|medium|high|critical + --severity-threshold=low|medium|high|critical Only report vulnerabilities of provided level or higher. - --fail-on=all|upgradable|patchable + --fail-on=all|upgradable|patchable Only fail when there are vulnerabilities that can be fixed. - all fails when there is at least one vulnerability that can be - either upgraded or patched. upgradable fails when there is at - least one vulnerability that can be upgraded. patchable fails + all fails when there is at least one vulnerability that can be + either upgraded or patched. 
upgradable fails when there is at + least one vulnerability that can be upgraded. patchable fails when there is at least one vulnerability that can be patched. - If vulnerabilities do not have a fix and this option is being + If vulnerabilities do not have a fix and this option is being used, tests will pass. - --dry-run - (only in protect command) Don't apply updates or patches during - protect command run. + --dry-run + (only in protect command) Don't apply updates or patches during + protect command run. - -- [COMPILER_OPTIONS] - Pass extra arguments directly to Gradle or Maven. E.g. snyk test - -- --build-cache + -- [COMPILER_OPTIONS] + Pass extra arguments directly to Gradle or Maven. E.g. snyk test + -- --build-cache Below are flags that are influencing CLI behavior for specific projects, languages and contexts: - Maven options - --scan-all-unmanaged - Auto detects maven jars, aars, and wars in given directory. - Individual testing can be done with --file=JAR_FILE_NAME + Maven options + --scan-all-unmanaged + Auto detects maven jars, aars, and wars in given directory. In- + dividual testing can be done with --file=JAR_FILE_NAME - --reachable - (only in test and monitor commands) Analyze your source code to + --reachable + (only in test and monitor commands) Analyze your source code to find which vulnerable functions and packages are called. - --reachable-timeout=TIMEOUT - The amount of time (in seconds) to wait for Snyk to gather - reachability data. If it takes longer than TIMEOUT, Reachable - Vulnerabilities are not reported. This does not affect regular + --reachable-timeout=TIMEOUT + The amount of time (in seconds) to wait for Snyk to gather + reachability data. If it takes longer than TIMEOUT, Reachable + Vulnerabilities are not reported. This does not affect regular test or monitor output. Default: 300 (5 minutes). 
- Gradle options - More information about Gradle CLI options https://snyk.co/ucT6P + Gradle options + More information about Gradle CLI options https://snyk.co/ucT6P - O --sub-project=NAME, --gradle-sub-project=NAME: For Gradle "multi + O --sub-project=NAME, --gradle-sub-project=NAME: For Gradle "multi project" configurations, test a specific sub-project. - O --all-sub-projects: For "multi project" configurations, test all + O --all-sub-projects: For "multi project" configurations, test all sub-projects. - O --configuration-matching=CONFIGURATION_REGEX: Resolve dependencies - using only configuration(s) that match the provided Java regular - expression, e.g. ^releaseRuntimeClasspath$. + O --configuration-matching=CONFIGURATION_REGEX: Resolve dependencies + using only configuration(s) that match the provided Java regular + expression, e.g. ^releaseRuntimeClasspath$. - O --configuration-attributes=ATTRIBUTE[,ATTRIBUTE]...: Select certain - values of configuration attributes to resolve the dependencies. - E.g. buildtype:release,usage:java-runtime + O --configuration-attributes=ATTRIBUTE[,ATTRIBUTE]...: Select certain + values of configuration attributes to resolve the dependencies. + E.g. buildtype:release,usage:java-runtime - O --reachable: (only in test and monitor commands) Analyze your - source code to find which vulnerable functions and packages are + O --reachable: (only in test and monitor commands) Analyze your + source code to find which vulnerable functions and packages are called. - O --reachable-timeout=TIMEOUT: The amount of time (in seconds) to - wait for Snyk to gather reachability data. If it takes longer than - TIMEOUT, Reachable Vulnerabilities are not reported. This does not + O --reachable-timeout=TIMEOUT: The amount of time (in seconds) to + wait for Snyk to gather reachability data. If it takes longer than + TIMEOUT, Reachable Vulnerabilities are not reported. This does not affect regular test or monitor output. Default: 300 (5 minutes). 
- O --init-script=FILE For projects that contain a gradle initializa- + O --init-script=FILE For projects that contain a gradle initializa- tion script. - .Net & NuGet options - --assets-project-name - When monitoring a .NET project using NuGet PackageReference use + .Net & NuGet options + --assets-project-name + When monitoring a .NET project using NuGet PackageReference use the project name in project.assets.json, if found. - --packages-folder + --packages-folder Custom path to packages folder - --project-name-prefix=PREFIX_STRING - When monitoring a .NET project, use this flag to add a custom - prefix to the name of files inside a project along with any - desired separators, e.g. snyk monitor --file=my-project.sln - --project-name-prefix=my-group/. This is useful when you have + --project-name-prefix=PREFIX_STRING + When monitoring a .NET project, use this flag to add a custom + prefix to the name of files inside a project along with any de- + sired separators, e.g. snyk monitor --file=my-project.sln + --project-name-prefix=my-group/. This is useful when you have multiple projects with the same name in other sln files. - npm options - --strict-out-of-sync=true|false + npm options + --strict-out-of-sync=true|false Control testing out of sync lockfiles. Default: true - Yarn options - --strict-out-of-sync=true|false + Yarn options + --strict-out-of-sync=true|false Control testing out of sync lockfiles. Default: true - --yarn-workspaces - (only in test and monitor commands) Detect and scan yarn - workspaces. You can specify how many sub-directories to search - using --detection-depth and exclude directories and files using - --exclude. + --yarn-workspaces + (only in test and monitor commands) Detect and scan yarn + workspaces. You can specify how many sub-directories to search + using --detection-depth and exclude directories and files using + --exclude. 
- CocoaPods options - --strict-out-of-sync=true|false + CocoaPods options + --strict-out-of-sync=true|false Control testing out of sync lockfiles. Default: false - Python options - --command=COMMAND - Indicate which specific Python commands to use based on Python - version. The default is python which executes your systems - default python version. Run 'python -V' to find out what version - is it. If you are using multiple Python versions, use this - parameter to specify the correct Python command for execution. + Python options + --command=COMMAND + Indicate which specific Python commands to use based on Python + version. The default is python which executes your systems de- + fault python version. Run 'python -V' to find out what version + is it. If you are using multiple Python versions, use this pa- + rameter to specify the correct Python command for execution. - Default: python Example: --command=python3 + Default: python Example: --command=python3 - --skip-unresolved=true|false + --skip-unresolved=true|false Allow skipping packages that are not found in the environment. - Flags available accross all commands - --insecure + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. 
-EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN - Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + SNYK_TOKEN + Snyk authorization token. Setting this envvar will override the + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME - Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this - value. This will be ignored in favour of local Docker binary + SNYK_REGISTRY_USERNAME + Specify a username to use when connecting to a container reg- + istry. Note that using the --username flag will override this + value. This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD - Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this - value. 
This will be ignored in favour of local Docker binary + SNYK_REGISTRY_PASSWORD + Specify a password to use when connecting to a container reg- + istry. Note that using the --password flag will override this + value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API - Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. + SNYK_API + Sets API host to use for Snyk requests. Useful for on-premise + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. - The https in the HTTPS_PROXY means that requests using https - protocol will use this proxy. The proxy itself doesn't need to - use https. - -NOTICES - Snyk API usage policy - The use of Snyk's API, whether through the use of the 'snyk' npm pack- - age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. 
+ The https in the HTTPS_PROXY means that requests using https + protocol will use this proxy. The proxy itself doesn't need to + use https. + +NOTICES + Snyk API usage policy + The use of Snyk's API, whether through the use of the 'snyk' npm pack- + age or otherwise, is subject to the terms & conditions + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-wizard.txt b/help/commands-txt/snyk-wizard.txt index 520f530ac4..dd5f37b9dc 100644 --- a/help/commands-txt/snyk-wizard.txt +++ b/help/commands-txt/snyk-wizard.txt @@ -1,11 +1,11 @@ -NAME - snyk-wizard - Configure your policy file to update, auto patch and - ignore vulnerabilities +NAME + snyk-wizard - Configure your policy file to update, auto patch and ig- + nore vulnerabilities -SYNOPSIS - snyk wizard [OPTIONS] +SYNOPSIS + snyk wizard [OPTIONS] -DESCRIPTION +DESCRIPTION Snyk's wizard will: O Enumerate your local dependencies and query Snyk's servers for vul- 
@@ -13,92 +13,92 @@ O Guide you through fixing found vulnerabilities - O Create a .snyk policy file to guide snyk commands such as test and - protect + O Create a .snyk policy file to guide snyk commands such as test and + protect O Remember your dependencies to alert you when new vulnerabilities are disclosed -OPTIONS - Flags available accross all commands - --insecure +OPTIONS + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. -EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN + SNYK_TOKEN Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. 
SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME + SNYK_REGISTRY_USERNAME Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this + istry. Note that using the --username flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD + SNYK_REGISTRY_PASSWORD Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this + istry. Note that using the --password flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API + SNYK_API Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. - - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. + + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. 
- The https in the HTTPS_PROXY means that requests using https + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https protocol will use this proxy. The proxy itself doesn't need to - use https. + use https. -NOTICES - Snyk API usage policy +NOTICES + Snyk API usage policy The use of Snyk's API, whether through the use of the 'snyk' npm pack- age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk-woof.txt b/help/commands-txt/snyk-woof.txt index c201ca8b0b..7c484dc377 100644 --- a/help/commands-txt/snyk-woof.txt +++ b/help/commands-txt/snyk-woof.txt 
@@ -1,94 +1,94 @@ -NAME - snyk-woof - W00f +NAME + snyk-woof - W00f -SYNOPSIS - snyk woof [OPTIONS] +SYNOPSIS + snyk woof [OPTIONS] -DESCRIPTION +DESCRIPTION Easter egg that prints a Patch ascii art. -OPTIONS - --language=LANGUAGE - Woof in a specific language. LANGUAGE should be a ISO 639-1 +OPTIONS + --language=LANGUAGE + Woof in a specific language. LANGUAGE should be a ISO 639-1 code. - Flags available accross all commands - --insecure + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. -EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN + SNYK_TOKEN Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. 
SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME + SNYK_REGISTRY_USERNAME Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this + istry. Note that using the --username flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD + SNYK_REGISTRY_PASSWORD Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this + istry. Note that using the --password flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API + SNYK_API Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. - - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. + + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. 
- The https in the HTTPS_PROXY means that requests using https + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https protocol will use this proxy. The proxy itself doesn't need to - use https. + use https. -NOTICES - Snyk API usage policy +NOTICES + Snyk API usage policy The use of Snyk's API, whether through the use of the 'snyk' npm pack- age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + https://snyk.co/ucT6N diff --git a/help/commands-txt/snyk.txt b/help/commands-txt/snyk.txt index c48de441d0..24efa05f78 100644 --- a/help/commands-txt/snyk.txt +++ b/help/commands-txt/snyk.txt 
@@ -1,346 +1,346 @@ -NAME - snyk - CLI and build-time tool to find & fix known vulnerabilities in +NAME + snyk - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies -SYNOPSIS - snyk [COMMAND] [SUBCOMMAND] [OPTIONS] [PACKAGE] [-- COMPILER_OPTIONS] +SYNOPSIS + snyk [COMMAND] [SUBCOMMAND] [OPTIONS] [PACKAGE] [-- COMPILER_OPTIONS] -DESCRIPTION +DESCRIPTION Snyk helps you find, fix and monitor known vulnerabilities in open source dependencies. For more information see https://snyk.io - Not sure where to start? - 1. authenticate with $ snyk auth + Not sure where to start? + 1. authenticate with $ snyk auth - 2. test your local project with $ snyk test + 2. test your local project with $ snyk test - 3. get alerted for new vulnerabilities with $ snyk monitor + 3. get alerted for new vulnerabilities with $ snyk monitor -COMMANDS - To see command-specific flags and usage, see help command, e.g. snyk - container --help. Available top-level CLI commands: +COMMANDS + To see command-specific flags and usage, see help command, e.g. snyk + container --help. Available top-level CLI commands: - auth [API_TOKEN] + auth [API_TOKEN] Authenticate Snyk CLI with a Snyk account. - test Test local project for vulnerabilities. + test Test local project for vulnerabilities. - monitor + monitor Snapshot and continuously monitor your project. - container - Test container images for vulnerabilities. See snyk container - --help for full instructions. + container + Test container images for vulnerabilities. See snyk container + --help for full instructions. - iac Find security issues in your Infrastructure as Code files. See - snyk iac --help for full instructions. + iac Find security issues in your Infrastructure as Code files. See + snyk iac --help for full instructions. - code Find security issues using static code analysis. See snyk code - --help for full instructions. + code Find security issues using static code analysis. 
See snyk code + --help for full instructions. - config Manage Snyk CLI configuration. + config Manage Snyk CLI configuration. - protect + protect Applies the patches specified in your .snyk file to the local file system. - policy Display the .snyk policy for a package. + policy Display the .snyk policy for a package. - ignore Modifies the .snyk policy to ignore stated issues. + ignore Modifies the .snyk policy to ignore stated issues. - wizard Configure your policy file to update, auto patch and ignore vul- + wizard Configure your policy file to update, auto patch and ignore vul- nerabilities. Snyk wizard updates your .snyk file. -OPTIONS - To see command-specific flags and usage, see help command, e.g. snyk - container --help. For advanced usage, we offer language and context +OPTIONS + To see command-specific flags and usage, see help command, e.g. snyk + container --help. For advanced usage, we offer language and context specific flags, listed further down this document. - --all-projects - (only in test and monitor commands) Auto-detect all projects in + --all-projects + (only in test and monitor commands) Auto-detect all projects in working directory - --detection-depth=DEPTH - (only in test and monitor commands) Use with --all-projects or + --detection-depth=DEPTH + (only in test and monitor commands) Use with --all-projects or --yarn-workspaces to indicate how many sub-directories to - search. DEPTH must be a number. + search. DEPTH must be a number. Default: 4 (the current working directory and 3 sub-directories) - --exclude=DIRECTORY[,DIRECTORY]...> - (only in test and monitor commands) Can be used with + --exclude=DIRECTORY[,DIRECTORY]...> + (only in test and monitor commands) Can be used with --all-projects and --yarn-workspaces to indicate sub-directories and files to exclude. Must be comma separated. - If using with --detection-depth exclude ignores directories at + If using with --detection-depth exclude ignores directories at any level deep. 
- --prune-repeated-subdependencies, -p - (only in test and monitor commands) Prune dependency trees, - removing duplicate sub-dependencies. Will still find all vulner- - abilities, but potentially not all of the vulnerable paths. + --prune-repeated-subdependencies, -p + (only in test and monitor commands) Prune dependency trees, re- + moving duplicate sub-dependencies. Will still find all vulnera- + bilities, but potentially not all of the vulnerable paths. - --print-deps - (only in test and monitor commands) Print the dependency tree + --print-deps + (only in test and monitor commands) Print the dependency tree before sending it for analysis. - --remote-repo-url=URL + --remote-repo-url=URL Set or override the remote URL for the repository that you would like to monitor. - --dev Include development-only dependencies. Applicable only for some - package managers. E.g. devDependencies in npm or :development + --dev Include development-only dependencies. Applicable only for some + package managers. E.g. devDependencies in npm or :development dependencies in Gemfile. Default: scan only production dependencies - --org=ORG_NAME - Specify the ORG_NAME to run Snyk commands tied to a specific - organization. This will influence where will new projects be - created after running monitor command, some features availabil- - ity and private tests limits. If you have multiple organiza- - tions, you can set a default from the CLI using: + --org=ORG_NAME + Specify the ORG_NAME to run Snyk commands tied to a specific or- + ganization. This will influence where will new projects be cre- + ated after running monitor command, some features availability + and private tests limits. 
If you have multiple organizations, + you can set a default from the CLI using: - $ snyk config set org=ORG_NAME + $ snyk config set org=ORG_NAME - Setting a default will ensure all newly monitored projects will + Setting a default will ensure all newly monitored projects will be created under your default organization. If you need to over- - ride the default, you can use the --org=ORG_NAME argument. + ride the default, you can use the --org=ORG_NAME argument. - Default: uses ORG_NAME that sets as default in your Account set- - tings https://app.snyk.io/account + Default: uses ORG_NAME that sets as default in your Account set- + tings https://app.snyk.io/account - --file=FILE + --file=FILE Sets a package file. - When testing locally or monitoring a project, you can specify - the file that Snyk should inspect for package information. When - ommitted Snyk will try to detect the appropriate file for your + When testing locally or monitoring a project, you can specify + the file that Snyk should inspect for package information. When + ommitted Snyk will try to detect the appropriate file for your project. - --ignore-policy - Ignores all set policies. The current policy in .snyk file, Org + --ignore-policy + Ignores all set policies. The current policy in .snyk file, Org level ignores and the project policy on snyk.io. - --trust-policies + --trust-policies Applies and uses ignore rules from your dependencies' Snyk poli- - cies, otherwise ignore policies are only shown as a suggestion. + cies, otherwise ignore policies are only shown as a suggestion. - --show-vulnerable-paths=none|some|all + --show-vulnerable-paths=none|some|all Display the dependency paths from the top level dependencies, - down to the vulnerable packages. Doesn't affect output when - using JSON --json output. + down to the vulnerable packages. Doesn't affect output when us- + ing JSON --json output. - Default: some (a few example paths shown) false is an alias for - none. 
+ Default: some (a few example paths shown) false is an alias for + none. - --project-name=PROJECT_NAME + --project-name=PROJECT_NAME Specify a custom Snyk project name. - --target-reference=TARGET_REFERENCE + --target-reference=TARGET_REFERENCE A reference to separate this project from other scans of the same project. For example, a branch name or version. Projects using the same reference can be used for grouping. More informa- - tion https://snyk.info/3B0vTPs. + tion https://snyk.info/3B0vTPs. - --project-environment=ENVIRONMENT[,ENVIRONMENT]...> - (only in monitor command) Set the project environment to one or + --project-environment=ENVIRONMENT[,ENVIRONMENT]...> + (only in monitor command) Set the project environment to one or more values (comma-separated). Allowed values: frontend, back- end, internal, external, mobile, saas, onprem, hosted, distrib- uted - --project-lifecycle=LIFECYCLE[,LIFECYCLE]...> - (only in monitor command) Set the project lifecycle to one or - more values (comma-separated). Allowed values: production, - development, sandbox + --project-lifecycle=LIFECYCLE[,LIFECYCLE]...> + (only in monitor command) Set the project lifecycle to one or + more values (comma-separated). Allowed values: production, de- + velopment, sandbox - --project-business-criticality=BUSINESS_CRITICALITY[,BUSINESS_CRITICAL- - ITY]...> - (only in monitor command) Set the project business criticality - to one or more values (comma-separated). Allowed values: criti- + --project-business-criticality=BUSINESS_CRITICALITY[,BUSINESS_CRITICAL- + ITY]...> + (only in monitor command) Set the project business criticality + to one or more values (comma-separated). Allowed values: criti- cal, high, medium, low - --project-tags=TAG[,TAG]...> - (only in monitor command) Set the project tags to one or more - values (comma-separated key value pairs with an "=" separator). 
+ --project-tags=TAG[,TAG]...> + (only in monitor command) Set the project tags to one or more + values (comma-separated key value pairs with an "=" separator). e.g. --project-tags=department=finance,team=alpha - --policy-path=PATH_TO_POLICY_FILE` + --policy-path=PATH_TO_POLICY_FILE` Manually pass a path to a snyk policy file. - --json Prints results in JSON format. + --json Prints results in JSON format. - --json-file-output=OUTPUT_FILE_PATH - (only in test command) Save test output in JSON format directly - to the specified file, regardless of whether or not you use the - --json option. This is especially useful if you want to display - the human-readable test output via stdout and at the same time + --json-file-output=OUTPUT_FILE_PATH + (only in test command) Save test output in JSON format directly + to the specified file, regardless of whether or not you use the + --json option. This is especially useful if you want to display + the human-readable test output via stdout and at the same time save the JSON format output to a file. - --sarif + --sarif Return results in SARIF format. - --sarif-file-output=OUTPUT_FILE_PATH - (only in test command) Save test output in SARIF format directly - to the OUTPUT_FILE_PATH file, regardless of whether or not you - use the --sarif option. This is especially useful if you want to - display the human-readable test output via stdout and at the + --sarif-file-output=OUTPUT_FILE_PATH + (only in test command) Save test output in SARIF format directly + to the OUTPUT_FILE_PATH file, regardless of whether or not you + use the --sarif option. This is especially useful if you want to + display the human-readable test output via stdout and at the same time save the SARIF format output to a file. - --severity-threshold=low|medium|high|critical + --severity-threshold=low|medium|high|critical Only report vulnerabilities of provided level or higher. 
- --fail-on=all|upgradable|patchable + --fail-on=all|upgradable|patchable Only fail when there are vulnerabilities that can be fixed. - all fails when there is at least one vulnerability that can be - either upgraded or patched. upgradable fails when there is at - least one vulnerability that can be upgraded. patchable fails + all fails when there is at least one vulnerability that can be + either upgraded or patched. upgradable fails when there is at + least one vulnerability that can be upgraded. patchable fails when there is at least one vulnerability that can be patched. - If vulnerabilities do not have a fix and this option is being + If vulnerabilities do not have a fix and this option is being used, tests will pass. - --dry-run - (only in protect command) Don't apply updates or patches during - protect command run. + --dry-run + (only in protect command) Don't apply updates or patches during + protect command run. - -- [COMPILER_OPTIONS] - Pass extra arguments directly to Gradle or Maven. E.g. snyk test - -- --build-cache + -- [COMPILER_OPTIONS] + Pass extra arguments directly to Gradle or Maven. E.g. snyk test + -- --build-cache Below are flags that are influencing CLI behavior for specific projects, languages and contexts: - Maven options - --scan-all-unmanaged - Auto detects maven jars, aars, and wars in given directory. - Individual testing can be done with --file=JAR_FILE_NAME + Maven options + --scan-all-unmanaged + Auto detects maven jars, aars, and wars in given directory. In- + dividual testing can be done with --file=JAR_FILE_NAME - --reachable - (only in test and monitor commands) Analyze your source code to + --reachable + (only in test and monitor commands) Analyze your source code to find which vulnerable functions and packages are called. - --reachable-timeout=TIMEOUT - The amount of time (in seconds) to wait for Snyk to gather - reachability data. If it takes longer than TIMEOUT, Reachable - Vulnerabilities are not reported. 
This does not affect regular + --reachable-timeout=TIMEOUT + The amount of time (in seconds) to wait for Snyk to gather + reachability data. If it takes longer than TIMEOUT, Reachable + Vulnerabilities are not reported. This does not affect regular test or monitor output. Default: 300 (5 minutes). - Gradle options - More information about Gradle CLI options https://snyk.co/ucT6P + Gradle options + More information about Gradle CLI options https://snyk.co/ucT6P - O --sub-project=NAME, --gradle-sub-project=NAME: For Gradle "multi + O --sub-project=NAME, --gradle-sub-project=NAME: For Gradle "multi project" configurations, test a specific sub-project. - O --all-sub-projects: For "multi project" configurations, test all + O --all-sub-projects: For "multi project" configurations, test all sub-projects. - O --configuration-matching=CONFIGURATION_REGEX: Resolve dependencies - using only configuration(s) that match the provided Java regular - expression, e.g. ^releaseRuntimeClasspath$. + O --configuration-matching=CONFIGURATION_REGEX: Resolve dependencies + using only configuration(s) that match the provided Java regular + expression, e.g. ^releaseRuntimeClasspath$. - O --configuration-attributes=ATTRIBUTE[,ATTRIBUTE]...: Select certain - values of configuration attributes to resolve the dependencies. - E.g. buildtype:release,usage:java-runtime + O --configuration-attributes=ATTRIBUTE[,ATTRIBUTE]...: Select certain + values of configuration attributes to resolve the dependencies. + E.g. buildtype:release,usage:java-runtime - O --reachable: (only in test and monitor commands) Analyze your - source code to find which vulnerable functions and packages are + O --reachable: (only in test and monitor commands) Analyze your + source code to find which vulnerable functions and packages are called. - O --reachable-timeout=TIMEOUT: The amount of time (in seconds) to - wait for Snyk to gather reachability data. 
If it takes longer than - TIMEOUT, Reachable Vulnerabilities are not reported. This does not + O --reachable-timeout=TIMEOUT: The amount of time (in seconds) to + wait for Snyk to gather reachability data. If it takes longer than + TIMEOUT, Reachable Vulnerabilities are not reported. This does not affect regular test or monitor output. Default: 300 (5 minutes). - O --init-script=FILE For projects that contain a gradle initializa- + O --init-script=FILE For projects that contain a gradle initializa- tion script. - .Net & NuGet options - --assets-project-name - When monitoring a .NET project using NuGet PackageReference use + .Net & NuGet options + --assets-project-name + When monitoring a .NET project using NuGet PackageReference use the project name in project.assets.json, if found. - --packages-folder + --packages-folder Custom path to packages folder - --project-name-prefix=PREFIX_STRING - When monitoring a .NET project, use this flag to add a custom - prefix to the name of files inside a project along with any - desired separators, e.g. snyk monitor --file=my-project.sln - --project-name-prefix=my-group/. This is useful when you have + --project-name-prefix=PREFIX_STRING + When monitoring a .NET project, use this flag to add a custom + prefix to the name of files inside a project along with any de- + sired separators, e.g. snyk monitor --file=my-project.sln + --project-name-prefix=my-group/. This is useful when you have multiple projects with the same name in other sln files. - npm options - --strict-out-of-sync=true|false + npm options + --strict-out-of-sync=true|false Control testing out of sync lockfiles. Default: true - Yarn options - --strict-out-of-sync=true|false + Yarn options + --strict-out-of-sync=true|false Control testing out of sync lockfiles. Default: true - --yarn-workspaces - (only in test and monitor commands) Detect and scan yarn - workspaces. 
You can specify how many sub-directories to search - using --detection-depth and exclude directories and files using - --exclude. + --yarn-workspaces + (only in test and monitor commands) Detect and scan yarn + workspaces. You can specify how many sub-directories to search + using --detection-depth and exclude directories and files using + --exclude. - CocoaPods options - --strict-out-of-sync=true|false + CocoaPods options + --strict-out-of-sync=true|false Control testing out of sync lockfiles. Default: false - Python options - --command=COMMAND - Indicate which specific Python commands to use based on Python - version. The default is python which executes your systems - default python version. Run 'python -V' to find out what version - is it. If you are using multiple Python versions, use this - parameter to specify the correct Python command for execution. + Python options + --command=COMMAND + Indicate which specific Python commands to use based on Python + version. The default is python which executes your systems de- + fault python version. Run 'python -V' to find out what version + is it. If you are using multiple Python versions, use this pa- + rameter to specify the correct Python command for execution. - Default: python Example: --command=python3 + Default: python Example: --command=python3 - --skip-unresolved=true|false + --skip-unresolved=true|false Allow skipping packages that are not found in the environment. - Flags available accross all commands - --insecure + Flags available accross all commands + --insecure Ignore unknown certificate authorities. - -d Output debug logs. + -d Output debug logs. - --quiet, -q + --quiet, -q Silence all output. - --version, -v + --version, -v Prints versions. - [COMMAND] --help, --help [COMMAND], -h - Prints a help text. You may specify a COMMAND to get more - details. + [COMMAND] --help, --help [COMMAND], -h + Prints a help text. You may specify a COMMAND to get more de- + tails. 
-EXAMPLES - Authenticate in your CI without user interaction +EXAMPLES + Authenticate in your CI without user interaction $ snyk auth MY_API_TOKEN - Test a project in current folder for known vulnerabilities + Test a project in current folder for known vulnerabilities $ snyk test - Test a specific dependency for vulnerabilities + Test a specific dependency for vulnerabilities $ snyk test ionic@1.6.5 More examples: @@ -352,8 +352,8 @@ - Container scanning - See snyk container --help for more details and examples: + Container scanning + See snyk container --help for more details and examples: $ snyk container test ubuntu:18.04 --org=my-team @@ -361,8 +361,8 @@ - Infrastructure as Code (IAC) scanning - See snyk iac --help for more details and examples: + Infrastructure as Code (IAC) scanning + See snyk iac --help for more details and examples: $ snyk iac test /path/to/cloudformation_file.yaml 
@@ -373,75 +373,89 @@ - Static code analysis (SAST) scanning - See snyk code --help for more details and examples: + To use your own custom rules to scan IaC configuration files, download + the snyk-iac-rules SDK from https://github.com/snyk/snyk-iac-rules. + Follow the instructions there to write, build, and push a custom rules + bundle and then either use the Snyk UI to configure your custom rules + settings or configure a remote OCI registry locally by running the fol- + lowing commands: + + + $ snyk config set oci-registry-url=https://registry-1.docker.io/username/repo:tag + $ snyk config set oci-registry-username=username + $ snyk config set oci-registry-password=password + + + + Static code analysis (SAST) scanning + See snyk code --help for more details and examples: $ snyk code test /path/to/project -EXIT CODES +EXIT CODES Possible exit codes and their meaning: - 0: success, no vulns found - 1: action_needed, vulns found - 2: failure, try to re-run command - 3: failure, no supported projects detected + 0: success, no vulns found + 1: action_needed, vulns found + 2: failure, try to re-run command + 3: failure, no supported projects detected -ENVIRONMENT +ENVIRONMENT You can set these environment variables to change CLI run settings. - SNYK_TOKEN + SNYK_TOKEN Snyk authorization token. Setting this envvar will override the - token that may be available in your snyk config settings. + token that may be available in your snyk config settings. - How to get your account token https://snyk.co/ucT6J - How to use Service Accounts https://snyk.co/ucT6L + How to get your account token https://snyk.co/ucT6J + How to use Service Accounts https://snyk.co/ucT6L - SNYK_CFG_KEY - Allows you to override any key that's also available as snyk - config option. + SNYK_CFG_KEY + Allows you to override any key that's also available as snyk + config option. - E.g. SNYK_CFG_ORG=myorg will override default org option in con- - fig with "myorg". + E.g. 
SNYK_CFG_ORG=myorg will override default org option in con- + fig with "myorg". - SNYK_REGISTRY_USERNAME + SNYK_REGISTRY_USERNAME Specify a username to use when connecting to a container reg- - istry. Note that using the --username flag will override this + istry. Note that using the --username flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. - SNYK_REGISTRY_PASSWORD + SNYK_REGISTRY_PASSWORD Specify a password to use when connecting to a container reg- - istry. Note that using the --password flag will override this + istry. Note that using the --password flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. -Connecting to Snyk API - By default Snyk CLI will connect to https://snyk.io/api/v1. +Connecting to Snyk API + By default Snyk CLI will connect to https://snyk.io/api/v1. - SNYK_API + SNYK_API Sets API host to use for Snyk requests. Useful for on-premise - instances and configuring proxies. If set with http protocol CLI - will upgrade the requests to https. Unless SNYK_HTTP_PROTO- - COL_UPGRADE is set to 0. - - SNYK_HTTP_PROTOCOL_UPGRADE=0 - If set to the value of 0, API requests aimed at http URLs will - not be upgraded to https. If not set, the default behavior will - be to upgrade these requests from http to https. Useful e.g., + instances and configuring proxies. If set with http protocol CLI + will upgrade the requests to https. Unless SNYK_HTTP_PROTO- + COL_UPGRADE is set to 0. + + SNYK_HTTP_PROTOCOL_UPGRADE=0 + If set to the value of 0, API requests aimed at http URLs will + not be upgraded to https. If not set, the default behavior will + be to upgrade these requests from http to https. Useful e.g., for reverse proxies. - HTTPS_PROXY and HTTP_PROXY - Allows you to specify a proxy to use for https and http calls. 
- The https in the HTTPS_PROXY means that requests using https + HTTPS_PROXY and HTTP_PROXY + Allows you to specify a proxy to use for https and http calls. + The https in the HTTPS_PROXY means that requests using https protocol will use this proxy. The proxy itself doesn't need to - use https. + use https. -NOTICES - Snyk API usage policy +NOTICES + Snyk API usage policy The use of Snyk's API, whether through the use of the 'snyk' npm pack- age or otherwise, is subject to the terms & conditions - https://snyk.co/ucT6N + https://snyk.co/ucT6N
diff --git a/src/cli/commands/test/iac-local-execution/index.ts b/src/cli/commands/test/iac-local-execution/index.ts
index 47755a33c9..73d3dab968 100644
--- a/src/cli/commands/test/iac-local-execution/index.ts
+++ b/src/cli/commands/test/iac-local-execution/index.ts
@@ -28,6 +28,7 @@ import {
 } from './measurable-methods';
 import { isFeatureFlagSupportedForOrg } from '../../../../lib/feature-flags';
 import { FlagError } from './assert-iac-options-flag';
+import { config as userConfig } from '../../../../lib/user-config';
 import config from '../../../../lib/config';
 import { findAndLoadPolicy } from '../../../../lib/policy';
 import { CustomError } from '../../../../lib/errors';
@@ -53,7 +54,7 @@ export async function test(
 const OCIRegistryURL =
 (iacOrgSettings.customRules?.isEnabled &&
 iacOrgSettings.customRules?.ociRegistryURL) ||
- process.env.OCI_REGISTRY_URL;
+ userConfig.get('oci-registry-url');
 
 if (OCIRegistryURL && customRulesPath) {
 throw new FailedToExecuteCustomRulesError();
@@ -65,8 +66,8 @@ export async function test(
 }
 
 const URLComponents = extractURLComponents(OCIRegistryURL);
- const username = process.env.OCI_REGISTRY_USERNAME;
- const password = process.env.OCI_REGISTRY_PASSWORD;
+ const username = userConfig.get('oci-registry-username');
+ const password = userConfig.get('oci-registry-password');
 
 const opt = {
 username,
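Review bot: `userConfig.get('oci-registry-password')` now takes the registry password from the persisted CLI configuration, so the `snyk config set oci-registry-password=…` workflow shown in the updated help text leaves a registry credential in the config store — presumably in plaintext, like the other keys it holds — and neither this code nor the docs say so; I would add above the two credential reads `// Read from the persisted CLI config (snyk config set oci-registry-*); a SNYK_CFG_OCI_REGISTRY_* env var overrides it per run and avoids writing the password to disk, which is preferable in CI.` The `SNYK_CFG_*` override is what the acceptance tests in this commit rely on, so documenting it next to the `snyk config set` example would steer CI users away from persisting the secret. Separately, the `FailedToExecuteCustomRulesError` thrown when `OCIRegistryURL` and `customRulesPath` are both set now fires for a locally configured `oci-registry-url` as well as for the org-level setting, so its message should mention the local config key alongside the Snyk UI. `test` begins before this hunk and continues after it.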
diff --git a/test/jest/acceptance/iac/custom-rules.spec.ts b/test/jest/acceptance/iac/custom-rules.spec.ts
index 73e5a46479..1d1e29e61d 100644
--- a/test/jest/acceptance/iac/custom-rules.spec.ts
+++ b/test/jest/acceptance/iac/custom-rules.spec.ts
@@ -92,22 +92,22 @@ describe('custom rules pull from a remote OCI registry', () => {
 test.each(cases)(
 'given %p as a registry and correct credentials, it returns a success exit code',
 async (
- OCI_REGISTRY_NAME,
- OCI_REGISTRY_URL,
- OCI_REGISTRY_USERNAME,
- OCI_REGISTRY_PASSWORD,
+ SNYK_CFG_OCI_REGISTRY_NAME,
+ SNYK_CFG_OCI_REGISTRY_URL,
+ SNYK_CFG_OCI_REGISTRY_USERNAME,
+ SNYK_CFG_OCI_REGISTRY_PASSWORD,
 ) => {
 const { stdout, exitCode } = await run(
 `snyk iac test ./iac/terraform/sg_open_ssh.tf`,
 {
- OCI_REGISTRY_URL: OCI_REGISTRY_URL as string,
- OCI_REGISTRY_USERNAME: OCI_REGISTRY_USERNAME as string,
- OCI_REGISTRY_PASSWORD: OCI_REGISTRY_PASSWORD as string,
+ SNYK_CFG_OCI_REGISTRY_URL: SNYK_CFG_OCI_REGISTRY_URL as string,
+ SNYK_CFG_OCI_REGISTRY_USERNAME: SNYK_CFG_OCI_REGISTRY_USERNAME as string,
+ SNYK_CFG_OCI_REGISTRY_PASSWORD: SNYK_CFG_OCI_REGISTRY_PASSWORD as string,
 },
 );
 
- expect(OCI_REGISTRY_URL).toBeDefined();
- expect(OCI_REGISTRY_USERNAME).toBeDefined();
- expect(OCI_REGISTRY_PASSWORD).toBeDefined();
+ expect(SNYK_CFG_OCI_REGISTRY_URL).toBeDefined();
+ expect(SNYK_CFG_OCI_REGISTRY_USERNAME).toBeDefined();
+ expect(SNYK_CFG_OCI_REGISTRY_PASSWORD).toBeDefined();
 expect(exitCode).toBe(1);
 expect(stdout).toContain('Testing ./iac/terraform/sg_open_ssh.tf');
@@ -124,7 +124,7 @@ describe('custom rules pull from a remote OCI registry', () => {
 const { stdout, exitCode } = await run(
 `snyk iac test ./iac/terraform/sg_open_ssh.tf`,
 {
- OCI_REGISTRY_URL:
+ SNYK_CFG_OCI_REGISTRY_URL:
 'https://registry-1.docker.io/fake-repo-test/bundle:latest',
 },
 );
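Review bot: The first tuple element, renamed `SNYK_CFG_OCI_REGISTRY_NAME`, is only interpolated into the test title through `%p` and is never passed to `run`, and the index.ts hunk in this commit reads only the url, username and password keys, so the `SNYK_CFG_` prefix implies a config key that does not exist; `registryName` would say what it actually is. These cases also exercise only the `SNYK_CFG_*` environment override, not values persisted through `snyk config set oci-registry-*`, which is the path the accompanying help text tells users to follow, so a case that runs `snyk config set oci-registry-url=…` (and unsets the keys in an `afterEach`) would cover the new `userConfig.get` path directly. The three `toBeDefined()` checks verify the fixture rather than the CLI and could collapse into a single guard before the `run` call. The enclosing `describe` starts before this hunk.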
@@ -139,7 +139,7 @@ describe('custom rules pull from a remote OCI registry', () => {
 const { stdout, exitCode } = await run(
 `snyk iac test ./iac/terraform/sg_open_ssh.tf --rules=bundle.tar.gz`,
 {
- OCI_REGISTRY_URL:
+ SNYK_CFG_OCI_REGISTRY_URL:
 'https://registry-1.docker.io/fake-test-repo/bundle:latest',
 },
 );