
Performing SCA Dependency Scanning with Snyk


When to Use


  • When applications use open-source packages that may contain known vulnerabilities
  • When compliance requires tracking and remediating vulnerable dependencies (PCI DSS, SOC 2)
  • When needing automated fix PRs for vulnerable dependencies in CI/CD
  • When license compliance requires visibility into open-source license obligations
  • When continuous monitoring is needed for newly disclosed vulnerabilities in deployed dependencies
Do not use for scanning proprietary application code for logic vulnerabilities (use SAST), for runtime vulnerability detection (use DAST), or for container OS package scanning alone (use Trivy for a free alternative).

Prerequisites


  • Snyk account (free tier covers up to 200 tests per month for open source)
  • Snyk CLI installed or Snyk GitHub/GitLab integration configured
  • SNYK_TOKEN environment variable set with API authentication token
  • Project with supported package manifests: package.json, requirements.txt, pom.xml, go.mod, Gemfile, etc.

Workflow


Step 1: Install and Authenticate Snyk CLI


```bash
# Install Snyk CLI
npm install -g snyk

# Authenticate with Snyk
snyk auth $SNYK_TOKEN

# Test the connection
snyk test --json | jq '.summary'
```

Step 2: Scan Dependencies in CI/CD Pipeline


```yaml
# .github/workflows/dependency-scan.yml
name: Dependency Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 8 * * 1'   # Weekly Monday 8am

jobs:
  snyk-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install dependencies
        run: npm ci

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: >
            --severity-threshold=high
            --fail-on=upgradable
            --json-file-output=snyk-results.json

      - name: Upload results to Snyk
        if: always()
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
          args: --project-name=${{ github.repository }}

      # Renders the JSON results as an HTML report (the step does not emit SARIF)
      - name: Generate HTML report
        if: always()
        run: |
          npx snyk-to-html -i snyk-results.json -o snyk-report.html
```

Step 3: Configure Snyk for Multiple Languages


```bash
# Python project scanning
snyk test --file=requirements.txt --severity-threshold=high --json > snyk-python.json

# Java/Maven project
snyk test --file=pom.xml --severity-threshold=medium --json > snyk-java.json

# Go module scanning
snyk test --file=go.mod --severity-threshold=high --json > snyk-go.json

# Docker image dependency scanning
snyk container test myapp:latest --severity-threshold=high --json > snyk-container.json

# Monorepo: scan all projects
snyk test --all-projects --severity-threshold=high --json > snyk-all.json

# IaC scanning (bonus)
snyk iac test terraform/ --severity-threshold=medium --json > snyk-iac.json
```

Step 4: Configure Snyk Policies for Organization


```yaml
# .snyk policy file
version: v1.25.0
ignore:
  SNYK-JS-LODASH-1018905:
    - '*':
        reason: "Prototype pollution in lodash. Not exploitable in our usage - no user input reaches affected function."
        expires: 2026-06-01T00:00:00.000Z
        created: 2026-02-23T00:00:00.000Z
  SNYK-PYTHON-REQUESTS-6241864:
    - '*':
        reason: "SSRF in requests redirect handling. Mitigated by allowlist at proxy layer."
        expires: 2026-04-01T00:00:00.000Z
patch: {}

# Severity threshold for CI failures
failOnSeverity: high
```

Step 5: Enable Automated Fix Pull Requests


```bash
# Snyk fix: generate fix PRs for vulnerable dependencies
snyk fix --dry-run   # Preview changes

# Apply fixes locally
snyk fix

# Enable auto-fix PRs via Snyk dashboard:
# 1. Navigate to Organization Settings > Integrations > GitHub
# 2. Enable "Automatic fix pull requests"
# 3. Set "Fix only direct dependencies" or "Fix direct and transitive"
# 4. Configure branch target (main or develop)
```

Step 6: License Compliance Scanning


```bash
# Check license compliance
snyk test --json | jq '.licensesPolicy'

# Snyk license policy configuration via organization settings:
# - Approved licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
# - Restricted licenses: GPL-3.0, AGPL-3.0 (copyleft risk)
# - Unknown licenses: Flag for manual review
```

Key Concepts


| Term | Definition |
| --- | --- |
| SCA | Software Composition Analysis: identifies vulnerabilities and license risks in open-source dependencies |
| Transitive Dependency | A dependency of a direct dependency, often invisible to developers but still a vulnerability vector |
| Fix PR | Automated pull request generated by Snyk that upgrades a vulnerable dependency to a patched version |
| Snyk Monitor | Continuous monitoring mode that watches deployed projects for newly disclosed vulnerabilities |
| Exploit Maturity | Snyk's assessment of whether a vulnerability has known exploits, a proof of concept, or no known exploit |
| Reachable Vulnerability | A vulnerability in a function that is actually called by the application code, not just present in the dependency |
| License Policy | Organization-level rules defining which open-source licenses are approved, restricted, or require review |

Tools & Systems


  • Snyk Open Source: SCA tool for scanning dependencies across 10+ language ecosystems
  • Snyk CLI: Command-line interface for local and CI/CD scanning of dependencies
  • Snyk Advisor: Package health scoring tool evaluating maintenance, popularity, and security signals
  • OWASP Dependency-Check: Free alternative SCA tool using NVD data for vulnerability matching
  • npm audit / pip-audit: Language-specific built-in audit tools for basic vulnerability checking

Common Scenarios


Scenario: Triaging a Critical Transitive Dependency Vulnerability


Context: Snyk reports a critical RCE vulnerability in a transitive dependency (log4j in a Java application). The direct dependency has not released a patch.
Approach:
  1. Use `snyk test --json` and examine the dependency path to identify which direct dependency pulls in the vulnerable transitive
  2. Check exploit maturity: if "Mature" or "Proof of Concept", prioritize immediately
  3. If no direct fix exists, use Snyk's patch mechanism or override the transitive version in the build config
  4. For Maven: add a `<dependencyManagement>` section to force the safe version of the transitive dependency
  5. For npm: add an `overrides` section in package.json to pin the safe version
  6. Add a Snyk ignore with expiration date if no patch is available yet
  7. Monitor the direct dependency for a release that updates the transitive
Pitfalls: Ignoring transitive vulnerabilities because "we don't use that function directly" is risky. Attackers can chain vulnerabilities across dependency boundaries. Version overrides can break API compatibility between the direct and transitive dependency.
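The triage in steps 1 and 2 above, and the `--severity-threshold` / `--fail-on=upgradable` gate from the CI workflow in Step 2, can be automated over the JSON that `snyk test --json` writes. The script below is an added example, not Snyk's own tooling; the field names it reads (`id`, `severity`, `exploit`, `from`, `isUpgradable`) are assumed to follow Snyk's test JSON schema and the sample input is constructed to mirror the report in the Output Format section.

```python
import json

# Assumed field names (id, severity, exploit, from, isUpgradable) follow the
# snyk test --json schema; confirm against your own snyk-results.json before relying on them.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
URGENT_EXPLOIT = {"Mature", "Proof of Concept"}

# Constructed sample shaped like snyk-results.json, mirroring the report in Output Format.
SAMPLE_JSON = json.dumps({"vulnerabilities": [
    {"id": "SNYK-JS-EXPRESS-1234567", "severity": "critical", "exploit": "Mature",
     "isUpgradable": True,
     "from": ["web-application@1.0.0", "express@4.17.1"]},
    {"id": "SNYK-JS-JSONWEBTOKEN-5678901", "severity": "high", "exploit": "Proof of Concept",
     "isUpgradable": True,
     "from": ["web-application@1.0.0", "passport@0.6.0", "jsonwebtoken@8.5.1"]},
    {"id": "SNYK-JS-SOMEPKG-0000001", "severity": "medium", "exploit": "No Known Exploit",
     "isUpgradable": False,
     "from": ["web-application@1.0.0", "other-pkg@2.0.0", "some-package@1.2.3"]},
]})


def triage(snyk_json: str, threshold: str = "high"):
    """Return (gate_failed, findings) for issues at or above `threshold`.

    `from` is the dependency path from the project root (element 0) to the vulnerable
    package, so element 1 is the direct dependency to override or pin (scenario step 1).
    Exploit maturity of Mature / Proof of Concept marks a finding urgent (scenario step 2).
    """
    findings = []
    for v in json.loads(snyk_json).get("vulnerabilities", []):
        if SEVERITY_RANK[v["severity"]] < SEVERITY_RANK[threshold]:
            continue  # below --severity-threshold, out of scope for the gate
        path = v["from"]
        findings.append({
            "id": v["id"],
            "severity": v["severity"],
            "direct_dep": path[1] if len(path) > 1 else path[0],
            "transitive": len(path) > 2,
            "urgent": v.get("exploit") in URGENT_EXPLOIT,
            "upgradable": bool(v.get("isUpgradable")),
        })
    # Same rule as --fail-on=upgradable: fail only when an in-scope issue has an upgrade fix.
    return any(f["upgradable"] for f in findings), findings


if __name__ == "__main__":
    failed, found = triage(SAMPLE_JSON)
    for f in sorted(found, key=lambda f: (not f["urgent"], -SEVERITY_RANK[f["severity"]])):
        print(f"{f['severity']:8} {f['id']} via {f['direct_dep']} transitive={f['transitive']} "
              f"urgent={f['urgent']} upgradable={f['upgradable']}")
    print("QUALITY GATE:", "FAILED" if failed else "PASSED")
```

Point `triage()` at the contents of `snyk-results.json` from the workflow to reproduce the gate decision locally before the pipeline runs.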

Output Format


```text
Snyk Dependency Scan Report
=============================
Project: org/web-application
Manifest: package.json
Dependencies: 342 (47 direct, 295 transitive)
Scan Date: 2026-02-23

VULNERABILITY SUMMARY:
  Critical: 1  (1 fixable)
  High: 4      (3 fixable)
  Medium: 12   (8 fixable)
  Low: 23      (15 fixable)

CRITICAL:
  SNYK-JS-EXPRESS-1234567
    Package: express@4.17.1 (direct)
    Severity: Critical (CVSS 9.8)
    Exploit: Mature
    Fix: Upgrade to express@4.21.0
    Path: express@4.17.1

HIGH:
  SNYK-JS-JSONWEBTOKEN-5678901
    Package: jsonwebtoken@8.5.1 (transitive)
    Severity: High (CVSS 7.6)
    Exploit: Proof of Concept
    Fix: Upgrade passport@0.7.0 (which upgrades jsonwebtoken)
    Path: passport@0.6.0 > jsonwebtoken@8.5.1

LICENSE ISSUES:
  [RESTRICTED] GPL-3.0: some-package@1.2.3 (transitive via other-pkg)

QUALITY GATE: FAILED (1 Critical with fix available)
```