Questions tagged [snyk]

Snyk is a service that analyzes your code to help find and fix security vulnerabilities in your applications, containers, infrastructure-as-code, and cloud environments.

Useful Resources

Chat

If you're interested in DevSecOps and want to discuss security (or Snyk-focused) topics in more depth, please head to the DevSecOps Community Discord.

79 questions
2 votes, 1 answer

What is the breaking change criteria with Snyk

What are the criteria for choosing which upgrade involves a breaking change at Snyk when it comes to the Fix pull/merge request? For example, Pillow v8.1.2 to v9.2.0: I tried to upgrade the pillow version, which involves a major upgrade and therefore…
2 votes, 1 answer

How do we ignore folders in Snyk

How can I ignore/exclude folders or directories when scanning a project at Snyk, whether in CLI or in SCM scan? It seems that an import of a Snyk Code or Snyk Open Source project doesn't behave in the same way. Using the .snyk file, use the --exclude…
Jonathan Gruber
2 votes, 1 answer

How to ignore a vulnerability for a specific file

The following Snyk vulnerability is being reported when I run % snyk code test Testing /mydir ... ✗ [High] Cross-Site Request Forgery (CSRF) Path: src/com/xxx/ConfigSecurity.java, line 22 Info: CSRF protection is disabled by disable.…
2 votes, 1 answer

How to do Snyk code test in Jenkins pipeline?

I am helping our DevOps team integrate Snyk into the Jenkins pipelines for SAST. By default, it seems like this Snyk plugin is doing snyk test (which does open-source dependency scans) and appends the additional arguments provided with it. I…
iamahecker
2 votes, 1 answer

Snyk False Positives for XSS in PHP

We've recently started using Snyk to perform code analysis; however, we have hit the stumbling block that the first scan is reporting many (>700) XSS vulnerabilities despite having code in place to sanitise and handle this. It looks like Snyk is unable…
IQJWSB0DLT
2 votes, 2 answers

Is it possible to enforce usage of specific library version through the whole project?

I'm trying to fix some vulnerabilities in my program found by Snyk tool, but some of them are coming from libraries I'm using (like Apache's Pulsar). For example, Pulsar is using version 2.8.6 of gson, which is vulnerable according to Snyk, and the…
2 votes, 1 answer

Snyk How to set reviewers on automatic pull requests (Bitbucket Cloud)

I'm using the Snyk Bitbucket Cloud integration. Is there a way to add a group of reviewers on automatic pull requests (Bitbucket Cloud)? At this moment, the pull requests are created without reviewers. Thanks!!!
satellite satellite
2 votes, 0 answers

Add Snyk Action to CodePipeline with CloudFormation

I wanted to spin up a CodePipeline on AWS with a Snyk Scan action through CloudFormation. The official documentation on how to do this is a little light on details and seems to be missing key bits of information, so I was hoping someone could shed…
2 votes, 1 answer

Adding snyk as a post-install step?

The snyk wizard documentation recommends adding snyk protect to your project as a post-install step. How exactly do you do that? I referred to the entire package.json documentation here and couldn't find any reference to a post-install keyword.
TheLearner
1 vote, 1 answer

npm - a package's 6th level dependency is shown to be using outdated version by snyk

In my node.js project, I have a dependency on packageA. Since this package is archived now, I had to override one of its dependencies (not sure if this is relevant). My package.json looks like this: ... "dependencies": { "packageA": "1.4.39" …
John Reese
1 vote, 0 answers

How to address CWE-502 for Swift's Codable

Snyk.io has alerted me to a CWE-502 issue with a Swift class that implements Codable. Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be…
Scott McKenzie
1 vote, 1 answer

'snyk-scm-contributors-count' is not recognized as an internal or external command, operable program or batch file

I have the Snyk CLI installed on my local machine and yet snyk-scm-contributors-count is not found. I haven't found the correct documentation for it. Trying to see if anyone else is having similar issues.
1 vote, 0 answers

curl vulnerabilities reported against a container image that runs a dotnetcore process

We're running a dotnetcore web application on a Debian 11.7-slim image in AWS ECS+Fargate. Snyk Container is reporting that curl 7.74 is present on the image and suffers from "CVE-2023-23914 - cleartext transmission of sensitive information". We…
Peter McEvoy
1 vote, 1 answer

Snyk issue status in API - ignore, open, resolve

Is there any way in Snyk to run an API query for getting the status of a specific issue (ignored, open, resolved, etc.)?
Jonathan Gruber
1 vote, 1 answer

Snyk SCA (Software Composition Analysis) and continuous monitoring

Does Snyk support doing SCA + continuous monitoring of the findings when configuring an SCM integration? How would it work, and what are the different steps to configure to get regular scans as we would in a CI/CD pipeline?