In this short note, I’ll show how you can continuously monitor dependency vulnerabilities in your project with Snyk.
So what’s Snyk? Snyk is a service which allows you to detect and monitor vulnerabilities in projects, and it supports various platforms. For some reason, the documentation for how to set up the scanning for .NET projects almost is not documented, so let’s set up the scanning ourselves.
- Install Snyk CLI
npm install -g snyk
- Copy your API token and add a new environment variable with the name
SNYK_TOKEN, you can find it on the account page
- Build the testing solution
monitorcommand to detect vulnerabilities where
orgparameter is your organization name, you can find it on the settings page.
snyk monitor --org=olsh --file=YourSolution.sln
- At the moment of writing, the is an issue with scanning directories with
multiple package file types
so you should execute monitor command for each project which contains
package.jsonor other package type and specify
objdirectories as arguments.
snyk monitor --org=olsh youproject/obj yourproject2/obg
That’s it. Go to your Snyk dashboard and check found vulnerabilities.
You can also execute these steps on CI server to continuously test your projects, here is an example of a cake script which runs on AppVeryor on each commit and sends the analysis to snyk.