
recink-snyk

REciNK Component for Snyk

This is a REciNK component that scans the dependencies declared in package.json for known vulnerabilities by submitting them to the Snyk.io backend.

Prerequisites

  • Git >= v1.x
  • Node.js >= v6.x
  • NPM >= v3.x
  • REciNK

Use nvm to install and manage different versions of Node.js; ideally, use v8+ for faster performance.

Installation

  • npm install -g recink-snyk

Note that the component is installed automatically when running recink component add snyk.

Configuration

.recink.yml configuration:

$:
  preprocess:
    '$.snyk.token': 'eval'
    # '$.snyk.reporters.github.0.token': 'eval'
  snyk:
    token: 'process.env.SNYK_API_TOKEN'               # Snyk.io API token
    # actionable: true                                # Show actionable items
    # dev: false                                      # Analyze 'devDependencies'
    # reporters:                                      # Customize reporters (available: text, github)
    #   text: ~
    #   github:
    #     - token: 'process.env.GITHUB_ACCESS_TOKEN'
    # fail:
    #   enabled: false                                # Fail on issues found
    #   severity: 'medium'                            # Minimal severity to handle (available: low, medium, high)
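The preprocess section above points at nested keys of the same file ('$.snyk.token' is the token under the top-level '$' key; '$.snyk.reporters.github.0.token' indexes the first github reporter) and marks them for evaluation, which is how the token stays out of the committed YAML. The following is an added illustration, not REciNK's own code: it walks those paths in a parsed config and, instead of the general 'eval' directive, accepts only bare process.env.NAME references (an assumption made for this example), so a mistyped or tampered config value cannot execute arbitrary JavaScript in CI.

```javascript
// Added illustration, not REciNK's code: apply the `preprocess` rules of a
// parsed .recink.yml. REciNK's 'eval' evaluates the value as JavaScript; this
// stand-in (an assumption for the example) accepts only `process.env.<NAME>`.
const ENV_REF = /^process\.env\.([A-Za-z_][A-Za-z0-9_]*)$/;

// Split '$.snyk.reporters.github.0.token' into its segments below the '$' root.
function pathSegments(path) {
  const parts = path.split('.');
  if (parts[0] !== '$') throw new Error(`path must start with '$': ${path}`);
  return parts.slice(1);
}
// Return the environment value a config string refers to; refuse anything
// that is not a bare `process.env.NAME` reference or whose variable is unset.
function resolveEnvRef(value, env) {
  const m = ENV_REF.exec(String(value));
  if (!m) throw new Error(`refusing to evaluate non-env expression: ${value}`);
  if (!(m[1] in env)) throw new Error(`environment variable ${m[1]} is not set`);
  return env[m[1]];
}
// Resolve every 'eval' rule into a deep copy, so the secret-free config object is never mutated.
function applyPreprocess(config, env = process.env) {
  const out = JSON.parse(JSON.stringify(config));
  const rules = (out.$ && out.$.preprocess) || {};
  for (const [path, directive] of Object.entries(rules)) {
    if (directive !== 'eval') continue; // only the directive the README uses
    const segs = pathSegments(path);
    let node = out.$;
    for (const seg of segs.slice(0, -1)) {
      node = node[seg]; // numeric segments like '0' index arrays
      if (node === undefined) throw new Error(`no config node at ${path}`);
    }
    const leaf = segs[segs.length - 1];
    node[leaf] = resolveEnvRef(node[leaf], env);
  }
  return out;
}

// Constructed sample: the README's .recink.yml as it parses, with the GitHub
// reporter rule uncommented.
const sampleConfig = {
  $: {
    preprocess: { '$.snyk.token': 'eval', '$.snyk.reporters.github.0.token': 'eval' },
    snyk: {
      token: 'process.env.SNYK_API_TOKEN',
      reporters: { text: null, github: [{ token: 'process.env.GITHUB_ACCESS_TOKEN' }] },
    },
  },
};
```

Running applyPreprocess(sampleConfig) in CI with the two variables exported fills in both tokens; an unset variable or a non-env expression aborts the run before Snyk is contacted.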

.travis.yml configuration:

script: 'recink run snyk'
before_install:
  # other before_install scripts...
  - 'npm install -g recink-snyk'

Or using the registry:

before_install:
  # other before_install scripts...
  - 'recink component add snyk'

Add the Snyk.io API token (and the GitHub access token, if you use the GitHub reporter) to .travis.yml as encrypted environment variables:

recink travis encrypt -x 'SNYK_API_TOKEN=1234' -x 'GITHUB_ACCESS_TOKEN=1234'

If you are using Travis Pro, read this guide to properly encrypt the environment variable.

Usage

GITHUB_ACCESS_TOKEN=1234 SNYK_API_TOKEN=1234 recink run snyk

Gotchas

Please note that if you use the GitHub reporter outside a Travis environment, it does nothing except emit a warning.