This API uses components from the LAA CCMS Common Library:
To run Snyk locally, you will need to install the Snyk CLI.
Once installed, you will be able to run the following commands:
snyk test
For open-source vulnerabilities and licence issues in dependencies. See the snyk test documentation.
snyk code test
For Static Application Security Testing (SAST) of the project's own source, reporting known security issue patterns. See the snyk code test documentation.
A JetBrains Plugin is also available to integrate with your IDE. In addition to vulnerabilities, this plugin will also report code quality issues.
The .snyk file is used to configure exclusions for scanning. If a vulnerability is not deemed to be a threat, or will be dealt with later, it can be added here to stop the pipeline failing. See documentation for more details.
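As an added illustration (this is not the repository's own .snyk file), the policy below shows the two kinds of entry mentioned above: an ignore for a single vulnerability, carrying a reason and an expiry so the exclusion lapses and is revisited rather than forgotten, and a global exclude that keeps build output and generated code out of the scan. The vulnerability ID, reason text and dates are placeholders, not real findings.

```yaml
# Added example .snyk policy, not this repository's file. The vulnerability ID,
# reason and dates are placeholders chosen for illustration only.
version: v1.25.0

ignore:
  # The key is the Snyk vulnerability ID exactly as printed by the CLI or
  # shown in the dashboard.
  SNYK-JAVA-EXAMPLE-0000001:
    # Each list item is a dependency path pattern. '*' suppresses the issue on
    # every path that reaches the vulnerable package; a specific path
    # (as printed by snyk test) can be used instead to keep the suppression
    # narrow, so a second route to the same package is not silently hidden.
    - '*':
        reason: 'Placeholder: vulnerable code path not reachable from this service'
        # Always set an expiry. Once it passes Snyk reports the issue again and
        # the pipeline fails, which forces the deferral to be reviewed.
        expires: 2030-01-01T00:00:00.000Z
        created: 2029-10-01T00:00:00.000Z

exclude:
  # Directories skipped for all scans. Keep this aligned with the
  # --exclude=build,generated option used by the pipeline's monitor command
  # so local and CI results agree.
  global:
    - build/**
    - generated/**
```

An ignore entry without a reason and expiry is hard to audit later; reviewers of the pipeline should treat a bare suppression as something to query.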
Snyk may report that new vulnerabilities have been introduced on a feature branch and fail the pipeline, even when the branch has not changed the affected dependency. The pipeline compares the branch against the last report uploaded for the main branch; because new advisories are published continually, that report can become outdated, and a vulnerability newly disclosed against a dependency that main already uses is then attributed to the feature branch.
If you think this may be the case, re-run the monitor command against the main branch to refresh the report on the Snyk server, then re-run your pipeline.
Please ensure this matches the command used by the pr-merge-main workflow to maintain consistency.
snyk monitor --org=legal-aid-agency --all-projects --exclude=build,generated
If the vulnerability now appears against the main branch in the LAA Dashboard, it was already present in main and the refreshed report should let the pipeline pass. If it does not, it is a new vulnerability introduced on the feature branch and needs to be resolved (or, where justified, excluded via the .snyk file with a reason and expiry).