Tests and monitors your Maven dependencies for vulnerabilities. This plugin is officially maintained by Snyk.
-
Add the Snyk Maven Plugin to your
pom.xml
and configure it as needed.
<!-- Example Plugin Configuration -->
<build>
<plugins>
<plugin>
<groupId>io.snyk</groupId>
<artifactId>snyk-maven-plugin</artifactId>
<version>2.0.0</version>
<inherited>false</inherited>
<executions>
<execution>
<id>snyk-test</id>
<goals>
<goal>test</goal>
</goals>
</execution>
<execution>
<id>snyk-monitor</id>
<goals>
<goal>monitor</goal>
</goals>
</execution>
</executions>
<configuration>
<apiToken>${env.SNYK_TOKEN}</apiToken>
<args>
<arg>--all-projects</arg>
</args>
</configuration>
</plugin>
</plugins>
</build>
- Java 8 and above.
- Maven 3.2.5 and above.
Default Phase: test
Scans your project's dependencies and provides a list of vulnerabilities if any are found.
Default Phase: install
Takes a snapshot of your project's dependency tree and monitors it on snyk.io. You'll be alerted when new relevant vulnerabilities, updates or patches are disclosed.
You can configure the following parameters inside the <configuration>
section.
All parameters are optional.
⚠️ Do NOT include your API token directly in yourpom.xml
. Use a variable instead.
You must provide a Snyk API token to access Snyk's services. You can do so by:
- Providing
apiToken
in your configuration using a variable. - Providing a
SNYK_TOKEN
environment variable. - Authenticating via
snyk auth
using the Snyk CLI before using this plugin.
Default: false
Skip this execution entirely.
When running mvn
, you can also use -Dsnyk.skip
to enable this behavior.
This plugin uses Snyk CLI so you can pass any
supported arguments using <args>
. See the example below.
For a list of supported arguments, see Snyk CLI Reference.
<!-- Example Arguments Configuration -->
<configuration>
<args>
<arg>--severity-threshold=high</arg>
<arg>--scan-all-unmanaged</arg>
<arg>--json</arg>
</args>
</configuration>
Lets you configure the Snyk CLI that's used by this plugin.
By default, the CLI will be automatically downloaded and updated for you.
See CLI Configuration.
⚠️ For most use cases you don't need to set any<cli>
options.
You can configure the CLI in three different modes:
Follow the link for each mode to see which parameters are available.
<!-- Example CLI Configuration -->
<configuration>
<cli>
<updatePolicy>daily</updatePolicy>
</cli>
</configuration>
Default: daily
How often to download the latest CLI release. Can be one of the following:
daily
- On the first execution of the day.always
- On every execution.never
- Never update after the initial download.interval:<minutes>
- On the execution after more than<minutes>
has passed since the last update. e.g.interval:60
will update after an hour.
Default: OS-specific, see below.
Where to place the downloaded executable. By default, this is OS-specific as follows:
- Linux -
$XDG_DATA_HOME/snyk/snyk-linux
or~/.local/share/snyk/snyk-linux
- macOS -
~/Library/Application Support/Snyk/snyk-macos
- Windows -
%APPDATA%\Snyk\snyk-win.exe
Example: ~/.local/share/snyk/snyk-linux
Path to a pre-installed Snyk CLI executable. You can find executables on the Snyk CLI Releases page.
Example: 1.542.0
Specify if you want to use a specific version. You can find versions on the Snyk CLI Releases page.
Setting this option will trigger a download of the CLI on every execution.
To try out this plugin, see the demo project.
All plugin parameters from v1 should be moved to the <args>
object, to keep
them in line with the CLI usage. For example:
org
=><arg>--org=my-org-name</arg>
failOnSeverity
=><arg>--severity-threshold=low|medium|high</arg>
failOnAuthError
=> Use<skip>true</skip>
to skip plugin execution.includeProvidedDependencies
=>provided
dependencies are always included.
For a list of supported arguments, see Configuration.
Made with 💜 by Snyk