REciNK Component for Snyk
This is a REciNK component that detects vulnerable dependencies by submitting the project's package.json to the Snyk.io backend.
Prerequisites
- Git >= v1.x
- Node.js >= v6.x
- NPM >= v3.x
- REciNK
Use nvm to install and manage different versions of Node.js; ideally use v8+ for better performance.
Installation
```shell
npm install -g recink-snyk
```
Note that the component is installed automatically when running:
```shell
recink component add snyk
```
Configuration
.recink.yml configuration:
```yaml
$:
  preprocess:
    '$.snyk.token': 'eval'
    # '$.snyk.reporters.github.0.token': 'eval'
  snyk:
    token: 'process.env.SNYK_API_TOKEN'  # Snyk.io API token
    # actionable: true                   # Show actionable items
    # dev: false                         # Analyze 'devDependencies'
    # reporters:                         # Customize Reporters (available: text, github)
    #   text: ~
    #   github:
    #     - token: 'process.env.GITHUB_TOKEN'
    # fail:
    #   enabled: false                   # Fail on issues found
    #   severity: 'medium'               # Minimal severity to handle (available: low, medium, high)
```
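The `fail` block above is a gate: the run should only break the build when `enabled` is true and at least one issue reaches the `severity` threshold. The following is an added example, not code from recink-snyk, of that threshold logic applied to a constructed list of findings (the issue object shape and the function names are assumptions):

```javascript
'use strict';

// Severity ranking for the README's "available: low, medium, high".
const SEVERITY_RANK = { low: 0, medium: 1, high: 2 };

// Return the issues at or above the configured minimal severity.
// Issues with an unknown severity are ignored rather than failing the build.
function actionableIssues(issues, failConfig) {
  const threshold = SEVERITY_RANK[failConfig.severity];
  if (threshold === undefined) {
    throw new Error(`Unknown severity "${failConfig.severity}" (use low, medium or high)`);
  }
  return issues.filter((issue) => {
    const rank = SEVERITY_RANK[issue.severity];
    return rank !== undefined && rank >= threshold;
  });
}

// Decide whether the run should fail: only when `fail.enabled` is true and
// at least one issue reaches the threshold; a disabled policy never fails.
function shouldFailBuild(issues, failConfig) {
  if (!failConfig || !failConfig.enabled) {
    return false;
  }
  return actionableIssues(issues, failConfig).length > 0;
}

// Constructed sample findings (not real Snyk output); the shape is hypothetical.
const SAMPLE_ISSUES = [
  { package: 'example-a', severity: 'low', title: 'Constructed low issue' },
  { package: 'example-b', severity: 'medium', title: 'Constructed medium issue' },
];

// Mirrors a policy of `fail: { enabled: true, severity: 'medium' }`.
const POLICY = { enabled: true, severity: 'medium' };
console.log(`actionable: ${actionableIssues(SAMPLE_ISSUES, POLICY).length}`);
console.log(`fail build: ${shouldFailBuild(SAMPLE_ISSUES, POLICY)}`);
```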
.travis.yml configuration:
```yaml
script: 'recink run snyk'
before_install:
  # other before_install scripts...
  - 'npm install -g recink-snyk'
```
Or using the registry:
```yaml
before_install:
  # other before_install scripts...
  - 'recink component add snyk'
```
Add the Snyk.io API Token to .travis.yml:
```shell
recink travis encrypt -x 'SNYK_API_TOKEN=1234' -x 'GITHUB_TOKEN=1234'
```
If you are using Travis Pro, read this guide to encrypt the environment variables properly.
Usage
```shell
GITHUB_TOKEN=1234 SNYK_API_TOKEN=1234 recink run snyk
```
Gotchas
Please note that the GitHub reporter only works inside a Travis environment; used anywhere else it does nothing but log a warning.