AgentSkillsCN

snyk

Snyk developer security platform, supporting vulnerability scanning across code (SAST), open source dependencies (SCA), containers, and infrastructure as code (IaC). Use when working with the Snyk API or CLI, integrating Snyk into CI/CD pipelines, analyzing scan results, or managing security policies.

SKILL.md
---
name: snyk
description: "Snyk developer security platform for vulnerability scanning across code (SAST), open source dependencies (SCA), containers, and infrastructure as code (IaC). Use when working with Snyk APIs, CLI, integrating Snyk into CI/CD, analyzing scan results, or managing security policies."
---

# Snyk Developer Security

## Overview

Snyk is a developer security platform for finding and fixing vulnerabilities in code, dependencies, containers, and IaC.

## Products

| Product | Scans | Use Case |
|---|---|---|
| Snyk Code | SAST | Source code vulnerabilities |
| Snyk Open Source | SCA | Dependency vulnerabilities |
| Snyk Container | Container images | Image vulnerabilities |
| Snyk IaC | Terraform, K8s, CloudFormation | Misconfigurations |

## Authentication

```python
import requests

# v1 API (legacy) and REST API (versioned: every REST call needs a `version` query parameter)
SNYK_API_URL = "https://api.snyk.io/v1"
SNYK_REST_URL = "https://api.snyk.io/rest"

def snyk_headers(token: str) -> dict:
    """Headers for v1 API calls; the token is a Snyk API token or service-account token."""
    return {"Authorization": f"token {token}", "Content-Type": "application/json"}

def snyk_rest_headers(token: str) -> dict:
    """Headers for REST API calls (JSON:API media type)."""
    return {"Authorization": f"token {token}", "Content-Type": "application/vnd.api+json"}
```

## CLI Usage

```bash
# Authenticate
snyk auth <token>

# Test for vulnerabilities
snyk test                           # Current project
snyk test --all-projects            # Monorepo
snyk test --severity-threshold=high # Filter by severity

# Code analysis (SAST)
snyk code test

# Container scanning
snyk container test <image>:<tag>
snyk container test --file=Dockerfile

# IaC scanning
snyk iac test                       # Current directory
snyk iac test terraform/            # Specific path
snyk iac test --rules=snyk-rules/   # Custom rules

# Monitor (upload to Snyk dashboard)
snyk monitor
snyk container monitor <image>:<tag>
snyk iac test --report

# Generate SBOM
snyk sbom --format=cyclonedx1.4+json
snyk sbom --format=spdx2.3+json
```

## Organization & Projects

```python
from typing import Optional

def get_orgs(token: str) -> list:
    """List organizations the token can access."""
    return requests.get(
        f"{SNYK_API_URL}/orgs",
        headers=snyk_headers(token)
    ).json().get("orgs", [])

def get_projects(token: str, org_id: str) -> list:
    """List projects in an organization."""
    return requests.get(
        f"{SNYK_API_URL}/org/{org_id}/projects",
        headers=snyk_headers(token)
    ).json().get("projects", [])

def get_project_issues(token: str, org_id: str, project_id: str,
                       severity: Optional[list] = None) -> dict:
    """Get aggregated issues for a project, optionally filtered by severity."""
    body = {"filters": {}}
    if severity:
        body["filters"]["severity"] = severity  # ["critical", "high", "medium", "low"]

    return requests.post(
        f"{SNYK_API_URL}/org/{org_id}/project/{project_id}/aggregated-issues",
        headers=snyk_headers(token),
        json=body
    ).json()
```

## Vulnerability Analysis

```python
import json
from typing import Optional, Union

def test_package(token: str, org_id: str, package_manager: str,
                 package_name: str, version: str) -> dict:
    """Test a single package version for known vulnerabilities."""
    return requests.get(
        f"{SNYK_API_URL}/test/{package_manager}/{package_name}/{version}",
        headers=snyk_headers(token),
        params={"org": org_id}
    ).json()

def test_requirements(token: str, org_id: str, requirements_content: str) -> dict:
    """Test the raw text of a Python requirements.txt."""
    return requests.post(
        f"{SNYK_API_URL}/test/pip",
        headers=snyk_headers(token),
        params={"org": org_id},
        json={"files": {"target": {"contents": requirements_content}}}
    ).json()

def _file_text(manifest: Union[dict, str]) -> str:
    # The v1 test API expects file *contents* as strings, so serialize dicts first.
    return manifest if isinstance(manifest, str) else json.dumps(manifest)

def test_package_json(token: str, org_id: str, package_json: Union[dict, str],
                      package_lock: Optional[Union[dict, str]] = None) -> dict:
    """Test an npm package.json, with an optional package-lock.json for exact versions."""
    files = {"target": {"contents": _file_text(package_json)}}
    if package_lock:
        files["additional"] = [{"contents": _file_text(package_lock)}]

    return requests.post(
        f"{SNYK_API_URL}/test/npm",
        headers=snyk_headers(token),
        params={"org": org_id},
        json={"files": files}
    ).json()
```

## Container Scanning

```python
def test_container_image(token: str, org_id: str, image: str,
                         dockerfile: Optional[str] = None) -> dict:
    """Test a container image for vulnerabilities; the Dockerfile improves base-image advice."""
    body = {"image": image}
    if dockerfile:
        body["dockerfile"] = dockerfile

    return requests.post(
        f"{SNYK_API_URL}/test/docker",
        headers=snyk_headers(token),
        params={"org": org_id},
        json=body
    ).json()

# Parse container scan results
def parse_container_vulns(result: dict) -> list:
    """Extract a flat list of vulnerabilities from a container scan result."""
    vulns = []
    for issue in result.get("issues", {}).get("vulnerabilities", []):
        vulns.append({
            "id": issue.get("id"),
            "title": issue.get("title"),
            "severity": issue.get("severity"),
            "cvss_score": issue.get("cvssScore"),
            "package": issue.get("packageName"),
            "version": issue.get("version"),
            "fixed_in": issue.get("fixedIn"),  # list of versions; empty means no fix yet
            "description": issue.get("description")
        })
    return vulns
```

## IaC Scanning

```python
def test_iac(token: str, org_id: str, files: dict) -> dict:
    """Test IaC files for misconfigurations."""
    return requests.post(
        f"{SNYK_API_URL}/test/iac",
        headers=snyk_headers(token),
        params={"org": org_id},
        json={"files": files}
    ).json()

# IaC issue severities and categories
IAC_CATEGORIES = [
    "access_control",
    "encryption",
    "logging",
    "network_security",
    "secrets_management",
    "configuration"
]
```

## Reporting & Export

```python
def get_org_issues(token: str, org_id: str, severity: Optional[str] = None,
                   issue_type: Optional[str] = None) -> list:
    """Get issues across an organization via the REST API (first page only)."""
    # The REST API requires an explicit version; filters are plain query parameters.
    params = {"version": "2024-04-22"}
    if severity:
        params["effective_severity_level"] = severity  # critical, high, medium, low
    if issue_type:
        params["type"] = issue_type  # package_vulnerability, license, code, config

    # Responses are paginated; follow `links.next` in the body to fetch further pages.
    return requests.get(
        f"{SNYK_REST_URL}/orgs/{org_id}/issues",
        headers=snyk_rest_headers(token),
        params=params
    ).json().get("data", [])

def export_sbom(token: str, org_id: str, project_id: str,
                sbom_format: str = "cyclonedx1.4+json") -> dict:
    """Export an SBOM for a project (CycloneDX or SPDX, JSON variants)."""
    return requests.get(
        f"{SNYK_REST_URL}/orgs/{org_id}/projects/{project_id}/sbom",
        headers=snyk_rest_headers(token),
        params={"version": "2024-04-22", "format": sbom_format}
    ).json()
```

## Ignoring & Policy

```python
def ignore_issue(token: str, org_id: str, project_id: str, issue_id: str,
                 reason: str, reason_type: str = "not-vulnerable",
                 expires: Optional[str] = None) -> dict:
    """Ignore a vulnerability. reason_type: not-vulnerable, wont-fix, temporary-ignore."""
    body = {
        "ignorePath": "",  # optionally narrow the ignore to one dependency path
        "reason": reason,
        "reasonType": reason_type
    }
    if expires:
        body["expires"] = expires  # ISO 8601 date; an expiry forces the ignore to be re-reviewed

    return requests.post(
        f"{SNYK_API_URL}/org/{org_id}/project/{project_id}/ignore/{issue_id}",
        headers=snyk_headers(token),
        json=body
    ).json()
```

## CI/CD Integration

```yaml
# GitHub Actions (step inside a job; the step fails on findings at or above the threshold)
- name: Snyk Security Scan
  uses: snyk/actions/node@master
  with:
    args: --severity-threshold=high
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

```yaml
# GitLab CI
snyk_scan:
  image: snyk/snyk:node
  script:
    - snyk auth $SNYK_TOKEN
    - snyk test --severity-threshold=high
    - snyk monitor
```
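The CI snippets above rely on `--severity-threshold` to fail the build. The following is an added example, not part of the skill file, that triages `snyk test --json` output the same way a pipeline step would: it deduplicates findings by issue id (the CLI emits one entry per dependency path), applies the threshold, and separates fixable findings from those that have no fix and may need a time-boxed ignore. The field names (`id`, `severity`, `packageName`, `fixedIn`, `isUpgradable`, `isPatchable`) are those of the CLI's JSON output; the sample report is constructed, not a real scan.

```python
import json
from typing import Dict, List

# Severity ordering used by `snyk test --severity-threshold=<level>`.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample shaped like `snyk test --json` (one entry per dependency path, so ids repeat).
SAMPLE_SNYK_JSON = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "title": "Prototype Pollution", "severity": "high",
         "packageName": "example-lib", "version": "1.0.0", "fixedIn": ["1.0.1"],
         "isUpgradable": True, "isPatchable": False},
        {"id": "SNYK-EXAMPLE-0002", "title": "ReDoS", "severity": "medium",
         "packageName": "example-util", "version": "2.3.0", "fixedIn": ["2.4.0"],
         "isUpgradable": True, "isPatchable": False},
        {"id": "SNYK-EXAMPLE-0003", "title": "Unsafe Deserialization", "severity": "critical",
         "packageName": "example-parser", "version": "0.9.0", "fixedIn": [],
         "isUpgradable": False, "isPatchable": False},
        {"id": "SNYK-EXAMPLE-0001", "title": "Prototype Pollution", "severity": "high",
         "packageName": "example-lib", "version": "1.0.0", "fixedIn": ["1.0.1"],
         "isUpgradable": True, "isPatchable": False},
    ],
})

def triage(report: str, threshold: str = "high") -> Dict[str, List[dict]]:
    """Deduplicate by issue id and bucket findings relative to the severity threshold."""
    buckets = {"fixable": [], "unfixable": [], "below_threshold": []}
    seen = set()
    for vuln in json.loads(report).get("vulnerabilities", []):
        if vuln["id"] in seen:
            continue
        seen.add(vuln["id"])
        if SEVERITY_RANK[vuln["severity"]] < SEVERITY_RANK[threshold]:
            buckets["below_threshold"].append(vuln)
        elif vuln.get("isUpgradable") or vuln.get("isPatchable") or vuln.get("fixedIn"):
            buckets["fixable"].append(vuln)  # an upgrade or patch exists: fix rather than ignore
        else:
            buckets["unfixable"].append(vuln)  # candidate for a time-boxed ignore with a reason
    return buckets

def gate(report: str, threshold: str = "high") -> int:
    """CI exit code: 1 if any unique finding at or above the threshold remains, else 0."""
    buckets = triage(report, threshold)
    return 1 if buckets["fixable"] or buckets["unfixable"] else 0

if __name__ == "__main__":
    for name, items in triage(SAMPLE_SNYK_JSON).items():
        print(f"{name}: {[v['id'] for v in items]}")
```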