Security Scanning
Perform comprehensive security scans on codebases using Snyk tools.
Quick Start
When the user needs security scanning:
- Determine the scan type needed
- Run the appropriate Snyk scan
- Analyze results and report findings
- Suggest remediation for any issues found
Scan Types
Static Application Security Testing (SAST)
For scanning source code:
```bash
# Use snyk_code_scan for first-party code
snyk_code_scan path="/path/to/project"
```
Best for: Python, JavaScript, TypeScript, Java, Go, and other supported languages.
Software Composition Analysis (SCA)
For scanning dependencies:
```bash
# Use snyk_sca_scan for open-source dependencies
snyk_sca_scan path="/path/to/project"
```
Best for: Identifying vulnerable packages in requirements.txt, package.json, etc.
Infrastructure as Code (IaC)
For scanning cloud configurations:
```bash
# Use snyk_iac_scan for Terraform, CloudFormation, Kubernetes
snyk_iac_scan path="/path/to/infrastructure"
```
Best for: Terraform files, Kubernetes manifests, Dockerfiles.
Container Scanning
For scanning Docker images:
```bash
# Use snyk_container_scan for container images
snyk_container_scan image="image-name:tag"
```
Workflow
- Identify scope: What needs scanning (code, deps, IaC, containers)?
- Run scan: Execute the appropriate Snyk tool
- Review results: Analyze severity levels (critical, high, medium, low)
- Prioritize: Focus on critical and high severity issues first
- Remediate: Fix issues and rescan to verify
Severity Filtering
Use `severity_threshold` to filter results:
- `critical` - Only critical vulnerabilities
- `high` - High and above
- `medium` - Medium and above
- `low` - All vulnerabilities
Post-Scan Actions
After finding issues:
- Critical/High: Attempt immediate fix if possible
- Medium: Document and plan remediation
- Low: Note for future cleanup
Always rescan after making fixes to confirm remediation.
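The Workflow, Severity Filtering and Post-Scan Actions sections above describe a triage loop: filter by threshold, work the most severe findings first, then rescan to confirm the fix. The following is an added example (not part of Snyk or its tooling) that implements that loop over findings in a constructed, simplified dict shape; the field names (`id`, `severity`, `location`) and the `EXAMPLE-n` identifiers are assumptions, and `finding_key` is the one place to adapt to the real scan output's schema.

```python
"""Triage helpers for Snyk-style scan findings: threshold filter, prioritisation,
post-scan action plan and before/after rescan comparison. Added example; the
finding shape below is constructed and not Snyk's actual output schema."""

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Post-scan actions from the playbook, keyed by severity band.
ACTIONS = {"critical": "fix now", "high": "fix now",
           "medium": "document and plan", "low": "note for cleanup"}


def filter_by_threshold(findings, severity_threshold="low"):
    """Keep findings at or above the threshold (critical > high > medium > low)."""
    if severity_threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity_threshold: {severity_threshold!r}")
    floor = SEVERITY_RANK[severity_threshold]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


def prioritize(findings):
    """Most severe first; ties broken by id so the ordering is stable."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f["severity"]], f["id"]))


def plan_actions(findings):
    """Map each finding id to the remediation action for its severity band."""
    return {f["id"]: ACTIONS[f["severity"]] for f in findings}


def finding_key(f):
    """Identity of a finding across scans (assumed: id plus location)."""
    return (f["id"], f["location"])


def verify_remediation(before, after):
    """Compare two scans: what the fixes removed, what remains, what appeared."""
    b, a = {finding_key(f) for f in before}, {finding_key(f) for f in after}
    return {"fixed": sorted(b - a), "remaining": sorted(b & a), "new": sorted(a - b)}


# Constructed sample data: a first scan, then a rescan after fixes.
FIRST_SCAN = [
    {"id": "EXAMPLE-1", "severity": "critical", "location": "app/api.py"},
    {"id": "EXAMPLE-2", "severity": "high", "location": "requirements.txt"},
    {"id": "EXAMPLE-3", "severity": "medium", "location": "Dockerfile"},
    {"id": "EXAMPLE-4", "severity": "low", "location": "app/log.py"},
]
RESCAN = [  # EXAMPLE-1 and -3 fixed; a new high finding surfaced after the changes
    {"id": "EXAMPLE-2", "severity": "high", "location": "requirements.txt"},
    {"id": "EXAMPLE-4", "severity": "low", "location": "app/log.py"},
    {"id": "EXAMPLE-5", "severity": "high", "location": "requirements.txt"},
]

if __name__ == "__main__":
    for f in prioritize(filter_by_threshold(FIRST_SCAN, "high")):
        print(f["severity"], f["id"], f["location"], "->", ACTIONS[f["severity"]])
    print(verify_remediation(FIRST_SCAN, RESCAN))
```

The `new` bucket from `verify_remediation` is why the playbook insists on rescanning: a fix can change dependencies or configuration enough to introduce findings that were not in the first report.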