To install the Snyk CLI you have four supported paths — npm, Homebrew, Scoop, or a standalone binary — and the right one depends on whether you want it in a project, on a developer laptop, or baked into a CI image. This guide covers each Snyk CLI install method, how to authenticate afterward, and how to keep the tool current. The steps below reflect Snyk's official installation documentation.
Which install method should you pick?
Before running a snyk install command, decide where the CLI needs to live:
- Local developer machine, mixed toolchain: use Homebrew (macOS/Linux) or Scoop (Windows). System package managers keep it updated alongside your other tools.
- JavaScript project or a Node-based CI image: use npm, which installs the CLI as a binary and slots naturally into a Node workflow.
- Locked-down CI, containers, or air-gapped hosts: use the standalone binary from GitHub Releases or Snyk's CDN, so you pull one verified artifact with no package-manager dependency.
All roads lead to the same snyk executable; the difference is how updates and dependencies are managed.
Install with npm
The npm route is the most common for JavaScript teams. The CLI is distributed as a binary via npm, so a global install works cleanly:
npm install -g snyk
Per Snyk's docs, recent CLI versions (1.853.0 and later) require Node.js 12 or newer and npm 7 or newer. Verify the install:
snyk --version
If you would rather not install globally, you can run it on demand with npx snyk test, though for repeated use a real install is faster because it avoids re-resolving the package each time.
Install with Homebrew
On macOS or Linux with Homebrew, install from Snyk's tap:
brew tap snyk/tap
brew install snyk
Snyk's tap is updated daily with the latest release, so brew upgrade snyk keeps you current. This is my default recommendation for developer laptops because it decouples the CLI version from any single project's Node version.
Install with Scoop on Windows
Windows users on Scoop can add Snyk's bucket and install:
scoop bucket add snyk https://github.com/snyk/scoop-snyk
scoop install snyk
This gives you the same daily-updated release stream as Homebrew, managed through Scoop.
Install the standalone binary
For CI runners, containers, or environments where you do not want a package manager in the loop, download the standalone executable. Snyk publishes signed binaries for macOS, Linux, and Windows on GitHub Releases and on the Snyk CDN. A Linux example:
curl -Lo ./snyk https://static.snyk.io/cli/latest/snyk-linux
chmod +x ./snyk
mv ./snyk /usr/local/bin/
snyk --version
Snyk also publishes checksums and a release.json alongside the binaries. Verify the checksum before you trust the download — this is exactly the kind of build-time dependency worth pinning to a specific version and hash rather than always pulling latest, so a compromised or unexpected release cannot silently enter your pipeline.
Authenticate the CLI
Installation alone does not let you scan against your Snyk account. After any install method, authenticate:
snyk auth
This opens a browser and routes you to sign in or sign up, then writes a token to your local Snyk config. For CI, where no browser exists, do not run snyk auth interactively — instead set the token as an environment variable:
export SNYK_TOKEN=your-api-token-here
snyk test
Store that token as a masked secret in your CI system, never in the repository. Treat it like any other credential.
First scan and CI wiring
With the CLI installed and authenticated, the core commands are:
snyk test # scan the current project's dependencies for known issues
snyk monitor # snapshot the project to Snyk for ongoing monitoring
snyk code test # static analysis of first-party code (where enabled)
In a pipeline, snyk test exits non-zero when it finds issues at or above your threshold, which fails the build. A minimal GitHub Actions step:
- name: Snyk dependency scan
run: snyk test --severity-threshold=high
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Snyk pricing, briefly
Because cost affects whether you standardize on it, here is the current shape per Snyk's plans page: a Free tier (Snyk lists 200 open-source tests, 100 container tests, and 300 IaC tests per month), a Team plan self-serve from $25 per contributing developer per month billed annually, and custom Enterprise pricing that adds SSO, RBAC, and policy controls. Snyk defines a "contributing developer" as anyone who committed to private repos in the last 90 days, which is worth modeling before you commit. If you are evaluating alternatives on price and features, our Safeguard vs Snyk comparison lays the two out side by side.
Keeping the CLI updated
Scanners are only as good as their most recent vulnerability data and detection logic, so stale CLIs miss new findings. Homebrew and Scoop update with a normal upgrade. For npm, re-run npm install -g snyk@latest. For standalone binaries, pin an explicit version in CI and bump it deliberately so upgrades are reviewable rather than surprising.
FAQ
What is the easiest way to install the Snyk CLI?
For a developer laptop, Homebrew (brew install snyk from Snyk's tap) or Scoop on Windows is easiest because the package manager handles updates. For JavaScript projects, npm install -g snyk is the natural fit.
Do I need Node.js to install the Snyk CLI?
Only for the npm method, which requires Node.js 12+ and npm 7+ for recent CLI versions. Homebrew, Scoop, and the standalone binary do not require Node.js, which is why the binary is preferred for minimal CI images.
How do I authenticate the Snyk CLI in CI?
Do not use the interactive snyk auth browser flow in CI. Instead create an API token in your Snyk account, store it as a masked secret, and expose it as the SNYK_TOKEN environment variable so commands like snyk test authenticate automatically.
Is the Snyk CLI free to use?
Snyk offers a Free tier with monthly test limits (per its plans page, 200 open-source, 100 container, and 300 IaC tests per month). Removing limits and adding collaboration features requires the paid Team plan, and enterprise governance features require a custom Enterprise plan.