Safeguard
Security

How to Download the Snyk CLI on Any Platform

A Snyk CLI download guide covering npm, Homebrew, and standalone binaries, plus how to verify the download and authenticate before your first scan.

Priya Mehta
DevSecOps Engineer
5 min read

The Snyk CLI download comes in several forms — an npm package, a Homebrew or Scoop formula, or a standalone binary straight from Snyk's CDN — and which one you pick depends mostly on whether you want it managed by a package manager or pinned as a single executable. If you just need to get scanning, the fastest Snyk CLI download is through a package manager you already have. If you're wiring it into CI or an air-gapped environment, the standalone binary is the cleaner choice. This guide walks through each path, then covers verification and the authentication step people forget.

Downloading the Snyk CLI with npm

If you have Node.js, this is the most portable route. Snyk recommends a recent Node.js and npm; current versions of the CLI expect Node.js 12 or later and npm 7 or later.

npm install -g snyk

That installs the CLI globally. Verify it landed:

snyk --version

There's also an npm package that installs the standalone binary rather than the JavaScript implementation, which some teams prefer for consistency with their CI binary. For most developers the plain npm install -g snyk is fine.

Homebrew and Scoop

On macOS or Linux with Homebrew, Snyk maintains its own tap, updated daily with the latest release:

brew tap snyk/tap
brew install snyk

On Windows with Scoop:

scoop bucket add snyk https://github.com/snyk/scoop-snyk
scoop install snyk

Package managers handle upgrades cleanly (brew upgrade snyk, scoop update snyk), which is their main advantage over a manual binary.

Downloading the standalone binary

For CI runners, containers, or machines without Node.js, download the standalone executable from Snyk's CDN. Snyk publishes per-platform binaries and a release.json manifest with the latest links. On macOS or Linux, the pattern is to download, make it executable, and put it on your path:

curl -Lo ./snyk https://downloads.snyk.io/cli/stable/snyk-linux
chmod +x ./snyk
sudo mv ./snyk /usr/local/bin/

Swap snyk-linux for snyk-macos, snyk-macos-arm64, or snyk-win.exe as needed. If you're unsure of your architecture, uname -m tells you: x86_64 or amd64 is Intel/AMD, arm64 or aarch64 is ARM. Pin a specific version instead of stable in CI so your builds are reproducible.

Verifying the download

For any security tool, verify what you downloaded before you run it. Snyk publishes SHA-256 checksums alongside the binaries. After downloading, compare:

sha256sum snyk-linux

Match the output against the checksum Snyk lists for that release. This one step guards against a corrupted or tampered download, and it's the same hygiene you'd apply to any binary you're about to give repository access.

Authenticating before your first scan

The download is only half of it. The CLI needs to authenticate against your Snyk account before it can scan:

snyk auth

This opens a browser to complete authentication. In CI where no browser exists, set a token instead:

export SNYK_TOKEN=your-api-token

Then run a scan against a project:

snyk test

snyk test checks your dependencies against Snyk's vulnerability database; snyk code test runs their static analysis; snyk container test scans an image.

Picking the right method

Reach for npm or Homebrew on a developer laptop where you want managed upgrades. Use the pinned standalone binary in CI and containers for reproducibility and to avoid a Node.js dependency. Whichever you choose, verify the checksum and pin the version in automated environments.

If you're evaluating Snyk against other Software Composition Analysis tools, it helps to run more than one scanner against your real repositories and compare the findings and noise. Our Safeguard vs Snyk comparison lays out where each fits, and the SCA product overview explains what these scanners actually check. Running two SCA tools during an evaluation is common — the overlap tells you what's real and the gaps tell you what each misses.

FAQ

What's the easiest way to download the Snyk CLI?

If you have Node.js, npm install -g snyk is the quickest. On macOS or Linux with Homebrew, brew tap snyk/tap && brew install snyk is just as simple and handles upgrades. Both get you scanning within a minute.

How do I download the Snyk CLI without Node.js?

Download the standalone binary from Snyk's CDN with curl, make it executable, and move it onto your path. This is the recommended route for CI runners and containers because it doesn't require a Node.js runtime and can be version-pinned for reproducible builds.

Do I need to authenticate after downloading?

Yes. Run snyk auth on a workstation to authenticate via browser, or set the SNYK_TOKEN environment variable in CI. Without authentication the CLI cannot reach Snyk's vulnerability database to run a scan.

How do I verify the Snyk CLI download is genuine?

Compare the SHA-256 checksum of the downloaded binary against the value Snyk publishes for that release using sha256sum. This confirms the file wasn't corrupted or tampered with before you grant it access to your repositories.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.