Safeguard
Security

Snyk Docs: A Practical Guide to Finding What You Need

The Snyk docs at docs.snyk.io cover four scanning products and a maze of integrations. Here's how they're organized and the fastest path to the page you actually want.

Safeguard Team
Product
6 min read

The Snyk docs live at docs.snyk.io and are organized around four scanning products — Snyk Open Source, Snyk Code, Snyk Container, and Snyk IaC — plus a large set of integration and CLI guides. If you have landed on the Snyk documentation looking for a specific answer and felt lost, it is usually because you are searching by task ("how do I fail a build on high severity") when the docs are structured by product. This guide maps the terrain so you can jump straight to the right section instead of clicking through the homepage.

How the Snyk docs are structured

The Snyk user docs at docs.snyk.io open with a "What's Snyk?" overview and a "Scan with Snyk" section that branches into the four products. Getting the mental model right up front saves a lot of time, because the CLI commands, the CI/CD integration behavior, and the supported languages all differ per product.

  • Snyk Open Source is the software composition analysis (SCA) product. It finds and helps fix known vulnerabilities in the open-source libraries your application depends on. If your question is about package-lock.json, pom.xml, requirements.txt, or transitive dependency risk, this is your section.
  • Snyk Code is the static analysis (SAST) product. It scans your own source code for security issues rather than your dependencies.
  • Snyk Container scans container images and workloads for vulnerabilities, including issues in the base image layers.
  • Snyk IaC scans infrastructure-as-code — Terraform, CloudFormation, Kubernetes manifests, and Azure templates — for misconfigurations before they are deployed.

Once you know which of the four owns your question, the Snyk docs become far easier to navigate, because each product has its own supported-languages list, CLI flags, and integration notes.

Finding the CLI reference fast

Most day-to-day work happens through the snyk CLI, and the Snyk user docs dedicate a section to it. The commands you will reach for most:

snyk test        # find vulnerabilities in the current project
snyk monitor     # snapshot the project and watch for new issues over time
snyk container test <image>
snyk iac test    # scan IaC files
snyk code test   # run SAST

The distinction between snyk test and snyk monitor trips people up: test is a point-in-time check that you gate CI on, while monitor uploads a snapshot to Snyk so you get notified when a newly disclosed vulnerability affects a project you already shipped. The CLI reference pages document the exit-code behavior and severity thresholds you need for pipeline gating.

The integrations maze

A large fraction of the Snyk docs is integration guides — SCM (GitHub, GitLab, Bitbucket, Azure Repos), CI/CD systems, IDEs, and container registries. This is the part of the documentation people most often get lost in, because the same capability (say, PR checks) is documented per integration rather than once generically.

The fastest approach: identify your integration point first (where do you want Snyk to run — in the IDE, on PRs, in the pipeline, at the registry?), then go straight to that integration's page rather than reading the product page and hoping it links out. The SCM integration pages in particular cover the import flow and the PR-check configuration that most teams actually want.

Reading the docs critically

Vendor documentation describes what a tool does well; it rarely volunteers where it stops. A few things worth keeping in mind as you read the Snyk docs:

Severity and reachability are different questions. The docs will show you how to filter and gate on severity, but severity is the CVSS score of the vulnerability, not a statement about whether your code actually calls the vulnerable function. Understanding that distinction changes how you configure your gates.

Product boundaries are real. Snyk Open Source will not scan your own source (that is Snyk Code), and Snyk Code will not tell you about a vulnerable dependency (that is Open Source). Expecting one product to cover another's job is a common source of "why didn't it catch this" confusion.

Free-tier limits exist. The docs describe capabilities; your plan determines how many tests, projects, or contributors you get. Verify current limits and pricing on Snyk's own pricing page rather than assuming a feature in the docs is available on every tier.

Where Safeguard fits the comparison

If you are reading the Snyk docs as part of an evaluation rather than because you already use it, it is worth understanding what differentiates alternatives. Reachability analysis — determining whether your code path actually reaches a vulnerable function — is a meaningful axis, because it changes a long severity-sorted list into a short exploitable one. We lay out the specifics honestly on our Snyk comparison page, and our own SCA product covers how Safeguard approaches the same SCA problem Snyk Open Source targets. Both tools are legitimate; the right fit depends on your stack and how much triage noise you can absorb.

FAQ

Where are the official Snyk docs?

The official Snyk user documentation is at docs.snyk.io. It covers the four scanning products, the CLI, and integrations. Always confirm pricing and plan limits on Snyk's main site, since the docs describe capabilities without tying them to a specific tier.

What's the difference between Snyk Open Source and Snyk Code?

Snyk Open Source is SCA — it scans your third-party open-source dependencies for known vulnerabilities. Snyk Code is SAST — it scans your own first-party source code. They solve different problems and are documented as separate products.

How do I fail a CI build on Snyk findings?

Use snyk test in your pipeline and gate on its exit code, optionally with a --severity-threshold flag so only issues at or above your chosen severity fail the build. The CLI reference in the Snyk docs documents the exact flags and exit-code semantics.

Do the Snyk docs cover container and IaC scanning?

Yes. Snyk Container documents image and workload scanning, and Snyk IaC documents scanning Terraform, CloudFormation, Kubernetes, and Azure templates for misconfigurations. Each has its own CLI subcommand and integration pages.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.