snyk-cli
Safeguard articles tagged "snyk-cli" — guides, analysis, and best practices for software supply chain and application security.
8 articles
Root cause: CVE-2022-40764, the Snyk CLI command injection
A crafted vendor.json field let attackers run shell commands from inside a security scanner — CVE-2022-40764 shows why CLI tools must never build shell strings.
How the Snyk CLI's authentication flow issues and stores ...
A technical walkthrough of how Snyk's CLI authenticates via `snyk auth`, where it stores API tokens locally, and why that plaintext credential file is worth protecting.
How the Snyk CLI's JSON output format supports custom too...
A technical look at how Snyk CLI's --json and --sarif output structure vulnerability data, its exit-code quirks, and the official tools that turn it into reports.
How the Snyk CLI generates SARIF output for GitHub code s...
A technical walkthrough of how the Snyk CLI serializes scan results into SARIF 2.1.0 and how GitHub code scanning ingests them into Security tab alerts.
How the Snyk CLI's --all-projects flag discovers manifest...
A technical look at how Snyk CLI's --all-projects flag walks a repository, matches manifest files, and where directory-depth limits can leave dependencies unscanned.
How the Snyk CLI handles proxy and air-gapped enterprise ...
How the Snyk CLI actually handles corporate proxies, TLS-inspecting firewalls, and air-gapped network claims — based on Snyk's own documented configuration surface.
How the Snyk CLI's exit codes are structured for CI/CD fa...
A mechanical look at how the Snyk CLI's 0/1/2/3 exit codes work, how --severity-threshold and --fail-on change them, and how to branch on them correctly in CI/CD.
How Snyk's --project-tags and business-criticality flags ...
How Snyk CLI's --project-tags and --project-business-criticality flags attach business context to scans, and why that context can drift out of date.