Maven plugin integration with Snyk

Snyk offers a Maven plugin based on the Snyk CLI. This plugin allows you to scan and monitor your Maven dependencies for vulnerabilities.

See all releases in the Maven Central Repository.
Installation of Maven plugin

1. Get your Snyk API token.
2. Add the Snyk Maven Plugin to your pom.xml and configure it as needed.
Supported versions

- Java 8 and above
- Maven 3.2.5 and above
Goals

code-test (experimental)
Default phase: test
Perform a static analysis of your project's source code and provide a list of vulnerabilities if any are found.

container-test (experimental)
Default phase: install
Perform analysis of the layers of a container image.
Provide the tag of the image to be scanned as an argument:

test
Default phase: test
Scan your project's dependencies and provide a list of vulnerabilities if any are found.

monitor
Default phase: install
Take a snapshot of your project's dependency tree and monitor it on snyk.io. You will be alerted when new relevant vulnerabilities, updates, or patches are disclosed.
Configuration for the Maven plugin

You can configure the following parameters inside the <configuration> section. All parameters are optional.

apiToken [string]
Do NOT include your API token directly in your pom.xml. Use a variable instead.
You must provide a Snyk API token to access Snyk services. You can do so by:
- Providing apiToken in your configuration using a variable.
- Providing a SNYK_TOKEN environment variable.
- Authenticating using the CLI snyk auth command before using this plugin.

skip [boolean]
Default: false
Skip this execution entirely.
When you are running mvn, you can also use -Dsnyk.skip to enable this behavior.

failOnIssues [boolean]
Default: true
When this variable is set to true, if the Snyk CLI tool indicates that action is required to remedy a security issue, the Maven build will be considered failed. When this variable is set to false, the build will continue even if action is required.

args [array<string>]
This plugin uses the Snyk CLI, so you can pass any supported arguments using <args>. See the example that follows.
For a list of supported CLI options, see the CLI commands and options summary.

cli [object]
Lets you configure the Snyk CLI used by this plugin.
By default, the CLI is automatically downloaded and updated for you.
See the CLI configuration section that follows.
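The following pom.xml fragment is an added example, not taken from this page or from Snyk's demo project. It wires the plugin into the build, binds the goals described above to their default phases, and sets the parameters from the configuration section. It assumes the plugin's Maven Central coordinates io.snyk:snyk-maven-plugin (the version is a placeholder to fill in from the releases page) and an assumed image-tag convention for the container-test argument.

```xml
<!-- Added example (not from the Snyk docs page): <build> fragment for pom.xml.
     Plugin coordinates are the plugin's Maven Central coordinates; the version
     is a placeholder. -->
<build>
  <plugins>
    <plugin>
      <groupId>io.snyk</groupId>
      <artifactId>snyk-maven-plugin</artifactId>
      <version>PLUGIN_VERSION_PLACEHOLDER</version>
      <!-- Run only in the module that declares the plugin, not in every child module. -->
      <inherited>false</inherited>

      <executions>
        <!-- Dependency scan. Default phase is test, so "mvn test" (and any later
             phase such as "mvn verify") runs it. Extra CLI flags are scoped to this
             execution via <args>. -->
        <execution>
          <id>snyk-test</id>
          <goals>
            <goal>test</goal>
          </goals>
          <configuration>
            <args>
              <arg>--org=my-org-name</arg>
              <arg>--severity-threshold=high</arg>
            </args>
          </configuration>
        </execution>

        <!-- Snapshot of the dependency tree for ongoing monitoring on snyk.io.
             Default phase is install, so it runs on "mvn install" / "mvn deploy". -->
        <execution>
          <id>snyk-monitor</id>
          <goals>
            <goal>monitor</goal>
          </goals>
        </execution>

        <!-- Experimental container scan. The image tag is an assumed value:
             adjust it to match how your build tags the image. -->
        <execution>
          <id>snyk-container-test</id>
          <goals>
            <goal>container-test</goal>
          </goals>
          <configuration>
            <args>
              <arg>${project.artifactId}:${project.version}</arg>
            </args>
          </configuration>
        </execution>
      </executions>

      <!-- Plugin-level settings shared by all executions. -->
      <configuration>
        <!-- Never inline the token: read it from the SNYK_TOKEN environment variable
             that CI injects as a secret. -->
        <apiToken>${env.SNYK_TOKEN}</apiToken>
        <!-- Fail the build when the CLI reports that action is required (the default). -->
        <failOnIssues>true</failOnIssues>
      </configuration>
    </plugin>
  </plugins>
</build>
```

With this in place, "mvn verify" runs the dependency scan and fails the build on issues at or above the high threshold, and "mvn install" additionally uploads the monitor snapshot. For a local build without a token, "mvn verify -Dsnyk.skip" bypasses the plugin; do not set <skip> explicitly in the POM, because an explicit POM value takes precedence over the command-line property. If SNYK_TOKEN is not set, Maven leaves the literal "${env.SNYK_TOKEN}" in place, so in environments that rely on "snyk auth" instead you can omit <apiToken> entirely.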
CLI configuration

For most use cases, you need not set any <cli> options.
You can configure the CLI in three different modes:
- Auto-Download and Update (default)
- Custom CLI Executable
- Specific CLI Version
The parameters available for each mode are described in the corresponding section below.
Auto-Download and Update

updatePolicy [string]
Default: daily
How often to download the latest CLI release. Snyk recommends always keeping your CLI installation updated to the latest version. Can be one of the following:
- daily - On the first execution of the day
- always - On every execution
- never - Never update after the initial download
- interval:<minutes> - On the execution after more than a specific number of <minutes> has passed since the last update. For example, interval:60 to update after an hour.

downloadDestination [string]
Default: OS-specific
Where to place the downloaded executable. By default, this is OS-specific as follows:
- Linux - $XDG_DATA_HOME/snyk/snyk-linux or ~/.local/share/snyk/snyk-linux
- macOS - ~/Library/Application Support/Snyk/snyk-macos
- Windows - %APPDATA%\Snyk\snyk-win.exe

Custom CLI Executable

executable [string]
Example: ~/.local/share/snyk/snyk-linux
Path to a pre-installed Snyk CLI executable. You can find executables on the Snyk CLI releases page.

Specific CLI Version

version [string]
Example: 1.542.0
Specify if you want to use a specific version. You can find versions on the Snyk CLI releases page.
Setting this option triggers a download of the CLI on every execution.
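The three <cli> modes side by side, as an added example that is not part of this page. Each alternative is a complete <configuration> block for the plugin; use exactly one of them. The paths and the pinned version number are illustrative values, and the example assumes the mode parameters are nested under <cli> as the cli [object] description above implies.

```xml
<!-- Added example (not from the Snyk docs page): the three CLI modes as
     alternative <configuration> blocks. Pick one. -->

<!-- Mode 1: Auto-Download and Update (the default). Both children are optional and
     are set here only to make the behaviour explicit: re-check for a new release at
     most once an hour, and keep the binary in a known, build-owned location rather
     than the OS default (Linux file name shown; adjust per OS). -->
<configuration>
  <cli>
    <updatePolicy>interval:60</updatePolicy>
    <downloadDestination>${user.home}/.cache/snyk/snyk-linux</downloadDestination>
  </cli>
</configuration>

<!-- Mode 2: Custom CLI Executable. The plugin downloads nothing and runs the binary
     you provide, so you control its provenance (for example, a binary whose checksum
     was verified when the CI image was built). -->
<configuration>
  <cli>
    <executable>/opt/snyk/snyk-linux</executable>
  </cli>
</configuration>

<!-- Mode 3: Specific CLI Version. Reproducible across builds, but, as noted above,
     the CLI is downloaded on every execution and you must bump the version yourself. -->
<configuration>
  <cli>
    <version>1.542.0</version>
  </cli>
</configuration>
```

Modes 2 and 3 trade the automatic updates of mode 1 for control over which CLI binary actually runs inside the build, which matters when build reproducibility or a vetted toolchain is required; mode 1 is the right default when staying on the latest CLI is the priority.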
Demonstration
To try out this plugin, see the demo project.
Migrating from Snyk Maven Plugin v1 to v2

Move all plugin parameters from v1 to the <args> object, to keep them in line with CLI usage. For example:
- org => <arg>--org=my-org-name</arg>
- failOnSeverity => <arg>--severity-threshold=low|medium|high</arg>
- failOnAuthError => Use <skip>true</skip> to skip plugin execution.
- includeProvidedDependencies => provided dependencies are always included.
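The same settings before and after the migration, as an added example that is not part of this page. The v1 element names are the four listed above; the exact v1 value formats and "my-org-name" are assumed placeholders.

```xml
<!-- Added example (not from the Snyk docs page): one plugin configuration written
     for v1, then the equivalent for v2. -->

<!-- v1: every setting is a dedicated plugin parameter (value formats assumed). -->
<configuration>
  <org>my-org-name</org>
  <failOnSeverity>high</failOnSeverity>
  <failOnAuthError>false</failOnAuthError>
  <includeProvidedDependencies>true</includeProvidedDependencies>
</configuration>

<!-- v2: CLI options are passed through <args>, so the flags match the Snyk CLI. -->
<configuration>
  <args>
    <!-- org -> --org -->
    <arg>--org=my-org-name</arg>
    <!-- failOnSeverity -> --severity-threshold (low|medium|high) -->
    <arg>--severity-threshold=high</arg>
  </args>
  <!-- failOnAuthError has no v2 flag. To let a build proceed without scanning,
       skip the plugin instead, either with <skip>true</skip> here or, preferably,
       with -Dsnyk.skip on the command line so the POM default stays "scan". -->
  <!-- includeProvidedDependencies is gone: provided dependencies are always included. -->
</configuration>
```

Note that the v1 setting failOnAuthError=false silently tolerated a missing or invalid token; in v2 the build fails unless you explicitly skip, which makes an unscanned build visible rather than accidental.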