mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
3.8 KiB
3.8 KiB
Workflow Reference: SCA Dependency Scanning with Snyk
Dependency Scanning Pipeline
Code Push / PR
│
▼
┌──────────────────┐
│ Install Deps │
│ (npm ci, pip │
│ install, etc.) │
└──────┬───────────┘
│
▼
┌──────────────────┐
│ Snyk Test │──── Report JSON ───> Artifact Storage
│ (vuln scan) │
└──────┬───────────┘
│
┌────┴────┐
│ │
PASS FAIL ──────> PR Comment with vuln details
│ │
│ ▼
│ ┌──────────────┐
│ │ Snyk Fix PR │
│ │ (auto-gen) │
│ └──────────────┘
▼
┌──────────────────┐
│ Snyk Monitor │
│ (continuous) │
└──────┬───────────┘
│
▼
Ongoing alerts for
new disclosures
Snyk CLI Command Reference
Scanning Commands
# Basic vulnerability test
snyk test
# Test with severity filter
snyk test --severity-threshold=high
# Test with exploit maturity filter
snyk test --severity-threshold=high
# Test specific manifest
snyk test --file=package-lock.json
# Test all projects in monorepo
snyk test --all-projects
# Test with dev dependencies excluded
snyk test --production
# Output in JSON
snyk test --json --json-file-output=results.json
# Output in SARIF
snyk test --sarif --sarif-file-output=results.sarif
Monitoring Commands
# Monitor project for new vulnerabilities
snyk monitor --project-name="my-app-prod"
# Monitor specific branch
snyk monitor --target-reference=main
# Monitor with tags
snyk monitor --project-tags=env=production,team=platform
Fix Commands
# Preview available fixes
snyk fix --dry-run
# Apply fixes to direct dependencies
snyk fix
# Apply fixes including dev dependencies
snyk fix --dev
Vulnerability Prioritization Matrix
| Factor | Score Weight | Description |
|---|---|---|
| CVSS Score | 30% | Base vulnerability severity |
| Exploit Maturity | 25% | Mature > POC > No Known Exploit |
| Reachability | 20% | Function called > Imported > Present |
| Fix Availability | 15% | Upgrade available > Patch > None |
| Dependency Depth | 10% | Direct > Transitive (1 hop) > Deep transitive |
Snyk Integration Options
| Platform | Integration Method | Features |
|---|---|---|
| GitHub | GitHub App | Auto-scan PRs, fix PRs, SARIF upload |
| GitLab | GitLab Integration | MR comments, dependency scanning |
| Jenkins | Snyk Plugin | Pipeline step, HTML reports |
| Azure DevOps | Extension | Pipeline task, dashboard widget |
| Bitbucket | Bitbucket App | PR checks, fix PRs |
| CLI | npm/binary | Local scanning, CI/CD integration |
Remediation Strategy by Vulnerability Type
Direct Dependency Vulnerability
- Check if upgrade is available:
snyk test --json | jq '.vulnerabilities[] | select(.isUpgradable)' - If upgradable: run
snyk fixor manually upgrade - Verify no breaking changes in the upgrade
- If not upgradable: check for patch or accept risk with ignore
Transitive Dependency Vulnerability
- Identify the dependency chain:
snyk test --json | jq '.vulnerabilities[].from' - Check if upgrading the direct dependency resolves it
- If not: use version overrides in package manager
- npm:
overridesin package.json - Maven:
dependencyManagementin pom.xml - Gradle:
constraintsin build.gradle - Poetry:
tool.poetry.extrasor constraint resolution