recink-snyk

REciNK Component for Snyk

Usage (no npm install needed!)

<script type="module">
  import recinkSnyk from 'https://cdn.skypack.dev/recink-snyk';
</script>

README

REciNK Component for Snyk

This is a REciNK component that detects vulnerable dependencies by submitting the dependency information from package.json to the Snyk.io backend.

Prerequisites

  • Git >= v1.x
  • Node.js >= v6.x
  • NPM >= v3.x
  • REciNK

Use nvm to install and manage different versions of Node.js; ideally, use v8+ for faster performance.

Installation

  • npm install -g recink-snyk

Note that the component is installed automatically when running recink component add snyk.

Configuration

.recink.yml configuration:

$:
  preprocess:
    '$.snyk.token': 'eval'
    # '$.snyk.reporters.github.0.token': 'eval'
  snyk:
    token: 'process.env.SNYK_API_TOKEN'               # Snyk.io API token
    # actionable: true                                # Show actionable items
    # dev: false                                      # Analyze 'devDependencies'
    # reporters:                                      # Customize Reporters (available: text, github)
    #   text: ~
    #   github:
    #     - token: 'process.env.GITHUB_TOKEN'
    # fail:
    #   enabled: false                                # Fail on issues found
    #   severity: 'medium'                            # Minimal severity to handle (available: low, medium, high)
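The commented-out dev and fail options above decide whether a Snyk finding is reported and whether it breaks the build. The following is an added example, not code from recink-snyk, that models those two gates: devDependency findings are dropped unless dev is true, findings below fail.severity are dropped, and the job fails only when fail.enabled is set and something actionable remains. The issue objects, the isDev field and the default of 'low' for a missing severity are assumptions made for the illustration; the real Snyk API response shape is not reproduced.

```javascript
// Added example, not part of recink-snyk: models how the `dev` and `fail`
// options shown in .recink.yml can gate a CI job on Snyk findings.
// The issue objects and the `isDev` field are constructed for illustration;
// the real Snyk API response shape is not reproduced here.

const SEVERITY_RANK = { low: 1, medium: 2, high: 3 };

function rankOf(severity) {
  const rank = SEVERITY_RANK[String(severity).toLowerCase()];
  if (rank === undefined) {
    throw new Error(`unknown severity: ${severity}`);
  }
  return rank;
}

// Issues the configuration asks the component to handle:
//  - findings in devDependencies are dropped unless `dev: true`
//  - findings below `fail.severity` are dropped (assumed default: 'low')
function actionableIssues(issues, config) {
  const minSeverity = (config.fail && config.fail.severity) || 'low';
  const minRank = rankOf(minSeverity);
  return issues.filter(
    (issue) => (config.dev || !issue.isDev) && rankOf(issue.severity) >= minRank
  );
}

// The build fails only when failing is enabled and at least one
// actionable issue remains after filtering.
function shouldFail(issues, config) {
  if (!config.fail || !config.fail.enabled) {
    return false;
  }
  return actionableIssues(issues, config).length > 0;
}

// Plain-text report in the spirit of the `text` reporter; returns the
// lines so they can be checked, not only printed.
function textReport(issues, config) {
  const actionable = actionableIssues(issues, config);
  const lines = actionable.map(
    (issue) => `[${issue.severity.toUpperCase()}] ${issue.package}: ${issue.id}`
  );
  const verdict = shouldFail(issues, config) ? 'FAILS' : 'passes';
  lines.push(`${actionable.length} actionable issue(s), build ${verdict}`);
  return lines;
}

// Constructed sample findings (ids are placeholders, not real Snyk ids).
const SAMPLE_ISSUES = [
  { id: 'SAMPLE-ISSUE-1', package: 'example-lib', severity: 'high', isDev: false },
  { id: 'SAMPLE-ISSUE-2', package: 'example-tool', severity: 'medium', isDev: true },
  { id: 'SAMPLE-ISSUE-3', package: 'example-util', severity: 'low', isDev: false },
];

// Mirrors the commented-out .recink.yml options with failing turned on.
const SAMPLE_CONFIG = { dev: false, fail: { enabled: true, severity: 'medium' } };

console.log(textReport(SAMPLE_ISSUES, SAMPLE_CONFIG).join('\n'));
```

With the sample data and dev: false, the medium devDependency finding and the low finding are filtered out, so one high finding remains and the job fails; flipping fail.enabled to false keeps the report but never fails the job.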

.travis.yml configuration:

script: 'recink run snyk'
before_install:
  # other before_install scripts...
  - 'npm install -g recink-snyk'

Or using the registry:

before_install:
  # other before_install scripts...
  - 'recink component add snyk'

Add the Snyk.io API Token to .travis.yml:

recink travis encrypt -x 'SNYK_API_TOKEN=1234' -x 'GITHUB_TOKEN=1234'

If you are using Travis Pro, read this guide to properly encrypt the environment variables.

Usage

GITHUB_TOKEN=1234 SNYK_API_TOKEN=1234 recink run snyk

Gotchas

Please note that if you use the GitHub reporter outside a Travis environment, it does nothing but emit a warning.