How do I scan multi-module Java projects?

Some Java projects may be broken up into multiple pom.xml files. To scan all of these at once, use the --all-projects flag of the CLI.

Do you offer support for local modules?

Many customers reference proprietary modules built in-house, which are typically hosted in a local repository (for example JFrog Artifactory). Often the SSL certificate of such an on-prem repository is not valid, and Snyk will then return an error when trying to connect to the repository. In such cases you can use the --insecure flag of the CLI, which makes it ignore invalid certificates. As this is not good practice (but sometimes a necessity), it is recommended to offer this feature only as an explicit opt-in by the user, after explaining the ramifications.

Does Snyk have a test quota?

Free Snyk accounts have a test quota of 200 tests per month. All paid Snyk plans have unlimited scanning.

Are the Snyk test quotas enforced?

No, currently the test quota is not enforced. The Snyk CLI only prints a warning similar to the following when the quota is reached:

"You have reached your monthly limit of 200 private tests for your [ORG] org. To learn more about our plans and increase your tests limit visit https://snyk.io/plans."

However, the --json output does not currently include any indication that the quota has been exceeded.

How do I include dev dependencies in the scan results?

Some package managers have the notion of dependencies that are used only during development. For short, these are typically referred to as dev dependencies, and Snyk does not scan them by default. To include dev dependencies in the scan results, use the --dev flag when running the test command:

snyk test --dev --file=<manifest file> --json
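The three answers above (the --insecure opt-in for local repositories, the quota warning that only appears on stderr and not in the --json output, and the --dev flag) come together in the kind of wrapper script a team would put around the CLI. The following is an added example written for this page, not Snyk's own tooling: it builds the `snyk test` argument list, adds --insecure only when the user has explicitly opted in through the hypothetical SNYK_ALLOW_INSECURE_TLS variable (and says on stderr what that costs), and detects the quota message on stderr since the JSON report does not carry it. The SNYK_BIN override and the sample stderr text are constructed for offline use; the sample text copies the warning quoted above with [ORG] left as a placeholder.

```shell
#!/bin/sh
# Added example, not Snyk's own tooling: a small wrapper around `snyk test`
# that (1) passes --dev and --json through, (2) adds --insecure only after an
# explicit opt-in via the hypothetical SNYK_ALLOW_INSECURE_TLS=yes variable,
# and (3) detects the quota warning on stderr, because the --json output does
# not carry it.

SNYK_BIN="${SNYK_BIN:-snyk}"   # point this at a stub to run the wrapper offline

# Build the argument list for `snyk test`.
#   $1 = manifest file (e.g. pom.xml)
#   $2 = "dev" to include dev dependencies, anything else to leave them out
build_snyk_args() {
    _args="test --json --file=$1"
    if [ "$2" = "dev" ]; then
        _args="$_args --dev"
    fi
    # --insecure makes the CLI ignore invalid certificates for the repository
    # connection, so it is never added silently: the caller must opt in and
    # the wrapper spells out the consequence on stderr.
    if [ "${SNYK_ALLOW_INSECURE_TLS:-}" = "yes" ]; then
        echo "WARNING: SNYK_ALLOW_INSECURE_TLS=yes -> adding --insecure; invalid TLS certificates for the dependency repository will be accepted" >&2
        _args="$_args --insecure"
    fi
    printf '%s\n' "$_args"
}

# Constructed copy of the CLI's quota warning as quoted in the FAQ ([ORG] kept
# as a placeholder); used only to drive the detection logic offline.
SAMPLE_QUOTA_STDERR='You have reached your monthly limit of 200 private tests for your [ORG] org. To learn more about our plans and increase your tests limit visit https://snyk.io/plans.'

# Return 0 when the captured stderr text contains the quota warning.
quota_reached() {
    printf '%s\n' "$1" | grep -q 'reached your monthly limit'
}

# Run `snyk test`, store the JSON report in $3, and set QUOTA_REACHED=1 when
# the monthly limit message appeared on stderr (0 otherwise). The exit code of
# snyk itself is passed through unchanged (1 means vulnerabilities were found).
run_snyk_test() {
    _out="$3"
    _err="${TMPDIR:-/tmp}/snyk_stderr.$$"
    _rc=0
    # Word splitting of the argument string is intended here.
    "$SNYK_BIN" $(build_snyk_args "$1" "$2") >"$_out" 2>"$_err" || _rc=$?
    QUOTA_REACHED=0
    if quota_reached "$(cat "$_err")"; then
        QUOTA_REACHED=1
        echo "NOTE: monthly test quota reached; the report in $_out comes from a run over quota" >&2
    fi
    rm -f "$_err"
    return $_rc
}
```

A CI job would call `run_snyk_test pom.xml dev report.json` and then inspect both the exit code and QUOTA_REACHED: the JSON report stays usable while the quota is unenforced, but the flag lets the pipeline surface the warning that would otherwise be lost in the captured stderr.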