Some Java projects are split into multiple pom.xml files (one per module). To scan all of them in a single run, use the
--all-projects flag of the CLI.
Many customers reference proprietary modules built in-house, which are typically hosted in a local repository (for example JFrog Artifactory). The SSL certificate of such an on-prem repository is often not valid, in which case Snyk returns an error when trying to connect to it. In such cases you can use the
--insecure flag of the CLI, which makes Snyk ignore invalid certificates. Because this disables certificate validation it is not good practice (though sometimes a necessity), so it is recommended to offer this feature only as an explicit opt-in by the user, after explaining the ramifications.
Free Snyk accounts have a quota of 200 tests per month. All paid Snyk plans have unlimited scanning.
No, currently the test quota is not enforced. The snyk CLI only prints a warning similar to the following when the quota is reached:
However, the --json output does not currently include any indication that the quota has been exceeded.
Some package managers have the notion of dependencies that are used only at development time. For short, these are typically referred to as
dev dependencies, and Snyk does not scan them by default. To include dev dependencies in the scan results, add the
--dev flag when running the test command:
snyk test --dev --file=<manifest file> --json
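The following is an added example, not code from Snyk or from the original page. It is a small Python wrapper around the CLI invocations discussed above: it assembles the snyk test command (with --all-projects, --dev and --json, and with --insecure only when the caller explicitly opts in), runs it, and reduces the JSON output to per-severity counts. The exit-code handling follows the CLI's documented convention (0 = no issues, 1 = issues found, anything else = the test itself failed). The sample JSON at the bottom is constructed for the offline demo and is not real scan output; only the ok, vulnerabilities and severity fields it uses are assumed to be present in real output.

```python
import json
import subprocess
from typing import Dict, List, Optional

# Ranking used to pick the worst finding across all scanned projects.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def build_command(manifest: Optional[str] = None, all_projects: bool = False,
                  include_dev: bool = False, allow_insecure: bool = False) -> List[str]:
    """Assemble the `snyk test --json` invocation.

    `allow_insecure` maps to --insecure and is off by default: it disables
    TLS certificate validation for the private registry connection, so the
    caller has to opt in explicitly (and should warn the user first).
    """
    cmd = ["snyk", "test", "--json"]
    if all_projects:
        cmd.append("--all-projects")      # scan every manifest, e.g. all pom.xml files
    elif manifest:
        cmd.append(f"--file={manifest}")  # scan one specific manifest
    if include_dev:
        cmd.append("--dev")               # also include dev dependencies
    if allow_insecure:
        cmd.append("--insecure")          # explicit opt-in only
    return cmd


def summarize(json_text: str) -> Dict[str, object]:
    """Reduce the JSON output to counts per severity.

    With --all-projects the CLI emits a JSON array (one object per manifest);
    otherwise a single object. Both shapes are normalised to a list here.
    """
    data = json.loads(json_text)
    projects = data if isinstance(data, list) else [data]
    counts = {sev: 0 for sev in SEVERITY_RANK}
    worst = None
    for proj in projects:
        for vuln in proj.get("vulnerabilities", []):
            sev = vuln.get("severity", "low")
            counts[sev] = counts.get(sev, 0) + 1
            if worst is None or SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(worst, 0):
                worst = sev
    return {
        "projects": len(projects),
        "ok": all(proj.get("ok", False) for proj in projects),
        "counts": counts,
        "worst": worst,
    }


def run_test(**kwargs) -> Dict[str, object]:
    """Run the CLI and parse its result.

    Exit status 0 (no issues) and 1 (issues found) both carry valid JSON on
    stdout; any other status means the test itself failed. stderr is kept
    because the JSON carries no indication of the test quota, so whatever
    the CLI prints outside the JSON must be inspected separately.
    """
    proc = subprocess.run(build_command(**kwargs), capture_output=True, text=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"snyk test failed ({proc.returncode}): {proc.stderr.strip()}")
    result = summarize(proc.stdout)
    result["stderr"] = proc.stderr
    return result


# Constructed sample output in the --all-projects (array) shape; the package
# name and findings are placeholders, not real Snyk data.
SAMPLE_ALL_PROJECTS_OUTPUT = json.dumps([
    {"ok": False, "packageManager": "maven", "displayTargetFile": "pom.xml",
     "vulnerabilities": [
         {"severity": "high", "packageName": "example-lib", "version": "1.0.0"},
         {"severity": "medium", "packageName": "example-lib", "version": "1.0.0"},
     ]},
    {"ok": True, "packageManager": "maven", "displayTargetFile": "service/pom.xml",
     "vulnerabilities": []},
])

if __name__ == "__main__":
    print(build_command(all_projects=True, include_dev=True))
    print(summarize(SAMPLE_ALL_PROJECTS_OUTPUT))
```

In a real integration, call run_test(manifest="pom.xml", include_dev=True) or run_test(all_projects=True); pass allow_insecure=True only after the user has confirmed they understand that certificate checks for the private repository are being switched off.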