Snyk can scan your dependencies for CVEs in CircleCI by integrating with your CI/CD pipeline.

Here’s how Snyk can help you find and fix CVEs in your project’s dependencies within your CircleCI pipeline:

Setting up Snyk in CircleCI

  1. Install the Snyk CircleCI Orb: The easiest way to integrate Snyk is by using the official Snyk CircleCI orb. You can add it to your .circleci/config.yml file.

    version: 2.1
    
    orbs:
      snyk: snyk/snyk@x.x.x # Replace x.x.x with the latest version
    
    jobs:
      build:
        docker:
          - image: cimg/node:18.16.0 # Example Docker image
        steps:
          - checkout
          - snyk/scan:
              token-variable: SNYK_TOKEN # Name of the CircleCI env var holding your Snyk API token
              # Other optional parameters can be added here, e.g.,
              # monitor-on-build: true
              # severity-threshold: high # Only report issues of this severity or above
              # fail-on-issues: true # Fail the build when issues at or above the threshold are found
    
    workflows:
      version: 2
      build-and-scan:
        jobs:
          - build
    
  2. Get your Snyk API Token: You’ll need a Snyk API token to authenticate the orb. You can generate this from your Snyk account settings under "API Tokens." Store this token as a secret environment variable in your CircleCI project settings (e.g., named SNYK_TOKEN).

  3. Configure your .circleci/config.yml:

    • Declare the snyk/snyk orb in the orbs section.
    • In your job (e.g., build), add the orb's snyk/scan step.
    • Pass your SNYK_TOKEN environment variable to the orb.
    • You can configure the orb to monitor-on-build (sending results to the Snyk UI) and fail-on specific severity levels (e.g., high, medium, low) to stop your build if vulnerabilities are found.

How it Works

When your CircleCI pipeline runs, the snyk step will:

  1. Identify Project Type: The Snyk orb automatically detects your project’s manifest files (e.g., package.json, pom.xml, requirements.txt, Gemfile.lock).
  2. Scan Dependencies: It then runs a Snyk scan against these files to identify known vulnerabilities (CVEs) in your direct and transitive dependencies.
  3. Report Results:
    • CLI Output: Snyk will print a summary of found vulnerabilities directly to your CircleCI job logs.
    • Snyk UI (if monitor-on-build: true): Results are also sent to your Snyk project dashboard, providing a more detailed view, historical tracking, and remediation advice.
  4. Enforce Policy (if fail-on is set): If the scan finds vulnerabilities exceeding the configured fail-on threshold, the CircleCI job will fail, preventing vulnerable code from progressing.

Example of a Snyk Scan in CircleCI Logs

#!/bin/bash -eo pipefail
echo "Running Snyk..."
# Under -e a non-zero exit would abort the script before any later $? check,
# so test the command directly in the if condition instead.
if ! snyk test --org="$SNYK_ORG" --json-file-output=/tmp/snyk_results.json; then
  echo "Snyk test failed. Vulnerabilities found."
  # Optionally, fail the build here by uncommenting the next line
  # exit 1
fi
echo "Snyk scan completed."

This is a simplified representation of what the orb does. The orb handles the authentication, command execution, and result parsing for you.

Key Snyk Configurations within the Orb

  • token (Required): Your Snyk API token.
  • monitor-on-build (Optional, default: false): If true, results are sent to Snyk for monitoring and reporting.
  • fail-on (Optional, default: all): Controls when the build fails. Possible values: all, high, medium, low, none. For example, fail-on: "high" will fail the build if any high-severity vulnerabilities are found.
  • scan-type (Optional): Explicitly specify the type of scan (e.g., npm, maven, pip). Usually auto-detected.
  • severity-threshold (Optional): Similar to fail-on, but determines which vulnerabilities are reported in the CLI output.

Remediation

When Snyk finds vulnerabilities, it provides clear remediation advice:

  • Upgrade Paths: Often, the simplest fix is to upgrade a vulnerable dependency to a specific, patched version. Snyk will suggest the exact version to upgrade to.
  • Patching: For some vulnerabilities, Snyk might offer an automatic patch that you can apply.
  • Ignoring Vulnerabilities: In rare cases, you might need to ignore a vulnerability if it’s not exploitable in your specific context. Snyk allows you to manage these ignores through its UI or configuration files.
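The policy step from "How it Works" (fail the job when findings reach a severity threshold) and the time-boxed ignores from "Remediation" can be seen together in a small gate over Snyk's JSON output. The script below is an added example, not Snyk's or the orb's code; it assumes the file written by `snyk test --json-file-output=<path>` carries a top-level `vulnerabilities` list whose entries have `id`, `severity`, `packageName`, `version`, `isUpgradable` and `fixedIn`, and the report and ignore list it runs on are constructed with placeholder IDs. Each ignore must carry a reason and an expiry date so that accepted risk is re-examined rather than forgotten.

```python
"""Severity gate over a Snyk JSON test report (added example, not Snyk's code).

Assumes the report shape written by `snyk test --json-file-output=<path>`:
a top-level "vulnerabilities" list with "id", "severity", "packageName",
"version", "isUpgradable" and "fixedIn". Sample data below is constructed.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of Snyk's JSON output; the IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-JS-EXAMPLE-0000001", "severity": "high",
         "packageName": "example-parser", "version": "1.2.0",
         "isUpgradable": True, "fixedIn": ["1.2.3"]},
        {"id": "SNYK-JS-EXAMPLE-0000002", "severity": "medium",
         "packageName": "example-logger", "version": "3.0.0",
         "isUpgradable": False, "fixedIn": []},
        {"id": "SNYK-JS-EXAMPLE-0000003", "severity": "critical",
         "packageName": "example-crypto", "version": "0.9.1",
         "isUpgradable": True, "fixedIn": ["1.0.0"]},
    ],
})

# Constructed ignore list in the spirit of a .snyk policy file: a reason and an
# expiry are mandatory so an ignore cannot silently outlive its justification.
IGNORES = {
    "SNYK-JS-EXAMPLE-0000002": {
        "reason": "vulnerable code path is not reachable from our entry points",
        "expires": "2099-01-01",
    },
}


def active_ignores(ignores, today):
    """Return the IDs whose ignore entry has not yet expired on `today` (a date)."""
    return {vid for vid, entry in ignores.items()
            if date.fromisoformat(entry["expires"]) > today}


def evaluate(report_json, severity_threshold="high", ignores=None, today=None):
    """Decide whether the job should fail.

    Returns (should_fail, failing_ids, remediation_lines). Findings below the
    threshold or covered by an unexpired ignore are skipped; for the rest the
    suggested upgrade (if any) is collected so the log tells the reader what to do.
    `today` is an ISO date string, defaulting to the current date.
    """
    today_date = date.fromisoformat(today) if today else date.today()
    skip = active_ignores(ignores or {}, today_date)
    threshold = SEVERITY_RANK[severity_threshold]
    report = json.loads(report_json)
    failing, remediation = [], []
    for vuln in report.get("vulnerabilities", []):
        if vuln["id"] in skip:
            continue
        if SEVERITY_RANK.get(vuln["severity"], 0) < threshold:
            continue
        failing.append(vuln["id"])
        target = f"{vuln['packageName']}@{vuln['version']}"
        if vuln.get("isUpgradable") and vuln.get("fixedIn"):
            remediation.append(f"upgrade {target} -> {vuln['fixedIn'][0]}")
        else:
            remediation.append(f"no upgrade for {target}: review, or ignore with a reason and expiry")
    return (len(failing) > 0, failing, remediation)


if __name__ == "__main__":
    # In a real job the report would be read from the path given to --json-file-output.
    should_fail, ids, advice = evaluate(SAMPLE_REPORT, "high", IGNORES)
    for line in advice:
        print(line)
    print(f"{len(ids)} finding(s) at or above threshold")
    sys.exit(1 if should_fail else 0)
```

Run it as a step after `snyk test` with the report path substituted for the constructed sample; a non-zero exit from the script fails the CircleCI job exactly as the orb's own threshold does, while the printed remediation lines land in the job log next to Snyk's summary.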

By integrating Snyk into your CircleCI pipeline, you shift security left, catching vulnerabilities early in the development lifecycle before they can reach production.

The next step after fixing CVEs is often to address license compliance issues.
