# Snyk Vulnerability Scanner
Automated security vulnerability scanning and fixing for GitHub repositories using Snyk.
## What It Does
1. **Scans** repositories for security vulnerabilities using Snyk
2. **Reports** findings as GitHub issues (grouped by package)
3. **Auto-fixes** vulnerabilities by applying Snyk patches and creating PRs
## Prerequisites
Before using this skill, ensure:
1. **Snyk CLI** is installed: `npm install -g snyk` and authenticated: `snyk auth`
2. **GitHub CLI** is installed: `brew install gh` and authenticated: `gh auth login`
3. **jq** is installed: `brew install jq` (for JSON processing)
4. You have **write access** to the target repository
## Workflow
```
Scan Repository → Create GitHub Issues → Auto-Fix → Create PR
```
### Severity Levels
- `critical` - Critical vulnerabilities only
- `high` - High and critical vulnerabilities (default)
- `medium` - Medium, high, and critical
- `low` - All severities
## Usage
### Full Automated Workflow
Run complete scan → report → fix workflow:
```bash
./scripts/run-full-workflow.sh <repo-url> [base-branch] [severity] [skip-issues] [skip-fix] [dry-run]
```
**Parameters:**
- `repo-url` - Full GitHub URL (required)
- `base-branch` - Target branch for PRs (default: `dev`)
- `severity` - Comma-separated levels (default: `high,critical`)
- `skip-issues` - `true` to skip GitHub issue creation (default: `false`)
- `skip-fix` - `true` to skip auto-fix (default: `false`)
- `dry-run` - `true` to simulate without making changes (default: `false`)

**Examples:**
```bash
# Full workflow with defaults
./scripts/run-full-workflow.sh https://github.com/owner/repo
# Scan only, skip fixes
./scripts/run-full-workflow.sh https://github.com/owner/repo dev high false true false
# Dry run - everything but no changes
./scripts/run-full-workflow.sh https://github.com/owner/repo dev high,critical false false true
# Fix only (skip issues), target main branch
./scripts/run-full-workflow.sh https://github.com/owner/repo main high true false false
```
### Step-by-Step Usage
#### 1. Scan Only
```bash
./scripts/snyk-scan.sh <repo-url> [output-file] [severity-filter]
```
Generates a JSON file with vulnerability details.
**Example:**
```bash
./scripts/snyk-scan.sh https://github.com/owner/repo results.json high,critical
```
#### 2. Create GitHub Issues
```bash
python3 scripts/create-github-issues.py <results.json> <repo-url>
```
Creates one GitHub issue per vulnerable package, grouping all CVEs for that package.
#### 3. Auto-Fix and Create PR
```bash
./scripts/snyk-auto-fix.sh <repo-url> [base-branch] [dry-run]
```
Applies Snyk fixes and creates a PR to the specified branch.
**Example:**
```bash
./scripts/snyk-auto-fix.sh https://github.com/owner/repo dev false
```
## Supported Package Managers
- **npm/yarn** (`package.json`)
- **Python** (`requirements.txt`, `Pipfile`, `pyproject.toml`)
- **Gradle** (`build.gradle`)
- **Maven** (`pom.xml`)
## GitHub Issues
Issues are created with:
- Labels: `security`, `vulnerability`, `snyk`
- Package name in title with severity level
- Detailed body with all CVEs for that package
- Link to Snyk for more info
- Auto-fix availability indicator

Duplicate prevention: Issues won't be created if a similar issue already exists for the same package.
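The grouping, severity threshold and duplicate check described in step 2 and in this section, as an added example that is not the skill's own `create-github-issues.py`. It assumes the scan JSON has the shape of `snyk test --json` output (a `vulnerabilities` array with `packageName`, `version`, `severity`, `identifiers.CVE`, `isUpgradable`/`isPatchable`), that existing issue titles come from `gh issue list --json title`, and an issue title format of my own choosing.

```python
import json
from collections import defaultdict

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the shape of `snyk test --json` output (assumption: snyk-scan.sh
# writes the raw Snyk JSON); IDs and CVE numbers are placeholders, not real findings.
SAMPLE_RESULTS = json.dumps({"vulnerabilities": [
    {"id": "SNYK-EXAMPLE-1", "title": "Prototype Pollution", "severity": "high", "packageName": "lodash",
     "version": "4.17.15", "identifiers": {"CVE": ["CVE-0000-0001"]}, "isUpgradable": True, "isPatchable": False},
    {"id": "SNYK-EXAMPLE-2", "title": "ReDoS", "severity": "medium", "packageName": "lodash",
     "version": "4.17.15", "identifiers": {"CVE": ["CVE-0000-0002"]}, "isUpgradable": True, "isPatchable": False},
    {"id": "SNYK-EXAMPLE-3", "title": "Prototype Pollution", "severity": "critical", "packageName": "minimist",
     "version": "1.2.0", "identifiers": {"CVE": ["CVE-0000-0003"]}, "isUpgradable": False, "isPatchable": False},
    {"id": "SNYK-EXAMPLE-4", "title": "Open Redirect", "severity": "low", "packageName": "express",
     "version": "4.16.0", "identifiers": {"CVE": []}, "isUpgradable": True, "isPatchable": False},
]})

def plan_issues(results_json, severity="high,critical", existing_titles=()):
    """Return the issues to open: one per vulnerable package, at or above the lowest
    requested severity, skipping packages that already have an open issue."""
    # "high" alone means high and critical, so the threshold is the lowest level named.
    threshold = min(SEVERITY_RANK[s.strip()] for s in severity.split(","))
    groups = defaultdict(lambda: {"severity": "low", "versions": set(), "cves": set(),
                                  "fixable": False, "findings": []})
    for v in json.loads(results_json)["vulnerabilities"]:
        rank = SEVERITY_RANK.get(v["severity"], -1)
        if rank < threshold:
            continue
        g = groups[v["packageName"]]
        g["versions"].add(v["version"])
        if rank > SEVERITY_RANK[g["severity"]]:
            g["severity"] = v["severity"]  # the issue carries the worst severity in the group
        g["cves"].update(v["identifiers"].get("CVE", []))
        g["fixable"] |= bool(v.get("isUpgradable") or v.get("isPatchable"))
        g["findings"].append(f'- {v["id"]}: {v["title"]} ({v["severity"]})')
    issues = []
    for name, g in groups.items():
        if any(name in t for t in existing_titles):
            continue  # duplicate prevention: a similar issue for this package is already open
        title = f'[{g["severity"]}] {name}: {len(g["findings"])} Snyk finding(s)'  # assumed format
        body = "\n".join([f'Versions: {", ".join(sorted(g["versions"]))}',
                          f'CVEs: {", ".join(sorted(g["cves"])) or "none assigned"}',
                          f'Auto-fix available: {"yes" if g["fixable"] else "no"}', ""] + g["findings"])
        issues.append({"title": title, "body": body, "labels": ["security", "vulnerability", "snyk"]})
    return issues
```

Each returned dict maps directly onto `gh issue create --title ... --body ... --label ...`.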
## Pull Requests
PRs include:
- Branch name: `snyk-fix-<timestamp>`
- Body with fix summary, changed files, and remaining vulnerabilities
- Labels: `security`, `dependencies`, `snyk`
- Target: dev branch (configurable)
## Cron/Automated Runs
For periodic scans, use the skill via cron:
```bash
# Add to cron for daily scans at 9am
0 9 * * * cd ~/.openclaw/workspace/skills/snyk-vulnerability-scanner && ./scripts/run-full-workflow.sh https://github.com/owner/repo
```
Or via OpenClaw cron for direct integration:
```json
{
"name": "snyk-daily-scan",
"schedule": { "kind": "cron", "expr": "0 9 * * *" },
"payload": {
"kind": "agentTurn",
"message": "Run Snyk vulnerability scan on https://github.com/owner/repo and create fixes for dev branch"
}
}
```
## Scripts Reference
| Script | Purpose |
|--------|---------|
| `run-full-workflow.sh` | Main entry point - runs complete workflow |
| `snyk-scan.sh` | Scans repo, outputs JSON results |
| `create-github-issues.py` | Creates GitHub issues from scan results |
| `snyk-auto-fix.sh` | Applies fixes and creates PRs |
## Troubleshooting
**"Snyk not authenticated"**
→ Run: `snyk auth`

**"GitHub CLI not authenticated"**
→ Run: `gh auth login`

**"No vulnerabilities found"**
→ Check the Snyk dashboard for your project; you may need to import the repo first

**"Permission denied" on scripts**
→ Run: `chmod +x scripts/*.sh`

**Auto-fix not working**
→ Some vulnerabilities can't be auto-fixed; check the Snyk dashboard for remediation advice

**Dry run shows changes but real run doesn't**
→ Check that Snyk has fixable suggestions for the vulnerabilities; some require manual updates