Snyk Vulnerability Scanner

Automated security vulnerability scanning and fixing for GitHub repositories using Snyk.

What It Does

1. Scans repositories for security vulnerabilities using Snyk
Reports findings as GitHub issues (grouped by package)
Auto-fixes vulnerabilities by applying Snyk patches and creating PRs

Prerequisites

Before using this skill, ensure:

1. Snyk CLI is installed: npm install -g snyk and authenticated: INLINECODE1
GitHub CLI is installed: brew install gh and authenticated: INLINECODE3
jq is installed: brew install jq (for JSON processing)
You have write access to the target repository

Workflow

CODEBLOCK0

Severity Levels

- critical - Critical vulnerabilities only
INLINECODE6 - High and critical vulnerabilities (default)
INLINECODE7 - Medium, high, and critical
INLINECODE8 - All severities

Usage

Full Automated Workflow

Run complete scan → report → fix workflow:

CODEBLOCK1

Parameters:

- repo-url - Full GitHub URL (required)
INLINECODE10 - Target branch for PRs (default: dev)
INLINECODE12 - Comma-separated levels (default: high,critical)
INLINECODE14 - true to skip GitHub issue creation (default: false)
INLINECODE17 - true to skip auto-fix (default: false)
INLINECODE20 - true to simulate without making changes (default: false)

Examples:

CODEBLOCK2

Step-by-Step Usage

1. Scan Only

CODEBLOCK3

Generates a JSON file with vulnerability details.

Example:
CODEBLOCK4

2. Create GitHub Issues

CODEBLOCK5

Creates one GitHub issue per vulnerable package, grouping all CVEs for that package.

3. Auto-Fix and Create PR

CODEBLOCK6

Applies Snyk fixes and creates a PR to the specified branch.

Example:
CODEBLOCK7

Supported Package Managers

- npm/yarn (package.json)
Python (requirements.txt, Pipfile, pyproject.toml)
Gradle (build.gradle)
Maven (pom.xml)

GitHub Issues

Issues are created with:

- Labels: security, vulnerability, INLINECODE31
Package name in title with severity level
Detailed body with all CVEs for that package
Link to Snyk for more info
Auto-fix availability indicator

Duplicate prevention: Issues won't be created if a similar issue already exists for the same package.

Pull Requests

PRs include:

- Branch name: INLINECODE32
Body with fix summary, changed files, and remaining vulnerabilities
Labels: security, dependencies, INLINECODE35
Target: dev branch (configurable)

Cron/Automated Runs

For periodic scans, use the skill via cron:

CODEBLOCK8

Or via OpenClaw cron for direct integration:

CODEBLOCK9

Scripts Reference

Script	Purpose
INLINECODE36	Main entry point - runs complete workflow
INLINECODE37

Troubleshooting

"Snyk not authenticated"
→ Run: INLINECODE40

"GitHub CLI not authenticated"
→ Run: INLINECODE41

"No vulnerabilities found"
→ Check Snyk dashboard for your project; may need to import repo first

"Permission denied" on scripts
→ Run: INLINECODE42

Auto-fix not working
→ Some vulnerabilities can't be auto-fixed; check Snyk dashboard for remediation advice

Dry run shows changes but real run doesn't
→ Check that Snyk has fixable suggestions for the vulnerabilities; some require manual updates

Snyk 漏洞扫描器

使用 Snyk 对 GitHub 仓库进行自动化安全漏洞扫描与修复。

功能概述

1. 扫描使用 Snyk 扫描仓库中的安全漏洞
报告将发现结果以 GitHub Issue 形式呈现（按包分组）
自动修复 通过应用 Snyk 补丁并创建 PR 来修复漏洞

前置条件

使用此技能前，请确保：

1. 已安装 Snyk CLI：npm install -g snyk 并完成认证：snyk auth
已安装 GitHub CLI：brew install gh 并完成认证：gh auth login
已安装 jq：brew install jq（用于 JSON 处理）
拥有目标仓库的写入权限

工作流程

扫描仓库 → 创建 GitHub Issue → 自动修复 → 创建 PR

严重级别

- critical - 仅严重漏洞
high - 高危和严重漏洞（默认）
medium - 中危、高危和严重漏洞
low - 所有级别

使用方法

全自动工作流程

运行完整的扫描 → 报告 → 修复工作流：

bash
./scripts/run-full-workflow.sh <仓库地址> [基础分支] [严重级别] [跳过Issue] [跳过修复] [试运行]

参数说明：

- repo-url - 完整的 GitHub 地址（必填）
base-branch - PR 的目标分支（默认：dev）
severity - 逗号分隔的级别（默认：high,critical）
skip-issues - true 跳过创建 GitHub Issue（默认：false）
skip-fix - true 跳过自动修复（默认：false）
dry-run - true 模拟运行，不实际修改（默认：false）

示例：

bash

使用默认参数运行完整工作流

./scripts/run-full-workflow.sh https://github.com/owner/repo

仅扫描，跳过修复

./scripts/run-full-workflow.sh https://github.com/owner/repo dev high false true false

试运行 - 执行所有步骤但不实际修改

./scripts/run-full-workflow.sh https://github.com/owner/repo dev high,critical false false true

仅修复（跳过Issue），目标 main 分支

./scripts/run-full-workflow.sh https://github.com/owner/repo main high true false false

分步使用

1. 仅扫描

bash
./scripts/snyk-scan.sh <仓库地址> [输出文件] [严重级别过滤]

生成包含漏洞详情的 JSON 文件。

示例：
bash
./scripts/snyk-scan.sh https://github.com/owner/repo results.json high,critical

2. 创建 GitHub Issue

bash
python3 scripts/create-github-issues.py <仓库地址>

为每个存在漏洞的包创建一个 GitHub Issue，并将该包的所有 CVE 合并在一起。

3. 自动修复并创建 PR

bash
./scripts/snyk-auto-fix.sh <仓库地址> [基础分支] [试运行]

应用 Snyk 修复并创建指向指定分支的 PR。

示例：
bash
./scripts/snyk-auto-fix.sh https://github.com/owner/repo dev false

支持的包管理器

- npm/yarn（package.json）
Python（requirements.txt、Pipfile、pyproject.toml）
Gradle（build.gradle）
Maven（pom.xml）

GitHub Issue

创建的 Issue 包含：

- 标签：security、vulnerability、snyk
标题中包含包名和严重级别
详细内容包含该包的所有 CVE
指向 Snyk 的链接以获取更多信息
自动修复可用性指示

重复预防：如果同一包已存在类似的 Issue，则不会重复创建。

拉取请求

PR 包含：

- 分支名称：snyk-fix-<时间戳>
内容包含修复摘要、变更文件和剩余漏洞
标签：security、dependencies、snyk
目标：dev 分支（可配置）

定时/自动运行

如需定期扫描，可通过 cron 使用此技能：

bash

添加到 cron，每天上午 9 点运行

0 9 * cd ~/.openclaw/workspace/skills/snyk-vulnerability-scanner && ./scripts/run-full-workflow.sh https://github.com/owner/repo

或通过 OpenClaw cron 直接集成：

json
{
name: snyk-daily-scan,
schedule: { kind: cron, expr: 0 9 * },
payload: {
kind: agentTurn,
message: 在 https://github.com/owner/repo 上运行 Snyk 漏洞扫描，并为 dev 分支创建修复
}
}

脚本参考

脚本	用途
run-full-workflow.sh	主入口 - 运行完整工作流
snyk-scan.sh

故障排除

Snyk 未认证
→ 运行：snyk auth

GitHub CLI 未认证
→ 运行：gh auth login

未发现漏洞
→ 检查 Snyk 仪表板中的项目；可能需要先导入仓库

脚本提示权限不足
→ 运行：chmod +x scripts/*.sh

自动修复不生效
→ 某些漏洞无法自动修复；请查看 Snyk 仪表板获取修复建议

试运行显示有变更但实际运行没有
→ 检查 Snyk 是否针对这些漏洞提供了可修复的建议；某些漏洞需要手动更新

snyk-vulnerability-scannerSnyk漏洞扫描