snyk / serverless-snyk

Serverless plugin for securing your dependencies with Snyk

serverless-snyk's Introduction

Serverless Snyk Plugin

Around 14% of npm packages carry a known vulnerability, and new vulnerabilities are being discovered every day. The Serverless Snyk plugin helps you keep your application secure by allowing you to check the Node.js dependencies in your Serverless app for known vulnerabilities using Snyk.

Read more about Serverless security and how vulnerable open source packages affect it on the Snyk blog.

For Serverless v1 only.

How do I use it?

  1. Fix any existing vulnerable packages using Snyk's GitHub integration or Snyk wizard.

  2. Install the Serverless Snyk plugin using npm

    npm install serverless-snyk --save

    You should now have Serverless Snyk installed and ready to go. You can confirm that the plugin has been installed by running serverless from your command line. You should see the Snyk plugin in the list of installed plugins.

  3. Add the plugin to your Serverless config

    Next, you'll need to add the plugin to your serverless.yml file:

    plugins:
       - serverless-snyk

  4. Optional: Get a Snyk API Key

    To avoid running into API rate limits and to enable continuous monitoring, you'll need to sign up for a Snyk account (if you don't have one already) and copy the API token from your dashboard. Detailed instructions on how to include the API token in your configuration are included in the setting an API key section below.

That's it! Now when you deploy, the Serverless Snyk plugin will scan your application for known vulnerabilities.

Configuring

Setting an API key

To ensure you don't run into any API rate limits, or to enable continuous monitoring of the state of your application's security, you'll need to include a valid API token in your application.

You can do this by signing up for an account (if you don't have one already) and copying the API token from your dashboard.

Since the Serverless framework does not currently support environment variables, Serverless Snyk uses dotenv to store your token. You'll want to create a .env file in the root of your project, and then set a snykAuth variable with the value you copied from your dashboard:

snykAuth=YOUR_API_TOKEN

Deploying even if vulnerabilities are discovered

By default, Serverless Snyk will stop serverless from deploying if Snyk detects any vulnerabilities in your dependencies. Each vulnerability will also be printed, and you'll be prompted to run snyk wizard to address the issues.

If you would like serverless to deploy your application even if Snyk finds known vulnerabilities, you can accomplish this by using a custom variable in your serverless.yml file.

custom:
  snyk:
    breakOnVuln: false

Snyk will still run and report any vulnerabilities, but the deploy will now continue.

Continuous monitoring

Snyk can take a snapshot of the current state of your dependencies each time you deploy, and proactively notify you of any newly discovered vulnerabilities that may impact them.

This feature requires an API token. If you've included the API token as described above, the plugin will monitor your application by default.

There may be cases where you want to be authenticated to avoid API limits, but you don't want to monitor your application. You can turn off monitoring in the serverless.yml file:

custom:
  snyk:
    monitor: false
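The following JavaScript is an added example, not the serverless-snyk plugin's own code. It resolves the settings described in this Configuring section from a parsed serverless.yml custom block and a .env file, then applies the documented rules (breakOnVuln defaults to true; monitoring is on by default but only possible when a token is present) to a constructed scan result. The function names, the scan-result shape, and the assumption that a blocked deploy also skips the monitor snapshot are mine, not the project's.

```javascript
// Added example, not the serverless-snyk plugin's own code. Resolves the
// settings this README documents and decides what a deploy should do.

// Minimal .env parser: KEY=VALUE lines; blank lines and '#' comments ignored.
// The file holds a credential, so keep it out of version control.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}

// Effective settings from the serverless.yml `custom` block and the .env
// values: breakOnVuln defaults to true; monitoring defaults to true but
// requires a token, so without snykAuth it is off regardless of config.
function resolveSnykSettings(custom, env) {
  const snyk = (custom && custom.snyk) || {};
  const token = env.snykAuth || null;
  return {
    token,
    breakOnVuln: snyk.breakOnVuln !== false,
    monitor: token !== null && snyk.monitor !== false,
  };
}

// Deploy decision for a scan result shaped { vulnerabilities: [...] } (shape
// assumed). A blocked deploy is assumed to skip the monitor snapshot too.
function decideDeploy(settings, scanResult) {
  const count = scanResult.vulnerabilities.length;
  const blocked = count > 0 && settings.breakOnVuln;
  return {
    deploy: !blocked,
    monitor: settings.monitor && !blocked,
    message: blocked
      ? `${count} known vulnerabilities found; run snyk wizard before deploying`
      : `${count} known vulnerabilities found; continuing deploy`,
  };
}

// Constructed sample: placeholder token, deploy allowed despite findings.
const sampleEnv = parseDotenv('# local secrets, not committed\nsnykAuth=YOUR_API_TOKEN\n');
const sampleSettings = resolveSnykSettings({ snyk: { breakOnVuln: false } }, sampleEnv);
console.log(decideDeploy(sampleSettings, { vulnerabilities: [{ id: 'CONSTRUCTED-1' }] }));
```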

License

License: Apache License, Version 2.0

serverless-snyk's People

Contributors

tkadlec

serverless-snyk's Issues

Getting error at serverless deploy

npm install serverless-snyk --save

serverless.yml

plugins:
   - serverless-snyk

Getting error on serverless deploy

 Error: Cannot find module 'snyk/lib'
      at Function.Module._resolveFilename (internal/modules/cjs/loader.js:580:15)
      at Function.Module._load (internal/modules/cjs/loader.js:506:25)
      at Module.require (internal/modules/cjs/loader.js:636:17)
      at require (internal/modules/cjs/helpers.js:20:18)

Support for Snyk Iac?

  • Does this not have support for Snyk IaC?
  • Is that on the roadmap? Or are there any workarounds for it?
